Apple has made the unprecedented decision to disable its most advanced security encryption feature, Advanced Data Protection (ADP), for cloud data in Britain. This move is a direct response to government demands for greater access to user data. ADP is designed to provide end-to-end encryption for a wide range of cloud data, including iCloud backups, which means that even Apple would be unable to access the data once the feature is activated. However, as of late last week, the feature is no longer available to new users in Britain, and those attempting to enable it are met with error messages. Existing users will eventually be required to disable the security feature, effectively stripping their iCloud backups of the enhanced level of encryption previously offered by ADP.
This change has significant implications for data privacy, as it allows Apple to access certain user data, such as copies of iMessages, under legal compulsion. With end-to-end encryption enabled, even Apple would not be able to access this data. By disabling ADP, the company is making user data more accessible to authorities when legally required, marking a significant shift in its approach to data security and user privacy. This decision has sparked concerns among privacy advocates, with Andrew Crocker, surveillance litigation director at the Electronic Frontier Foundation, arguing that it leaves UK users vulnerable to cyber threats and deprives them of a crucial privacy-preserving technology.
The conflict between governments and technology companies over strong encryption is longstanding. Governments see robust encryption as an obstacle to mass surveillance and crime-fighting programs, while tech companies and privacy advocates argue that weakening encryption compromises user privacy and security. Apple’s decision to disable ADP in Britain is particularly significant because it represents one of the most sweeping concessions to government demands for digital access. This decision is likely influenced by Britain’s Investigatory Powers Act of 2016, which gives law enforcement broad authority to compel companies to provide technical assistance in collecting digital evidence.
The decision also follows historical precedents. In or around 2018, Apple initially shelved plans to fully encrypt iCloud backups after the FBI privately raised concerns, but the company eventually proceeded with the feature in 2022. The U.S. Federal Bureau of Investigation continues to express concerns about “warrant-proof encryption” on its website, arguing that it undermines law enforcement’s ability to access digital evidence.
Apple has consistently maintained that it would never create a backdoor into its encrypted services or devices, warning that such a backdoor could be exploited by hackers as well as governments. This sentiment is widely shared by security experts who argue that once a vulnerability is introduced, it is only a matter of time before it is discovered and misused. Professor Oli Buckley, a cybersecurity expert at Loughborough University in Britain, emphasized that disabling ADP is not just a symbolic gesture but a practical weakening of iCloud security for UK users.
Despite the removal of ADP, certain data will remain encrypted, such as passwords and messaging data from services like iMessage and FaceTime that were encrypted before the launch of ADP in late 2022. Apple also clarified that the change does not impact the encryption of data stored directly on devices. However, as users increasingly rely on cloud backups to store large volumes of photos, messaging histories, and other personal data, the absence of ADP significantly reduces the privacy and security of iCloud backups for UK users. Device-only storage is impractical for many users due to limited storage space and the risk of data loss if the device is damaged or lost.
Apple has expressed disappointment over its inability to provide ADP protections to its UK customers, citing the growing threat of data breaches and privacy concerns. The company’s decision highlights the ongoing tension between user privacy and government surveillance, as well as the challenges faced by tech companies operating under different legal frameworks in global markets.
Law enforcement agencies have frequently targeted Apple’s cloud services, including iMessage, by exploiting iCloud backups that were not end-to-end encrypted before ADP was introduced. These backups often contain sensitive personal data, and the removal of ADP makes it easier for authorities to access this information under legal compulsion. Although Apple cannot unilaterally disable ADP for existing users because it does not hold the encryption keys, it will encourage users to disable the feature themselves.
The British government has neither confirmed nor denied issuing a technical capability notice (TCN) to Apple, as allowed under the Investigatory Powers Act of 2016. A TCN compels companies to provide technical assistance in collecting digital evidence, although separate authorizations are required for accessing specific user data. This ambiguity has led to speculation that the UK government’s demand for access to encrypted data influenced Apple’s decision. The move could set a precedent for other countries with similar laws. Joseph Lorenzo Hall, a distinguished technologist with the Internet Society, noted that Commonwealth countries, including Australia, tend to follow each other’s regulatory decisions. Australia has comparable legislation, and Hall predicts that it may issue a similar TCN, effectively mirroring Britain’s move against ADP.
The debate over encryption is not limited to Apple alone. Other tech giants, such as Alphabet’s Android operating system, also offer encrypted backups and have resisted government attempts to weaken encryption. In 2016, Apple famously resisted a U.S. government order to unlock the iPhone of a San Bernardino shooter, citing security and privacy concerns. The debate over encryption dates back to the 1990s when the U.S. government proposed a “Clipper Chip” that would allow authorities to access encrypted communications, but the initiative was ultimately abandoned due to privacy and security concerns.
The controversy over strong encryption has continued as digital communication technologies have evolved. Today, many consumer services use robust encryption protocols, including Apple’s iMessage, Meta’s WhatsApp, Zoom meetings, and the privacy-focused app Signal. Notably, Signal’s president, Meredith Whittaker, has criticized Britain’s demand for weakened encryption, calling it “technically illiterate” and warning that it undermines cybersecurity and Britain’s ambitions to be a leader in the tech sector. Whittaker emphasized that encryption is a fundamental human right essential to privacy and security in a digital age.
The implications of Apple’s decision extend beyond user privacy and security. It also raises questions about the role of technology companies in protecting user data while complying with government regulations. As the debate over encryption continues, tech companies face increasing pressure to balance user privacy with legal obligations to provide access to digital evidence. Apple’s decision to disable ADP for UK users highlights the complex intersection of technology, privacy, and government surveillance. It reflects the growing challenges faced by tech companies as they navigate diverse regulatory environments across global markets. The outcome of this debate could shape the future of digital privacy, cybersecurity, and government surveillance practices worldwide.