a federal police operation in brazil that arrested famous rappers in april 2026 made headlines everywhere. but most articles focused on the artists and the billion-reais scheme. what caught my attention was another detail. the thread that pulled everything was an icloud backup from the accountant rodrigo morgado.
then people went to twitter saying "wow icloud is so secure even apple cant protect it". (ꐦ°᷄д°᷅) thats not what happened. icloud was duly "hacked" by the federal police... with a court order. apple simply handed over the data. exactly like it does every day, all around the world.
this isnt a security flaw. its the system working exactly as designed.
icloud wasnt breached. it obeyed the law
i already wrote about this in my article about cellebrite and digital raids, where i explain why google drive, dropbox and standard icloud arent safes, and what real client-side encryption is. but the rappers case is a perfect example to recap.
icloud uses server-side encryption. this means ur data is scrambled on apples servers, but the key to unscramble stays with apple, not with u.
- server-side encryption (default): apple holds the key. court order → apple hands over everything.
- client-side encryption: only u have the key. not even apple can decrypt.
standard icloud is server-side. apple can read ur files if it wants (or is forced to). and it does this regularly when receiving court orders, its published in their own transparency report.
what an icloud backup keeps (and most people forget)
according to reports, the cross-referenced material included statements, receipts, conversations, corporate records, contracts, powers of attorney and financial documents. all stored by the accountant on icloud, probably with automatic iphone backup enabled.
and what else comes in a standard icloud backup? lets see:
- photos and videos (with location and date metadata)
- imessage and sms messages
- notes from the notes app
- icloud drive files
- emails (if u use icloud mail)
- calendar and contacts
- health history (healthkit)
- passwords (keychain, depending on config)
if u use iphone with icloud active, all of this is being synced automatically while u sleep, connected to wifi and power. most people dont even know whats there.
a backup like this literally becomes a timeline of the persons life, where they were, who they talked to, what they planned, what they received. for investigators, its gold.
there is protection. but almost no one enables it
apple has a feature called advanced data protection. when enabled, encryption becomes client-side for most categories. not even apple itself can decrypt.
settings → [your name] → icloud → advanced data protection → turn on. simple as that. but read the warning. if u lose account access and dont have recovery contact configured, u lost everything. apple cant help u.
but theres a catch (⌐■_■), not everything is covered even with advanced protection on. icloud mail, calendar and contacts stay out for interoperability reasons. so ur email messages and agenda remain accessible by apple via court order.
the irony of the case
reports mention the accountant "placed great trust in iclouds digital security". that sentence sums up the whole problem.
this is a classic confusion, mixing up convenient with secure. icloud is extremely convenient. ur files are available on all devices, with automatic backup, zero effort. but convenient and private are almost opposite concepts.
a service that needs to be convenient has to hold ur key. a service that is truly private puts the key responsibility on u, and then it becomes less convenient.
google drive, dropbox, onedrive, icloud without advanced protection. all use server-side encryption. all comply with court orders. all can be accessed by internal employees under specific conditions. if u store something sensitive, this matters.
what i think about all this
look, i have zero sympathy for billion-reais money laundering schemes. the system worked, police investigated, court authorized, data was handed over.
but what worries me is the narrative that "icloud is secure" that keeps circulating. secure against what? against someone stealing ur password? yeah, relatively. against anyone accessing without a court order? not necessarily. against total privacy of ur data? definitely not.
privacy and security are distinct concepts and media mixes them up all the time. a physical bank is "secure" against robberies, but the government can freeze ur account. icloud is "secure" against amateur hackers, but apple hands over ur data when the judiciary orders it.
the question each person should ask is: who do i need to protect myself from?
- hackers and leaks? standard icloud is reasonable.
- court orders? only advanced protection, and even then it doesnt cover everything.
- corporate surveillance? use solutions with real client-side encryption, like proton drive, or roll ur own using rclone crypt + object storage.
i use proton mail for sensitive emails and backblaze b2 with client-side encryption via rclone crypt for important backups. for day-to-day files? icloud with advanced protection turned on. every layer of convenience i accept, i accept knowing the trade-off.
the rappers case doesnt change anything in technology. but its a public reminder that automatic cloud backup is, in practice, a copy of ur data available to the provider and whoever theyre forced to hand it to.
be careful what u upload to the cloud. (⌐■_■)