Apple Pulls iCloud Advanced Data Protection From UK
Apple is taking the unprecedented step of removing its highest level data security tool from customers in the UK, after the government demanded access to user data.
Advanced Data Protection (ADP) means only account holders can view items such as photos or documents they have stored online through a process known as end-to-end encryption.
[…]
Apple would not comment on the notice and the Home Office refused to either confirm or deny its existence[…]
[…]
It is not clear that Apple’s actions will fully address those concerns, as the IPA order applies worldwide and ADP will continue to operate in other countries.
More insidiously and outrageously, they are apparently forbidden by UK law, under severe penalty (imprisonment), from even informing the public about this demand, or, if they were to comply, from telling the public what they’ve done.
[…]
Re-read Apple’s statement above, which I’ve quoted in full, including the hyperlink. What stands out is that Apple is offering no explanation, not even a hint, why the company “can no longer offer Advanced Data Protection (ADP) in the United Kingdom to new users and current UK users will eventually need to disable this security feature”. On issues pertaining to security and privacy, Apple always explains its policies and features as best it can. The fact that Apple has offered no hint as to why they’re doing this is a canary statement of sorts: they’re making clear as best they can that they’re under a legal gag order that prevents them from even acknowledging that they’re under a legal gag order, by not telling us why they’re no longer able to offer ADP in the UK.
It is crazy that Apple would seemingly rather close down the company than let people install apps from outside the App Store, even running an extended PR campaign against it, but they roll over immediately for this.
Even if they didn’t want to risk acknowledging the notice—which I was hoping they would—you’d think Apple could say something in general about the law and the process. On the other hand, I guess Apple is so far doing more than other companies that presumably also received the notice. Are they silently building in backdoors?
Note that the loss of Advanced Data Protection in the UK does not affect the existing end-to-end encryption of several other Apple features available in the country, including iMessage, FaceTime, password management and health data.
As of February 21, users in the country can no longer enable the feature; those users who currently have it on will have to disable it in the near future.
[…]
According to Apple, this change won’t affect data that is end-to-end encrypted by default, such as health data and iCloud Keychain. That does, however, leave one longstanding loophole: though Apple’s Messages in the Cloud system is end-to-end encrypted, the encryption key for those messages is backed up in iCloud Backups, for which Apple holds the keys. Those are, in turn, accessible to law enforcement under the proper procedures.
Previously:
- UK Orders Apple to Break iCloud Advanced Data Protection
- The Time Tim Cook Stood His Ground Against the FBI
Update (2025-02-25): See also: Matthew Green, Glenn Fleishman, Jaanus Kase, Rui Carmo.
Update (2025-02-26): Bruce Schneier:
Should the UK government persist in its demands, the ramifications will be profound in two ways. First, Apple can’t limit this capability to the UK government, or even only to governments whose politics it agrees with. If Apple is able to turn over users’ data in response to government demand, every other country will expect the same compliance.
[…]
Apple isn’t the only company that offers end-to-end encryption. Google offers the feature as well. WhatsApp, iMessage, Signal, and Facebook Messenger offer the same level of security. There are other end-to-end encrypted cloud storage providers. Similar levels of security are available for phones and laptops. Once the UK forces Apple to break its security, actions against these other systems are sure to follow.
It seems unlikely that the UK is not coordinating its actions with the other “Five Eyes” countries of the United States, Canada, Australia, and New Zealand: the rich English-language-speaking spying club.
Apple’s decision to disable their encrypted cloud backup feature has triggered many reactions, including a few angry takes by Apple critics, accusing Apple of selling out its users[…]
With all this in mind, I think it’s time to take a sober look at what might really happening here.
[…]
So if you’re Apple and faced with this demand from the U.K., engaging with the demand is not really an option. You have a relatively small number of choices available to you. In order of increasing destructiveness[…]
“What else could Apple have done in response to the UK encryption law?” I dunno. Seems they’ve come up with all sorts of creative responses to the DMA and other antitrust cases. I guess the creativity just wasn’t flowing when it comes to important things though.
The most obvious idea would be for Apple to provide a way for users to securely store their data outside of iCloud, either with other providers or on their own Time Capsule–like device. This is much easier said than done, however.
Previously:
- Testimony on External Purchase Fee and Scare Screens
- FBI Also Wants to Break iCloud Advanced Data Protection
Update (2025-02-27): John Gruber:
Upon learning of the UK’s odious demands on Apple, the Biden administration’s response wasn’t to defend Apple (or Americans’ privacy), but instead to try to hide it from Congress. Unreal.
My lawyers are working to provide a legal opinion on the implications of the reported UK demands against Apple on the bilateral Cloud Act agreement. Upon initial review of the U.S. and U.K. bilateral CLOUD Act Agreement, the United Kingdom may not issue demands for data of U.S. citizens, nationals, or lawful permanent residents (“U.S. persons”), nor is it authorized to demand the data of persons located inside the United States.
Via John Gruber:
The gag-order aspect of the UK’s Investigatory Powers Act prevented Apple from even fighting it in court. But a US ruling that would hold it illegal for Apple to comply would put Apple in an impossible situation, where they can’t comply with a UK legal demand without violating the law of the home country. That would actually give Apple the ground to fight this in the UK.
It’s unclear how much of the US intelligence establishment agrees with the new DNI.
Update (2025-02-28): John Gruber (Mastodon):
Ben Domenech interviewed President Trump yesterday in the Oval Office, after Trump’s meeting with UK Prime Minister Keir Starmer. The Spectator has published the entire transcript, and I read it so you don’t have to, to get the part about Apple and the UK’s encryption backdoor demand[…]
Update (2025-03-05): Connor Jones (Hacker News):
Apple has reportedly filed a legal complaint with the UK’s Investigatory Powers Tribunal (IPT) contesting the UK government’s order that it must forcibly break the encryption of iCloud data.
The appeal will be the first of its kind lodged with the IPT, an independent judicial body that oversees legal complaints against potential unlawful actions by a public authority or UK intelligence services, according to the Financial Times, which broke the news.
It looks like I, by way of Mike Masnick, was wrong to believe the only grounds on which Apple could fight this are financial. It turns out there is an appeals process which I could have found at any time — and in even more detail (PDF) — if I had double-checked. That is on me. However, in the first four years appeals were permitted on legal grounds, just two cases (PDF) were heard, with one being dismissed.
The way this is playing out is farcical. Nobody is legally permitted to discuss it, so we have only on-background leaks from Apple (almost certainly, I am guessing) and U.K. intelligence (maybe) to the same handful of reporters.
