[unloader6118]

There are some fundamental different between two ecosystems.

On Google, the Google Drive and Photo are encrypted to a key owned by google.

On iCloud, the iCloud Drive and Photo are encrypted to your account key. In which, without ADP, this key is shared with Apple. When ADP is enabled, Apple does not store this key. iCloud Backup is stored with the same technology as iCloud Drive.

When it comes to lost password account recovery:

- Google can just reset your password, and your drive and photo are still accessible. All barrier are procedural, not technical.

- iCloud (with ADP), they can still reset your password, but then your icloud drive and icloud photo are loss forever.

There are some trade off ..:

- Lost password recovery experience. _Some_ user will lost their password anyway. How high should the bar be?

- Cloud first? or local device first with cloud backup?

- Are you giving the cloud data same protection as local device?

In google's solution, they put the google drive data at risk...

In apple's solution, it need extra steps to ensure you have proper account recovery flow covered.

[modeless]

That's all fine, but tangential to my complaint, which is about iMessage specifically. iMessage, as a system that strongly promotes e2ee as a core feature, should not be backing up its encryption keys to non-e2ee iCloud backup in any scenario. Messages should fall in the same category as keychain passwords and (yes!) Memoji, backups of which are always end-to-end encrypted even when ADP is not enabled.

In fact I would say calling iMessage an e2ee system is false advertising until this is corrected. Reasonable people would assume that an Apple system advertised as e2ee would make an effort to prevent Apple servers from having the keys to decrypt most iMessages, while the reality is with these defaults it's likely that a large majority of iMessages can be decrypted by Apple servers at will.

[xvector]

You aren't understanding the point being made in OP. Everyone here understands the crypto for ADP vs non-ADP, there's no need to explain it.

The simple fact of the matter is that if I have ADP enabled, my chats should be excluded from the backups of those I'm communicating with (it should be as an opt-in basis at the very least).

Not having this renders ADP useless for the purpose of its stated threat model.

[joshstrange]

Why does your desire for complete privacy and _control_ outweigh mine to keep a complete history of my communications?

Why can you reach into my phone and wipe data you sent to me?

Why are _you_ the final arbiter?

Once you send a message it is _out of your hands_. You do not own that message. You do not have the right to dictate to others what they can do with what you send to them. That’s life, that’s reality.

If you want to be able to delete your sent messages from other’s devices, there are many apps out there that can provide it to you and both you and the person you are talking to can go in “eyes wide open” to what you agreeing to (I can delete messages I sent to you and you have no record).

The potential for abuse of this is high and the vast majority of users would _not_ want this feature. The same way that mostly people probably shouldn’t use ADP due to the risks, this type of feature will cause way more issues IMHO. It doesn’t take much imagination to get to “Grandpa pressed the wrong button and deleted years (decades) of conversation from everyone’s phone”.

I am not interesting my normal conversations potentially disappearing. That was not the agreement that we had and changing the rules later on that is gross to me. If you want disappearing chats or the ability to wipe all the messages you’ve sent there are other apps (with their own pitfalls, what if I keep my phone offline and never get the update to clear out your conversations?).