Turn on this security feature in iOS 16.2 pronto on yours and your family’s iPhones

http://www.nytimes.com/wirecutter/reviews/how-to-set-up-apples-new-icloud-encryption-security-feature/

Why You Should Enable Apple’s New Security Feature in iOS 16.2 Right Now

By Thorin Klosowski

Updated December 14, 2022

Why You Should Enable Apple’s New Security Feature in iOS 16.2 Right Now
Photo: Michael Hession

FYI

We’ve added details about what happens if you cannot update all your Apple devices to the newest operating systems.

December 14, 2022

Apple just rolled out iOS 16.2, a software update that includes a key new feature called Advanced Data Protection for iCloud. That means you can finally enable end-to-end encryption for your iCloud backups so no one but you—not even Apple—can access your iCloud data.

The fact that iCloud backups haven’t offered the option of end-to-end encryption until now has long been a point of controversy. iCloud backups of the Messages app were of particular concern because Apple could still hand over certain types of data within the backups to law enforcement. In particular, although conversations in Messages (along with other more personal data types, like the data stored in the Health app) were end-to-end encrypted, backups of those conversations were not. That meant police could subpoena those backups and gain access to texts. A couple of years ago, rumors suggested that Apple had dropped a plan to encrypt backups after the FBI complained about it. But now that the feature is here, everyone should turn it on. Here’s why.

Encryption is a mathematical process that jumbles data in a way that makes it unreadable without a key. End-to-end encryption ensures that only you control that key. This protection allows for private communication between a sender and a receiver—in this case, you’re both—such that third parties can’t access the data. Once you enable Advanced Data Protection, not even Apple will have the key to decrypt your data—and therefore it will have no way to help you regain access if you lose it. End-to-end encryption is common in secure messaging apps like Signal, as well as in software that stores sensitive data, such as password managers.

Many people enable iCloud backups because their iPhone bothers them repeatedly to do so, and perhaps they haven’t thought through the implications. Prior to today, storing a complete backup of your device, including your private photos and files, on a server—where someone other than you has access to it—has meant entering a data-privacy minefield. Someone gaining access to that account, through a data breach or by other means, would have access to anything stored there. And the problem hasn’t been limited to iCloud: Startlingly few cloud storage companies, in fact, offer end-to-end encryption.

But now, if you own one or more Apple devices, you can now make sure that your backups, photo libraries, and iCloud Drive file are end-to-end encrypted.

How to turn on Advanced Data Protection

Advanced Data Protection is rolling out as part of the iOS 16.2 over-the-air software update in the US today. Other parts of the world will receive Advanced Data Protection in early 2023. Follow these steps:

  1. Turn on two-factor authentication for your Apple ID if you haven’t done so already.
  2. Update all your Apple devices to iOS 16.2, iPadOS 16.2, macOS 13.1, tvOS 16.2, watchOS 9.2, or newer. If your devices are older and don’t support the latest versions of Apple’s operating systems, you’ll have to remove them from your Apple ID in order to enable Advanced Data Protection. That means you won’t be able to log into your Apple account on that older device, in which case, you should probably not enable Advanced Data Protection until you upgrade to a newer Apple device.
  3. On an iPhone or iPad, open Settings (or System Preferences on a Mac) > [Your name] > iCloud > Advanced Data Protection > Account Recovery. On this page you’ll see a choice of recovery methods. To use Advanced Data Protection, you must set up at least one of these two options (you can do both):
    • Designate a recovery contact, a trusted person from your contacts list who also owns an Apple device and whom you can easily reach out to in case you get locked out of your account. If you choose this method, you’ll send the recovery contact a message with a link that they will need to tap or click to accept. They’ll now have the key to help you unlock your account, but they won’t be able to unlock it on their own.
    • Set up a recovery key, a 28-character key that you can use to access your account in case you are locked out. Apple has no way to recover this key for you, so it’s important that you save it somewhere safe. If you choose this method, you’ll need to verify the key before you enable it, so write it down.
  4. Head back to Settings > [Your name] > iCloud > Advanced Data Protection, tap Turn on Advanced Data Protection, and then follow the on-screen prompts. Here, you need to confirm your recovery contact or enter your recovery key one more time, followed by your device’s passcode. If you have any older devices that cannot be updated, you can remove them from the list at this point.

Aside from not being able to ask Apple to help you access your data, if you regularly access data or files from iCloud.com, web access is disabled by default when Advanced Data Protection is enabled. That means you can’t access anything there—however, you can hop into Settings > [Your name] > iCloud and tap Access iCloud Data on the Web to temporarily turn on access when you need it.

Enabling the new security feature is relatively simple, though it’s important to note that if you choose the recovery key option, you must secure your encryption key and make sure to store it somewhere safe. If you choose a recovery contact, make sure to stay in touch with that person. Otherwise, if you lose your device, your data could be completely gone.

What data gets protected (and what doesn’t)

Until this update, Apple provided end-to-end encryption for some of the most sensitive data stored in iCloud backups by default, including passwords, health data, and payment information. If you don’t turn on Advanced Data Protection, here are the data categories that are end-to-end encrypted by default, according to Apple’s list:

  • Passwords and Keychain
  • Health data
  • Home data
  • Messages in iCloud (but not iCloud backups)
  • Payment information
  • Apple Card transactions
  • Apple Maps (details such as favorites and search history)
  • QuickType Keyboard learned vocabulary
  • Safari (details such as history, tab groups, and iCloud tabs)
  • Screen Time
  • Siri information (details such as settings and personalization)
  • Wi-Fi passwords
  • W1 and H1 Bluetooth keys
  • Memoji

When you turn on the feature, nine more data categories are end-to-end encrypted:

  • iCloud backup
  • iCloud Drive
  • Photos, including photos in a Shared Library, if everyone in the Shared Library has Advanced Data Protection enabled
  • Notes
  • Reminders
  • Safari Bookmarks
  • Siri Shortcuts
  • Voice Memos
  • Wallet passes

Some data stored in iCloud still isn’t encrypted, notably iCloud Mail and some third-party data, because doing so would break certain functions. The affected categories are as follows:

  • iCloud Mail
  • Contacts
  • Calendars
  • Photos stored in Shared Albums and any file shared with “Anyone with a link”
  • Any document shared for iWork collaboration
  • Any third-party app data that doesn’t employ its own end-to-end encryption (though if the backups of those apps are stored in iCloud Backup, they will be end-to-end encrypted, and if an app stores data in iCloud Drive, it should be end-to-end encrypted, as well)
  • Some metadata and usage information (details such as the names of your devices, the sizes of files, and more, which is notable because recent reports suggest that Apple isn’t entirely transparent about the data it collects)

If you use any collaboration features for Files or Notes, end-to-end encryption is enabled only when you and all other parties have Advanced Data Protection enabled. So, if you are collaborating through a shared Notes or Reminder item and want that data secured with end-to-end encryption, make certain your collaborators enable the feature, too.

Setting up Advanced Data Protection is an important step, but it’s not the end of the story. In addition to the various steps everyone needs to take to secure themselves online, be sure to take a few fundamental steps to secure your phone, such as using a strong passcode.

This article was edited by Caitlin McGarry.

About your guide

Thorin Klosowski is the editor of privacy and security topics at Wirecutter. He has been writing about technology for over a decade, with an emphasis on learning by doing—which is to say, breaking things as often as possible to see how they work. For better or worse, he applies that same DIY approach to his reporting.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.