{"id":46667,"date":"2025-02-07T16:44:22","date_gmt":"2025-02-07T21:44:22","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=46667"},"modified":"2025-04-08T13:36:23","modified_gmt":"2025-04-08T17:36:23","slug":"uk-orders-apple-to-break-icloud-advanced-data-protection","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2025\/02\/07\/uk-orders-apple-to-break-icloud-advanced-data-protection\/","title":{"rendered":"UK Orders Apple to Break iCloud Advanced Data Protection"},"content":{"rendered":"

Dominic Preston<\/a> (Hacker News<\/a>, MacRumors<\/a>):<\/p>\n

Apple has reportedly been ordered by the UK government to create a backdoor that would give security officials access to users’ encrypted iCloud backups. If implemented, British security services would have access to the backups of any user worldwide, not just Brits, and Apple would not be permitted to alert users that their encryption was compromised.<\/p>

The Washington Post<\/em> reports<\/a> that the secret order, issued last month, is based on rights given under the UK’s Investigatory Powers Act of 2016, also known as the Snoopers’ Charter. Officials have apparently demanded blanket access to end-to-end encrypted files uploaded by any user worldwide, rather than access to a specific account.<\/p>

[…]<\/p>

The UK has reportedly served Apple a document called a technical capability notice. It’s a criminal offense to even reveal that the government has made a demand. Similarly, if Apple did accede to the UK’s demands then it apparently would not be allowed to warn users that its encrypted service is no longer fully secure.<\/p><\/blockquote>\n\n

Dan Moren<\/a>:<\/p>\n

While law enforcement has long been able to access encrypted data for which Apple holds the keys, this move would reportedly apply to end-to-end data in which the user<\/em> holds the keys, such as Apple’s Advanced Data Protection<\/a>. This law would target end-to-end encrypted data from Google and Meta as well.<\/p>

This is red alert, five-alarm-fire kind of stuff. Providing a backdoor would be worrying enough for reasons that should be obvious to anybody who knows the barest inkling about technology—to wit, that there exists no mechanism to keep such a tool out of the hands of malicious actors<\/a>—but the fact that it would apply beyond the UK borders to other countries is a staggering breach of sovereignty. And, moreover, as Menn points out, such a move would no doubt embolden other powers to ask for access to the same capabilities—such as China.<\/p>\n

[…]<\/p>\n

Ironically, the biggest impediment might come in the form of the European Union, as Apple apparently argued that the implementation would undermine the European right to privacy.<\/p><\/blockquote>\n\n

Nick Heer<\/a>:<\/p>\n

\n

In any case, the reported demands by the U.K. government are an extraordinary abuse of their own. It has global implications<\/a> for both U.K. access and, I would venture, access by its allies. As a reminder, U.S. and U.K. spy agencies routinely<\/a> shared<\/a> collected data while avoiding domestic legal protections. This order explicitly revives the bad old days of constant access.<\/p>\n<\/blockquote>\n\n

Tim Hardwick<\/a>:<\/p>\n

\n

According to sources that spoke to the publication, Apple is likely to stop offering encrypted storage in the UK as a result of the demand. Specifically, Apple could withdraw Advanced Data Protection, an opt-in feature that provides end-to-end encryption (E2EE) for iCloud backups, such as Photos, Notes, Voice Memos, Messages backups, and device backups.<\/p>\n

In this scenario, UK users would still have access to basic iCloud services, but their data would lack the additional layer of security that prevents even Apple from accessing it.<\/p>\n<\/blockquote>\n\n

Previously:<\/p>\n