- iCloud is a privacy nightmare
- iCloud e2ee with ADP is sometimes-kinda e2ee
To operate in China, Apple has to run parts of iCloud on CCP-controlled hardware. Presumably this is to preserve the same government surveillance access that Apple explicitly preserved in the USA at the behest of the FBI (as reported by Reuters).
https://www.reuters.com/article/idUSKBN1ZK1CO/
iCloud syncs the list of recently emailed contacts to Apple, so Apple has your social graph and important contacts even if you don’t use Apple email, iCloud contacts, or iMessage/FaceTime. There is no UI to disable this; it must be done via a provisioning profile.
As for ADP - Apple stores file and image plaintext hashes non-e2ee, which allows Apple to see which set of people has unique files, and when. If I make an original meme or document and send it to you, even via AirDrop directly, if we both use iCloud and ADP then Apple knows that we have associated, and when. If you share it to a third person, Apple knows that too. Also, if anyone you iMessage with doesn’t have ADP enabled, your full iMessage conversation history with them remains readable to Apple (and USG et al).
https://support.apple.com/en-us/102651
> Some metadata and usage information stored in iCloud remains under standard data protection, even when Advanced Data Protection is enabled. For example, dates and times when a file or object was modified are used to sort your information, and checksums of file and photo data are used to help Apple de-duplicate and optimize your iCloud and device storage — all without having access to the files and photos themselves. Representative examples are provided in the table below.
Also, iOS in general is a privacy cesspool. You can’t install apps without identifying yourself to Apple, and doing so sends your IP (coarse location), Apple ID (phone number), and device hardware serials to Apple. You can’t ever change or disable this. Even if you don’t use iCloud, the hardware serials are sent to Apple and it maintains a persistent serial-linked connection to Apple for APNS at all times. This cannot be disabled. Additionally the connections happen early in the boot process so they will bypass any user-installable VPNs (provisioning profiles can use old outdated VPN protocols and I think can load before these connections, but approximately nobody uses VPNs in this fashion).
The moment you install a SIM card in an iPhone, the device serial and SIM card phone number are known to Apple and linked, as it will immediately try to register for iMessage without prompting you. This happens even if you don’t use iCloud, and thus is independent of ADP.
This means that wiping the device and swapping SIM cards is useless from a privacy standpoint, as the subsequent phone numbers will be linked by virtue of the device serial (and will also be linked to your IP, bypassing any UI-configured VPN).
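A toy model of the checksum point made above, added as an illustration; it is not code from this post and not Apple's implementation. It assumes the server stores a SHA-256 of the file plaintext next to an encrypted blob; the account names, sample files, the XOR stand-in cipher and the `keyed` per-account HMAC variant are all constructed for the example.

```python
import hashlib
import hmac
import os
from collections import defaultdict

def upload(account, account_key, plaintext, when, keyed=False):
    """Client side of the toy model: returns the record the server stores."""
    # Stand-in for real E2EE: XOR with a keystream derived from a fresh per-file key.
    file_key = os.urandom(32)
    stream = hashlib.shake_256(file_key).digest(len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    if keyed:
        # Hypothetical alternative: checksum keyed with a secret only this account holds.
        checksum = hmac.new(account_key, plaintext, hashlib.sha256).hexdigest()
    else:
        # Modelled behaviour: plaintext checksum stored outside the E2EE envelope.
        checksum = hashlib.sha256(plaintext).hexdigest()
    return {"account": account, "when": when,
            "checksum": checksum, "ciphertext": ciphertext}

def server_view(records):
    """What the operator derives with no keys: accounts sharing a checksum, in time order."""
    by_sum = defaultdict(list)
    for r in records:
        by_sum[r["checksum"]].append((r["when"], r["account"]))
    return [sorted(v) for v in by_sum.values() if len({a for _, a in v}) > 1]

def demo(keyed=False):
    # Constructed sample data: three accounts, one file passed between them.
    keys = {name: os.urandom(32) for name in ("alice", "bob", "carol")}
    meme = b"constructed sample: an original document only these three hold"
    events = [("alice", meme, "2024-01-01T09:00"),
              ("bob", meme, "2024-01-01T09:05"),
              ("carol", meme, "2024-01-02T18:30"),
              ("bob", b"constructed sample: unrelated file", "2024-01-03T08:00")]
    records = [upload(a, keys[a], data, t, keyed) for a, data, t in events]
    return records, server_view(records)

if __name__ == "__main__":
    for keyed in (False, True):
        _, links = demo(keyed)
        print("keyed checksum" if keyed else "plaintext checksum", links)
```

The three ciphertexts differ, so the grouping comes from the checksum column alone; in this model the per-account keyed variant removes the cross-account link and with it any cross-account de-duplication.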