
Only if you have “Messages in iCloud” turned on, which is optional.



Actually it is the opposite. If you have Messages in iCloud, they do not store messages in "iCloud Backup" but keep them separate with some client-side device-to-device encryption key (UPDATE: which they also store a copy of inside iCloud backup unless ADP is on; thanks to 'modeless). If you enable iCloud Backup and Messages in iCloud is turned off, it will back up all your messages in a way visible to Apple servers. Of course, that is unless you enable Advanced Data Protection (the thing that the UK hates).

The fact that this is so unintuitive that I had to explain it and I am only 95% sure I got it right is precisely the problem.


Yes, but when Messages in iCloud is enabled that "client-side" encryption key is itself included in your iCloud backup (that Apple can read), as disclosed. So Apple can read your messages regardless of whether you enable or disable Messages in iCloud. The only things that prevent it are disabling cloud backups entirely, or enabling ADP. But even those don't really prevent it because unless everyone you message also does the same, Apple can still read your messages.


Good to know, hence my 95% certainty. Fortunately for me, each new device starts with a DFU restore and installation of my own Configuration Profile, which supervises the device, disables automatic pairing with new devices, disables useless apps like Game Center, and most importantly disables iCloud Backup entirely, etc.


How do you make backups of your data; e.g. Photos, Notes and Messages?


I keep "optimized storage" turned off for Photos and back up directly from the filesystem. The photo library sits in $HOME/Pictures with all originals and the SQLite database intact - any regular backup solution works fine with this.

For Notes, I've migrated to Obsidian since I couldn't find a reliable backup method for Apple Notes.

Messages is tricky - I just screenshot anything important since it's so tightly integrated with Apple's ecosystem. Most of my important conversations happen on WhatsApp anyway, which lets me export anything I need to preserve.


For Apple Notes, you can technically export using Shortcuts with a loop for entire folders, but it's quite limited. From my experience, it doesn't work with locked/encrypted notes at all - just returns blank pages when you try to access those. That's one of the reasons I switched to Obsidian.


You could always sync and back up (make sure it has a password so that keychain data is stored in the backup) your iPhone to your Mac, and have been able to since the dawn of iPhone OS. You can still use iCloud sync for contacts and notes if you choose to for convenience, but I absolutely do not want iCloud backup.


How are you achieving this? I’d like to know more. Thanks in advance.


Perhaps I should document it and link to it in detail, but basically you use Apple Configurator to create a profile, set its restriction flags accordingly, and keep it somewhere you can redeploy with ease. Then you simply DFU restore the iOS device so that it gets the latest clean iOS image. After that you don’t activate it by going through the setup screen. Instead you use the connected Mac with Apple Configurator to “Prepare” the device; the computer activates it and pairs it with your “organization” public key, and you can add the profiles you created in the previous steps to apply the configuration restrictions. It’s like having an enterprise MDM, except you don’t need a server; just the local profile is enough.


> Perhaps I should document it and link to it in detail

Would be very interested in this.


Feel free to send me a note to the email in the profile. I will make sure to link to you when I get to documenting this.


Yes please, document this, this sounds great!


No, that's not what it means. The key is stored on their server, but you still need to provide a password to unlock the key. In the same way that you can password protect an SSH key.

It's also the same way ProtonMail encrypts their email. They have to store the private key for you to be able to use the email on any browser.


This is demonstrably false: you can restore an iCloud backup on a new device without the original device password. Only with iCloud credentials which can be reset by Apple.

Only enabling ADP, disabled by default and unavailable in the UK, makes it like you describe.


It is extremely simple, actually. Don’t use “Messages in iCloud” and don’t back up your Messages app to iCloud, and Apple cannot see your message content at all. Luckily these are the defaults.


It is definitely not the default to exclude iMessage from iCloud backups.


This is false. If you turn off the "Messages in iCloud" feature then your messages are included in your regular iCloud backup which Apple has the keys to decrypt, as disclosed.

Of course iCloud backup is itself optional. But Apple gives you and the people you're messaging no other option for cloud backups. ADP actually encrypts your backups, but since it defaults to off your messages are almost certainly still readable by Apple thanks to the keys stored in other people's backups.


And of course ADP is off in the U.K., where I live. And iMessage sometimes randomly falls back to unencrypted SMS/MMS even when you ticked the checkbox disallowing this in System Settings.


> If you turn off the "Messages in iCloud" feature then your messages are included in your regular iCloud backup which Apple has the keys to decrypt, as disclosed.

No, if you do not use “Messages in iCloud” then your iMessage private key does not leave your device.


If you turn off Messages in iCloud then the messages are instead stored in your iCloud backup and encrypted "In transit & on server" with key storage by Apple, not just on your devices, as specified in the fourth row of the "Data categories and encryption" table in the Apple support article I linked. "In transit & on server" means not e2ee. That is, Apple can decrypt the messages at will without notice or consent.

If the messages were still protected by e2ee with key storage only on your devices then it would specify that in the table. Some other data types like keychain passwords and Memoji are in fact protected by e2ee even when ADP is not enabled, and the table reflects that. Messages do not fall in the category of e2ee without ADP.



