
MacRumors

macrumors bot
Original poster
Apr 12, 2001
64,445
32,275


Starting with iOS 16.2, iPadOS 16.2, and macOS 13.1, all of which are expected to be released next week, users have the option to enable a new Advanced Data Protection feature that expands end-to-end encryption to many additional areas of iCloud, including Messages backups, Photos, Notes, Reminders, Voice Memos, and more.


To protect users, Apple does not allow Advanced Data Protection to be enabled from a brand new device for an unspecified period after the device was first set up and added to a user's Apple ID account. We have seen dates range from late January to early February for when users will be able to turn on the feature from a new device. This buffer helps to prevent a malicious actor from enabling the feature if a user is hacked.

Users can still enable Advanced Data Protection from an older device they added to the same Apple ID account, such as another iPhone, iPad, or Mac. In this case, all devices added to that Apple ID account are fully protected by the expanded end-to-end encryption for iCloud, including newer ones that are still in the waiting period.


Turning on Advanced Data Protection removes your encryption keys from Apple's servers for the iCloud categories protected by the feature, ensuring that your data remains secure even in the case of a data breach in the cloud. When the feature is enabled, the encryption keys are only stored on your trusted Apple devices, meaning that they cannot be accessed by Apple or others. The feature can be turned off at any time, at which point your devices will securely upload the encryption keys to Apple's servers again.

When Advanced Data Protection is enabled, access to your data via iCloud.com is disabled by default. Users can turn on data access on iCloud.com, which allows the web browser and Apple to have temporary access to data-specific encryption keys.

iCloud already protects 14 data categories using end-to-end encryption by default, without Advanced Data Protection enabled, including passwords stored in iCloud Keychain, Health data, Apple Maps search history, Apple Card transactions, and more. Apple has a support document with a chart detailing what is protected by standard levels of encryption and what is protected by Advanced Data Protection when enabled.

Advanced Data Protection is available for U.S. users only at launch and will start rolling out to the rest of the world in early 2023, according to Apple. For more details about the feature, read our coverage of Apple's announcement earlier this week.

Article Link: Expanded iCloud Encryption Can't Be Enabled From New Apple Devices Right Away
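The article's description of key custody, as an added illustration (not Apple's code, and not how iCloud is actually implemented): under standard protection the service holds an escrowed copy of each category key and can decrypt; once Advanced Data Protection is on, the key exists only on the trusted device and the service holds ciphertext it cannot read; enabling iCloud.com access hands over a temporary per-category key; and turning the feature off re-escrows the keys. The cipher (HMAC-SHA256 in counter mode plus an HMAC tag) and the class names are stand-ins chosen for the example; the category names come from the article.

```python
"""Toy model of who can decrypt iCloud data with and without ADP (added example, not Apple's code)."""
import hashlib
import hmac
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in stream cipher: HMAC-SHA256 over (nonce || counter), for illustration only
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


class CloudService:
    """Server side: always stores ciphertext; holds keys only while escrowed or granted."""

    def __init__(self):
        self.blobs = {}
        self.escrowed = {}    # standard protection: a server copy of each category key
        self.web_grants = {}  # temporary keys handed over for iCloud.com access

    def can_read(self, category: str) -> bool:
        key = self.escrowed.get(category) or self.web_grants.get(category)
        if key is None or category not in self.blobs:
            return False
        try:
            decrypt(key, self.blobs[category])
            return True
        except ValueError:
            return False


class TrustedDevice:
    """Client side: the only holder of the category keys once ADP is on."""

    def __init__(self, service: CloudService, categories):
        self.service = service
        self.keys = {c: os.urandom(32) for c in categories}
        self.adp_enabled = False
        self.disable_adp()  # start in standard protection: keys escrowed

    def upload(self, category: str, data: bytes) -> None:
        self.service.blobs[category] = encrypt(self.keys[category], data)

    def download(self, category: str) -> bytes:
        return decrypt(self.keys[category], self.service.blobs[category])

    def enable_adp(self) -> None:
        for c in self.keys:
            self.service.escrowed.pop(c, None)
            self.service.web_grants.pop(c, None)  # web access is off by default under ADP
        self.adp_enabled = True

    def disable_adp(self) -> None:
        for c in self.keys:
            self.service.escrowed[c] = self.keys[c]  # keys go back to the server
        self.adp_enabled = False

    def grant_web_access(self, category: str) -> None:
        self.service.web_grants[category] = self.keys[category]


def walkthrough() -> dict:
    """Run the article's scenario on constructed sample data; report who can read it."""
    svc = CloudService()
    dev = TrustedDevice(svc, ["Photos", "Notes"])
    sample = b"constructed sample photo bytes"
    dev.upload("Photos", sample)
    dev.upload("Notes", b"constructed sample note")
    result = {"standard": svc.can_read("Photos")}   # True: key escrowed
    dev.enable_adp()
    result["adp"] = svc.can_read("Photos")           # False: ciphertext only
    result["device_reads"] = dev.download("Photos") == sample
    dev.grant_web_access("Photos")
    result["web_access"] = svc.can_read("Photos")    # True, for that category only
    result["web_other"] = svc.can_read("Notes")      # False: grant is per category
    dev.disable_adp()
    result["after_disable"] = svc.can_read("Notes")  # True: key re-escrowed
    return result


if __name__ == "__main__":
    print(walkthrough())
```

The point the model makes concrete is that a breach of the service's storage only yields readable data for categories whose key the service is holding at that moment; with ADP on and no web grant, it holds none.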
 

Rigby

macrumors 603
Aug 5, 2008
6,241
10,189
San Jose, CA
Probably to prevent the scenario where an attacker somehow gains access to someone's account and then uses their own device (never registered to the victim's Apple ID) to enable advanced protection. This would permanently lock out the victim since Apple cannot help recover the data when advanced protection is enabled. The delay gives the victim enough time to change the password and remove the attacker's device from the account.
 

Mr. Heckles

macrumors 65816
Mar 20, 2018
1,422
1,857
Around
Probably to prevent the scenario where an attacker somehow gains access to someone's account and then uses their own device (never registered to the victim's Apple ID) to enable advanced protection. This would permanently lock out the victim since Apple cannot help recover the data when advanced protection is enabled. The delay gives the victim enough time to change the password and remove the attacker's device from the account.
Good point. This is probably the reason.
 

Sasparilla

macrumors 68000
Jul 6, 2012
1,967
3,386
edit - Ninja'd by Rigby. ;-) Definitely seems the reason with either 3rd party damage or extortion being the ultimate goal they're trying to prevent there, nicely thought out.

Does provide an interesting choice for the general user - don't turn it on and Apple can save yourself from yourself (recovering your data etc.), but at the risk of warrant based access of your data - or you can turn this on and it's all on you. Whether your country does or does not have a relatively strong rule of law foundation would likely alter these calculations as well.
 

ScubaCinci

macrumors 68000
Jul 11, 2008
1,646
289
OH
To protect users, Apple does not allow Advanced Data Protection to be enabled from a brand new device for an unspecified period after the device was first set up and added to a user's Apple ID account. We have seen dates range from late January to early February for when users will be able to turn on the feature from a new device.
I don't understand this? It needs more context in terms of what constitutes a new device. Late Jan to early Feb for new devices obtained as of when? If I got my phone in October, is it still considered a 'new device'?
 

PauloSera

Suspended
Oct 12, 2022
908
1,388
Probably to prevent the scenario where an attacker somehow gains access to someone's account and then uses their own device (never registered to the victim's Apple ID) to enable advanced protection. This would permanently lock out the victim since Apple cannot help recover the data when advanced protection is enabled. The delay gives the victim enough time to change the password and remove the attacker's device from the account.
Hopefully the delay is enough. If an attacker gets your account on their device, they will eventually be able to not only lock you out and remove all of your devices from the account, but then enable advanced protection and lock you out of your content permanently.
 

cmChimera

macrumors 601
Feb 12, 2010
4,281
3,792
Probably to prevent the scenario where an attacker somehow gains access to someone's account and then uses their own device (never registered to the victim's Apple ID) to enable advanced protection. This would permanently lock out the victim since Apple cannot help recover the data when advanced protection is enabled. The delay gives the victim enough time to change the password and remove the attacker's device from the account.
This is definitely it, and makes complete sense.
 

killawat

macrumors 68000
Sep 11, 2014
1,961
3,607
If it can be activated from other older devices, it’s not as bad. I agree that people should not enable this protection lightly, but maybe they should have a way to override the warning message
If the end user is setting up a brand new device on a brand new Apple ID, where good security hygiene would be to enable this protection from the beginning, the user should take note of Apple's limitation and reduce iCloud usage (backups, photos, messages, etc.) until Advanced Data Protection can be enabled.
 

fraXis

macrumors member
Jun 25, 2007
37
30
Am I understanding this correctly? If I buy a new iPhone and add it to my Apple ID, I can't turn on the "Advanced Data Protection" feature to encrypt my iCloud backups for 60 days?

So if I have an iPhone 13, turn on "Advanced Data Protection" and encrypt my iCloud backups, and then next month, I buy a brand new iPhone 14 and copy my iPhone 13 over to it, does that mean my backups on the new iPhone 14 are now all of a sudden unencrypted until I am allowed to turn on this feature again in two months?

This makes no sense.
 

killawat

macrumors 68000
Sep 11, 2014
1,961
3,607
So if I have an iPhone 13, turn on "Advanced Data Protection" and encrypt my iCloud backups, and then next month, I buy a brand new iPhone 14 and copy my iPhone 13 over to it, does that mean my backups on the new iPhone 14 are now all of a sudden unencrypted until I am allowed to turn on this feature again in two months?

This makes no sense.
No, Advanced Data Protection is account wide. If you're able to enable it on iPhone 13 it will also be on iPhone 14. But the waiting period still exists for new starts on new devices.
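The waiting-period rule as Rigby's reply and this one describe it, modelled as an added example (not Apple's code, and not a description of how Apple implements the check): a device added to the account recently cannot switch the feature on until the period has elapsed; an older device can; once on, the setting is account-wide, so newer devices, including ones added later, are covered; and a device that appears on the account during a takeover cannot use it to lock the owner out before the owner has had time to remove it. The length of WAITING_PERIOD is an assumed placeholder, since the article says Apple has not specified it; the device names and dates are constructed.

```python
"""Toy model of the new-device waiting period (added example, not Apple's code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

WAITING_PERIOD = timedelta(days=30)  # assumed placeholder; Apple has not published the length


@dataclass
class Device:
    name: str
    added_at: datetime


@dataclass
class Account:
    devices: dict = field(default_factory=dict)
    adp_enabled: bool = False

    def add_device(self, name: str, when: datetime) -> None:
        self.devices[name] = Device(name, when)

    def remove_device(self, name: str) -> None:
        self.devices.pop(name, None)

    def can_enable_from(self, name: str, now: datetime) -> bool:
        """Only a device that has been on the account for the full period may switch ADP on."""
        dev = self.devices.get(name)
        return dev is not None and now - dev.added_at >= WAITING_PERIOD

    def enable_adp(self, name: str, now: datetime) -> bool:
        if not self.can_enable_from(name, now):
            return False
        self.adp_enabled = True  # account-wide, not per device
        return True

    def is_protected(self, name: str) -> bool:
        return self.adp_enabled and name in self.devices


def walkthrough() -> dict:
    """Replay the thread's scenarios on constructed dates; every value should be True."""
    now = datetime(2022, 12, 13)  # constructed date near the iOS 16.2 release window
    r = {}

    # fraXis / killawat: old phone enables it, new phone is covered anyway
    owner = Account()
    owner.add_device("iPhone 13", now - timedelta(days=400))
    owner.add_device("iPhone 14", now - timedelta(days=2))
    r["new_device_denied"] = not owner.enable_adp("iPhone 14", now)
    r["old_device_allowed"] = owner.enable_adp("iPhone 13", now)
    r["new_device_covered"] = owner.is_protected("iPhone 14")
    owner.add_device("iPad", now + timedelta(days=10))
    r["later_device_covered"] = owner.is_protected("iPad")
    r["new_device_after_wait"] = owner.can_enable_from("iPhone 14", now + WAITING_PERIOD)

    # Rigby: an unfamiliar device shows up on an account that does not have ADP on
    victim = Account()
    victim.add_device("owner iPhone", now - timedelta(days=400))
    victim.add_device("unrecognised device", now)
    r["intruder_denied"] = not victim.enable_adp("unrecognised device", now)
    victim.remove_device("unrecognised device")  # owner acts within the window
    r["intruder_gone"] = "unrecognised device" not in victim.devices
    r["owner_not_locked_out"] = not victim.adp_enabled
    return r


if __name__ == "__main__":
    for check, ok in walkthrough().items():
        print(f"{check}: {ok}")
```

The check is deliberately on the enabling device's age rather than the account's: that is what lets an established device turn the feature on immediately while denying it to any device added during a takeover, which is the trade-off the thread is discussing.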
 

PBG4 Dude

macrumors 601
Jul 6, 2007
4,330
4,580
Probably to prevent the scenario where an attacker somehow gains access to someone's account and then uses their own device (never registered to the victim's Apple ID) to enable advanced protection. This would permanently lock out the victim since Apple cannot help recover the data when advanced protection is enabled. The delay gives the victim enough time to change the password and remove the attacker's device from the account.
This delay, combined with the “a new device has accessed your account” popup should give anyone enough heads-up that their account has been compromised. Also gives enough time to change passwords and ban the new device from their account.

This is also a great time to turn on 2 factor if you haven’t already. It’s one more hurdle to someone trying to hijack your account.

I’m guessing if you have an existing device, you can turn on end-2-end, and it will apply to all devices, including new ones purchased after enabling this feature. You just won’t be able to enable this feature from a brand new device until the timeout period has elapsed.
 

IceManNCSU

macrumors newbie
Aug 3, 2015
7
11
I just wanted to state the obvious... If you enable ADP on your Apple ID then you will no longer be able to download your "Apple Data" from the Data & Privacy website. It will be on you to make your own backups of iCloud and Photos.

Just a heads up!
 