Apple Has Released Advanced Data Protection… Here’s Why Most Of Us Don’t Need To Switch It On

Long-time readers of my blog will know that I have always argued that you should have the right to encrypt everything if you choose to do so. The title of this post may make you think that I have flipped to the other side of that argument. In fact, I haven’t. Let me explain.

With the release of iOS 16.2 and related macOS, iPadOS and watchOS releases, Apple has released Advanced Data Protection. This is meant to do the following:

Advanced Data Protection for iCloud is an optional setting that offers Apple’s highest level of cloud data security. When a user turns on Advanced Data Protection, their trusted devices retain sole access to the encryption keys for the majority of their iCloud data, thereby protecting it with end-to-end encryption. For users who turn on Advanced Data Protection, the total number of data categories protected using end-to-end encryption rises from 14 to 23 and includes iCloud Backup, Photos, Notes and more.

Now your first thought is going to be “my iCloud data wasn’t end-to-end encrypted?” And the fact is that not all of your iCloud data was end-to-end encrypted. Without Advanced Data Protection turned on, iCloud end-to-end encrypts 14 sensitive data types, such as passwords in Keychain, Health data, payment information, Messages in iCloud, Apple Card transactions, Home data, and more. That list goes up to 23 data types if you turn on Advanced Data Protection. You can find a list of what is and isn’t end-to-end encrypted here. The key thing is to look for the words “end-to-end” in the list.

So at this point, you might be thinking that since more of your data is going to be end-to-end encrypted, this is a feature that you should turn on. Right?

Not so fast.

Here’s the thing about Advanced Data Protection that you need to know before you flip that switch: Apple makes you solely responsible for your encryption. Put another way, because Apple will not have the keys required to recover your data, you need to set up an alternate recovery method, such as a recovery contact or a recovery key, in case you ever lose access to your account. And if you lose access to that alternate recovery method, you’re screwed, because Apple cannot help you get your data back. Nor can anyone else.

So with that in mind, should you turn on Advanced Data Protection? My answer would be no for the vast majority of you. And I include myself on that list. Why? Simply put, I am currently not a high-value target for hackers or nation states who would see the data on my devices as being of significant value for them to acquire. On top of the fact that Apple’s default security model works fine for me, encryption can make it harder for you to recover data should you need to, as you would have to jump through extra hoops with little assistance from your local Apple Store or Apple’s phone support. Thus I would argue that for the vast majority of you, Advanced Data Protection should remain turned off.

Having said that, you might want to consider Advanced Data Protection if you fall into one of these categories:

  • Politician
  • Journalist
  • Activist (human rights activist for example)
  • High probability of being a target of law enforcement

I am sure there are more categories, but I think you get the point. The fact is that these are the types of people that Advanced Data Protection was intended for, because they are at high risk of getting pwned by hackers, nation states and other threat actors who would want access to the data that’s in iCloud or on their iPhones or MacBooks. The other 95% of us should not touch this feature. But if you feel that you need to enable this feature, Apple has this support document that describes how to do it. Honestly, though, I would think long and hard before you go down that path. While I am glad that Advanced Data Protection is there, most of us don’t need to use it, and it may create more problems for you than it solves.
