← The Journal
Privacy

Can Apple read your notes?

By MarkJul 6, 20263 min read
An open MacBook and a notebook with a pen on a warm wooden table

It’s the question, almost nobody asks, about the app they trust with their most private thoughts. So let’s just ask it straight-forwardly, and answer it plainly.

Privacy · 3 min read

Yes. On a standard iCloud account, Apple can read your notes. Not because anyone at Apple is sitting there reading them, but because the way it’s built leaves the door open. Apple holds the keys to your Notes, so it can technically open them, and it can be compelled to.

That’s not a scandal and it isn’t unique to Apple. It’s just how most cloud software has to work. If a company can show you your notes on a new phone after you’ve forgotten your password, then the company can get into your notes. The convenience and the access are the same thing seen from two sides.

What “encrypted in iCloud” actually means

Apple does encrypt your notes, in transit and on its servers. That protects you from a thief who steals a hard drive and from someone snooping the connection. It doesn’t protect you from Apple, because they keep a copy of the key.

There’s one exception and it’s worth knowing about. Apple’s Advanced Data Protection (ADP) makes iCloud end-to-end encrypted, which shuts that door properly. The catch is that it’s off by default, you actually have to go and turn it on, and new users in the UK can no longer turn it on at all.

So the honest picture is this. Unless you’ve specifically enabled Advanced Data Protection, and you’re somewhere you still can, your notes sit in iCloud under a key Apple holds.

If a company can recover your notes when you forget your password, it can read your notes.

Does it matter?

For a shopping list, no. For a photo of a receipt, no. If your notes are low-stakes and you’re happy trusting Apple, standard iCloud is genuinely fine and you should carry on.

It starts to matter when your notes become the place you actually think. Years of half-formed ideas, the things you’d never say out loud, drafts of difficult messages, the stuff you’d hate anyone to index. Right then “it’s encrypted” and “only I can read it” stop being the same sentence, and the gap between them is the whole point.

What to do about it

You’ve got a few options, in rough order of effort.

  • Turn on ADP, if you can still enable it where you are. It’s the single biggest improvement you can make to Apple Notes without leaving it.
  • Lock individual notes. Apple lets you password-protect single notes, which end-to-end encrypts just those. Good for the sensitive few, impractical for everything.
  • Use an app that is easily validated as zero-knowledge by default, so there’s no setting to remember and no key held by anyone but you.

That last one is what we built. In Catchlight every note, task and reminder is encrypted, on your device, with a 12-word Privacy Phrase that only you ever see. We don’t run a cloud of our own, we don’t hold your key and we couldn’t hand your notes over if someone came asking. The answer to “can the company read your notes” is no, and it stays no, because it was never an option in the first place.

Notes that are yours alone, by design.

Catchlight launches soon for iPhone. Join the list, early joiners get 30 days free instead of 14.

Early joiners get 30 days free, instead of 14, when we launch, and that’s all we’ll email you about.