Bad Apple #5: iCloud Drive Folder Sharing Risks Data Loss
I want to like iCloud Drive, I really do. As I noted in “Cloud Storage Forecast Unsettled, with Possible Storms” (4 February 2022), iCloud Drive is attractive for Apple users. It’s reasonably priced, integrated into macOS and iOS, and unlikely to suffer from questionable privacy practices. On the downside, iCloud Drive has reliability problems that require toggling it off and back on periodically when it gets stuck—a Sync Now button and some decent logging to reveal what’s happening would be welcome.
But this is the Bad Apple column, and Bad Apple articles don’t complain about inadvertent bugs, nor do they address design decisions where reasonable people might disagree about the “right” way of doing something. Bad Apple articles call out something Apple has done intentionally but gotten utterly wrong.
Today’s target is the discovery that when collaborators in an iCloud Drive shared folder delete files or folders, those items are destroyed instantaneously, not put in the Trash or added to iCloud Drive’s Recently Deleted folder. They’re just gone, with no option for recovery. If that’s not bad enough—and it is—Apple has recently tweaked its already weak documentation in a way that further conceals this dangerous implementation. Bad Apple!
Quiet Warnings about Data Loss
Our story starts on 21 March 2022, when numerous Apple services, including iCloud Drive, became inaccessible for several hours. I was chatting with Paul Kafasis of Rogue Amoeba about whether the problem could be related to a Russian cyberattack or if it made more sense to invoke Hanlon’s Razor: “Never attribute to malice that which is adequately explained by stupidity.” The conversation segued into issues with iCloud Drive, including the desire for a Sync Now button, before Paul shared something he had discovered while researching a possible switch from Dropbox to iCloud Drive. In the main support article about iCloud Drive folder sharing, Apple made this statement:
If a participant of a shared folder deletes a sub-folder or file within that shared folder, that sub-folder or file deletes from all participants’ devices, and recovery is not available.
The emphasis is mine, but I added it because—Holy Mother of Baby Bovines!—that’s not OK! Apple has basically just said that anyone you add to an iCloud Drive shared folder can delete the entire contents of a shared folder and you can’t do anything about it. Bad Apple!
But wait, it gets worse. After the discussion with Paul, I got busy and put off writing up the problem. When I went back to our conversation today and clicked the link he had sent me, I ended up on a different page that focused on sharing iCloud Drive files and folders using iCloud.com. This page said nothing about what happens if a participant of a shared folder deletes a file or folder.
The new page threw me for a loop, but as is so often the case with Web shenanigans, the Internet Archive’s Wayback Machine revealed what had happened. Sometime between March 21st and April 1st, Apple started redirecting the previous page to the new one. Some spelunking through Apple’s documentation revealed that the company had split the previous page, which covered iCloud Drive sharing in iOS, macOS, Windows, and iCloud.com, into standalone pages in the macOS User Guide and iCloud User Guide. Yet another page that I found only through a search—it wasn’t linked to the pages about iCloud Drive folder sharing—discussed file and folder deletion, but without the emphasized warning from before:
If you’re a participant who can change shared files: Deleting a file from a shared folder deletes it from everyone’s devices.
With Hanlon’s Razor in mind, I think it’s unlikely that Apple intended to bury the fact that iCloud Drive shared folders are susceptible to data loss when participants delete files or folders from within a shared folder. Regardless of why it happened, the fact remains that Apple went from merely hiding this fact in a long but appropriate document to putting it in the bottom of a locked file cabinet stuck in a disused lavatory with a sign on the door saying “Beware of the Leopard.” Bad Apple!
But Maybe It’s Not True Anymore?
There’s another possibility. Perhaps Apple fixed iCloud Sharing shared folders so that files deleted by participants aren’t deleted with no chance for recovery? Wouldn’t that be great? Don’t get your hopes up.
To test, I put a test file in an iCloud Drive folder I share with Tonya, and we watched the file appear on her MacBook Pro. Then she deleted the file, which presented a warning dialog. At least Apple warns sharing users that deleting a file will take it away from others in the shared folder. What Apple doesn’t say is that deleting a file in an iCloud Drive shared folder does not result in that file being moved to the local Trash as you would expect from decades of using the Finder. Instead, macOS deletes the file instantly, which, while prefaced with a warning, is terrible behavior for a cloud sharing service. Bad Apple!
Why would Apple leave such a glaring hole in iCloud Drive folder sharing? After all, if the owner of a shared folder deletes a file in that folder, macOS and iCloud Drive provide the expected opportunities for recovery. When I deleted another test file from my shared folder, I saw the same warning dialog as Tonya, but the file ended up in my local Trash, from which I could easily restore it. Plus, when I logged into iCloud.com and looked in iCloud Drive, a Recently Deleted link appeared in the lower-right corner ➊. Clicking that link revealed the equivalent of iCloud Drive’s trash. Selecting the file and clicking Recover ➋ extracted the file from my local Trash and restored it to the sub-folder from which I had deleted it. With files deleted by the owner, iCloud Drive is doing everything right.
You might think that if Tonya, as a sharing participant, were to add a file to my iCloud Drive shared folder and then delete it, it would be treated as an owner-deleted file and end up in her local Trash. You would be wrong. Files added to the shared folder by participants are just as much at risk of immediate deletion as any other. Bad Apple!
It’s worth noting that moving a file out of an iCloud Drive shared folder to another location on the Mac has the same effect of taking the file away from others who have access to the shared folder. Apple provides a similar warning dialog in that scenario, but the major difference is that the file remains available to whoever moved it out of iCloud Drive, such that they could put it back.
How Much Should We Worry?
iCloud Drive folder sharing has been around since macOS 10.15 Catalina, so it’s no longer new, and Apple has had two major releases of macOS to address underlying issues if they couldn’t be addressed entirely on the iCloud side. That hasn’t happened, which could suggest that Apple doesn’t see the immediate deletion of files by sharing participants as a problem. Or perhaps Apple’s engineers think that the warning dialog is sufficient. I’d push back hard on that—a keyboard-focused user who’s moving quickly could delete a file with Command-Delete and press Return to dismiss the dialog before even reading it.
I haven’t used iCloud Drive folder sharing in a fast-paced collaborative work environment, so I can’t speak from direct experience, but over 14 years of coordinating Take Control work in Dropbox, files occasionally went missing and needed to be restored from Dropbox’s Deleted Files collection. In a workflow that requires regular trashing of temporary files, it’s easy to imagine accidental deletion of more important documents. Plus, you’re at the mercy of everyone with whom you’ve shared an iCloud Drive folder. Are they all sufficiently technical and alert that they would never make a mistake? The other major cloud sharing services all offer such a purgatory for deleted files along with version history capabilities to protect against accidental editing or corruption—iCloud Drive sticks out like a sore thumb here.
Luckily, there is one bright spot in this otherwise bleak picture of iCloud Drive folder sharing, not that Apple will tell you about it: Time Machine. By default, Time Machine backs up the local copies of iCloud Drive files, not just for the owner, but also for all participants. I confirmed that Tonya’s Mac had backups of all the files in our shared folder, and I could click through the dates in Time Machine and see the contents of that folder change appropriately.
You’ll notice that I was careful to say that Time Machine backs up the local copies of iCloud Drive files. If you have Optimize Mac Storage selected in System Preferences > Apple ID > iCloud, macOS might replace iCloud Drive files with local stubs, and those stubs, even if backed up, wouldn’t contain the data you want. So, if you’re using iCloud Drive folder sharing, make sure to deselect Optimize Mac Storage or, if you need to keep that on due to insufficient local storage space, get someone else in your sharing group to do so. That’s your last-ditch backup if someone inadvertently deletes an important file.
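One way to check which files in a shared folder exist only as stubs on a given Mac, as an added example that is not from the original article or from Apple. It assumes the placeholder naming macOS used when this was written (a hidden `.<name>.icloud` file where the real file would be) and the usual iCloud Drive location under `~/Library/Mobile Documents/com~apple~CloudDocs`; the function names and the sample tree are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the article. Assumption: evicted iCloud Drive
# files are hidden ".<name>.icloud" stubs (macOS of the article's era).

# Print the path each stub stands in for, one per line.
list_stubs() {
    find "$1" -type f -name '.*.icloud' 2>/dev/null |
    while IFS= read -r stub; do
        base=$(basename "$stub")
        base=${base#.}               # drop the leading dot
        printf '%s/%s\n' "$(dirname "$stub")" "${base%.icloud}"
    done
}

count_stubs() { list_stubs "$1" | wc -l | tr -d ' '; }

# Files whose contents are on disk (ignores stubs, .DS_Store, .Trash).
count_local() {
    find "$1" -type f ! -name '.*.icloud' ! -name '.DS_Store' \
        ! -path '*/.Trash/*' 2>/dev/null | wc -l | tr -d ' '
}

# Summarise a folder; returns 1 if any file has no local data.
audit_folder() {
    stubs=$(count_stubs "$1")
    echo "local copies: $(count_local "$1"), stubs: $stubs"
    [ "$stubs" -eq 0 ] && return 0
    echo "no local data for Time Machine to back up:"
    list_stubs "$1" | sed 's/^/  /'
    return 1
}

# Constructed sample tree for trying the audit away from real data.
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/Shared/drafts"
    echo "text" > "$d/Shared/report.txt"
    echo "text" > "$d/Shared/drafts/notes.md"
    : > "$d/Shared/.budget.xlsx.icloud"
    : > "$d/Shared/drafts/.photo.jpg.icloud"
    echo "$d/Shared"
}

# Usage: sh audit.sh "$HOME/Library/Mobile Documents/com~apple~CloudDocs/Shared"
if [ $# -gt 0 ]; then audit_folder "$1"; fi
```

Run it on each participant's Mac: a non-zero exit means some files there are stubs, so that Mac's Time Machine backup cannot restore them.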
Despite this hidden Time Machine workaround, Apple has done a poor job here. In the modern world, there should be no easy way to delete data, particularly someone else’s data, without any option for recovery. A single warning dialog with a default OK button that means “Nuke This File From Space” is unacceptable. For goodness’ sake, Apple popularized the entire concept of multi-step file deletion! Move a file to the Trash, choose Finder > Empty Trash, and respond affirmatively to the prompt—that’s been a staple of Mac use since 1984. Preventing accidental data loss is table stakes.
The solution to this particular problem is conceptually simple. Any file deleted or removed from an iCloud Drive shared folder by a participant should be treated just like a file deleted or moved by the owner. It may be technically simple as well. If you open your iCloud Drive folder in the Finder and press Command-Shift-. to reveal hidden files and folders, you’ll see a hidden .Trash folder (press Command-Shift-. a second time to hide them again). iCloud Drive files you delete as the owner go into that folder, which presumably causes them to appear in the local Trash and in the iCloud Drive Recently Deleted folder. Why can’t shared files deleted by a sharing group participant go into their .Trash folder, appear in their local Trash, and trigger a notification to the owner or the rest of the group?
If you want to encourage Apple to step up and make iCloud Drive folder sharing work correctly, join me in giving feedback to the iCloud engineers.