Apple is bringing end-to-end encryption to iCloud backups. Here's what it means

Apple adds to the types of data protected by end-to-end encryption. Not everyone is happy about it.
Written by Liam Tung, Contributing Writer
iPhone 14 Pro on a table
Image: June Wan/ZDNET

Apple has unveiled plans to let users choose to encrypt their iCloud backups in a move that will thwart hackers – and also put limits on law enforcement requests for user data.   

The new feature, known as Advanced Data Protection for iCloud, will allow users to encrypt data on Apple's servers and thus prevent Apple itself from accessing a user's content. The new content types that support end-to-end encryption (E2EE) include iCloud backups, Notes, and Photos. 

This approach extends the 14 data categories that by default are protected by E2EE, such as iCloud Keychain, Health data, Messages in iCloud, Maps, and Safari history. Now, with the new approach, the categories have expanded to 23

As Apple notes, with Advanced Data Protection, only a user's trusted devices have access to those categories of data. It will protect user content even in the event attackers compromise iCloud servers.

Also: This mind-blowing iPhone headset gave me a glimpse of Apple's AR future

Advanced Data Protection for iCloud will be available to US users by the end of the year. It will start rolling out to the rest of the world in early 2023. The option will be available in the soon-to-be released iOS 16.2, iPadOS 16.2, and macOS 13.1.

"Apple makes the most secure mobile devices on the market. And now, we are building on that powerful foundation," Ivan Krstić, Apple's head of security engineering and architecture, said in an announcement.

"Advanced Data Protection is Apple's highest level of cloud data security, giving users the choice to protect the vast majority of their most sensitive iCloud data with end-to-end encryption so that it can only be decrypted on their trusted devices."

Digital rights group Electronic Frontiers Foundation (EFF) welcomed E2EE iCloud backups – something it's long campaigned for. Apple chief Tim Cook previously explained Apple hadn't encrypted iCloud backups because users sometimes lose their private key and then seek help from Apple to regain access to their data.

"Encryption is one of the most important tools we have for maintaining privacy and security online," said EFF's Joe Mullin. "Apple's on-device encryption is strong, but some especially sensitive iCloud data, such as photos and backups, has continued to be vulnerable to government demands and hackers."

Also: Ransomware: Why it's still a big threat, and where the gangs are going next

Categories that remain not protected by E2EE include iCloud Mail, Contacts, and Calendar because of the need to interoperate with global email, contacts, and calendar systems, according to Apple. 

"For users who opt in, Advanced Data Protection keeps most iCloud data protected even in the case of a data breach in the cloud," Apple said.

Not everyone is happy, though. According to The Washington Post, the FBI has said it is "deeply concerned" with the threat end-to-end and user-only-access encryption poses, saying that it hinders the agency's ability to protect against criminal acts. Many governments and law enforcement agencies are worried that the increasing use of end-to-end encryption will make it harder for them to gain access to information. 

For security conscious individuals and at-risk public personalities, Apple is also introducing support for third-party hardware security keys with two-factor authentication for Apple ID. The security key becomes one of two factors and is required to access the account, and does prevent phishing attacks that compromise the second factor. 

Another security enhancement for public personalities and others who might be targeted by advanced attackers is iMessage Contact Key Verification. This feature lets users verify that they are only messaging with the people they intend. 

Once a user enables iMessage Contact Key Verification, they'll receive automatic alerts if an attacker succeeds in breaching Apple's servers, inserts their own device in there, and eavesdrops on encrypted communications. iMessage Contact Key Verification users can also compare a Contact Verification Code in person, on FaceTime, or through another secure call, according to Apple.

Editorial standards