As had been expected by many, Apple has turned off its Advanced Data Protection iCloud feature for users in the United Kingdom, following that government’s demand for backdoor access to users’ encrypted data, according to a report from Bloomberg.
UK officials had secretly ordered Apple to provide unfettered access to the encrypted iCloud data of users worldwide.
UK customers who are already using Advanced Data Protection, or ADP, will be required to manually disable it during an unspecified grace period if they want to keep their iCloud accounts, according to the report. Apple said it will issue additional instructions in the future to affected users, also saying that it “does not have the ability to automatically disable it on their behalf.”
The order is said to have been issued last month, and requires that Apple provide backdoor access that allows UK security officials to access encrypted user data worldwide. Such a demand from a democratic country is a first.
The spying order was included in a “technical capability notice,” a document sent to Apple by the Home Secretary. The document orders the Cupertino company to provide access under the sweeping UK Investigatory Powers Act (IPA) of 2016, labeled the “Snooper’s Charter” by critics, as it authorizes law enforcement to compel assistance from companies when needed to collect evidence.
The order would have compromised the Advanced Data Protection feature, which ensures that iCloud data is end-to-end encrypted. Such a backdoor would have given the UK government access to users’ Photos, Notes, Messages backups, device backups, and more.
“We are gravely disappointed that the protections provided by ADP will not be available to our customers in the UK given the continuing rise of data breaches and other threats to customer privacy,” Apple said in a statement. “ADP protects iCloud data with end-to-end encryption, which means the data can only be decrypted by the user who owns it, and only on their trusted devices.”
Apple’s decision to pull the feature rather than comply with the UK’s demands is consistent with the company’s previous statements that it would consider withdrawing encrypted services from the UK rather than compromise security. Apple has long opposed creating backdoors in its products, maintaining that such access points would inevitably be discovered by malicious actors.
The UK order was quite controversial, as Apple would be required to provide access to the encrypted data of users from around the world, without the knowledge of those users’ governments. The IPA also makes it illegal for companies to reveal such UK government demands.
The UK order comes as U.S. security agencies, such as the NSA and FBI, have been pushing for users to increase the use of encryption to protect against threats from sources such as the Chinese.
“Enhancing the security of cloud storage with end-to-end encryption is more urgent than ever before,” said Apple on Friday, per Bloomberg. The company added that it “remains committed to offering our users the highest level of security for their personal data and are hopeful that we will be able to do so in the future in the United Kingdom.”
While Advanced Data Protection in the UK may be coming to an end, the move does not affect the existing end-to-end encryption of iMessage, FaceTime, password management, health data, and some other data.
In a statement in a press release, Mike Salem, UK Country Associate for the Consumer Choice Center (CCC), reacted to the news:
“This unfortunate move is a direct result of the government’s own decision to force tech companies to hand over the keys to our data, giving them a blank cheque to access any of our information without proper due process.”
“Everyone in the UK should be extremely worried about what the government aims to access not just in the UK, but across the world. Over 40 public authorities, including police, intelligence agencies, HMRC, and even local councils can apply for such warrants with broad powers for communication and data surveillance, and with almost always guaranteed approval.”
“The UK Government has set a precedent, and cast a new reputation that underscores the erosion of personal liberties and privacy in a digital age where these values are needed more than ever.”
“This marks a very sad day for the basic principle of consumer privacy in the 21st century, depriving users of the tools that leave UK citizens exposed to governments, criminals and malicious hackers. The fact this has been done without debate, oversight or advance warning to UK Apple users is extremely concerning.”
The CCC has called upon the UK Government to explain its reasons for such measures as soon as Monday in Parliament, and is urging parliamentarians in opposition to “hold the government to account so that consumers can once again elect to encrypt and secure their data.”
(Photo by A Perry on Unsplash)