The lack of full end-to-end encrypted cloud backups has been a problem for Apple devices, leaving only local iTunes and Mac backups for people concerned about their security. That’s finally changing.
Apple announced a few upcoming security features today, including “Advanced Data Protection for iCloud.” The new functionality makes it possible to store most of your iCloud data in the cloud with end-to-end encryption, including device backups, Messages, iCloud Drive, Notes, Photos, Reminders, Safari bookmarks, Siri shortcuts, Voice Memos, and Wallet Passes. Some data, like Health information and passwords in Keychain, is already end-to-end encrypted. When data is end-to-end encrypted, no one besides you can access it, including governments and Apple.
The main exceptions to full encryption right now are iCloud Mail, Contacts, and Calendar. Apple says this is due to “the need to interoperate with the global email, contacts, and calendar systems.” Many people use iCloud Mail with third-party mail clients, which would need additional software or keys to continue functioning. If you’re concerned about that, Proton is the most popular alternative.
The option for encrypted Messages backups shouldn’t be confused with full end-to-end encrypted messaging, like you get with Signal. Apple will securely back up your copies of messages and conversations, but since Advanced Data Protection is optional, most of the people you talk to probably won’t have it enabled. If Apple had a security breach, or couldn’t refuse a government order for user data (under the PRISM program, for example), there would still be an unencrypted copy of a given conversation from the other participants.
Advanced Data Protection isn’t automatically rolled out to anyone — you’ll have to turn it on yourself when it becomes available (before the end of the year in the United States). End-to-end encryption requires generating a local key, and if you lose your key, Apple can’t help you get your data back.
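The key-loss trade-off described above comes straight from the design: under end-to-end encryption the provider stores only ciphertext, so the same property that stops Apple or a government from reading a backup also stops Apple from restoring it for a user who has lost their key. The following Go program is an added illustration of that model, not Apple's code or a description of iCloud's actual protocol; the names `EncryptBackup`, `DecryptBackup` and `ProviderCanRecover`, the AES-GCM construction, and the sample payload are all assumptions made here for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Backup is the only thing the provider stores in the end-to-end model:
// a random nonce and AES-GCM ciphertext. Without the key it is opaque.
type Backup struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewDeviceKey generates a 256-bit key on the device. Under end-to-end
// encryption this key never reaches the provider (illustrative model).
func NewDeviceKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptBackup seals the backup payload on the device before upload.
func EncryptBackup(key, plaintext []byte) (Backup, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Backup{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Backup{}, err
	}
	return Backup{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// DecryptBackup restores the payload. Any key other than the original
// (including no key at all) fails authentication instead of returning garbage.
func DecryptBackup(key []byte, b Backup) ([]byte, error) {
	if len(key) == 0 {
		return nil, errors.New("no key available: data is unrecoverable")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, b.Nonce, b.Ciphertext, nil)
}

// ProviderCanRecover models the two modes. With a standard (escrowed) key the
// provider can restore the backup for you, and could equally be compelled to
// hand it over. With escrowKey == nil, as in the end-to-end model, it cannot.
func ProviderCanRecover(escrowKey []byte, b Backup) bool {
	_, err := DecryptBackup(escrowKey, b)
	return err == nil
}

func main() {
	// Constructed sample payload standing in for a device backup.
	payload := []byte("constructed sample backup: notes, photos index, messages")
	deviceKey, _ := NewDeviceKey()
	b, _ := EncryptBackup(deviceKey, payload)

	fmt.Println("standard protection, provider holds escrow copy:", ProviderCanRecover(deviceKey, b))
	fmt.Println("end-to-end protection, provider holds no key:", ProviderCanRecover(nil, b))

	// The user loses the device key and has no recovery key: nothing the
	// provider stores can bring the data back.
	lost := make([]byte, 32) // wrong key, e.g. a wiped keystore
	_, err := DecryptBackup(lost, b)
	fmt.Println("user lost key, decrypt error:", err)
	restored, _ := DecryptBackup(deviceKey, b)
	fmt.Println("user still has key, restored:", bytes.Equal(restored, payload))
}
```

The practical consequence for a defender is the one the article states: turning the option on moves the recovery burden from the provider to the user, so keeping the recovery key somewhere durable and offline is part of enabling it, not an afterthought.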
It’s unfortunate that the highest level of security won’t be rolled out to everyone, but the reason is understandable: not everyone can or wants to keep up with a separate key for unlocking their data. At least it will be an option soon enough.