FILE PHOTO: People walk past an Apple store in London, Britain, January 13, 2025. REUTERS/Isabel Infantes/File Photo

Apple pulls data protection feature in UK amid government demands


Apple is scrapping its most advanced security encryption feature for cloud data in Britain, the company said on Friday, an unprecedented response to government demands for access to user data.

The change affects a feature called Advanced Data Protection (ADP), which extends end-to-end encryption across a wide range of cloud data. Apple said it is no longer available in Britain for new users, with those who try to turn it on receiving an error message starting Friday, and that current users will eventually need to disable this security feature.

The move means iCloud backups in Britain will no longer have that level of encryption, allowing Apple to access in certain cases user data that it otherwise could not, such as copies of iMessages, and hand it over to authorities if legally compelled. With end-to-end encryption enabled, even Apple cannot access the data.

"Apple's decision to disable the feature for UK users could well be the only reasonable response at this point, but it leaves those people at the mercy of bad actors and deprives them of a key privacy-preserving technology," said Andrew Crocker, surveillance litigation director at the Electronic Frontier Foundation.

Governments and tech giants have long been locked in a battle over strong encryption to protect consumers' communications, which the authorities view as a troublesome obstacle to mass surveillance and crime-fighting programs. But such a demand from Britain would be particularly sweeping.

Early plans to let Apple users fully encrypt backups of their devices to the company's iCloud service were dropped in or around 2018 after the FBI privately complained, Reuters has previously reported, but the company eventually went forward with the plan in 2022.

"Lawful access to digital evidence and threat information is rapidly eroding," the U.S. Federal Bureau of Investigation says on its website, citing "warrant-proof encryption".

Apple has long said that it would never build a so-called backdoor into its encrypted services or devices, because once one is created, it could be exploited by hackers in addition to governments, a sentiment echoed by security experts.

"Ultimately, once a door exists, it's only a matter of time before it's found and used maliciously. Removing ADP is not just a symbolic concession but a practical weakening of iCloud security for UK users," said Professor Oli Buckley, a professor in cybersecurity at Loughborough University in Britain.

Data that was encrypted before Apple launched its protection service in late 2022, such as passwords and iMessage and FaceTime messaging services, will remain encrypted.

"We are gravely disappointed that the protections provided by ADP will not be available to our customers in the UK given the continuing rise of data breaches and other threats to customer privacy," Apple said in a statement.

The change does not affect encryption of data stored directly on its devices, but in the era of large photo collections, huge messaging histories and regular phone upgrades, many users find it impractical to store all their data on their device alone.

Device-only storage also means that if the device is lost or damaged, all of a user's data could disappear, which drives many if not most consumers to opt for some form of cloud backup that now will be easier for British authorities to access.

SECURITY CONCERNS

Law enforcement agencies have frequently targeted Apple services including iMessage through iCloud backups, which were not end-to-end encrypted before Apple offered Advanced Data Protection.

Those backups - which can contain photos and other sensitive information and are widely used - can no longer be end-to-end encrypted for UK users, Apple said.

While Apple cannot disable ADP for existing users as it does not hold encryption keys, it will prompt users to turn off the feature themselves.

A spokesperson for Britain's Home Office declined to comment on whether such an order had been issued. "We do not comment on operational matters, including for example confirming or denying the existence of any such notices," the spokesperson said.

The Washington Post reported this month that Britain issued Apple a Technical Capability Notice, requiring access under the broad Investigatory Powers Act of 2016, which allows law enforcement to compel firms to assist in evidence collection.

Technical Capability Notices (TCNs) do not grant blanket access to users' personal data, according to the government's website. Even with a TCN in place, separate authorizations are still required to allow access to data.

Australia has a similar law, and could follow Britain's lead, said Joseph Lorenzo Hall, a distinguished technologist with nonprofit group Internet Society.

"The one thing we see with Commonwealth countries is the second one does something, the others tend to do that. And so I would expect Australia to issue a Technical Capability Notice that probably mirrors this, given their own laws."

Hall also noted that Alphabet's Android operating system offers encrypted backups.

Apple shares ended largely unchanged on Friday.

The company has long resisted government efforts to weaken encryption, including in 2016 when U.S. authorities tried to compel it to unlock the iPhone of a San Bernardino shooter.

Efforts to subvert it date back to the 1990s, when former U.S. President Bill Clinton's administration first proposed adding a physical chip to computer hardware that would give cops and spies a way of eavesdropping on encrypted communications.

The effort foundered, and strong encryption has since made its way into an increasing number of consumer services, including Apple's iMessage, Zoom meetings, Meta's WhatsApp and the privacy-focused app Signal.

Some U.S. officials have encouraged the use of encrypted services in the wake of December's widespread Salt Typhoon hack on U.S. telecommunications firms.

Meredith Whittaker, president of Signal, which has previously threatened to leave Britain over similar concerns, called Britain's move "technically illiterate" and said that it would hurt the country's efforts to cultivate its tech sector.

"You can’t be tech-friendly while eroding the foundation of cybersecurity on which robust tech depends. Encryption is not a luxury - it is a fundamental human right essential to a free society that also happens to underpin the global economy," Whittaker said.

(Additional reporting by Arsheeya Bajwa, Zaheer Kachwala and Juby Babu in Bengaluru; Editing by Sayantani Ghosh, Peter Henderson and Marguerita Choy)

Source: Reuters
