> though the celeb hacking shows the limits of that approach
Apple has clearly stated that its system was not compromised.
The user reset questions were socially engineered, meaning it is irrelevant whether or not the data is encrypted. From Apple's perspective the owner of the data is downloading it.
> The user reset questions were socially engineered
Yep, you're right. My point, perhaps poorly stated, is that if Random Hacker X can figure out the answers to the iCloud reset questions, so can a law enforcement agency. Then they can log into that account. Impersonating someone this way is legal -- or at least has not been ruled to be illegal -- as long as it's done under court supervision under the Wiretap Act or similar legal authority authorizing prospective surveillance.
Possibly related: I disclosed last year that the Feds have demanded that major Internet companies divulge targeted users' stored passwords, and in some cases the algorithm used and the salt:
http://www.cnet.com/news/feds-tell-web-firms-to-turn-over-us...
> if Random Hacker X can figure out the answers to the iCloud reset questions
Answers about very famous people. Wikipedia will not tell me your mother's maiden name.
Also, as much as I sympathise with the women whose accounts were breached, actors aren't always the sharpest tools in the shed, and phishing schemes are a common tool for gaining access to other people's accounts. One of them (I don't remember which) publicly claimed iCloud backup for her iPhone was "too complicated" a while ago. Given that it's as complicated as "turn it on, and make sure it gets plugged into power with Wifi every so often", I don't doubt some of them would fall victim to even a very simple phishing scam.