In response to regulatory changes in the UK, Apple has removed its Advanced Data Protection feature, which provided end-to-end encryption for iCloud. This decision stems from the 2016 Investigatory Powers Act, granting the government increased control over digital security and potentially requiring backdoors in encryption. Apple expressed disappointment over the impact on user privacy and reiterated its commitment against creating backdoors, emphasizing the importance of robust encryption amidst rising data breaches.
Apple’s Encryption Dilemma in the UK
In the summer of 2023, Apple alerted UK officials about the potential compromise of encryption standards. The tech giant warned that if it could no longer guarantee the robust security of its services, such as FaceTime and iMessage, it might opt to withdraw these offerings from the British market altogether.
Withdrawal of Advanced Data Protection
Fast forward nearly three years, and Apple’s warning has transformed into a significant decision: the removal of its Advanced Data Protection (ADP) feature for users in the UK. This feature, which was introduced in late 2022 and deployed in 2023, provides a high level of security for iCloud, Apple’s cloud storage service. However, it does not extend to iMessage, FaceTime, Apple Health, or Apple Passwords.
The hallmark of the ADP feature is its use of end-to-end encryption (E2EE), a method that secures data by converting files into an unreadable format through complex mathematical processes. E2EE ensures that only the user holding the specific decryption key can access their data, and this key must remain confidential to maintain security. In this case, Apple does not possess the key, which means it cannot access or share the data even under legal compulsion.
Apple’s statement reinforces this point, emphasizing that “Advanced Data Protection protects iCloud data with end-to-end encryption, meaning that data can only be decrypted by the user who owns it, and only on their trusted devices.”
The decision to withdraw ADP is currently limited to the UK, which has recently updated its regulatory framework, particularly the Investigatory Powers Act (IPA) of 2016. The updated legislation gives the Home Office greater authority over digital security, compelling non-UK companies to adapt to regulations that could impact their international operations, including the potential for backdoors in end-to-end encryption.
This regulatory shift has heightened tensions, prompting responses from tech giants like Meta and Signal, with the latter suggesting a possible exit from countries that impose restrictions on encryption.
For now, Apple has adjusted its strategy by discontinuing ADP in the UK at the behest of local authorities. The company is hopeful that it can reinstate the feature if the UK government is willing to reassess its regulations, though this remains uncertain. In the realm of security, legislative changes typically trend in one direction—toward increased control.
Apple has expressed its disappointment regarding this development, stating, “We are deeply disappointed that the protections provided by ADP are not available to our customers in the UK, given the ongoing increase in data breaches and other threats to customer privacy. It is more urgent than ever to enhance the security of cloud storage with end-to-end encryption.” It is important to note that while ADP is being removed, services like FaceTime, iMessage, and Apple Passwords will continue to be protected by encryption.
With this move, Apple clearly communicates its stance against backdoors. “As we have said many times, we have never built a backdoor or master key for any of our products or services, and we will never do so,” the company asserts. This commitment underscores the concern that backdoors could also be exploited by malicious actors.