Concerns Over Apple’s UK iCloud Encryption Deactivation

Apple’s decision to withdraw iCloud end-to-end encryption in the United Kingdom has privacy and security advocates worried that the British government could scan and surveil sensitive information of Apple users worldwide.

Apple on Friday deactivated its Advanced Data Protection feature in the U.K. after the British Home Office reportedly requested backdoor access (see: Apple Withdraws Strong Encryption Feature for All UK Users).

See Also: Cracking the Code: Securing Machine Identities

The feature ensures that iCloud content such as messages and photos can only be decrypted on trusted devices. Starting Friday, the company has told users to deactivate the feature or risk losing access to iCloud.

“This could expose vast amounts of data to state-sponsored attackers,” said Matthew Green, an applied cryptography professor at Johns Hopkins University.

Calling the U.K. government demand a “digitally illiterate” decision, Signal President Meredith Whittaker said Apple’s decision can erode the “foundation of cybersecurity.”

“This move doesn’t just endanger people who use Apple in the U.K. This impacts anyone who shares sensitive information with these people,” Whittaker said.

The move from Apple is the latest development in a long-standing fight between law-enforcement agencies and tech companies over encryption dating to the first rollout of encrypted communications for consumers late last century. Tech companies including Apple, WhatsApp and Signal maintain that weakening encryption to facilitate governmental access to user content amounts to ushering in hackers, who inevitably would seize on the weakness for their own ends. Law enforcement agencies argue that end-to-end encryption hinders evidence collection, notwithstanding routine access to user metadata – and often to the underlying content itself, whether due to user carelessness or a technical flaw in the software.

The 2016 Investigatory Powers Act empowers the government to issue “technical capability notices” to tech companies, requiring them to have in place technology guaranteeing compliance with an order to access user content. Derided by opponents as a “Snooper’s Charter,” the law prohibits companies from disclosing such requests. An unidentified source leaked government’s Apple request to the Washington Post.

“In the worst-case interpretation of the law, the U.K. might now be the arbiter of all cybersecurity defense measures globally,” Green said. “Her Majesty’s Government could effectively ‘cap’ the amount of digital security that customers anywhere in the world can depend on, without users even knowing that cap was in place,” he added.

British lawmakers in 2023 also approved the Online Safety Act, permitting the U.K. Office of Communications to order online intermediaries, including chat apps such as WhatsApp and search engines such as Google, to use “accredited technology” to scan for child sexual exploitation and abuse material – a requirement potentially at odds with end-to-end encryption (see: UK Parliament Approves Online Safety Bill).

“No other government has this capacity to make these ‘orders’. And every time the Home Office ‘updates’ these laws they keep expanding their remit,” said Gus Hosein, executive director at Privacy International.

Josh Moore, a British cybersecurity expert on Friday opened a Change.org petition calling on the government to ensure the security of Apple users and their other fundamental rights are not compromised following the withdrawal of the Advanced Data Protection.

If the petition garners 10,000 signatures, it will get a response from the government; if it exceeds 100,000, then the petition will be debated in the U.K. Parliament.

An Apple spokesperson said it remains “committed to offering” the highest level of security for its users in the U.K. “As we have said many times before, we have never built a backdoor or master key to any of our products or services and we never will,” the spokesperson said.

The U.K. Home Office did not respond to requests seeking comments.