Apple expands End-to-End Encryption for iCloud with Advanced Data Protection
If you go back to the nascent days of the World Wide Web, securing data was a secondary concern. It was not just that the protocols had not yet been established, but also that there was not a lot of information that needed to be protected. The standard for Transport Layer Security, TLS 1.0, would not be defined until January of 1999.
Secure communications had occurred prior to 1999, with the Secure Sockets Layer (SSL) protocol defined by Netscape and included in its Netscape Navigator browser. SSL 3.0, the precursor to TLS 1.0, was defined by Netscape in 1996. This protocol was adopted by Microsoft’s Internet Explorer, and support for SSL was added to Apache in April of 1998.
As you might expect, the primary driver for adding security to a site was commerce. Even though the ability to secure sites has been around for nearly 25 years, it is only recently that more sites are secured by certificates than are not.
Beyond commerce, there is information that is worth securing even when it does not strictly need to be, simply because it is a good idea. And while some data does not need to be secured, some data absolutely should be, such as health data, passwords and keychain items, and Wi-Fi passwords.
Yesterday Apple announced that additional iCloud data would become eligible for end-to-end encryption. This brings the total to 23 of the 26 different types of iCloud data that can be encrypted. Encrypting these additional types of data end-to-end is made possible by a new feature called “Advanced Data Protection”. Before we delve into the new services, let us look at the existing end-to-end encrypted services.
Current End-to-End Encrypted iCloud Services
When data is “end-to-end” encrypted, it means that only devices trusted by the user, that is, devices signed into the user’s iCloud account, hold the keys. There are currently fourteen types of data that are end-to-end encrypted:
- Passwords and Keychain
- Health Data
- Home Data
- Messages in iCloud
- Payment Information
- Apple Card Transactions
- Maps
- QuickType keyboard learned vocabulary
- Safari
- Screen Time
- Siri information
- Wi-Fi passwords
- W1 and H1 Bluetooth keys
- Memoji
These items are already end-to-end encrypted and the keys are kept on your trusted devices.
New End-to-End Encrypted Data
As mentioned above, if you enable Advanced Data Protection, 23 types of data will be end-to-end encrypted. Fourteen already are, so there are nine new types of data that will be end-to-end encrypted:
- iCloud Backup (Device and Messages)
- iCloud Drive
- Photos
- Notes
- Reminders
- Safari Bookmarks
- Siri Shortcuts
- Voice memos
- Wallet passes
Without Advanced Data Protection enabled, Apple holds the keys necessary to decrypt any of these nine types of data. This is how every account is configured until Advanced Data Protection is enabled.
Data Categories that Cannot be Encrypted
There are three different types of data that cannot be end-to-end encrypted. These types of data are:
- iCloud Mail
- Contacts
- Calendars
The reason these three types of data cannot be end-to-end encrypted is that they need to interoperate with external services that are not end-to-end encrypted. Next, let us look at enabling Advanced Data Protection.
Advanced Data Protection
Advanced Data Protection is an optional feature that you can enable on your iCloud account. It requires iOS 16.2, iPadOS 16.2, and macOS 13.1 across all of your devices. You can begin setup on any of your devices, but if you have older devices on your account, you may not be able to enable it. Here is an example of what that might look like:
To enable this feature perform these steps:
- Open Settings or System Settings.
- Tap, or click, on your iCloud account at the top of the list.
- Tap, or click, on “iCloud” to show iCloud items.
- Tap, or click, on “Advanced Data Protection”.
- Tap, or click, on “Turn On”.
When you turn on Advanced Data Protection you will get a popup with brief information explaining that you become responsible for your data. This is because your devices will hold the encryption keys, and Apple will not be able to help you recover the data if the devices are lost. To mitigate this, you will need to set up Account Recovery, which can take one of these forms:
- Recovery Contact
- Recovery Key
A Recovery Contact is someone you trust to help you recover your account should you lose access to it. A Recovery Key is a 28-character code that can be used to recover your data should you get locked out of your account. You will need to have at least one of them enabled; if neither is set up, you can lose ALL access to your account and data.
IMPORTANT NOTE: adding a Recovery Key will remove your ability to recover your account by other means. Yes, this is more secure, but you are being trusted with the key. If you lose the key, you cannot recover your account. This is a trade-off between security and convenience.
Before you can perform the setup, one of the two options will need to be enabled. For most users, setting up a Recovery Contact is preferred. You should only set up a Recovery Key if you are willing to accept the trade-off of possibly losing all access to your account.
Once you have a Recovery Contact and/or a Recovery Key configured you can proceed with turning on Advanced Data Protection.
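To make the key-custody difference concrete, here is a small model written for this post (it is not Apple's implementation and makes no claim about how iCloud actually stores keys). It covers two points made above: under standard protection the service itself holds a decryption key for the nine newly eligible data types, whereas under end-to-end encryption it holds only ciphertext plus copies of the data key wrapped by keys it does not possess (a trusted device key and a key derived from the 28-character Recovery Key); and the consequence of not configuring recovery, namely that losing the only device leaves the data unrecoverable. The cipher is a stdlib-only encrypt-then-MAC construction so the example runs offline; the recovery-key alphabet, salt and the `CloudService` API are assumptions of this model.

```python
import hashlib
import hmac
import secrets
import string

# Toy encrypt-then-MAC primitive built from the standard library so the
# example runs offline. A real system would use an AEAD (AES-GCM, ChaCha20-Poly1305).
_NONCE_LEN, _TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(_NONCE_LEN)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:_NONCE_LEN], blob[_NONCE_LEN:-_TAG_LEN], blob[-_TAG_LEN:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))


def generate_recovery_key() -> str:
    # 28 characters as the post states; the alphabet is an assumption of this model.
    alphabet = string.ascii_uppercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(28))


def key_from_recovery_key(recovery_key: str) -> bytes:
    # Stretch the human-readable code into a 256-bit key-encryption key (toy salt).
    return hashlib.pbkdf2_hmac("sha256", recovery_key.encode(), b"toy-salt", 50_000)


class CloudService:
    """Hypothetical storage service. Under standard protection it keeps the data
    key itself; under the end-to-end model it keeps only wrapped copies of the
    data key that it cannot unwrap."""

    def __init__(self):
        self.blobs = {}      # name -> encrypted data
        self.wrapped = {}    # name -> wrapped data keys (end-to-end model)
        self.held_keys = {}  # name -> plaintext data key (standard protection only)

    def store_standard(self, name: str, data: bytes) -> None:
        dek = secrets.token_bytes(32)
        self.blobs[name] = toy_encrypt(dek, data)
        self.held_keys[name] = dek  # the service can decrypt on its own

    def store_e2ee(self, name: str, data: bytes, wrapping_keys: list) -> None:
        dek = secrets.token_bytes(32)
        self.blobs[name] = toy_encrypt(dek, data)
        # one wrapped copy per trusted device key or recovery-derived key
        self.wrapped[name] = [toy_encrypt(k, dek) for k in wrapping_keys]

    def service_can_read(self, name: str) -> bool:
        if name not in self.held_keys:
            return False
        toy_decrypt(self.held_keys[name], self.blobs[name])
        return True

    def read_with_key(self, name: str, wrapping_key: bytes) -> bytes:
        # A device or recovery key tries each wrapped copy until one unwraps.
        for w in self.wrapped.get(name, []):
            try:
                dek = toy_decrypt(wrapping_key, w)
            except ValueError:
                continue
            return toy_decrypt(dek, self.blobs[name])
        raise ValueError("no usable key: data is unrecoverable")


def run_scenario() -> dict:
    svc = CloudService()
    photo = b"constructed sample photo bytes"
    svc.store_standard("photo-standard", photo)
    device_key = secrets.token_bytes(32)
    recovery_key = generate_recovery_key()
    recovery_kek = key_from_recovery_key(recovery_key)
    svc.store_e2ee("photo-adp", photo, [device_key, recovery_kek])
    svc.store_e2ee("photo-no-recovery", photo, [device_key])  # no recovery configured
    # The only device is lost, so only the recovery key remains to try.
    try:
        svc.read_with_key("photo-no-recovery", recovery_kek)
        lost_device_outcome = "recovered"
    except ValueError:
        lost_device_outcome = "lost"
    return {
        "standard_service_can_read": svc.service_can_read("photo-standard"),
        "adp_service_can_read": svc.service_can_read("photo-adp"),
        "adp_device_reads": svc.read_with_key("photo-adp", device_key) == photo,
        "adp_recovery_key_reads": svc.read_with_key("photo-adp", recovery_kek) == photo,
        "no_recovery_after_device_loss": lost_device_outcome,
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The `store_e2ee` path is the part worth studying: the service never sees `dek`, so a compromise of its stores yields ciphertext and wrapped keys only, and every additional wrapping key (a second device, a Recovery Key) is another independent way back into the data. The `photo-no-recovery` case is the failure mode the post warns about: with a single device and no recovery option, there is nothing left that can unwrap the data key.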
Operating System Versions
It was mentioned above, but it needs to be reiterated: ALL of your devices need to be on iOS 16.2, iPadOS 16.2, and macOS Ventura, as well as the latest version of iCloud for Windows, in order to set this up. If you have any devices that are not on these versions or later, you will not be able to configure Advanced Data Protection. This is required in order to fully protect your data.
Closing Thoughts
It has long been speculated that Apple would enable end-to-end encryption for more items, and they are now making it possible with Advanced Data Protection. Advanced Data Protection will be available in the United States with iOS 16.2, iPadOS 16.2, and macOS Ventura 13.1. It will be available in other areas of the world in 2023.
It is very important, if you have a single device, that you set up a Recovery Key and/or a Recovery Contact BEFORE you enable Advanced Data Protection, because if you lose access to your account and device you will lose access to ALL of your data.
Source: Apple Newsroom
Additional Info: iCloud data security overview