Apple is scrapping its most advanced security encryption feature for cloud data in Britain, the company said on Friday, an unprecedented response to government demands for access to user data.
The change affects a feature called Advanced Data Protection (ADP), which extends end-to-end encryption across a wide range of cloud data. Apple said it is no longer available in Britain for new users and current users would eventually need to disable this security feature.
The move means iCloud backups in Britain will no longer have that level of encryption, allowing Apple to access in certain cases user data that it otherwise could not, such as copies of iMessages, and hand it over to authorities if legally compelled. With end-to-end encryption enabled, even Apple cannot access the data.
Governments and tech giants have long been locked in a battle over strong encryption to protect consumers’ communications, which the authorities view as a mettlesome obstacle to mass surveillance and crime fighting programs. But such a demand from Britain would be particularly sweeping.
Early plans to let Apple users fully encrypt backups of their devices to the company’s iCloud service were dropped in or around 2018 after the FBI privately complained, Reuters has previously reported, but the company eventually went forward with the plan in 2022.
“Lawful access to digital evidence and threat information is rapidly eroding,” the U.S. Federal Bureau of Investigation says on its website, citing “warrant-proof encryption”.
Apple has long said that it would never build a so-called backdoor into its encrypted services or devices, because once one is created, it could be exploited by hackers in addition to governments, a sentiment echoed by security experts.
“Ultimately, once a door exists, it’s only a matter of time before it’s found and used maliciously. Removing ADP is not just a symbolic concession but a practical weakening of iCloud security for UK users,” said Professor Oli Buckley, a professor in cybersecurity at Loughborough University in Britain.
Data that was encrypted before Apple launched its protection service in late 2022, such as passwords and iMessage and FaceTime messaging services, will remain encrypted.
“We are gravely disappointed that the protections provided by ADP will not be available to our customers in the UK given the continuing rise of data breaches and other threats to customer privacy,” Apple said in a statement.
The change does not affect encryption of data stored directly on its devices, but in the era of large photo collections, huge messaging histories and regular phone upgrades, many users find it impractical to store all their data on their device alone.
Device-only storage also means that if the device is lost or damaged, all of a user’s data could disappear, which drives many if not most consumers to opt for some form of cloud backup that now will be easier for British authorities to access.
SECURITY CONCERNS
Law enforcement agencies have frequently targeted Apple services including iMessage through iCloud backups, which were not end-to-end encrypted before Apple offered Advanced Data Protection.
Those backups – which can contain photos and other sensitive information and are widely used – can no longer be end-to-end encrypted for UK users, Apple said.
While Apple cannot disable ADP for existing users as it does not hold encryption keys, it will prompt users to turn off the feature themselves.
A spokesperson for Britain’s Home Office declined to comment on whether such an order had been issued. “We do not comment on operational matters, including for example confirming or denying the existence of any such notices,” the spokesperson said.
The Washington Post reported this month that Britain issued Apple a Technical Capability Notice, requiring access under the broad Investigatory Powers Act of 2016, which allows law enforcement to compel firms to assist in evidence collection.
Technical Capability Notices (TCN) do not grant blanket access to users’ personal data, according to the government’s website. Even with a TCN in place, separate authorizations are still required to allow access to data.
Australia has a similar law, and could follow Britain’s lead, said Joseph Lorenzo Hall, a distinguished technologist with nonprofit group Internet Society.
“The one thing we see with Commonwealth countries is the second one does something, the others tend to do that. And so I would expect Australia to issue a technical capability notice that probably mirrors this, given their own laws.”
Hall also noted that Alphabet’s Android operating system also offers encrypted backups.
Apple shares were largely unchanged in Friday afternoon trading.
The company has long resisted government efforts to weaken encryption, including in 2016 when U.S. authorities tried to compel it to unlock the iPhone of a San Bernardino shooter.
Efforts to subvert it date back to the 1990s, when former U.S. President Bill Clinton’s administration first proposed adding a physical chip to computer hardware that would give cops and spies a way of eavesdropping on encrypted communications.
The effort foundered, and strong encryption has since made its way into an increasing number of consumer services, including Apple’s iMessage, Zoom meetings, Meta’s WhatsApp and the privacy-focused app Signal.
Signal has previously threatened to leave Britain over similar concerns, while Meta has faced pushback over its plans to expand encryption on WhatsApp.
(Additional reporting by Arsheeya Bajwa And Zaheer Kachwala in Bengaluru; Editing by Sayantani Ghosh, Peter Henderson and Marguerita Choy)
