Data is encrypted on your iPhone or iPad, and on your Mac assuming you’ve enabled FileVault. iCloud data is encrypted when it is sent to and from Apple’s servers, and at rest on Apple’s servers, but the company still has encryption keys, and can access some of your data when requested by law enforcement.
End-to-end encryption, however, removes any possibility of a third party accessing your data: you have the only keys to the data on your devices. Apple’s Advanced Data Protection for iCloud (ADP) enables this level of security, but there are some limitations to the way it works.
Let’s examine what Advanced Data Protection is, how to enable it, and whether you should turn this feature on.
In this article:
- What is Advanced Data Protection for iCloud?
- What are the most important protections that ADP offers?
- What are the requirements to use Advanced Data Protection?
- How to enable Advanced Data Protection for iCloud
- Accessing iCloud.com with Advanced Data Protection enabled
- How to turn off Advanced Data Protection for iCloud
- Should you use Advanced Data Protection?
- How can I learn more?
What is Advanced Data Protection for iCloud?
Apple says that Advanced Data Protection gives users the “highest level of cloud data security, giving users the choice to protect the vast majority of their most sensitive iCloud data with end-to-end encryption so that it can only be decrypted on their trusted devices.”
Currently, not all iCloud services are protected by end-to-end encryption. This Apple support document lists the different data categories and the type of encryption they use. “In transit & on server” means that the data is potentially accessible to Apple employees or law enforcement. And, as Apple says, some classes of data cannot be end-to-end encrypted: “The only major iCloud data categories that are not covered are iCloud Mail, Contacts, and Calendar because of the need to interoperate with the global email, contacts, and calendar systems.”
What are the most important protections that ADP offers?
Advanced Data Protection for iCloud enables end-to-end encryption for many additional Apple services. But depending on the sensitivity of each Apple service where you store data, you may find some of the additional protections more valuable than others.
For example, if you have private pictures stored in Photos, or if you keep passwords or other confidential information in Notes, on iCloud Drive, or in your iCloud Backup, you may not want Apple employees to be able to access them under any circumstances. You may also prefer for Apple employees to not be able to see which sites you’ve bookmarked in Safari, or to see your Wallet passes, which can reveal a lot about you.
But arguably one of the most significant changes is how Apple handles Messages in iCloud. Although iMessage may be used as a secure messaging platform, there have always been important caveats. Historically, if any sender or recipient of an iMessage has their Messages data backed up to iCloud — and they don’t have ADP enabled — then Apple employees can potentially access those iMessages. If all parties in an iMessage chat have ADP enabled, however, then (at least in theory) iMessage becomes a much more secure messaging platform. Unfortunately, there are no in-app indicators of whether recipients have disabled Messages backups to iCloud or have enabled ADP. But if you have personally confirmed that your conversation partners either use ADP or don’t back up their Messages to iCloud, then you can be more confident about the security of your communications.
What are the requirements to use Advanced Data Protection?
To enable Advanced Data Protection, you must have:
- Two-factor authentication enabled for your Apple ID
- Passcodes or passwords set on your devices (yes, it’s possible to set up iPhones and Macs without passcodes or passwords, although it isn’t advisable)
- At least one account recovery contact or recovery key
In addition, every device you log into with your Apple ID must be running recent versions of Apple’s operating systems: iOS 16.0 or later, iPadOS 16.2 or later, and macOS 13.1 or later. Other devices also access data from your iCloud account, so any Apple TV, Apple Watch, or HomePod must be running recent software as well, and, if you use iCloud for Windows, it must be version 14.1 or later.
How to enable Advanced Data Protection for iCloud
As long as you’ve met the above requirements, enabling Advanced Data Protection simply requires toggling one setting. You can only do this on an iPhone, iPad, or Mac.
Go to Settings, tap or click your name, then tap or click iCloud. Scroll down to Advanced Data Protection and click it. You’ll see a screen like this:
Accessing iCloud.com with Advanced Data Protection enabled
When you enable Advanced Data Protection, access to your data on the iCloud.com website is turned off to ensure that data is only accessible on your trusted devices. If you need to access this data on the Web, you can temporarily grant access via one of your trusted devices.
To do this, turn on Access iCloud Data on the Web; the setting is just below the Advanced Data Protection setting. A request is sent to your trusted devices, and, if you approve this, you can access your data on iCloud.com for one hour. Each time you access a new category of data — such as photos, notes, or files — you’ll need to approve that access from your trusted device.
For more on accessing data on the Web when Advanced Data Protection is enabled, see this Apple support document.
How to turn off Advanced Data Protection for iCloud
Should you use Advanced Data Protection?
Advanced Data Protection offers the highest level of protection for your data, but with some limitations. There’s a real risk of no longer being able to access your data if you forget your Apple ID password, which is why you have to set up a recovery contact and a recovery key to minimize the possibility of losing access to your account. If you often use iCloud.com to access your data or the Web-based versions of Apple’s iWork apps (Pages, Numbers, and Keynote), then the requirement to regularly grant Web access may be a hindrance. Additionally, you can only enable ADP if all of your devices are running the latest OS, which may be a problem if you have one older Mac, iPhone, iPad, or iPod touch with which you would like to keep using the same Apple ID.
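The two points this article keeps returning to are the difference between “in transit & on server” encryption (the provider holds the key and can produce plaintext on request) and end-to-end encryption (the provider stores only ciphertext and wrapped keys), and the recovery risk that comes with the latter: if the only copy of the key lives on your trusted devices, losing them without a recovery key means losing the data. The following Python program is an added illustration written for this page; it is not Apple’s implementation and does not describe how iCloud actually wraps or stores keys. It uses an HMAC-based toy stream cipher (stdlib only, so it runs anywhere) purely to keep the example self-contained; the class names, the `dek.device` / `dek.recovery` item names and the sample note are all constructed.

```python
"""Toy model of 'in transit & on server' vs end-to-end encrypted cloud storage, plus key
recovery. Constructed illustration for this article; NOT Apple's actual ADP design."""
import hashlib
import hmac
import os
import secrets
from typing import Optional


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a toy stream cipher (a real system uses AES-GCM etc.)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Check the tag first, so a wrong key (or tampering) raises instead of returning garbage."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct))))


class StandardProtectionServer:
    """'In transit & on server': the provider holds the key, so it can hand over plaintext."""
    def __init__(self):
        self.key, self.store = os.urandom(32), {}   # provider-held key

    def upload(self, item: str, plaintext: bytes) -> None:
        self.store[item] = encrypt(self.key, plaintext)

    def disclose(self, item: str) -> bytes:
        return decrypt(self.key, self.store[item])  # provider can decrypt on request


class E2EEServer:
    """ADP-style: the provider stores ciphertext and wrapped keys and never sees the DEK."""
    def __init__(self):
        self.store = {}

    def upload(self, item: str, blob: bytes) -> None:
        self.store[item] = blob

    def disclose(self, item: str) -> bytes:
        return self.store[item]  # the most the provider can hand over is ciphertext


class TrustedDevice:
    """A client device; its secrets never leave it (hypothetical name for this illustration)."""
    def __init__(self, server: E2EEServer, recovery_key: Optional[bytes] = None):
        self.server = server
        self.device_secret = os.urandom(32)  # protected by the device passcode, never uploaded
        self.dek = os.urandom(32)            # data encryption key for the user's content
        # The DEK is only uploaded wrapped: under the device secret and, optionally, under a
        # recovery key. Lose the device and have no recovery key, and the DEK is gone for good.
        server.upload("dek.device", encrypt(self.device_secret, self.dek))
        if recovery_key is not None:
            server.upload("dek.recovery", encrypt(recovery_key, self.dek))

    def upload(self, item: str, plaintext: bytes) -> None:
        self.server.upload(item, encrypt(self.dek, plaintext))

    def read(self, item: str) -> bytes:
        return decrypt(self.dek, self.server.disclose(item))


def recover(server: E2EEServer, item: str, recovery_key: bytes) -> bytes:
    """New device after the old one is lost: only the recovery key can unwrap the stored DEK."""
    if "dek.recovery" not in server.store:
        raise KeyError("no recovery key was set up; the data cannot be recovered")
    dek = decrypt(recovery_key, server.store["dek.recovery"])
    return decrypt(dek, server.store[item])


def demo() -> dict:
    note = b"constructed sample: a passport number kept in Notes"
    std = StandardProtectionServer()              # standard protection: request yields plaintext
    std.upload("note", note)
    recovery_key = secrets.token_bytes(32)        # end-to-end: request yields only ciphertext
    server = E2EEServer()
    phone = TrustedDevice(server, recovery_key=recovery_key)
    phone.upload("note", note)
    server_no_rk = E2EEServer()                   # same, but the user skipped recovery setup
    TrustedDevice(server_no_rk).upload("note", note)
    try:
        recover(server_no_rk, "note", recovery_key)
        unrecoverable = False
    except KeyError:
        unrecoverable = True
    return {"standard_disclosed": std.disclose("note"),
            "e2ee_disclosed": server.disclose("note"),
            "device_can_read": phone.read("note"),
            "recovered": recover(server, "note", recovery_key),
            "unrecoverable_without_recovery_key": unrecoverable}
```

Running `demo()` shows the contrast in one place: the standard-protection server returns the note verbatim on a disclosure request, the end-to-end server returns an opaque blob, the trusted device and the recovery key both get the note back, and the account that skipped recovery setup cannot get its data back at all once the device secret is gone. That last branch is the practical cost the section above describes, and it is why the recovery contact or recovery key is a prerequisite rather than an optional extra.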
How can I learn more?
We discussed Advanced Data Protection for iCloud in episode 270 of the Intego Mac Podcast:
Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.
You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: