Apple is no longer offering its end-to-end encrypted iCloud storage, Advanced Data Protection (ADP), to new users in the UK, and will require existing users to disable the feature at some point in the future, after UK security agencies requested backdoor access to worldwide users' encrypted backups.
Apple launched ADP in 2022, allowing iCloud data including file backups and photos to be protected with end-to-end encryption, which means they can only be decrypted by the person who owns the device. Apple claims that even it doesn't have a key. Removing ADP means that UK users' files will be accessible to Apple, and shareable with law enforcement, though that would still require a warrant.
To clarify one thing: Apple isn't entirely disabling encryption. iCloud data is merely being downgraded to standard encryption in the UK, which still keeps things safe in transit. The difference is that Apple now holds the decryption keys, which it can hand to the UK government.
Apple spokesperson Julien Trosdorf said in a statement to The Verge:
“Apple remains committed to offering our users the highest level of security for their personal data and are hopeful that we will be able to do so in the future in the United Kingdom. As we have said many times before, we have never built a backdoor or master key to any of our products or services and we never will.”
However, as one commenter plainly put it on a TechSpot article:
“Apple has indeed blocked access via a backdoor, by welcoming them in thru the front door instead.”
Wait, so why the change? Hasn't Apple always prided itself on being privacy-focused?
Apple has fought against similar government demands for encryption backdoors in the past, particularly in the US.
One of the most high-profile cases was the 2016 Apple vs. FBI dispute, where the US government demanded that Apple create special software to unlock an iPhone used by one of the San Bernardino shooters. Apple refused, arguing that building a backdoor would compromise the security of all iPhones and set a dangerous precedent. The FBI eventually accessed the device through a third-party hacking firm.
Apple has consistently maintained that end-to-end encryption is essential for user privacy and that weakening it for one government could open the door for abuse by others. The company has fought against various legislative attempts, such as the EARN IT Act and the Lawful Access to Encrypted Data Act, which sought to force tech companies to provide law enforcement with access to encrypted communications.
Unlike past cases, this recent legal order compels Apple to comply under UK law, and rather than weakening encryption globally, Apple chose to disable the feature in the UK to maintain its stance against creating backdoors.
Was it the right answer? I'd argue that Apple should simply shut down iCloud services in the UK, leaving almost 30M iPhone users in the region with bricked phones. That would've gotten customers in contact with their government fairly quickly in support of end-to-end encryption and data privacy. We're at a point where it's going to take major stands like this to fight for the data protection rights of consumers.
However, in the non-ideal world we live in, the scenario isn't so black and white. Apple has fiduciary responsibilities to investors that involve NOT losing revenue from one of its key regions, legal responsibilities to adhere to the specific rules of the jurisdictions it does business in, and a broader strategic interest in maintaining its global reputation while balancing user privacy with government compliance.
It was a no-win situation for Apple that will unfortunately have ripple effects across the globe. It won't be long before another government (no names mentioned) follows suit.