Privacy debate shifts to ownership

The privacy fight is shifting from hacked accounts to a simpler question: who controls your data once it is copied into the cloud. (support.apple.com) A backup is a second copy you keep so you can restore a phone after it is lost, wiped or replaced. On Android, Google says device backups are uploaded to your Google Account and can be restored to another Android phone. (support.google.com) Encryption is the lock on that copy, and the key decides who can open it. Apple says standard iCloud protection encrypts stored data, but Apple keeps access to the keys so it can help with recovery on a new device or after a forgotten password. (support.apple.com) Apple says its optional Advanced Data Protection changes that arrangement by moving the keys for most iCloud data back to the user’s trusted devices. Since iOS 16.2, that option has covered iCloud Backup, Photos and Notes, and Apple says it raises the number of end-to-end encrypted iCloud categories to 25. (support.apple.com) Google draws a similar line inside Android backups. Google says all backup data is encrypted in transit and at rest, but only some of it is end-to-end encrypted with the phone’s screen-lock PIN, pattern or password. (support.google.com) That gap is why messaging backups keep surfacing in privacy arguments. WhatsApp said in October 2021 that it added optional end-to-end encrypted backups for chats stored in iCloud or Google Drive, instead of leaving those copies protected only by the cloud provider’s standard account security. (about.fb.com) WhatsApp says those encrypted backups can be locked with a password or a 64-digit key, and that only the user can use that secret to restore the backup on a new device. The tradeoff is recovery: WhatsApp says that if you lose the password or key, you cannot access that encrypted backup. (faq.whatsapp.com) Meta tried to reduce that friction on October 30, 2025, when it announced passkey-encrypted chat backups for WhatsApp. The company said users could restore encrypted backups with a fingerprint, face scan or screen-lock code instead of remembering a long password or 64-digit key. (about.fb.com) The policy language is also moving toward user rights, not just breach cleanup. Singapore’s Personal Data Protection Act sets a baseline for how organizations collect, use, disclose and care for personal data, and the law’s 2020 amendments began taking effect in phases from February 1, 2021. (pdpc.gov.sg) The new pressure point is not whether companies say data is encrypted, but which copy is encrypted, who holds the key, and whether recovery tools quietly give the provider a way back in. That is turning privacy from a breach-response story into a fight over custody. (support.apple.com)