NPR Yesterday wrote a story on the efforts of tech companies to protect consumer data, which included an extensive chart on how companies measure up when it comes to encryption.
While Apple was found to be encrypting iMessage end-to-end, as well as email from customers to iCloud, it was found to be one of the few global email providers based in the U.S. that does not encrypt customer email in transit between providers. That means emails that are sent from iCloud to iCloud are encrypted, but emails sent from iCloud to other providers, such as Gmail, are not encrypted.
Following the post, however, Apple told NPR that it is planning to encrypt those emails in the near future.
As noted by 9to5Mac, Apple's response to NPR mentions only Me.com and Mac.com without a mention of the newer iCloud.com email addresses, but Google's data protection transparency website suggests that outbound iCloud.com emails are not encrypted, so it is likely Apple's plans include changes to the iCloud.com domain as well.Apple encrypts e-mail from its customers to iCloud. However, Apple is one of the few global email providers based in the U.S. that is not encrypting any of its customers' email in transit between providers. After we published, the company told us this would soon change. This affects users of me.com and mac.com email addresses.
NPR's study also noted that many app installations and iOS updates are sent unencrypted to iPhones, as are configuration files sent from telecom companies, and pre-login browsing/shopping traffic from the Apple Store.
Article Link: Apple Plans to Encrypt iCloud Email in Transit Between Providers