Online backup services are convenient and offer resilience. Instead of managing your own backup drives a cloud backup service can upload your data to the Internet automatically whenever you’re connected. If your house burns down you don’t lose your data either. But, as with most things in the universe, there are trade offs. By placing your data on somebody else’s server you lose control over it. This can be mitigated by encrypting your files locally before uploading them but sometimes that’s not an option as with Apple’s iCloud Backup for iOS:
“If the government laid a subpoena to get iMessages, we can’t provide it,” CEO Tim Cook told Charlie Rose back in 2014. “It’s encrypted and we don’t have a key.”
But there’s always been a large and often-overlooked asterisk in that statement, and its name is iCloud.
It turns out the privacy benefits Apple likes to talk about (and the FBI likes to complain about) basically disappear when iCloud Backup is enabled. Your messages, photos and whatnot are still protected while on your device and encrypted end-to-end while in transit. But you’re also telling your device to CC Apple on everything. Those copies are encrypted on iCloud using a key controlled by Apple, not you, allowing the company (and thus anyone who gets access to your account) to see their contents.
I don’t use iCloud Backup for precisely this reason. My backups are done locally on my computer. This brings me to my point: you need to fully understand the tools you use to hope to have any semblance of security. One weakness in your armor can compromise everything.
iMessage may be end-to-end encrypted but that doesn’t do you any good if you’re backing up your data in cleartext to somebody else’s server.