Apple’s Advanced Data Protection Gives You More Keys to iCloud Data

Originally published at: Apple’s Advanced Data Protection Gives You More Keys to iCloud Data - TidBITS

Apple has announced Advanced Data Protection, an optional switch that enables end-to-end encryption for more types of iCloud data, including iCloud Backups, iCloud Drive, Photos, Notes, Reminders, and more.

Apple calls it “Advanced Data Protection”. Coming to US users by end of year (iOS 16.2, macOS 13.1), rollout abroad in 2023. No extra cost. Services then included (beyond those already E2E encrypted such as passwords and health data) will be:

  • Device Backup
  • Messages Backup
  • iCloud Drive
  • Photos
  • Reminders
  • Safari Bookmarks
  • Siri Shortcuts
  • Voice Memos
  • Wallet Passes

What I’m curious about is whether there’s anything apart from mail, calendar, and contacts that won’t be E2E encrypted once this is active.


Email.

Apple has a chart: iCloud data security overview - Apple Support

One thing to note is that things get a little complicated when you share notes, reminder lists, iCloud Drive links or folders, etc. Somehow Apple needs to have a transient key that it uses to allow the info to be read by multiple recipients, but it may be that once the share is established Apple no longer can see the item. I read about it yesterday, I can’t recall the details. (It was something like this that probably made this complicated and take this long to implement.)


I saw this news. I assume that once you activate this, any older Apple equipment (Macs running Monterey or older, iOS 15 or older, etc.) will no longer be able to access iCloud data like Notes.

Good idea, but for me, it’s going to be quite a while before I can enable it since my iPhone is the only Apple device I have running a compatible OS, and my other equipment either can’t be upgraded far enough or I’m deliberately holding off on the updates.


[Brought the posts above into this thread to centralize the discussion—they predate my publishing the article.]


This is great news. It doesn’t quite erase my annoyance at a certain bug, but it does eliminate all but purely economic arguments.

Cyrus IMAP is also a caldav and carddav server. So that’s that sorted. (I’m still very sorry that Apple discontinued Server, though.)

And my 2015 MBP, which will be the biggest casualty of the change, will make a fine full-time Windows box, and has been itching to take that role for a while now. I wonder how iCloud for Windows will take this?

We anticipate. :slight_smile:

People focusing on messages seem to forget that the conversation is only as encrypted as all parties to the conversation choose to make it. Apple also announced a feature that warns you if the other end of a conversation recently added a new device (I think that’s what the Contact Key Verification feature does?). I would think it is valuable to the kinds of targets this stuff is designed for to have a warning when you converse with someone who has not enabled ADP. (The counter-argument, I suppose, is that the feature could later be un-enabled. But, then, you could also say any message could be copied out to an unsafe location.)

I would be interested to know if passkeys would make working with iCloud Web a bit less onerous. I’m sure you would need the login flow each time to provide the key to the web client, but that login seems like it could be a good passkey candidate.

From the article:

  • Data sharing: When you share notes, reminders, and iCloud Drive folders or use iCloud Shared Photo Library, all the data remains end-to-end encrypted and available only on the participants’ devices as long as all users involved in sharing have Advanced Data Protection turned on. Sharing with anyone who’s not using Advanced Data Protection or using the “anyone with a link” option when sharing makes the content available to Apple servers using Apple-controlled keys.

So does this mean that sharing an iCloud Drive file/folder using the ‘anyone with a link’ option, or with someone who happens to not be using ADP (how would you know??), effectively turns e2e OFF for that file/folder?

Surely that could be a problem if it is sensitive information being shared? And how manageable is that going to be (eg. will there be a place to check which files/folders in your iCloud Drive file system are not e2e encrypted, accordingly?).

Lots of questions remain here.

Also:

  • Collaboration: The iWork collaboration capabilities and the Shared Albums feature of Photos don’t support Advanced Data Protection. The real-time collaboration in iWork requires server-side mediation to coordinate document changes, so Apple has to maintain those keys. Since Shared Albums can be publicly shared on the Web, Apple also has to manage keys for that data.

This may stop a lot of users from turning ADP on, I suspect – presuming this includes the new iCloud Shared Photo Library feature. Although if all your other iCloud Photos outside of the shared albums are still e2e encrypted, that may mitigate the issue somewhat. :person_shrugging:

It’s still encrypted - but Apple has a key to decipher it. That’s the way all of iCloud works now, and will unless you turn on ADP for your account.

Having not turned on ADP yet, I don’t know if Apple warns you when you share a folder/file that the recipient doesn’t have ADP or not.

This is a reference quote about iWork documents not supporting ADP. I didn’t read the article as saying that you can’t use ADP if you want to do iWork file collaboration – I read it as those particular files will not have ADP turned on and that Apple will have keys to decipher them.


@ddmiller is spot on. If you share something with someone not using Advanced Data Protection, the system falls back to Apple’s standard data protection, where everything is encrypted in transit and at rest, but Apple manages the keys.

And neither iWork collaboration nor iCloud Shared Photo Library Shared Albums can use Advanced Data Protection at all because of how they must interact with servers and the outside world. Again, they have encryption going on all the time; it’s just that Apple controls the keys.

In my mind, there are only two reasons not to turn on Advanced Data Protection once it becomes available:

  • You have old devices that can’t upgrade to the necessary version of OS and that you still need connected to your iCloud account.

  • You’re uncertain of your ability to remember/record/access your login information such that you want Apple to be able to perform account recovery for you if you get locked out.

The iCloud data security overview explicitly states iCloud Shared Photo Library supports Advanced Data Protection if all users have opted in. Did you mean to say Shared Albums?

I would say the other reason not to turn it on is if you access iCloud through the web client frequently. (I’m hoping calendars, email and contacts will be accessible without extra authentication since those are not E2E encrypted, but Apple has not said that will be how it works).

Yep, brain short circuit. Fixed.

And yes, if you use the iCloud.com Web clients a lot, that’s going to be much more annoying with Advanced Data Protection turned on. I don’t know how common that would be.


I do have a few Macs that are stuck on pre-Ventura OSes and for which I don’t necessarily need iCloud connectivity (except for Music, which does, in fact, work fine when you disconnect from iCloud.) So I’m getting myself ready for this going forward to see if I can run those Macs disconnected from iCloud but still have them be useful so I can turn on ADP.

Two of them are Mac Minis that I use basically as iTunes/Music media servers, one of which stores the canonical version of all of our ripped CDs, plus, of course, purchased iTunes tracks and now some tracks from Apple Music. One of them also runs SpamSieve as a spam filtering drone for all of the email accounts we have that don’t have strong server-based spam filtering. (Wonderful product and solution.) For these, I don’t need access to contacts, calendars, iCloud Drive, Notes, Reminders, etc. – I just need the ability to connect to the iTunes Store and to my Apple Music account, plus the email accounts in the Mail app. And, yes, I can do that (this I’ve already been doing on one of the Mac Minis.) I’ve also been using one of the Mac Minis to connect to iCloud Photos and be the source of offsite backup and Time Machine backup, but that I can no longer do after disconnecting from iCloud – for that I have transferred that function to an iMac that can run Ventura, and I will use that computer for this.

My bigger issue is my old 2015 MacBook Air, which I have kept as a backup to my 2022 MBA, and that I also use during the summer when I am at my main home while we have moved up to the summer house with the 2022 MBA. (Yes, I know, first world problems.) The 2015 is stuck at Monterey.

I’m not all that worried about losing access to Messages and FaceTime on the old MBA – I don’t like using Messages on the Mac anyway, and almost all of my FT is from my iPad or iPhone. Reminders – I use this a little, but I’m ok with having them only on my phone and iPad. I really don’t need them on my Mac. Notes – this one is tougher. Notes I use mostly as a list of things that I want to read later, but it’s also a convenient way to transfer info between computers. For right now, I am trying out the app Agenda as a Notes replacement for that, and the Notes app itself I’ll use just for ephemeral content (such as scanning documents using the iPhone camera) and for private info that I lock with passcode / Face ID / Touch ID.

Also, the iMac I mentioned before is at home, so I can really just use that. The main issue is going to be if the 2022 MBA fails and I need to use the 2015 as a backup until I get it repaired/replaced. (For that actually I think I would just disable ADP temporarily and reconnect to iCloud.)

So to get ready for this, I’ve moved almost all iCloud Drive content to my Sync dot com syncing service (a service similar to Dropbox, but a bit less expensive and with a nicer MacOS app).

As for this:

As I have said, Mail is fine. Calendars I have solved by sharing my calendars to another iCloud account that I will not be turning ADP on and then adding the other iCloud account to Calendars; I can now get calendars on the 2015 MBA.

Contacts: that’s tougher. There seems to be no way to share contacts with another account as you can calendars, Apple doesn’t have shared family account contacts, and I can’t find a way to access an iCloud account from within Contacts unless you are officially connected to it. And my Apple ID is not an iCloud account, so I can just connect to iCloud as a secondary account and sync contacts (unless I have missed something.) But, the truth is, I don’t think that I need this. If I ever need an email address from anywhere, I can just share the actual address in an Agenda note (or email it to myself) and manually add the contact to the 2015 MBA. (I had thought about using my fastmail account as my main contacts repository, but connecting fastmail contacts to iOS seems to be a bit of a pain, requiring either a profile, which I’d rather not do, or a non-SSL carddav server. I could use my old gmail account for contacts, but I’d rather not. I’ll just manually export them and maintain them manually, as listed above.)

Agenda: the first wrench in this plan was that Agenda uses iCloud by default to sync. However, it does support syncing via Dropbox, so I’m trying that out. I had to do some manual editing to some notes that wouldn’t sync (just changing their name forced a sync, then I renamed them back).

One last thing that I’ll need to do is go up to the summer house and upgrade the Apple TV there to tvOS 16.2. After that I should be able to try out ADP.

Unless you are 100% on 16.2 and 13.1, this isn’t easy.


I have and use several older Macs stuck as far back as Catalina. But I don’t think I’ll truly be needing iCloud services on those systems. I’ll definitely be trying out ADP as soon as a few days go by without hearing about anything dramatic with these updates.

IMHO the writing is on the wall for local iOS backup to Mac. Looks like Apple has finally successfully bullied me into submission with their most recent shenanigans. If ADP works well and holds its promises, I will be moving to iOS iCloud backup (considering the base 5GB iCloud will suffice for my humble iPhone backup needs). I need only backup so I’ll probably be just fine, but I’m afraid the iMazing crowd is effed.


I agree that the free storage tier should provide enough storage to hold the data for the tasks that Apple forces you to use iCloud for (and a bit more to encourage users to try out other products.) That said, the upgrade to 10x the free amount (50 GB) is only $1 (USA)/month ($12/year). That should provide more than enough storage to handle backups from a few oodles of mobile Apple devices. What’s more, it also gives you access to Apple Private Relay and the ‘Hide My Email’ feature, allowing you to quickly create email aliases for anticipated junk.


I wouldn’t dispute that, but, frankly, I will certainly not reward their bullshit bullying tactics with even more revenue. I fork them over more than enough money for hardware every single year already. I have zero interest in most of their “services”. Half is of little to no value to me, the other is crap. Of course, as always, YMMV.


Haha, I’m kinda the other way… I already store most docs in iCloud Drive, and would like even higher storage plan maximums than Apple currently offers. But I get your point. ;-)

Pardon the slightly OT: if you do not include iMessage in iCloud (say because you only use your one single iPhone for iMessage), does it still get backed up to iCloud such that a new iPhone will pick up all old message threads? Or is that exactly why even with just a single iOS device you’d want iMessage sync turned on with iCloud?

If you have messages in iCloud turned off, the messages get backed up to iCloud, yes. If you have iCloud for messages turned on, it doesn’t duplicate the storage by also backing them up.
