Advanced Data Protection for iCloud



Cloud storage has become very popular nowadays, with personal emails, family photos and other documents stored in the cloud. It makes sense to ask the almost obvious question: are we in full control of our own data? In recent years there were quite a few serious data breaches affecting millions of people across many platforms, exposing personal photos, messages and documents and even attracting the FBI's attention. In cases where the data was stored on iCloud, Apple denied that the hack was caused by a security flaw in iCloud and said that the leaks were the result of phishing.

End-to-End Encryption (E2EE)

Wikipedia explains that E2EE ensures that only the communicating parties can participate in and read their own messages. No one else, including the IT system provider, telecom providers, Internet providers or malicious actors, can access the cryptographic keys needed to read or send messages across the communication channel. The lack of end-to-end encryption has its own merits: users can perform text search more easily and service providers are able to scan data for illegal or unacceptable content. However, this also means that the content can be read by anyone who gets access to the stored data, whether directly through the provided tools or via a backdoor.

Two-Factor Authentication (2FA)

The 2FA security procedure requires two forms of user verification before granting access to the encrypted data. Typically this means a password plus a one-time code sent to a trusted device or generated by an app. The method helps to prevent unauthorized access even if a malicious party obtains the user's password. End-to-end encryption ensures that only authorized parties can view the data during transmission or storage, and 2FA strengthens the authentication process, ensuring that only the rightful user can decrypt and access the encrypted sensitive information. Together, the two technologies create a robust framework for privacy and security.
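The one-time code half of 2FA, as an added example that is not Apple's code: Apple delivers its codes to trusted devices, while this shows the authenticator-app variant, TOTP (RFC 6238). The code is derived from a shared secret and the current 30-second time step, and the server-side verifier tolerates one step of clock drift but never accepts a step twice, so a code that has already been used cannot be reused. The class and function names are the example's own; the secret used to exercise it is the RFC 6238 test secret.

```python
"""TOTP one-time codes (RFC 6238) with a verifier that tolerates clock drift and
refuses replays. Added example, not Apple's code: Apple delivers its 2FA codes to
trusted devices; this is the authenticator-app variant built on the same idea."""
import hashlib
import hmac
import time
from typing import Optional

STEP_SECONDS = 30  # RFC 6238 default time step
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None) -> str:
    """Code for the 30-second step containing Unix time `at` (default: now)."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // STEP_SECONDS)


class TotpVerifier:
    """Server-side check. Accepts the current step and `window` steps either side
    to absorb clock drift, and never accepts a step at or before the last one it
    accepted, so an already-used code cannot be replayed."""

    def __init__(self, secret: bytes, window: int = 1) -> None:
        self.secret = secret
        self.window = window
        self.last_used_step = -1

    def verify(self, code: str, at: Optional[int] = None) -> bool:
        if at is None:
            at = int(time.time())
        step = at // STEP_SECONDS
        for candidate in range(step - self.window, step + self.window + 1):
            if candidate <= self.last_used_step:
                continue                          # consumed or superseded
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_used_step = candidate
                return True
        return False
```

With the RFC 6238 test secret `b"12345678901234567890"`, `totp(secret, at=59)` gives `287082` and `totp(secret, at=1111111109)` gives `081804`; a verifier accepts each code once within its window and rejects the same code on a second attempt.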

Best of ADP

Apple introduced two-factor authentication for Apple ID in 2015. To strengthen its encryption service, the company officially introduced Advanced Data Protection in December 2022, which enhanced iCloud security by offering end-to-end encryption for more data categories. The key features announced were:

  • Expanded Encryption: with ADP enabled the number of iCloud data categories protected by end-to-end encryption increased from 14 to 23. This includes iCloud Backup, Photos, Notes, and more.

  • User-Controlled Encryption Keys: only trusted devices retain the encryption keys, making sure that even Apple cannot access the data.

  • Enhanced Security for Sensitive Data: protects against potential data breaches in the cloud.

  • Recovery Options: users must set up recovery methods such as a trusted recovery contact or a 28-digit recovery key in order to regain access.

The biggest change introduced with ADP is how encryption keys are managed. In standard iCloud, Apple manages the encryption keys and therefore the company is able to recover any account locked by a password. With ADP enabled, users rely on security keys stored on their chosen trusted devices in the two-factor authentication procedure. However, the responsibility to manage those keys also shifts to the end user, and Apple is no longer able to recover locked accounts or access the data stored on iCloud. The only major iCloud data categories not covered by ADP are iCloud Mail, Contacts and Calendar, because of the need to interoperate with the global email, contacts and calendar systems.
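A toy model of the key-custody difference described above and in the E2EE section, added here as an illustration; it is not Apple's code and does not describe Apple's real implementation. The standard store keeps a provider-managed key, so the server can read the data and hand it back after a reset. The ADP store keeps the data key only on the device and escrows a copy wrapped under a constructed 28-digit recovery code, so the server holds nothing but ciphertext, and a lost device without that code means permanent loss. The class and method names are the example's own, and the cipher is a standard-library-only toy (HMAC-SHA256 keystream with an HMAC tag), chosen so the example runs without extra packages.

```python
"""Toy model of who can decrypt cloud data: provider-managed keys (standard iCloud)
versus user-managed keys plus a recovery code (ADP). Added example, not Apple's
code. The cipher is an HMAC-SHA256 counter-mode keystream with an HMAC tag, used
only because it needs nothing beyond the standard library; the point is who holds
the key, not the cipher."""
import hashlib
import hmac
import os


def derive_key(secret: str, salt: bytes) -> bytes:
    """Turn a password or recovery code into a 32-byte key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Check the tag, then decrypt; a wrong key raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class CloudStore:
    """Server side: ciphertext blobs plus whatever keys the provider keeps."""

    def __init__(self) -> None:
        self.server_keys: list = []       # keys the provider itself holds
        self.server_blobs: dict = {}

    def provider_read(self, name: str):
        """What the provider, or anyone with access to its servers, can recover:
        try every key the server holds; None if none of them opens the blob."""
        for key in self.server_keys:
            try:
                return decrypt(key, self.server_blobs[name])
            except ValueError:
                continue
        return None


class StandardStore(CloudStore):
    """Standard iCloud model: the provider manages the data key, so it can decrypt
    and can hand the data back after an account reset."""

    def __init__(self) -> None:
        super().__init__()
        self.server_keys.append(os.urandom(32))

    def upload(self, name: str, plaintext: bytes) -> None:
        self.server_blobs[name] = encrypt(self.server_keys[0], plaintext)


class ADPStore(CloudStore):
    """ADP model: the data key exists only on the trusted device. The server keeps
    ciphertext plus the data key wrapped under the 28-digit recovery code, so it
    never holds anything that opens the blobs by itself."""

    def __init__(self, recovery_code: str) -> None:
        super().__init__()
        self.device_key = os.urandom(32)                   # trusted device only
        self.salt = os.urandom(16)
        kek = derive_key(recovery_code, self.salt)         # derived on the device
        self.wrapped_key = encrypt(kek, self.device_key)   # escrowed as ciphertext

    def upload(self, name: str, plaintext: bytes) -> None:
        self.server_blobs[name] = encrypt(self.device_key, plaintext)

    def device_read(self, name: str) -> bytes:
        if self.device_key is None:
            raise LookupError("no trusted device holds the key")
        return decrypt(self.device_key, self.server_blobs[name])

    def lose_device(self) -> None:
        """Simulate losing every trusted device: the key is gone with it."""
        self.device_key = None

    def recover(self, recovery_code: str, name: str) -> bytes:
        """Unwrap the data key with the recovery code; a wrong code raises ValueError."""
        data_key = decrypt(derive_key(recovery_code, self.salt), self.wrapped_key)
        return decrypt(data_key, self.server_blobs[name])
```

Uploading a constructed sample photo to both stores shows the difference: `StandardStore().provider_read(...)` returns the plaintext, while `ADPStore(...).provider_read(...)` returns `None` because the server key list is empty. After `lose_device()`, only `recover()` with the exact 28-digit code gets the data back; a wrong code fails the tag check, which is the "permanent data loss" scenario from the closing section.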

Media Reviews

Most of the comments in the media were positive. CNET wrote that “Apple's highest level of security can ensure that only you have access to your data, but you'll want to keep a few safeguards in mind”. Wired was reassuring: “So, do you need ADP? If you want the most complete level of security and privacy possible, then yes”. NYT noted that “A couple of years ago, Reuters reported that Apple had dropped a plan to encrypt backups after the FBI complained about it. But now that the feature is here, everyone should turn it on”.

Clearly, security and encryption are quite a regulated area, and therefore Apple’s ADP does not operate in all countries. Surprisingly, it was switched off in the UK. PCMag wrote that “A secret UK order demanding that Apple backdoor its iCloud encryption appears to have prompted the company to pull Advanced Data Protection in the region”. CNN commented that “There are third-party cloud storage options that offer end-to-end encryption, like NordLocker and Proton Drive. But ... consumers are less likely to use them because they’d have to go through extra steps”.

What Does It Mean for You?

Advanced Data Protection is an advanced data security service for Apple users, extending powerful end-to-end encryption to most iCloud data. The major benefits it provides are enhanced privacy and security against data breaches, privacy from all parties (including Apple) and complete control over one's digital information.

However, these benefits come with one important responsibility: key management. Lost keys without backup options can lead to permanent data loss, a consequence that should not be taken lightly!


Thanks for reading Gadgets for Home & Work!

March 24, 2025