Data is encrypted on your iPhone or iPad, and on your Mac if you’ve enabled FileVault. iCloud data is encrypted in transit to and from Apple’s servers and at rest on those servers, but Apple still holds the encryption keys for much of it, and can access some of your data when requested by law enforcement.
End-to-end encryption, however, removes any possibility of a third party accessing your data: you have the only keys to the data on your devices. Apple’s Advanced Data Protection for iCloud (ADP) enables this level of security, but there are some limitations to the way it works.
Let’s examine what Advanced Data Protection is, how to enable it, and whether you should turn this feature on.
Apple says that Advanced Data Protection gives users the “highest level of cloud data security, giving users the choice to protect the vast majority of their most sensitive iCloud data with end-to-end encryption so that it can only be decrypted on their trusted devices.”
Currently, not all iCloud services are protected by end-to-end encryption. This Apple support document lists the different data categories and the type of encryption they use. “In transit & on server” means that the data is potentially accessible to Apple employees or law enforcement. And, as Apple says, some classes of data cannot be end-to-end encrypted: “The only major iCloud data categories that are not covered are iCloud Mail, Contacts, and Calendar because of the need to interoperate with the global email, contacts, and calendar systems.”
Advanced Data Protection for iCloud enables end-to-end encryption for many additional Apple services. But depending on the sensitivity of each Apple service where you store data, you may find some of the additional protections more valuable than others.
For example, if you have private pictures stored in Photos, or if you keep passwords or other confidential information in Notes, on iCloud Drive, or in your iCloud Backup, you may not want Apple employees to be able to access them under any circumstances. You may also prefer for Apple employees to not be able to see which sites you’ve bookmarked in Safari, or to see your Wallet passes, which can reveal a lot about you.
But arguably one of the most significant changes is how Apple handles Messages in iCloud. Although iMessage may be used as a secure messaging platform, there have always been important caveats. Historically, if any sender or recipient of an iMessage has their Messages data backed up to iCloud — and they don’t have ADP enabled — then Apple employees can potentially access those iMessages. If all parties in an iMessage chat have ADP enabled, however, then (at least in theory) iMessage becomes a much more secure messaging platform. Unfortunately, there are no in-app indicators of whether recipients have disabled Messages backups to iCloud or have enabled ADP. But if you have personally confirmed that your conversation partners either use ADP or don’t back up their Messages to iCloud, then you can be more confident about the security of your communications.
To enable Advanced Data Protection, you must have:
In addition, every device you sign into with your Apple ID must be running a recent version of Apple’s operating systems: iOS 16.0 or later, iPadOS 16.2 or later, and macOS 13.1 or later. Other devices also access data from your iCloud account, so any Apple TV, Apple Watch, or HomePod must be running recent software as well, and, if you use iCloud for Windows, it must be version 14.1 or later.
This means that if you have an older device that can’t be upgraded, you either cannot use Advanced Data Protection, or you must create a separate Apple ID to use on that device.
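Because a single out-of-date device on the Apple ID blocks enablement, it is useful to check the whole inventory before trying to turn the setting on. The following script is an added example (not code from the article or from Intego) that audits a constructed device list against the minimum versions stated above. The device names, platform labels and version strings are made up for illustration; platforms for which the article gives no version number (Apple TV, Apple Watch, HomePod) are flagged for manual verification rather than guessed.

```python
from dataclasses import dataclass

# Minimum versions for Advanced Data Protection, as stated in the article.
# Apple TV, Apple Watch and HomePod only need "recent software", with no
# number given, so they are deliberately absent from this table.
MIN_VERSIONS = {
    "iOS": (16, 0),
    "iPadOS": (16, 2),
    "macOS": (13, 1),
    "iCloud for Windows": (14, 1),
}


@dataclass
class Device:
    name: str       # constructed label, e.g. "Old iPad"
    platform: str   # key into MIN_VERSIONS, or anything else for "verify manually"
    version: str    # version string as reported by the device


def parse_version(text: str) -> tuple:
    """Turn '16.0.3' into (16, 0, 3); non-digit suffixes such as '17.1b' are ignored."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def at_least(version: tuple, minimum: tuple) -> bool:
    """Compare version tuples of unequal length by zero-padding.

    Without padding Python would treat (16,) as lower than (16, 0), so a
    device reporting plain '16' would be wrongly flagged as too old.
    """
    width = max(len(version), len(minimum))
    padded_v = version + (0,) * (width - len(version))
    padded_m = minimum + (0,) * (width - len(minimum))
    return padded_v >= padded_m


def audit(devices: list) -> tuple:
    """Return (can_enable, report).

    can_enable is False if any device with a known minimum falls below it.
    report is a list of (device name, status) pairs for a human to read.
    """
    report = []
    blocking = False
    for dev in devices:
        minimum = MIN_VERSIONS.get(dev.platform)
        if minimum is None:
            # The article gives no number for this platform: don't guess.
            status = "verify manually"
        elif at_least(parse_version(dev.version), minimum):
            status = "ok"
        else:
            needed = ".".join(str(n) for n in minimum)
            status = "blocks ADP (needs %s or later)" % needed
            blocking = True
        report.append((dev.name, status))
    return (not blocking, report)


# Constructed sample inventory; none of these are real devices.
SAMPLE_DEVICES = [
    Device("Main iPhone", "iOS", "17.1"),
    Device("Old iPad", "iPadOS", "16.1"),
    Device("Work Mac", "macOS", "12.6.8"),
    Device("Home PC", "iCloud for Windows", "14.1"),
    Device("Watch", "watchOS", "10.0"),
]

if __name__ == "__main__":
    can_enable, report = audit(SAMPLE_DEVICES)
    for name, status in report:
        print("%-12s %s" % (name, status))
    print("Advanced Data Protection can be enabled:", can_enable)
```

Any device reported as blocking must either be updated or moved to a separate Apple ID, as the article notes; the "verify manually" rows are a reminder that the remaining device classes still have to be on current software even though no version number is given.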
As long as you’ve met the above requirements, enabling Advanced Data Protection simply requires toggling one setting. You can only do this on an iPhone, iPad, or Mac.
Go to Settings, tap or click your name, then tap or click iCloud. Scroll down to Advanced Data Protection and tap or click it. You’ll see a screen like this:
Your device will then tell you to review your recovery methods, and Advanced Data Protection will be enabled.
When you enable Advanced Data Protection, access to your data on the iCloud.com website is turned off to ensure that data is only accessible on your trusted devices. If you need to access this data on the Web, you can temporarily grant access via one of your trusted devices.
To do this, turn on Access iCloud Data on the Web; the setting is just below the Advanced Data Protection setting. A request is sent to your trusted devices, and, if you approve this, you can access your data on iCloud.com for one hour. Each time you access a new category of data — such as photos, notes, or files — you’ll need to approve that access from your trusted device.
For more on accessing data on the Web when Advanced Data Protection is enabled, see this Apple support document.
To turn Advanced Data Protection off, go to Settings > your name > iCloud, then scroll down and turn off Advanced Data Protection.
Advanced Data Protection offers the highest level of protection for your data, but with some limitations. There’s a real risk of permanently losing access to your data if you forget your Apple ID password, so you have to set up a recovery contact and a recovery key to minimize the possibility of losing access to your account. If you often use iCloud.com to access your data or the Web-based versions of Apple’s iWork apps (Pages, Numbers, and Keynote), then the requirement to regularly grant Web access may be a hindrance. Additionally, you can only enable ADP if all of your devices are running the latest OS, which may be a problem if you have one older Mac, iPhone, iPad, or iPod touch with which you would like to keep using the same Apple ID.
For most people, Advanced Data Protection is overkill, and adds constraints to accessing your data, but you may want this protection so all your data is end-to-end encrypted.
We discussed Advanced Data Protection for iCloud in episode 270 of the Intego Mac Podcast:
Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.
You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: