Apple Passwords (iCloud Keychain)

Grade: F (Fail)
Apple · 🇺🇸 United States

Technical details
App: none (no Android app)
Manufacturer: Apple Inc.

⚠️ The bottom line

Unless Advanced Data Protection is enabled (and most people have not enabled it), Apple holds the keys to the iCloud backups that carry your Keychain data. Law enforcement serves Apple a warrant, Apple decrypts the backup, and hands over the passwords it contains. Apple received 12,812 US account-data requests in the first half of 2024 alone and complied with most of them. Apple had planned to encrypt iCloud so that even Apple could not read it; the FBI objected and Apple dropped the plan. Roughly four years later it shipped the capability as an opt-in feature buried in settings that most people will never open. One caveat worth knowing: Apple's own iCloud security documentation lists Passwords and Keychain as end-to-end encrypted even under standard data protection, so the exposure described here runs through iCloud Backup rather than through Keychain sync itself.

Legal jurisdiction
🇺🇸 United States (headquarters)
CLOUD Act: the US government can demand your data from this company even if it is stored overseas.
FISA §702 / PRISM: the NSA collects stored emails, photos and messages without individual warrants.
Geofence warrants: police can demand location data for everyone near a crime scene.
Spying: 0/4 N/A (Is someone spying on me?)
Data Sharing: 3/4 HIGH (Who gets my data?)
Security: 4/4 EXTREME (Is it actually secure?)
Honesty: 3/4 HIGH (Can I trust what they say?)
Verdict: REPLACE. Extreme risk. Look for alternatives or lock down hard.
Use KeePassXC or Bitwarden instead: zero cloud and zero telemetry (KeePassXC) or open source (Bitwarden).
6 contradictions (2 critical, 3 high, 1 medium) across 6 sources.
Findings by concern
Data Sharing 3/4 HIGH 1 finding
⚡ High: policy claims vs regulatory findings
France fined Apple EUR 150M because App Tracking Transparency blocks competitors' tracking while Apple's own advertising is not held to the same prompt. Meanwhile the $95M Siri settlement resolved claims that Siri recorded private conversations without consent; Apple settled without admitting wrongdoing. Privacy is their marketing, not their practice.

What they claim: App Tracking Transparency exists to protect users' privacy.

What we found: France's competition authority (the Autorité de la concurrence, not the data-protection regulator CNIL) fined Apple EUR 150M in March 2025, ruling that the way App Tracking Transparency was implemented abused Apple's dominant position: privacy used as a lever to disadvantage competitors while Apple's own advertising platform was not subject to the same consent prompt. The $95M Siri settlement (Lopez v. Apple, settled without admission of liability) further undercuts the privacy claims.

Security 4/4 EXTREME 4 findings
⚠️ Critical: policy claims vs firmware analysis
Unless Advanced Data Protection is enabled (and most people have not enabled it), Apple holds the keys to the iCloud backups that carry your Keychain data. Law enforcement serves Apple a warrant, Apple decrypts the backup, and hands over the passwords it contains. Apple received 12,812 US account-data requests in the first half of 2024 alone.

What they claim: Apple markets privacy as a fundamental human right: 'what happens on your iPhone stays on your iPhone'.

What we found: iCloud Keychain syncs passwords via iCloud, and Apple documents that sync as end-to-end encrypted even without ADP. The weak point is iCloud Backup: without Advanced Data Protection (ADP) enabled, device backups, which contain Keychain data, are encrypted with keys Apple holds, and Apple can and does provide that data to law enforcement. In H1 2024, Apple received 12,812 US account data requests and complied with the majority.

⚠️ Critical: policy claims vs regulatory findings
Apple had planned to encrypt iCloud so that even Apple could not read it. The FBI objected and Apple dropped the plan. Roughly four years later it shipped the capability as an opt-in feature buried in settings that most people will never open.

What they claim: Apple positions itself as the privacy-first alternative to Google and Microsoft.

What we found: Reuters reported in January 2020 that Apple had internally planned full iCloud end-to-end encryption (codenamed Plesio/KeyDrop) about two years earlier but dropped it after FBI objections. Advanced Data Protection was not released until December 2022, and only as opt-in. Apple chose law-enforcement access over user privacy, then marketed privacy as its differentiator.

⚡ High: firmware analysis vs regulatory findings
Apple's Secure Enclave chip is genuinely strong hardware security. But CVE-2025-24204 let an attacker dump your Keychain passwords without any authorization prompt. The software keeps letting people walk around the hardware.

What they claim: Apple Passwords uses AES-256-GCM with Secure Enclave hardware protection

What we found: CVE-2025-24204: macOS gcore utility could dump Keychain passwords without proper TCC authorization. CVE-2024-44162: Keychain access control bypass. CVE-2024-44131: TCC bypass allowing access to iCloud-synced data including Keychain items. Hardware security is strong but software vulnerabilities repeatedly bypass it.

⚫ Medium: firmware analysis
Apple designed Advanced Data Protection so that enabling it is intimidating: warning screens about losing access, and a requirement that every device on the account be updated first. Some of that friction is inherent to encryption Apple cannot undo; the opt-in default is not. Security researchers estimate single-digit adoption. The 'privacy option' that Apple knows almost nobody will use.

What they claim: Advanced Data Protection provides end-to-end encryption for iCloud data.

What we found: ADP is opt-in, requires every device signed into the account to run a recent OS version, and Apple warns users prominently that once it is on, Apple can no longer recover their data; the user must set up a recovery key or recovery contact first. A provider that does not hold the keys genuinely cannot restore access, so part of the warning is honest. The opt-in default is a choice, and it keeps adoption low. Apple does not publish adoption rates, but security researchers estimate it remains in single-digit percentages.

Honesty 3/4 HIGH 1 finding
⚡ High: policy claims vs app permissions
If you ever switch to Android or Linux, your passwords do not come with you: there is no app and no sync, only a manual CSV export. Apple didn't build a password manager so much as a lock-in mechanism.

What they claim: Apple Passwords is positioned as a full password manager replacement.

What we found: Apple Passwords has NO Android app, NO Linux support, and NO Windows app beyond iCloud for Windows and its browser extension, which offer limited functionality. Users are locked into Apple's ecosystem. Switching platforms means a manual CSV export, which drops every password in plaintext on disk until you delete the file. This is ecosystem lock-in disguised as a feature.
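Since the only way out of the ecosystem described above is that CSV export, here is an added example (not code from this page, from Apple, or from Bitwarden) that converts the export into the column layout Bitwarden's CSV importer reads, flags entries worth a second look, and writes the result owner-only so the plaintext copy is not readable by other accounts. It assumes the header Apple writes in a Passwords export (Title, URL, Username, Password, Notes, OTPAuth) and Bitwarden's published individual-vault import columns; both are assumptions to confirm against the first line of your own export before trusting the output. The sample export embedded in the block is constructed, not real data.

```python
import csv
import io
import os

# Column names Apple writes in a Passwords/Safari CSV export (assumption:
# verify against the header line of your own export).
APPLE_REQUIRED = ("Title", "URL", "Username", "Password")
APPLE_OPTIONAL = ("Notes", "OTPAuth")

# Bitwarden's individual-vault CSV import header (assumption, taken from its
# published import format).
BITWARDEN_HEADER = ("folder", "favorite", "type", "name", "notes", "fields",
                    "reprompt", "login_uri", "login_username", "login_password",
                    "login_totp")

# Constructed sample of an Apple export: one entry with a TOTP seed and a
# password containing a comma and a double quote, one entry with no password.
SAMPLE_APPLE_EXPORT = '''Title,URL,Username,Password,Notes,OTPAuth
example.com,https://example.com/login,alice,"p,ss""word",,otpauth://totp/example.com:alice?secret=JBSWY3DPEHPK3PXP&issuer=example.com
legacy.example.net,http://legacy.example.net,bob,,old account,
'''


def convert(apple_csv_text, folder=""):
    """Return (bitwarden_csv_text, warnings) for an Apple Passwords export."""
    reader = csv.DictReader(io.StringIO(apple_csv_text))
    have = set(reader.fieldnames or [])
    missing = [c for c in APPLE_REQUIRED if c not in have]
    if missing:
        raise ValueError("not an Apple Passwords export; missing columns: %s" % missing)
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=BITWARDEN_HEADER, lineterminator="\n")
    writer.writeheader()
    warnings = []
    for n, row in enumerate(reader, start=1):
        if not row["Password"]:
            # Entries without a password are usually stale; review before import.
            warnings.append("record %d (%s): empty password" % (n, row["Title"]))
        writer.writerow({
            "folder": folder,
            "favorite": "",
            "type": "login",
            "name": row["Title"],
            "notes": row.get("Notes") or "",
            "fields": "",
            "reprompt": "0",
            "login_uri": row["URL"],
            "login_username": row["Username"],
            "login_password": row["Password"],
            # Apple stores the full otpauth:// URI; Bitwarden accepts it as-is.
            "login_totp": row.get("OTPAuth") or "",
        })
    return out.getvalue(), warnings


def parse_rows(csv_text):
    """Parse CSV text back into a list of dicts, for checking the result."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def convert_file(src_path, dst_path, folder=""):
    """Convert on disk. The output is created owner-read/write only and the
    call refuses to overwrite, because both files hold every password in
    plaintext."""
    with open(src_path, newline="", encoding="utf-8") as f:
        text, warnings = convert(f.read(), folder)
    fd = os.open(dst_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8", newline="") as f:
        f.write(text)
    return warnings


if __name__ == "__main__":
    text, warnings = convert(SAMPLE_APPLE_EXPORT, folder="Apple import")
    print(text)
    for w in warnings:
        print("warning:", w)
```

Both the export and the converted file hold every password in the clear; import, then delete both (on a copy-on-write filesystem such as APFS, deleting is the realistic option, since in-place overwriting is not reliable). The same parsed rows would feed KeePassXC's CSV importer, which lets you map columns interactively instead of requiring a fixed header.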

What happened to real people
Documented incidents involving Apple products and user data.
PRISM participant since 2012. Apple dropped full iCloud E2EE plans (codenamed Plesio/KeyDrop) after FBI objections (Reuters 2020). Advanced Data Protection released 2022 as opt-in with deliberate friction.
Apple handed over iCloud backups in 1,568 cases covering ~6,000 accounts, a 90% compliance rate. Surveillance firm: 'If you did something bad, I bet I could find it on that backup.'
Government requests for push notification metadata rose from 158 (H1 2023) to 277 (H1 2024). Push tokens can identify devices and link them to accounts.
What your data is worth to governments
Apple complied with 12,043 government data requests in H1 2024. That's +621% over 10 years. Apple has been a confirmed PRISM participant since 2012. Under this programme, the NSA collects stored communications. The company is legally prohibited from telling you. Jurisdiction: US (CLOUD Act, FISA Section 702).