Advanced Data Protection for iCloud
iCloud is the only major storage provider with the option for zero knowledge.
All data is encrypted in transit and on the server; the difference is who has access to it all. With Advanced Data Protection (ADP), Apple takes itself out of the equation for most services. With standard data protection, several services remain recoverable (and accessible) by Apple.
So why doesn’t Apple use Advanced Data Protection by default? It would be a customer service nightmare. Only activate it if you know what you’re doing. If you lose access to your account, you need to use the recovery contact or recovery key together with a trusted device passcode or iCloud account password to get your data back. If none of those are available, Apple will be able to restore access to your account, but most of the data will be lost. Irrevocably.
But I still implore you to use Advanced Data Protection if you know what you’re doing. It is a huge boost to privacy, especially if you store a lot of data in iCloud.
Here’s a list of iCloud services and how Apple treats their encryption as of November 2024:
iCloud Service | Standard data protection | Advanced Data Protection |
---|---|---|
iCloud Mail | Apple has keys | Apple has keys |
Contacts | Apple has keys | Apple has keys |
Calendars | Apple has keys | Apple has keys |
iCloud Backup (incl. Messages) | Apple has keys | Only you have keys (E2E) |
iCloud Drive | Apple has keys | Only you have keys (E2E) |
Photos | Apple has keys | Only you have keys (E2E) |
Notes | Apple has keys | Only you have keys (E2E) |
Reminders | Apple has keys | Only you have keys (E2E) |
Safari Bookmarks | Apple has keys | Only you have keys (E2E) |
Siri Shortcuts | Apple has keys | Only you have keys (E2E) |
Voice Memos | Apple has keys | Only you have keys (E2E) |
Wallet passes | Apple has keys | Only you have keys (E2E) |
Freeform | Apple has keys | Only you have keys (E2E) |
Passwords and Keychain | Only you have keys (E2E) | Only you have keys (E2E) |
Health data | Only you have keys (E2E) | Only you have keys (E2E) |
Journal data | Only you have keys (E2E) | Only you have keys (E2E) |
Home data | Only you have keys (E2E) | Only you have keys (E2E) |
Messages in iCloud | Only you have keys (E2E) | Only you have keys (E2E) |
Payment information | Only you have keys (E2E) | Only you have keys (E2E) |
Apple Card transactions | Only you have keys (E2E) | Only you have keys (E2E) |
Maps | Only you have keys (E2E) | Only you have keys (E2E) |
Keyboard vocabulary | Only you have keys (E2E) | Only you have keys (E2E) |
Safari | Only you have keys (E2E) | Only you have keys (E2E) |
Screen Time | Only you have keys (E2E) | Only you have keys (E2E) |
Siri information | Only you have keys (E2E) | Only you have keys (E2E) |
Wi-Fi passwords | Only you have keys (E2E) | Only you have keys (E2E) |
W1 and H1 Bluetooth keys | Only you have keys (E2E) | Only you have keys (E2E) |
Memoji | Only you have keys (E2E) | Only you have keys (E2E) |
The more control users have, the more responsibility they must bear.
How does web access on icloud.com work with ADP on?
Every time you attempt to access one of the E2E-encrypted services above in a web browser on icloud.com, Apple will send a request to your trusted devices, where you’ll have the option to approve the request. The device will then generate temporary keys for the browser session to decrypt and show your data.
Recovery Options
An alternate recovery option is required in order to activate Advanced Data Protection. That’s either a recovery contact or a recovery key.
With a recovery contact, a trusted friend or family member gets the ability to receive a recovery code for you if you need one. Apple does not store any information about who your recovery contacts are, so remember who you picked. Your contact does not get access to your data; they only receive the code, which they can hand over to you if you request one.
With a recovery key, you’ll get a 28-character code to store in a safe place. This code can be used to regain access to your account and your E2E encrypted data. If you turn on the recovery key option, Apple’s regular account recovery process will no longer be available, so losing the key means losing that data. Store the key somewhere safe!
If you’re interested in reading more details about iCloud security, head on over to iCloud data security overview (Apple Support).
And here’s Apple’s overview on How to turn on Advanced Data Protection for iCloud (Apple Support).
Please write to hi@tobyx.com for comments and questions.