Apple's privacy game is strong, but only if you avoid the cloud.
Apple has taken a strong stance on privacy ever since the FBI began loudly demanding encryption backdoors into its products. The company's statements about its iMessage service seem plain as day: Apple can't read messages sent between Apple devices because they're encrypted end-to-end, decipherable only by you and the intended recipient.
"If the government laid a subpoena to get iMessages, we can't provide it," CEO Tim Cook told Charlie Rose back in 2014. "It's encrypted and we don't have a key."
But there's always been a large and often-overlooked asterisk in that statement, and its name is iCloud.
It turns out the privacy benefits Apple likes to talk about (and the FBI likes to complain about) basically disappear when iCloud Backup is enabled. Your messages, photos and whatnot are still protected while on your device and encrypted end-to-end while in transit. But you're also telling your device to CC Apple on everything. Those copies are encrypted on iCloud using a key controlled by Apple, not you, allowing the company (and thus anyone who gets access to your account) to see their contents.
Apple's Privacy page makes a minor acknowledgement of this, saying "we do back up iMessage and SMS messages for your convenience using iCloud Backup," but reassuring that "you can turn it off whenever you want."
To its credit, Apple does present this as a choice rather than making it a default setting. It's also possible to do encrypted non-cloud backups locally through iTunes. But while security experts and journalists know to avoid iCloud like the plague, the ramifications of that choice aren't always so obvious to average users.
Apple asks you to set up iCloud pretty much the minute you activate a new iPhone or iPad. But it doesn't make super-clear that by doing so, your otherwise "unreadable" iMessages and other data become very much readable to Apple and anyone else who comes knocking–whether that's law enforcement officers with a subpoena or hackers searching for nude selfies.
The company also doesn't offer a way to locally encrypt iCloud backups (using a combination of your Apple login and device passcode, for example) which would allow Apple to store your data on its servers but not access it. Ideally that would be at least an option, but right now it's all or nothing. (The one exception is your password keychain, which is protected by a master password that Apple does not possess.)
So it's true that Apple can't access your messages. But only if you know to avoid a feature that it encourages its customers to use.
This crucial fact is rarely noted in articles about end-to-end encryption apps. A recent primer in Wired lists iMessage next to trusted alternatives like Signal, but doesn't mention the iCloud quirk at all. Other reports on iMessage encryption have only included it as a footnote while focusing on other important shortcomings, like users' inability to verify message fingerprints and make sure they're not being targeted by a man-in-the-middle attack.
Admittedly, it's hard to know the true scope of how users are affected. The most recent estimate from software consulting firm Asymco shows there were 500 million iCloud users in March of 2014. That number was 300 million when last reported by Apple a year earlier, and it's safe to assume it's only grown since.
But it's not clear how many of those people actually use iCloud Backups. I tried reaching out to Apple, but no one could tell me what percentage of users have activated the feature. Likely complicating that answer even further is the fact that not all users backup regularly.
The company also couldn't say why it doesn't give users the option of storing cloud backups that are encrypted locally, but it's a good bet the answer has to do with convenience; if such backups were allowed, it would mean Apple couldn't help users who forgot the passcode to decrypt their data.
For many users, Apple's encryption offerings are still more than enough. But if you don't want Apple to be capable of accessing your data, the solution remains the same: Backup locally through iTunes, turn off iCloud and never look back.