The cloud has always been a convenient place to store your files, but a hostile place for security. With your files backed up on a company’s servers somewhere, they are exposed to demands from authorities for access, and to hackers who may break into the company’s infrastructure.
Apple’s recently launched “Advanced Data Protection” offers to upend that idea by using end-to-end encryption for its iCloud service. This means that device and Messages backups, notes, photos, voice memos, and more should be much better protected from third parties when stored or synced across iCloud. The promise is that not even Apple will be able to access your data stored in the cloud, and by extension, neither will third parties. This is because the keys for decrypting the content are stored only on the user’s devices. This is a notable and welcome change; for years, Apple has encrypted data stored on individual devices, but backups synced to the cloud often did not have a similar level of protection.
“For years we’ve had to deal with the fact that an entire copy of our phone lives on a server that’s outside of our control. Now the data on that server is under our control. That’s really all that’s changed here,” Matthew Green, associate professor at Johns Hopkins University, told Motherboard in an online chat. “I think it’s an extremely important development.”
In my tests, the process of setting up Advanced Data Protection was a bit buggy, but if the system delivers what it promises, iCloud’s new security add-on could be a game changer for people who have avoided cloud backup tools due to the lack of end-to-end encryption.
“The ability to have end-to-end encryption for cloud storage such that it is a personal vault to which only you hold the keys is a big step for Apple,” Alan Woodward, a cybersecurity professor at the University of Surrey, told Motherboard in an online chat. “It has been a bit of an alternate route for law enforcement in the past to obtain data that was stored on devices when users hadn’t quite realised it was being synchronised to iCloud. Closing the ‘loophole’ is doubtless going to bring some push back from law enforcement but clearly Apple believe it is something the customers want.”
Apple launched Advanced Data Protection for Mac, iPhone, and iPad users throughout December and January. To turn it on, users have to go into their iCloud settings where a box will read “Advanced Data Protection.” After clicking that, the device will run the user through the process. Setup takes a few minutes. Devices have to be updated to the latest version of the available operating systems.
Data recovery is especially important when setting up Advanced Data Protection, because Apple will not be able to help if you lose your own access. To mitigate this, Apple asks you to write down a 28-character recovery code and keep it somewhere safe. Apple also asks users if they want to set up a “recovery contact,” someone trusted who also uses Apple products and who can then give you a code to help you regain access to your account.
The full list of data that falls under Advanced Data Protection, according to the explainer box in the iCloud settings, is device backup, Messages backup, iCloud Drive, Notes, Photos, Reminders, Safari bookmarks, Siri Shortcuts, Voice Memos, and Wallet passes. (The explainer adds that passwords, Health, and Maps data are already protected with end-to-end encryption.)
When I tested Advanced Data Protection, I enabled it from an iPad. But when checking whether it was also enabled from a Mac signed into the same Apple ID, the Mac settings said Advanced Data Protection was not enabled. This appears to be a bug. I then enabled Advanced Data Protection from the Mac as well. Apple declined to provide a statement about this issue.
In 2020, Reuters reported that Apple previously dropped plans to encrypt device backups in iCloud after complaints from the FBI. Advanced Data Protection seems to have overridden those complaints. Green added, “It’s really amazing to me that this was ever controversial, but judging from the reaction of law enforcement officials: I guess it still is for some people.”
Woodward said, “It’s interesting that the Advanced Protection is optional and not standard. It’s almost as if Apple are dipping their toe in the water to see if there really is demand for this.”
For some, end-to-end encryption may still not be enough. Woodward added, “At the end of the day anything in the cloud is somebody else’s computer. It might be that I’m an old cynic, but I’d prefer to control my data myself even with the personal vault features now on offer. It may be I’ll not be able to do that [in the] future.”