What Is Advanced Data Protection?
Advanced Data Protection is Apple’s name for end-to-end encryption for your iCloud data. End-to-end encryption means that data is encrypted when it leaves your device, stored in that encrypted format on Apple’s servers, then decrypted with the required key using trusted devices, like your iPhone. The big difference is that only you have the key to decrypt your data: Not even Apple has the key to access your data on its servers.
Standard data protection for these services encrypts data in transit and at rest on Apple’s servers, but the key required to decrypt and access that data is also stored on Apple’s servers. This remains the default setting. With Advanced Data Protection, the decryption keys are stored only on your trusted devices (including the iPhone, iPad, and Mac), not on Apple’s servers.
Since this key stays private to you, the encrypted data cannot be decrypted even if someone else gets hold of it. For example, even if Apple suffers a data breach and loses all the data it has on you, the thief wouldn’t be able to decrypt that data without your private key.
When data is stored in this manner, not even Apple can decrypt it. Since the keys required to decrypt the data are stored in a way that Apple doesn’t have access to them, Apple is unable to grant authorities, such as law enforcement agencies or the government, access to the data. Not even internal attacks by “rogue” Apple employees can reveal the contents of user data protected in this manner.
The feature has been described as “deeply concerning” by the FBI while the Electronic Frontier Foundation issued a statement to “applaud Apple for listening to experts, child advocates, and users who want to protect their most sensitive data”—a demand previously outlined in the EFF’s Fix It Already campaign.
Should You Enable iCloud Advanced Data Protection?
If end-to-end encryption on your iCloud data protects you from having your data accessed, why wouldn’t you want to enable it right away? In fact, you might wonder why the feature isn’t enabled by default.
Enabling Advanced Data Protection affords your data better protection, but it also means that accessing your data depends on you having a recovery key or at least one trusted contact you can use if you lose access. Should you lose track of either of those things, you won’t be able to recover your data at all. Apple won’t be able to assist you because Apple doesn’t have the decryption key.
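To make the key-custody difference (keys on Apple’s servers versus keys only on your devices) and the recovery-key caveat concrete, here is an added, constructed Python model. It is not Apple’s code: the toy cipher and the assumption that the server holds a copy of the data key wrapped under the recovery key are simplifications for illustration, not a description of how iCloud actually implements this.

```python
import hashlib
import hmac
import secrets

# Toy authenticated encryption (SHA-256 keystream + HMAC tag) used only to
# model key custody. It is a constructed stand-in, not Apple's cryptography.
def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def encrypt(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None  # wrong key or tampered data
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def upload(mode, plaintext, data_key, recovery_key):
    """Return (what the server stores, what the trusted device keeps)."""
    blob = encrypt(data_key, plaintext)
    if mode == "standard":
        # Key lives next to the data on the server; the device keeps nothing.
        return {"blob": blob, "key": data_key}, {}
    # "advanced": the server never sees the raw key. Assumed model: it holds
    # only a copy wrapped under the user's recovery key (a simplification).
    return {"blob": blob, "wrapped_key": encrypt(recovery_key, data_key)}, {"key": data_key}

def attacker_reads(server):
    """Whoever dumps the server gets everything stored there and nothing else."""
    return decrypt(server["key"], server["blob"]) if "key" in server else None

def owner_reads(server, device, recovery_key=None):
    """Owner path: trusted device first, then server-held key, then recovery key."""
    key = device.get("key") or server.get("key")
    if key is None and recovery_key is not None and "wrapped_key" in server:
        key = decrypt(recovery_key, server["wrapped_key"])
    return decrypt(key, server["blob"]) if key else None
```

In "standard" mode a server breach yields plaintext; in "advanced" mode it yields nothing, but an owner who has lost every trusted device and the recovery key is locked out just as thoroughly.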
You’ll be prompted to select your recovery assistance choices as part of the setup if you haven’t already set up Account Recovery for your Apple ID.
You can do this under Settings > [Your Name] > Password & Security > Account Recovery. Use this menu to nominate contacts that you trust and a recovery key that you can keep safe and private. They’re your last resort for recovering your encrypted data if you lose access to trusted devices that are already signed in.
As long as you implicitly trust a nominated contact and can keep your key in a secure location (so that it remains accessible to you but not obvious to any attackers), you should have no trouble enabling Advanced Data Protection. If you’re concerned about either of these things, you might want to leave standard data protection enabled instead.
What’s (Not) Included?
Some iCloud data has been end-to-end encrypted for a while, including categories like Health, your Keychain (which stores other login data), and payment information. With the arrival of Advanced Data Protection, nine additional categories are now covered, including:
Backups in iCloud (including device and Messages backups)
Photos
Notes
Reminders
Siri Shortcuts
Bookmarks (Safari only)
Wallet Passes
Voice Memos
With Advanced Data Protection enabled, the keys required to decrypt this data are stored on your device. The only iCloud services that still limit encryption to “in transit” and “on-server” with keys stored on Apple’s servers are:
iCloud Mail
Contacts
Calendars
Apple states that “iCloud Mail does not use end-to-end encryption because of the need to interoperate with the global email system” and that Contacts and Calendars “are built on industry standards (CalDAV and CardDAV) that do not provide built-in support for end-to-end encryption.”
How to Enable Advanced Data Protection
If you’re satisfied that the benefits of Advanced Data Protection outweigh the risk of your data becoming irretrievable if you lose your recovery key (or your nominated contacts are unavailable), you can enable it from the Settings app.
Head to Settings > [Your Name] > iCloud > Advanced Data Protection. Tap “Turn On Advanced Data Protection” then follow the steps for enabling Account Recovery if you haven’t already done so. Keep your recovery key in a safe place.
To finalize the process, you’ll be asked to update certain devices that don’t currently support the feature. Tap on “Remove Devices in Settings” to enable the feature right now without applying the updates.
To remove a device, tap on it, then choose “Remove from Account” to proceed. The device will need to be updated and added to your account again to show up in the Settings app.
To disable the feature, head back to this menu and tap “Turn Off Advanced Data Protection” and your device will store the required keys locally instead.
Advanced Data Protection Coming Worldwide in 2023
Note that Advanced Data Protection is available with iOS 16.2 and later. (iOS 16.2 was released on December 13, 2022.) You can update your iPhone or iPad under Settings > General > Software Update. Advanced Data Protection is rolling out in the US at first, with the feature coming to the rest of the world in early 2023.
There are other ways to protect your Apple devices and associated accounts. Make sure that two-factor authentication is enabled on your Apple ID, that you’re using the most secure iPhone password, and that you’re applying software updates even on outdated devices.
Check out our full list of iPhone security tips for more best practices.