Wednesday, October 1, 2025

UK Again Wants iCloud Backdoor

Jess Weatherbed (Hacker News, Reddit, MacRumors, 9to5Mac):

The UK government is reportedly once again demanding that Apple provide it with backdoor access to encrypted iCloud user data, following claims that the effort had been abandoned in August. The Financial Times reports that a new technical capability notice (TCN) was issued by the UK Home Office in early September, this time specifically targeting access to British citizens’ iCloud backups.

[…]

While US officials raised concerns about the order during President Trump’s state visit to the UK last month, according to The Financial Times, the publication reports that two senior British government figures said the UK was no longer facing US pressure to drop its demands.

Matt Henderson:

Just returned from the UK, where a digital ID is about to be enforced on all adults. Soon, my Signal messages may be scanned. Financial policing co-opted to the institutions with KYC and draconian source-of-funds investigation.

Update (2025-10-04): Nick Heer:

Reporters like Tripp Mickle, at the New York Times, and Annabelle Timsit and Joseph Menn, of the Washington Post, were too eager to claim the U.K. would wholly abandon its pursuit of customer data. Neither allowed for different interpretations of Gabbard’s tweet. Journalists like these have sources who could have offered clarity. It is unclear in either article whether they did reach out to their contacts; if they did, their stories were misleading even with — or perhaps because of — that information.

Apple:

Withdrawing Advanced Data Protection from the UK will not affect the 15 iCloud data categories that are end-to-end encrypted by default. Data like iCloud Keychain and Health remains protected with full end-to-end encryption.

Our communication services, like iMessage and FaceTime, remain end-to-end encrypted globally, including in the UK.

We’re back to the same situation as before, where Apple insists that iMessage is E2EE, which is technically true for the iMessage service. But unless you and everyone you message with opts out of iCloud Backup, Apple stores the encryption key and can access all of your message data.

For users in the UK who already enabled Advanced Data Protection, Apple will soon provide additional guidance. Apple cannot disable ADP automatically for these users. Instead, UK users will be given a period of time to disable the feature themselves to keep using their iCloud account.

So Apple is currently not complying in full, but it plans to.

0x0.boo:

It’s probably the TCNs that are in place, that you don’t know about, that are the current biggest threat.

That’s not to take away anything from this new TCN, or make light of it, it’s a big deal.

But think about what’s likely already in place with other companies as you go about your business.

14 Comments


They're never going to stop. They always wait a few months and try again, hoping you're distracted.

Is this mostly a means to allow them to scale-up? Apple is a PRISM company and the US and the UK are part of Five Eyes (each govt does roundabout surveillance on each other's citizens and shares). Would backdoor laws on the books more-easily allow (or compel) other Five Eyes members to step up their efforts on UK citizens (on behalf of the UK)?


Apple should just grow a tiny little spine and not comply, perhaps temporarily suspending sales in the UK. The current government is so unpopular, this is likely an event that will see its inevitable downfall be hastened.


@Leo: Would also be an image boost for them and a strong signal to governments everywhere. We should be so lucky :)


Christopher Brandow

They have not complied and have actively resisted this for years, right? So it’s not exactly a matter of growing a tiny spine.

It’s good to call them on their BS, and there is plenty of it. But it doesn’t serve anyone well to ignore the good stuff they are doing or have done recently whether or not they are perfect or perfectly consistent.


@Christopher In what sense has Apple not complied? The UK said to give them a backdoor, so Apple stopped offering iCloud Advanced Data Protection in the UK, and now all UK iCloud accounts can be accessed through the backdoor because there’s no E2EE.


And they have complied with similar requests in China, where Chinese iCloud accounts sit on Chinese state-controlled servers, accessible to all. Cook's legacy.


And let's not forget removing VPN apps from stores in Russia and China. Zero spine. They only play tough for domestic audience consumption in the US as it serves them politically and commercially, and even then, zero peeps or lobbying against numerous FISA court orders over the years.


Are companies allowed to not-comply with local laws? Is that a thing?

Not complying in advance, though, I think Apple has been pretty good at. The fact that we’re even aware this is happening is evidence of that.


Not that it’s gone away or stopped working, but Apple needs to recommit to showing people the upside of backing their phones up to their computers instead of iCloud. I wonder if there’s a whole generation of iPhone users who have the means to do this but don’t know it’s possible, much less how to do it. Seems obvious to us long-timers but I do wonder if it is to anyone else.


@else I don’t think anyone is saying some Apple exec should go to a Chinese or Russian hard labor camp. But they can choose to not sell their products there. Or stop with the privacy veneer. Or allow sideloading and then people can obtain VPN apps through other means.


@MichaelTsai That is not correct. Enrolling in ADP has been disabled but the current accounts that have been enrolled are still E2EE. Apple makes it clear in their wording: “Apple can no longer offer Advanced Data Protection (ADP) in the United Kingdom to new users.”


Christopher Brandow

@Michael_Tsai - I have clearly mistakenly attributed their refusal to allow explicit cryptography to just turning it off. Apologies for error.



So Apple will eventually cave in to our shitty, authoritarian government and make it necessary for people like me to disable ADP.

Wankers. Contemptible, milquetoast wankers. It wouldn't be so bad if there were alternatives to iCloud Backup, but …

@Billyok Sadly, basically unusable, because every time you start a backup, you are asked to "Enter your passcode to trust this computer and start a backup". So it's no longer possible to automate. And, anyway, realistically it's never going to be as convenient as a network-based solution, of which of course there is only one option, in iCloud. The Which? lawsuit is moving slowly, but I'm sure Apple will fight it, because they're hypocrites (as well as wankers). And especially given the iCloud lock-in already in effect (like Photos), it's probably hard to make the case that most people don't already have the iCloud storage necessary; my family group certainly does, and that's ultimately why I gave in and went with iCloud Backup—so long as ADP was available, and because we have a fast Internet connection, it's basically a net win.
