Bad Apple #5: iCloud Drive Folder Sharing Risks Data Loss
I want to like iCloud Drive, I really do. As I noted in “Cloud Storage Forecast Unsettled, with Possible Storms” (4 February 2022), iCloud Drive is attractive for Apple users. It’s reasonably priced, integrated into macOS and iOS, and unlikely to suffer from questionable privacy practices. On the downside, iCloud Drive has reliability problems that require toggling it off and back on periodically when it gets stuck—a Sync Now button and some decent logging to reveal what’s happening would be welcome.
But this is the Bad Apple column, and Bad Apple articles don’t complain about inadvertent bugs, nor do they address design decisions where reasonable people might disagree about the “right” way of doing something. Bad Apple articles call out something Apple has done intentionally but gotten utterly wrong.
Today’s target is the discovery that when collaborators in an iCloud Drive shared folder delete files or folders, those items are destroyed instantaneously, not put in the Trash or added to iCloud Drive’s Recently Deleted folder. They’re just gone, with no option for recovery. If that’s not bad enough—and it is—Apple has recently tweaked its already weak documentation in a way that further conceals this dangerous implementation. Bad Apple!
Quiet Warnings about Data Loss
Our story starts on 21 March 2022, when numerous Apple services, including iCloud Drive, became inaccessible for several hours. I was chatting with Paul Kafasis of Rogue Amoeba about whether the problem could be related to a Russian cyberattack or if it made more sense to invoke Hanlon’s Razor: “Never attribute to malice that which is adequately explained by stupidity.” The conversation segued into issues with iCloud Drive, including the desire for a Sync Now button, before Paul shared something he had discovered while researching a possible switch from Dropbox to iCloud Drive. In the main support article about iCloud Drive folder sharing, Apple made this statement:
If a participant of a shared folder deletes a sub-folder or file within that shared folder, that sub-folder or file deletes from all participants’ devices, and recovery is not available.
The emphasis is mine, but I added it because—Holy Mother of Baby Bovines!—that’s not OK! Apple has basically just said that anyone you add to an iCloud Drive shared folder can delete the entire contents of a shared folder and you can’t do anything about it. Bad Apple!
But wait, it gets worse. After the discussion with Paul, I got busy and put off writing up the problem. When I went back to our conversation today and clicked the link he had sent me, I ended up on a different page that focused on sharing iCloud Drive files and folders using iCloud.com. This page said nothing about what happens if a participant of a shared folder deletes a file or folder.
The new page threw me for a loop, but as is so often the case with Web shenanigans, the Internet Archive’s Wayback Machine revealed what had happened. Sometime between March 21st and April 1st, Apple started redirecting the previous page to the new one. Some spelunking through Apple’s documentation revealed that the company had split the previous page, which covered iCloud Drive sharing in iOS, macOS, Windows, and iCloud.com, into standalone pages in the macOS User Guide and iCloud User Guide. Yet another page that I found only through a search—it wasn’t linked to the pages about iCloud Drive folder sharing—discussed file and folder deletion, but without the emphasized warning from before:
If you’re a participant who can change shared files: Deleting a file from a shared folder deletes it from everyone’s devices.
With Hanlon’s Razor in mind, I think it’s unlikely that Apple intended to bury the fact that iCloud Drive shared folders are susceptible to data loss when participants delete files or folders from within a shared folder. Regardless of why it happened, the fact remains that Apple went from merely hiding this fact in a long but appropriate document to putting it in the bottom of a locked file cabinet stuck in a disused lavatory with a sign on the door saying “Beware of the Leopard.” Bad Apple!
But Maybe It’s Not True Anymore?
There’s another possibility. Perhaps Apple fixed iCloud Sharing shared folders so that files deleted by participants aren’t deleted with no chance for recovery? Wouldn’t that be great? Don’t get your hopes up.
To test, I put a test file in an iCloud Drive folder I share with Tonya, and we watched the file appear on her MacBook Pro. Then she deleted the file, which presented a warning dialog. At least Apple warns sharing users that deleting a file will take it away from others in the shared folder. What Apple doesn’t say is that deleting a file in an iCloud Drive shared folder does not result in that file being moved to the local Trash as you would expect from decades of using the Finder. Instead, macOS deletes the file instantly, which, while prefaced with a warning, is terrible behavior for a cloud sharing service. Bad Apple!
Why would Apple leave such a glaring hole in iCloud Drive folder sharing? After all, if the owner of a shared folder deletes a file in that folder, macOS and iCloud Drive provide the expected opportunities for recovery. When I deleted another test file from my shared folder, I saw the same warning dialog as Tonya, but the file ended up in my local Trash, from which I could easily restore it. Plus, when I logged into iCloud.com and looked in iCloud Drive, a Recently Deleted link appeared in the lower-right corner ➊. Clicking that link revealed the equivalent of iCloud Drive’s trash. Selecting the file and clicking Recover ➋ extracted the file from my local Trash and restored it to the sub-folder from which I had deleted it. With files deleted by the owner, iCloud Drive is doing everything right.
You might think that if Tonya, as a sharing participant, were to add a file to my iCloud Drive shared folder and then delete it, it would be treated as an owner-deleted file and end up in her local Trash. You would be wrong. Files added to the shared folder by participants are equally at risk for immediate deletion as any other. Bad Apple!
It’s worth noting that moving a file out of an iCloud Drive shared folder to another location on the Mac has the same effect of taking the file away from others who have access to the shared folder. Apple provides a similar warning dialog in that scenario, but the major difference is that the file remains available to whoever moved it out of iCloud Drive, such that they could put it back.
How Much Should We Worry?
iCloud Drive folder sharing has been around since macOS 10.15 Catalina, so it’s no longer new, and Apple has had two major releases of macOS to address underlying issues if they couldn’t be addressed entirely on the iCloud side. That hasn’t happened, which could suggest that Apple doesn’t see the immediate deletion of files by sharing participants as a problem. Or perhaps Apple’s engineers think that the warning dialog is sufficient. I’d push back hard on that—a keyboard-focused user who’s moving quickly could delete a file with Command-Delete and press Return to dismiss the dialog before even reading it.
I haven’t used iCloud Drive folder sharing in a fast-paced collaborative work environment, so I can’t speak from direct experience, but over 14 years of coordinating Take Control work in Dropbox, files occasionally went missing and needed to be restored from Dropbox’s Deleted Files collection. In a workflow that requires regular trashing of temporary files, it’s easy to imagine accidental deletion of more important documents. Plus, you’re at the mercy of everyone with whom you’ve shared an iCloud Drive folder. Are they all sufficiently technical and alert that they would never make a mistake? The other major cloud sharing services all offer such a purgatory for deleted files along with version history capabilities to protect against accidental editing or corruption—iCloud Drive sticks out like a sore thumb here.
Luckily, there is one bright spot in this otherwise bleak picture of iCloud Drive folder sharing, not that Apple will tell you about it: Time Machine. By default, Time Machine backs up the local copies of iCloud Drive files, not just for the owner, but also for all participants. I confirmed that Tonya’s Mac had backups of all the files in our shared folder, and I could click through the dates in Time Machine and see the contents of that folder change appropriately.
You’ll notice that I was careful to say that Time Machine backs up the local copies of iCloud Drive files. If you have Optimize Mac Storage selected in System Preferences > Apple ID > iCloud, macOS might replace iCloud Drive files with local stubs, and those stubs, even if backed up, wouldn’t contain the data you want. So, if you’re using iCloud Drive folder sharing, make sure to deselect Optimize Mac Storage or, if you need to keep that on due to insufficient local storage space, get someone else in your sharing group to do so. That’s your last-ditch backup if someone inadvertently deletes an important file.
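As an added example (not from the original article, and not Apple's code), here is one way to check which files in an iCloud Drive folder exist on a Mac only as placeholders, and so would have no data in that Mac's local backup. It assumes evicted files appear as hidden ".<name>.icloud" placeholders, as on macOS releases of this article's era; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an iCloud Drive folder for placeholder stubs.
# Assumption: an evicted file "report.pdf" is stored locally as the hidden
# placeholder ".report.pdf.icloud" (macOS of this article's era).
# Typical folder to audit on a Mac:
#   ~/Library/Mobile Documents/com~apple~CloudDocs/<shared folder>

# Print the original relative path of every evicted file under $1.
list_stubs() {
  ls_root=$1
  find "$ls_root" -name .Trash -prune -o -type f -name '.*.icloud' -print |
  while IFS= read -r stub; do
    dir=$(dirname "$stub")
    base=$(basename "$stub")
    name=${base#.}            # drop the leading dot
    name=${name%.icloud}      # drop the placeholder suffix
    rel=${dir#"$ls_root"}     # make the path relative to the audited folder
    rel=${rel#/}
    if [ -n "$rel" ]; then printf '%s/%s\n' "$rel" "$name"
    else printf '%s\n' "$name"; fi
  done | LC_ALL=C sort
}

# Count files whose data is really on disk (hidden files and .Trash skipped).
count_local() {
  find "$1" -name .Trash -prune -o -type f ! -name '.*' -print |
    wc -l | tr -d ' '
}

# Summarise a folder. Returns 0 when every file is local, 1 when stubs
# exist, 2 when the path is not a directory.
audit_folder() {
  af_root=$1
  [ -d "$af_root" ] || { echo "not a directory: $af_root" >&2; return 2; }
  af_stubs=$(list_stubs "$af_root")
  if [ -z "$af_stubs" ]; then af_n=0
  else af_n=$(printf '%s\n' "$af_stubs" | wc -l | tr -d ' '); fi
  echo "files with data on this Mac: $(count_local "$af_root")"
  echo "placeholder stubs (no data here to back up): $af_n"
  if [ "$af_n" -gt 0 ]; then
    printf '%s\n' "$af_stubs" | sed 's/^/  stub: /'
    return 1
  fi
  return 0
}

# Build a constructed sample tree (not real data) and print its path.
make_sample_tree() {
  st=$(mktemp -d) || return 1
  mkdir -p "$st/Shared/photos" "$st/.Trash"
  echo "real data" > "$st/Shared/notes.txt"
  echo "real data" > "$st/Shared/photos/cat.jpg"
  : > "$st/Shared/.budget.numbers.icloud"     # constructed placeholder
  : > "$st/Shared/photos/.trip.jpg.icloud"    # constructed placeholder
  : > "$st/Shared/.DS_Store"                  # Finder metadata, ignored
  echo "old" > "$st/.Trash/old.txt"           # owner's trash, ignored
  printf '%s\n' "$st"
}

# Audit the folder given as $1; with no argument, use the sample tree.
if [ -n "${1:-}" ]; then
  audit_folder "$1"
else
  sample=$(make_sample_tree)
  audit_folder "$sample" || true
  rm -rf "$sample"
fi
```

A non-zero result from the audit on a shared folder means that Mac's Time Machine backup cannot serve as the last-ditch copy for the listed files.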
Despite this hidden Time Machine workaround, Apple has done a poor job here. In the modern world, there should be no easy way to delete data, particularly someone else’s data, without any option for recovery. A single warning dialog with a default OK button that means “Nuke This File From Space” is unacceptable. For goodness sake, Apple popularized the entire concept of multi-step file deletion! Move a file to the Trash, choose Finder > Empty Trash, and respond affirmatively to the prompt—that’s been a staple of Mac use since 1984. Preventing accidental data loss is table stakes.
The solution to this particular problem is conceptually simple. Any file deleted or removed from an iCloud Drive shared folder by a participant should be treated just like a file deleted or moved by the owner. It may be technically simple as well. If you open your iCloud Drive folder in the Finder and press Command-Shift-. to reveal hidden files and folders, you’ll see a hidden .Trash folder (press Command-Shift-. a second time to hide them again). iCloud Drive files you delete as the owner go into that folder, which presumably causes them to appear in the local Trash and in the iCloud Drive Recently Deleted folder. Why can’t shared files deleted by a sharing group participant go into their .Trash folder, appear in their local Trash, and trigger a notification to the owner or the rest of the group?
If you want to encourage Apple to step up and make iCloud Drive folder sharing work correctly, join me in giving feedback to the iCloud engineers.
Hmmm… I wonder if Apple is looking at it differently. Let’s say I shared a file, realized it was an embarrassing mistake and wanted to unshare it immediately. I certainly don’t want everyone else to have access to it when I delete my copy. I want it gone entirely.
So there are a few scenarios:
My trash folder.
Apple’s tools are consumer tools and not business tools. File retention is extremely important for a business. You don’t want an employee to decide to delete all of the shared files they have access to right before they storm out upset at something. Thus, in a business tool, you never completely delete a file simply because an employee (or manager) deleted it.
However, as a consumer maybe the picture of me in my muscle shirt and shorts showing off my (grand)dad body might be something I no longer want to share now that I’m running for governor. I might have shared it with a dozen friends as a joke, but maybe I don’t want it leaking out there. I should be able to revoke sharing rights and suddenly no one has access to it.
None of this means Apple did this right, but it might explain Apple’s thinking a bit. Even as a consumer tool, Apple still needs to make sure they did it correctly.
You’re very generous.
If Apple was thinking along these lines, it would need to automatically exclude all iCloud Drive shared folders for which you’re not the owner from Time Machine backups. As it stands, everyone in a shared folder can have a complete copy of that folder’s contents in a local Time Machine backup. So I doubt that’s playing into the equation.
Even ignoring the Time Machine backup, which Apple itself seems to do, if Apple wants to let collaborators remove their files from a shared folder immediately, it should be putting the deleted file in the local Trash of the user who’s deleting it. Some deletions are entirely accidental, and no one should be punished for a mis-click before hitting Command-Delete / Return.
Hmm, I’ve had an even better idea. What if deleting a file from a shared iCloud Drive folder simply did a move to a local hidden folder before putting it in the local Trash? In other words, make the file local first, then trash it like any other local file. That way there’s a local version that could be restored like any other file? This doesn’t seem like rocket science. Or computational photography.
What about the case where the file hasn’t been downloaded locally because the Mac is optimizing its storage? If someone deletes it, is the file supposed to be downloaded and then put in the local trash? What if the file is large and there’s not enough free space locally?
Fair point. It’s harder to know how the iCloud Drive Recently Deleted folder works because it’s in the cloud, but using both that and the local version if there’s space is the answer.
Apple never uses the word “sync.” You will never see a “sync now” button. Maybe the less informative “Update” or something like that.
It appears that Apple is treating the shared iCloud drive as a networked drive. I’ve always found it strange that if I attach the home folder on my desktop to my laptop and then delete a file or folder on the desktop from the laptop, it doesn’t pass through any computer’s trash, but, after a warning, is immediately deleted. Yet if I’m on the desktop, the deleted file is in that computer’s trash.
In the article, you wrote:
That doesn’t work here on Monterey. Does that feature have to be enabled first somewhere?
I guess I could be less generous and possibly more accurate, so maybe something like this:
Back in 2011, before iCloud was announced, it was revealed that Steve Jobs wanted to buy Dropbox, but failed. I imagine the conversation went like this:
Steve: Dammit, I wanted to buy Dropbox, and they wouldn’t accept my offer. I even offered them free iPhones! I want you to implement something like Dropbox into our operating systems! I want it by the next release.
Engineer: That sounds like a wonderful idea! I’ll put together a team right now. We’ll go through syncing and various scenarios on file sharing and deleting. We don’t want people to lose work, but we must protect privacy. I should have a proposal put together in four weeks. Of course, it won’t go into this OS release, but it’ll be ready…
Steve: I SAID THE NEXT RELEASE!
So, maybe Apple was a bit light on features, workflow, and testing.
I use iCloud quite heavily to sync files between my Mac, iPhone, and iPad. It’s great when someone wants me to update a file while I’m away from my desk, and I can pull up my iPhone and get the change in right then and there.
And in that scenario, iCloud works great. However, sharing files between people, not so wonderful. I use it to share some files between my wife and myself. Usually things like house sitter instructions, so my wife or I can print them out. Actually, she usually asks me to do it, but at least I know that these things are in our shared folder.
If I was not retired, I’d probably have a standard subscription to Dropbox rather than the free version just to share files between myself and colleagues. I wouldn’t trust iCloud for that. Plus, that would require them to have iPhones and Macs.
I’m going to try to test various sharing scenarios to see how they work out.
With Apple’s iPhone/iPad focus, Time Machine, a great piece of software, is sort of forgotten. I wish iCloud had a built-in Time Machine backup system where you can go back in time to see older file versions.
An unrelated iCloud Drive problem: if I work “live” off a file in iCloud Drive, when I save or it auto-saves, the iCloud Drive state becomes briefly confused and the app I’m using often loads the previous version of the file—iCloud seems to revert temporarily and then download the new one, which is not ideal.
I only use Nisus Writer Pro with iCloud Drive, and I can be typing away and suddenly the file reverts back before recent changes. If I don’t keep typing, I can sometimes execute Undo, and it “reverts” to the version with my changes. If I type but a single key, changes are wiped out. I can then use the File > Versions command sometimes to go back one version and recapture the changes. Often, not.
I noted this on Twitter and a few people have this happen with other apps, too. No explanation as to why. I have gigabit Internet, and I have some wonder if low-latency is playing havoc: is the upload so rapid that iCloud Drive in macOS doesn’t update to reflect changes quickly enough and has cached an older version?
Whatever the reason, Dropbox does not have this problem, so I now have to copy files on iCloud Drive to Dropbox to edit while retaining the version history I want and sometimes need.
My mistake—it should be Command-Shift-. — I just biffed it when typing.
I’ve updated the article.
OneDrive has a similar issue, but at least the error message makes it clear, and it’s consistent whether you are the file owner or not. Starting with the OneDrive version that is compatible with Monterey 12.3, when you delete a file from OneDrive using the Finder, you get a warning message that it will not be saved in the Trash. If you go ahead with the delete, it is instead saved in the OneDrive Recycle Bin (in the cloud) and can be restored from there. This approach appears to have been triggered by the new Apple cloud management model.
Thanks for the details! I hadn’t previously considered that the new Apple cloud management model would change this behavior, and while I’m not super happy about deleted files not ending up in the local Trash as well, at least they’re in the OneDrive Recycle Bin in the cloud.
So now Apple just has to catch up with all the independent cloud services that are playing by Apple’s rules. ;-)
Remember AppleShare? Mac OS X Server? Any AFP server has the exact same behavior. Delete a file when you are connected to one using macOS/Mac OS X and it’s gone instantly. No Trash or any other recovery method.
Back in OS 9 and previous, there was a Network Trash folder (IIRC, by user), so you could trash a file and it would appear in your trash when you were connected.
Apple is just being consistent.
Should it work like in the OS 9 days? I think that would be a far better solution for both iCloud Drive and any AFP or SMB server sharepoint.
I seem to remember you would get a warning message to that effect.
Just sent feedback to Apple, as requested.
I don’t share my folders but I do work on a lot of different devices and that way I can always access important files (and they are) from those devices. The thought of inadvertently losing those files makes me shiver. After reading this I am considering moving over to Dropbox.
Can you lock a file to prevent it from being trashed?
Presumably that also prevents people from editing the file, but is there any difference between deleting a file and deleting its contents?
… unless iCloud Drive supports Versions.
I don’t know if locking would have the effect you want, but it’s sort of moot because the entire point of sharing a folder and allowing participants to make changes is that you want them to make changes. You can always share an iCloud folder as “view only,” which prevents the files from being deleted, but also prevents them from being changed.
I only use iCloud Drive for home use.
All our family home paperwork is stored digitally on my 2TB Mac Mini (“Optimise” storage is off). But so my other half can see it, I share with “read-only access” my whole documents folder with her (so she can read all our bills, and all associated comms docs, etc. for reference).
Then when she needs to edit a doc, I make a temporary copy, and share that in our “read & edit access” shared folder, then copy-paste the whole text back again to the read-only version when done and delete the temp version.
I did this regardless of knowing about this bug, as I like to keep the folder structure and know how easy it is for multi-person access to get confusing and difficult to maintain, with deletions.
This only works as she rarely edits info (I do most boring household admin paperwork, lol!). But for more complex needs with constant access and editing requirements, it wouldn’t. So this issue doesn’t sound good for most users.
Same is true for network drives mounted in Windows. There’s no trash for deletions there. (There is a time-machine-like “previous versions” feature, but that’s a feature of the network drive server, and at my workplace is locked down so you have to ask IT to restore for you.)
This is ultimately the problem. iCloud needs versioning, as both scenarios are problems:
Whether the action is deliberate or accidental, both are unrecoverable without some kind of recovery and versioning system in place for shared files/subfolders.
Do other mainstream online storage providers (OneDrive, G-Docs, Dropbox, et al.) provide these, presumably they do? (I haven’t tested, so don’t know.)
Apple should at the very least provide file versioning (and email recovery) for iCloud+ paying customers.
Like @glennf – I know of another related iCloud issue, but with email recovery.
Basically I had an email folder in iCloud email in my Mail.app client, and somehow it got accidentally deleted. But TimeMachine does not restore emails properly with all attachments in place, despite me trying within a couple of days of said accidental email folder deletion. And nor can you do any type of restore at iCloud.com. So unfortunately you lose most of these attachments.
Luckily most of the important attachments (i.e. the actual documents I needed, not the graphical elements of the emails) I manually saved outside of my email system when they originally arrived. But this is still a failure that should be recoverable from but isn’t.
Apple is not the only one to overlook critical important information about a software tool or feature.
Microsoft Teams has several GOTCHAs that go against the behavior of their competitors.
Delegates can schedule a Teams meeting on behalf of someone but they are not the owner / organizer and therefore cannot create breakout rooms. Only the owner / organizer will and if they have delegated authority they are unlikely to be planning their meeting. But the invite needs to come from them.
Microsoft apparently added a co-organizer and the owner / organizer can elevate an individual to this level but it still doesn’t allow the co-organizer to create breakout rooms.
You can only assign people to specific breakout rooms if you do so within 24 hours prior to the meeting start or they will be lost.
There are similar issues with those who can record a meeting. A user may have record permissions assigned via group membership but unless they are the owner they cannot record the meeting. All these issues stem from a self-service mindset that doesn’t fly with senior management staff. Top tier VPs and Executives do not run their meetings, they have staffers who do that for them. So now one needs to create shared mailboxes with Teams access to run meetings so some corporate communications staff can be behind the curtain to manage the meetings.
There is a known issue with registering attendees for a meeting or webinar if they are not in your organization. This is ridiculous because who the heck needs to register people within an organization? They all have a Teams license and likely SSO into Teams and there will be an attendance report and they cannot forward the meeting invite. You only need to register people you don’t know intimately and collect some additional information when registering them.
There are many more examples within Windows and other Microsoft software that are not well documented and do not follow industry standards that other operating systems and software observe.
What is the root cause? Too many witches in the brew? Too much complexity? Differing departments? Failing to observe the KISS principles? Pursuing “The One Tool To Rule Them All”? But I like Hanlon’s Razor the best.
Apple recently announced “Apple Business Essentials” which is a simpler form of “Apple Business” the portal designed to work with an MDM (Mobile Device Management) server of choice. They include the MDM with Apple Business Essentials. They also provide considerable iCloud storage. Along with BYOD MDM functionality.
Wondering if they addressed these issues with iCloud storage but only in Apple Business Essentials? I am not at liberty to test it. Data Retention would certainly or should certainly be addressed in this scenario.
Here’s something fun! I can lock a file on my Mac. I can mark it as stationery, and when I open it, it creates a copy.
However, that locked file on my Mac shared via iCloud isn’t locked on my iPhone or iPad. What fun!
I’ve tried using chmod on my Mac to mark a file as read only. It can’t be changed on the iPad, but the Files App freaks out.
I don’t share folders on my iCloud drive but it’s good to know of this issue nonetheless.