Apple Caves to UK, Removes Advanced Data Protection From iCloud

Apple has removed its most advanced security encryption feature for iCloud data in the UK, Reuters reports, citing government demands for access to user data. This unprecedented move affects Advanced Data Protection (ADP), which extends end-to-end encryption across a wide range of iCloud data.

The change takes effect immediately for new users, and the feature is being phased out for existing users. It means that iCloud backups in the UK will no longer be encrypted to the same level, allowing Apple to potentially access user data, including iMessages, if legally compelled.

"Apple's decision to disable the feature for UK users could well be the only reasonable response at this point, but it leaves those people at the mercy of bad actors and deprives them of a key privacy-preserving technology," said Andrew Crocker, surveillance litigation director at the Electronic Frontier Foundation, to Reuters.

This move marks the latest development in the long-standing conflict between tech companies and governments over strong encryption, which authorities often view as hindering surveillance and crime-fighting efforts. While the UK's demand is particularly sweeping, it is not entirely unexpected.

Apple had initially planned to offer fully encrypted device backups to iCloud in 2018 but abandoned those plans after the FBI expressed concerns. The company eventually implemented ADP in 2022.

"Lawful access to digital evidence and threat information is rapidly eroding," the FBI states on its website, citing "warrant-proof encryption" as a major challenge.

Apple has consistently maintained that it will not create a "backdoor" into its encrypted services or devices, citing the potential for exploitation by hackers in addition to governments. Security experts echo this sentiment.

"Ultimately, once a door exists, it's only a matter of time before it's found and used maliciously," said Oli Buckley, a professor of cybersecurity at Loughborough University.

Data that was already encrypted before ADP's launch in late 2022, such as passwords and iMessage and FaceTime data, will remain encrypted. However, the change significantly impacts the security of new iCloud backups in the UK, making it easier for authorities to access sensitive data.

"We are gravely disappointed that the protections provided by ADP will not be available to our customers in the UK given the continuing rise of data breaches and other threats to customer privacy," Apple said in a statement.

The Home Office declined to comment on whether a specific order was issued to Apple. However, The Washington Post reported earlier this month that the UK government had issued a Technical Capability Notice (TCN) to Apple, requiring access under the broad Investigatory Powers Act of 2016.

While TCNs do not grant blanket access to personal data, they do require companies to assist in data collection. This move is likely to be followed by other Commonwealth countries, according to Joseph Lorenzo Hall, a distinguished technologist with the Internet Society.

"The one thing we see with Commonwealth countries is the second one does something, the others tend to do that," Hall told Reuters.

Apple shares ended largely unchanged on Friday.