Today, in response to the U.K.’s demands for a backdoor, Apple has stopped offering users in the U.K. Advanced Data Protection, an optional feature in iCloud that turns on end-to-end encryption for files, backups, and more.
Had Apple complied with the U.K.’s original demands, they would have been required to create a backdoor not just for users in the U.K., but for people around the world, regardless of where they were or what citizenship they had. As we’ve said time and time again, any backdoor built for the government puts everyone at greater risk of hacking, identity theft, and fraud.
This blanket, worldwide demand put Apple in an untenable position. Apple has long claimed it wouldn’t create a backdoor, and in filings to the U.K. government in 2023, the company specifically raised the possibility of disabling features like Advanced Data Protection as an alternative. Apple’s decision to disable the feature for U.K. users could well be the only reasonable response at this point, but it leaves those people at the mercy of bad actors and deprives them of a key privacy-preserving technology. The U.K. has chosen to make its own citizens less safe and less free.
Although the U.K. Investigatory Powers Act purportedly authorizes orders to compromise security like the one issued to Apple, policymakers in the United States are not entirely powerless. As Senator Ron Wyden and Representative Andy Biggs noted in a letter to the Director of National Intelligence (DNI) last week, the US and U.K. are close allies who have numerous cybersecurity- and intelligence-sharing agreements, but “the U.S. government must not permit what is effectively a foreign cyberattack waged through political means.” They pose a number of key questions, including whether the CLOUD Act—an “encryption-neutral” law that enables special status for the U.K. to request data directly from US companies—actually allows the sort of demands at issue here. We urge Congress and others in the US to pressure the U.K. to back down and to provide support for US companies to resist backdoor demands, regardless of what government issues them.
Meanwhile, Apple is not the only company operating in the U.K. that offers end-to-end encryption backup features. For example, you can optionally enable end-to-end encryption for chat backups in WhatsApp or backups from Samsung Galaxy phones. Many cloud backup services offer similar protections, as do countless chat apps, like Signal, to secure conversations. We do not know if other companies have been approached with similar requests, but we hope they stand their ground as well.
If you’re in the U.K. and have not enabled ADP, you can longer do so. If you have already enabled it, Apple will provide guidance soon about what to do. This change will not affect the end-to-end encryption used in Apple Messages, nor does it alter other data that’s end-to-end encrypted by default, like passwords and health data. But iCloud backups have long been a loophole for law enforcement to gain access to data otherwise not available to them on iPhones with device encryption enabled, including the contents of messages they’ve stored in the backup. Advanced Data Protection is an optional feature to close that loophole. Without it, U.K. users’ files and device backups will be accessible to Apple, and thus shareable with law enforcement.
We appreciate Apple’s stance against the U.K. government’s request. Weakening encryption violates fundamental rights. We all have the right to private spaces, and any backdoor would annihilate that right. The U.K. must back down from these overreaching demands and allow Apple—and others—to provide the option for end-to-end encrypted cloud storage.
