The promise of end-to-end encryption has become a kind of security blanket for millions of Americans — journalists, lawyers, activists, and ordinary citizens who assume that apps like Signal render their private conversations untouchable. That assumption just took a serious hit.
Court documents recently unsealed in a federal case reveal that the FBI successfully recovered deleted Signal messages from an iPhone belonging to a suspect in a criminal investigation. Not through some exotic zero-day exploit. Not by breaking Signal’s encryption protocol. Through a far more mundane vulnerability that most iPhone users have never thought to address: iCloud backups.
The case, first reported in detail by TechRadar, has sent ripples through the privacy and cybersecurity communities, prompting renewed warnings about a gap between what users believe encrypted messaging apps protect and what they actually protect. The distinction matters enormously — and not just for people with something to hide.
Signal, widely considered the gold standard of secure messaging, encrypts messages so thoroughly that even Signal itself cannot read them. The nonprofit behind the app has repeatedly demonstrated in court that it holds virtually no user data. When served with subpoenas, Signal has produced little more than account creation dates and last connection times. Its encryption protocol, developed by cryptographer Moxie Marlinspike, is the same one that underpins WhatsApp’s security for its two billion users.
But encryption protects data in transit and at rest within the app. It does not — and cannot — protect data that gets copied somewhere else.
This is where Apple’s iCloud backup system enters the picture. By default, iPhones are configured to back up substantial amounts of device data to iCloud, including, in many configurations, app data and attachments. When a user hasn’t specifically excluded Signal’s data from iCloud backups, fragments of conversations, attachments, and metadata can be swept up into Apple’s cloud servers during routine backup cycles. And unlike Signal’s own infrastructure, Apple’s standard iCloud backups are not end-to-end encrypted by default. Apple holds the decryption keys. Which means Apple can — and does, when compelled by valid legal process — hand that data over to law enforcement.
That’s precisely what appears to have happened in the FBI case. Investigators didn’t crack Signal. They didn’t need to. They went around it.
The iCloud Blind Spot That Undermines Encryption
The mechanics of this vulnerability aren’t new to security researchers. For years, privacy advocates have warned that iCloud backups represent a significant weak point in the security chain for iPhone users. In 2020, Reuters reported that Apple had shelved plans to fully encrypt iCloud backups after the FBI raised objections, arguing it would hamper investigations. Apple eventually reversed course in late 2022, introducing a feature called Advanced Data Protection that extends end-to-end encryption to iCloud backups — but it remains an opt-in feature that the vast majority of users have never activated.
The numbers tell the story. Apple has more than 1.5 billion active iPhone users worldwide. Estimates from security researchers suggest that only a small fraction — likely in the single-digit percentages — have turned on Advanced Data Protection. Most users don’t even know it exists.
So what does this mean in practice? If you use Signal on an iPhone with standard iCloud backup settings, your messages may be encrypted on your device and encrypted during transmission, but copies or fragments of those messages could be sitting on Apple’s servers in a form that Apple can decrypt. The same applies to WhatsApp, Telegram’s secret chats, and essentially any encrypted messaging app whose data gets swept into an iCloud backup.
Signal’s own documentation addresses this. The app includes a setting to disable iCloud backups of Signal data specifically, and the organization has long recommended that security-conscious users take this step. But the default configuration leaves it up to the broader device backup settings — which, again, most users never modify.
Privacy researcher and Johns Hopkins cryptography professor Matthew Green has been vocal on this point for years. “People have this mental model where they think Signal equals safe,” Green has noted in public commentary. “But Signal can only protect what it controls. It can’t protect against the operating system copying your data to the cloud.”
The FBI’s success in this case is a concrete illustration of a theoretical risk that experts have long discussed. And it arrives at a moment when encrypted communications are under intensifying political and legal pressure on multiple fronts.
In Europe, the proposed “Chat Control” regulation would require messaging platforms to scan messages for child sexual abuse material — a requirement that privacy advocates say is fundamentally incompatible with end-to-end encryption. In the United Kingdom, the Online Safety Act gives regulators the theoretical power to demand that platforms build in backdoor access. And in the United States, the FBI and Department of Justice have spent more than a decade arguing that encryption creates a “going dark” problem that shields criminals from lawful surveillance.
The irony is that the FBI didn’t need a backdoor here. The front door was open the whole time.
Apple’s position on this is nuanced. The company markets itself aggressively on privacy — “What happens on your iPhone stays on your iPhone” was the tagline of a memorable billboard campaign. And Apple has genuinely taken strong stances on device encryption, most famously refusing to help the FBI unlock the San Bernardino shooter’s iPhone in 2016. But iCloud backups have always been a different story. Until Advanced Data Protection, Apple maintained the ability to decrypt iCloud backup data, and it complied with tens of thousands of government data requests annually. Apple’s transparency reports show that in the first half of 2023 alone, the company received over 30,000 device requests from U.S. law enforcement and provided data in approximately 90% of cases.
Advanced Data Protection changes this equation — when it’s enabled. With the feature turned on, iCloud backups are encrypted with keys that only the user holds. Apple cannot decrypt the data, even if served with a warrant. But Apple doesn’t enable this by default, and the setup process requires users to designate a recovery contact or save a recovery key, adding friction that discourages adoption.
For iPhone users who rely on Signal or any encrypted messaging app and want their privacy settings to actually match their expectations, the steps are relatively straightforward but require deliberate action. First, enable Advanced Data Protection in Settings > [Your Name] > iCloud > Advanced Data Protection. Second, within Signal’s own settings, disable iCloud backups for Signal data specifically. Third, consider whether you need iCloud backup at all — local encrypted backups via a Mac or PC offer an alternative that keeps data entirely off cloud servers.
Android users face a parallel but somewhat different situation. Google’s cloud backup system has offered end-to-end encrypted backups since 2018 for devices running Android 9 and above, using the device’s lock screen PIN, pattern, or password as part of the encryption key. This means Google cannot decrypt backup data from modern Android devices — a stronger default posture than Apple’s standard iCloud backup. But Android’s fragmented update situation means older devices may not have this protection, and users should verify their specific backup encryption status.
The broader lesson here extends beyond any single app or operating system. Encryption is not a magic shield. It’s a tool with specific properties and specific limitations. End-to-end encryption protects messages between sender and receiver. It does not protect messages that are copied, backed up, screenshotted, or otherwise extracted from the encrypted environment. The weakest link in any security system is almost always at the edges — where encrypted data meets unencrypted storage, where careful app design meets careless default settings, where user assumptions diverge from technical reality.
Signal remains an exceptionally well-designed tool. Nothing about the FBI’s recovery of messages suggests any flaw in Signal’s encryption or its protocol. The vulnerability exploited here is entirely outside Signal’s control — it sits in the interaction between Apple’s backup infrastructure and users who haven’t taken steps to lock it down.
But that’s cold comfort for anyone who assumed their deleted Signal messages were actually gone. In security, assumptions are the enemy. And the gap between perceived privacy and actual privacy just got a very public illustration.
For the millions of iPhone users who downloaded Signal precisely because they wanted communications that couldn’t be surveilled, the message is blunt: your app is only as secure as the system it runs on. Check your settings. Today.
Pingback: Your Encrypted Messages Aren’t As Safe As You Think: How The FBI Recovered ‘Deleted’ Signal Texts — And What IPhone Users Should Do Now - AWNews