US Technology Giant Reportedly Received UK Government Demand for Global Backdoor
Apple on Friday deactivated a key security feature for users in the United Kingdom in response to reported backdoor-access demands from the British government.
See Also: Enterprise Browser: Solving the Need for Privacy, Security, and Compliance in the Technology Sector
Advanced Data Protection will no longer work inside the country. The feature protects data stored in Apple’s iCloud by ensuring that only the end user who owns it can decrypt the data, and only on a trusted device. “If you choose to enable Advanced Data Protection, the majority of your iCloud data – including iCloud Backup, Photos, Notes and more – is protected using end-to-end encryption,” reads Apple’s website description of ADP.
Existing U.K. users will shortly be notified that they must deactivate it – Apple cannot do so itself – or lose access to their iCloud account.
“We are gravely disappointed that the protections provided by ADP will not be available to our customers in the U.K. given the continuing rise of data breaches and other threats to customer privacy,” Apple said in a statement. “Enhancing the security of cloud storage with end-to-end encryption is more urgent than ever before. Apple remains committed to offering our users the highest level of security for their personal data and are hopeful that we will be able to do so in the future in the United Kingdom.”
The move comes after Apple last month reportedly received a secret order from Britain’s Home Office requiring that it provide direct access to global users’ fully encrypted cloud backups. The order also prohibited the technology giant from alerting individuals, the Washington Post first publicly disclosed.
The “technical capability notice” would have been issued under Britain’s Investigatory Powers Act 2016, long derided by critics as a “Snooper’s Charter” at odds with the need to protect all possible data in transit and at rest using strong encryption. As written, the statute allows the government to demand that a telecommunications operator remove any “electronic protections” on encrypted communications. The government can also legally prohibit anyone served with such a notice from publicly revealing that fact.
Apple has not stated whether it received a technical capability notice, but has clearly said it has never complied with any such request. “As we have said many times before, we have never built a backdoor or master key to any of our products or services and we never will,” the company said, and referred to its published policies on how it responds to governments’ information requests.
The Home Office said it wasn’t immediately able to comment.
The immediate impact of the U.K. government’s demand that Apple backdoor iCloud has been to leave U.K. users at greater risk, experts warned.
“This is a very disappointing development for those who value security and privacy, and the U.K. government is responsible” for what amounts to an act of national “self-harm,” said Alan Woodward, a professor of computer science at England’s University of Surrey who has advised Parliament on a range of cybersecurity matters, including securing 5G networks.
“It was naive of the U.K. government to think they could tell a U.S. technology company what to do globally,” he said.
When activated, ADP protects nine categories of information: iCloud Backup, which can contain a copy of every piece of data stored on a device; Photos; iCloud Drive for file storage; Notes; Reminders; Safari Bookmarks; Siri Shortcuts; Voice Memos; Wallet Passes; and digital whiteboarding app Freeform.
The feature has been available for U.K. users since December 2022. How many U.K. users have activated ADP isn’t clear. All U.K. users will now use “standard data protection.” With this lesser level of protection, “your iCloud data is encrypted, the encryption keys are secured in Apple data centers – so we can help you with data recovery – and only certain data is end-to-end encrypted,” Apple said.
Cybersecurity expert Brian Honan, a proponent of strong encryption for the masses who heads Dublin-based BH Consulting, praised Apple for ceasing to offer ADP in the U.K., rather than putting users in every other country at greater risk.
“By refusing to accede to the U.K. government’s alleged request, Apple is sending a clear message: weakening encryption for one government ultimately weakens it for everyone,” said Honan, who founded Ireland’s first computer emergency response team, IRISS-CERT.
“In an era of escalating cyber threats and increasing geopolitical uncertainty, the decision to withdraw its most secure service rather than compromise user trust is a principled stand that upholds the fundamental right to privacy,” he said. “Governments should be strengthening digital security, not undermining it.”