Apple advanced data protection: A game-changer for privacy?

Privacy is the foundation of all other freedoms. Without privacy, there can be no freedom of speech, no freedom of association, and no freedom of thought.

On January 18, 2023, Apple, with iOS 16.3, expanded the global availability of its new feature: Advanced data protection for iCloud.

Advanced data protection is a pretty big deal when it comes to bringing privacy to the masses by protecting your most important data from unauthorized access, and I have to admit, it even surprised me coming from a tech giant.

By flipping one switch on your Apple devices, you can enable end-to-end encryption (what is end-to-end encryption? More on that later) for almost all of your iCloud data: files, photos, notes, maps, bookmarks, and more.

Even better, iCloud Shared Photo Library, iCloud Drive shared folders, and shared Notes are also end-to-end encrypted when all the participants have advanced data protection enabled.

As we can see in the documentation, contacts and calendars, which are pretty sensitive pieces of data, are not end-to-end encrypted with advanced data protection due to some compatibility reasons.

End-to-end encryption

End-to-end encryption (E2EE) is a method of secure communication and storage that ensures the privacy of data shared between two parties. It's a set of techniques and protocols that application makers and service providers can (and should, in my opinion) implement to prevent unauthorized access to their users' data.


Who want to access users data?

First, there are the hackers. Personal data is valuable for scammers and is used for financial fraud and extortion. A recent example is the leak of the personal data of 400 million people from Twitter's servers. Furthermore, some disturbed individuals hack cloud accounts of women and celebrities in order to find explicit pictures, such as in 2014 with the hack of the iCloud accounts of hundreds of celebrities.

But criminals are not the only threat to unencrypted cloud services: in 2019, two Twitter employees were charged with spying for Saudi Arabia.

Indeed, whether it be by spying or more traditional methods such as warrants, governments across the world have recently become addicted to easy access to the private data of their citizens and persons of interest. With end-to-end encryption, government agencies have to physically access your devices to get the data, which is closer to the spirit of a free world.

Finally, an advantage of end-to-end encryption less discussed is the protection against automated systems scanning your data. When you use a traditional cloud service such as Google Drive and Google Photos, the data you upload is constantly scanned for "malicious content" (whatever that means, viruses, pirated movies, and music...) and an "AI" may flag your account and permanently block your access to your data. It recently happened to a father who sent a picture of his son to his doctor for examination. By taking the picture with his Android phone, it was immediately uploaded to Google Photos' servers and scanned by its "content safety" system, which marked it as child abuse, sent an alert to the police (who investigated and cleared the father, of course), and blocked his account. Even after breaking the news, Google refused to reinstate the account, and the father lost access not only to his files stored in the cloud but also to all his emails and contacts.

Is it normal for a huge company to scrutinize my private pictures and expel me from my entire digital life when all I wanted to do is preserve memories of my young cousin's childhood? Nope, and this kind of stalking is really creepy.

Want to learn more about how end-to-end encryption works under the hood? Get my book Black Hat Rust where we build our own end-to-end encrypted protocol to secure the communication of a Remote Access Tool in Rust.


Advanced data protection for iCloud is not perfect.

First, if you lose or break all your Apple devices at the same time and lose access to the security key you should have noted and securely stored when setting up advanced data protection, you will lose access to all your data. I consider this a pretty minor risk, as the odds of it happening are quite low, and it can always be neutralized by having an encrypted backup of your data on an external disk.

Second, is Apple's growing passion for tracking in order to show ads. As the king of consumer hardware, Apple now needs to expand its revenues by selling services to satisfy insatiable financial markets. What are the most profitable companies of today selling? Ads. And so, Apple wants its piece of the cake. The consequences are an increase in the trackers present on your Apple devices themselves. And as we saw a few months ago, it was far from perfect.

Finally, and even more worryingly, is the technology developed by the same company: local-content scanning. Apple's devices can scan your private data on your own device (not on their iCloud servers) for "unsafe content". As we saw previously with Google, these technologies are not reliable and cause more problems than they solve.

While Apple stated that they would not deploy this technology on their devices following the universal backlash after their initial announcement, we all know that companies have short memories and that governments across the world, now knowing that such technology exists, may want to force it into our devices so they can report all our private information, such as with the EU's chat control.

Some closing thoughts

Honestly, I still can't believe how huge this is. Simply by clicking a button, anyone can now end-to-end encrypt their data without any kind of arcane knowledge and protect their data against a long list of threats, which is incredible!

With Advanced Data protection for iCloud and Lockdown mode, Apple is really pushing the status quo on personal digital security. While I'm usually pretty skeptic when it comes to announces like that. This one is a big deal.

Don't wait, flip the switch and enable advanced data protection on your iCloud account today, for you and all your family (follow the official guide).

Just make sure to securely note and store the recovery key of everyone displayed during the setup.

Want to learn more about how to implement end-to-end encryption in practice? Get my book Black Hat Rust where we build our own end-to-end encrypted protocol to secure the communication of a Remote Access Tool in Rust.

1 email / week to learn how to (ab)use technology for fun & profit: Programming, Hacking & Entrepreneurship.
I hate spam even more than you do. I'll never share your email, and you can unsubscribe at any time.

Tags: hacking, security, cryptography, privacy, apple

Want to learn Rust, Cryptography and Security? Get my book Black Hat Rust!