Apple gives their iCloud storage full encryption, meaning only the user can access their backups, photos and other data. Microsoft 365 customers should be asking Microsoft to do the same (don’t hold your breath).
Advanced Data Protection is an option that encrypts all the customers information and files on Apple’s servers. Only customers can access that data via their login. Apple did this so they can’t give out any customer information, even if required by law or court order.
Note: in February 2025, Apple was forced to block Advanced Data Protection for UK users, Apple blocks their best security feature in the UK
Though there will be a recovery process available, the user will be responsible for keeping their password and two-factor recovery available.
Happily, “Advanced Data Protection” is an option. That’s good because it puts more responsibility on the customer to protect their login and two-factor authentication options. Some people might not feel the need for greater security and prefer the easier recovery options.
Noone else will be able to read the iCloud data. Not even Apple itself. Governments and law enforcement can’t access info either, no matter how many laws or court orders are issued.
Some iCloud data is already protected this way, such as Keychain (passwords) Maps (location) and Health data.
The new ‘Advanced Data Protection’ expands that to Backups, Photos and Notes. Mail, Calendar and Contacts can’t get the new protections because that info has to work with other mail systems which aren’t sufficiently secure.
The “Full encryption” myth
Maybe you think that your data is already secure, after all there’s lots of talk about “full encryption” when it’s not entirely true. There’s encryption while data is being transferred – that should be a given these days. Your files should be encrypted when saved on cloud servers (aka ‘data at rest’), but the key is held by the company – not the customer. Microsoft overemphasises that their cloud drives are Bitlocker secured but the key is held by Microsoft so the company can read that information for themselves or to comply with a government or court order.
“Advanced Data Protection” is described by Apple as “end to end encryption” which is true. However other companies use the same “end to end encryption” about their current security arrangements! A lot of privacy and security phrases sound great but have very slippery meanings.
At the moment, most online storage is NOT customer encrypted when it’s saved on the cloud servers. That means the storage company (Apple, Microsoft, Dropbox etc) can read any files saved on their servers. The companies might promise not to do that, but it’s only a promise with no consequences. Microsoft has, in the past, read customers cloud data for their own purposes.
Some people make their own security arrangements by saving encrypted documents or backups to OneDrive or similar. Companies and governments can still copy the files but can’t open them without the password.
Many governments have laws that allow them to snoop on data saved in the cloud. In many cases, the companies have to comply and NOT notify the customer of the intrusion. These laws are often justified as powers needed to combat terrorism, organized crime and child abuse, however the data access laws don’t limit the powers to those areas.
The OneDrive ‘Personal Vault’ has no greater cloud encryption than regular OneDrive. The Vault lets the customer add a layer of login security to some files but those same files are still accessible to Microsoft and governments.
Will Microsoft add full encryption to OneDrive?
Microsoft should follow Apple’s lead and fully secure their OneDrive and SharePoint storage in the same way.
Corporate customers are already pushing for exclusive access to server data encryption, the same options should be available to small organizations and individuals who are just as entitled to proper security.
Alas, most likely they’ll try to obfuscate by pointing to their current setup and suggest that it’s enough – which it definitely is not.
Microsoft’s track record on privacy has always been to put hype ahead of action. A lot of talk about how secure their services are while reluctantly adding the necessary protections due to customer and competitive pressure.
In other words, Microsoft 365 customers might eventually get fully secure cloud storage with customer-only key access, but don’t hold your breath.
Image privacy breach still in Microsoft Office.
Apple Privacy tags don’t tell the whole story with Office
Microsoft clarifies cloud service privacy, is it enough?
