Experts call this a step backwards for consumer security in the UK with worldwide consequences.
Apple recently stopped offering its end-to-end encryption tool called Advanced Data Protection (ADP) to new users in the UK and announced that existing users in the country will lose their access at an unconfirmed later date.
The company’s move comes after the UK government, earlier this month, demanded that Apple allow it backdoor access into the encrypted data stored by iOS users worldwide. Its demand applies to all content stored using the ADP tool, which includes vast categories of data such as photos, notes, voice memos and wallet passes.
However, withdrawing the tool from the country does not necessarily mean Apple will be in compliance with the UK’s Investigatory Powers Act, which obliges companies to provide communication data to the government. In a statement to the BBC, Apple said that it had “never built a backdoor or master key to any of our products, and we never will”.
The US has criticised the UK government’s demand of the American company. The country’s director of national intelligence, Tulsi Gabbard, said that the UK’s demand is a “clear and egregious violation of Americans’ privacy and civil liberties”, which would “open up a serious vulnerability for cyber exploitation by adversarial actors”.
In a letter addressed to the US Senate and the House of Representatives, Gabbard said she has directed her office to outline the potential implications of the UK “compelling” an American company to create backdoor access to private user content. She also said she will engage with UK government officials on the matter.
‘Chilling effect’ of removing data protection
ADP was introduced by Apple in 2022, expanding the categories of data that were protected under end-to-end encryption on iCloud storage. The tool encrypts data in such a way that it can only be decrypted by the person who owns the iCloud account, removing even Apple’s access to it.
This means that government authorities cannot access protected iCloud data, or ask Apple for it. The lack of backdoor access also increases encrypted devices’ protection from malicious actors. Moreover, Apple has previously refused to write software which would have allowed US authorities access to a gunman’s iPhone.
Even without ADP in the UK, some types of iCloud data, including passwords, health data and payment information, will remain end-to-end encrypted by default. Still, the UK’s demands have elicited sharp criticism from experts.
“Apple is clearly not able to withdraw from the whole UK market, but removing a feature that should help everyone – especially those who may need the extra protection (activists, journalists etc), is one step they can take to remain ‘compliant’ without leaving the UK entirely,” explained Nick France, the CTO of Sectigo, a website security certification manager.
“This is the chilling effect I think we can expect with the enforcement of this act.” France worries that there could be other companies who are also complying with the UK’s demands.
“While Apple’s actions are visible, it’s likely that other tech giants are quietly complying with these demands. Any backdoor created, even with ‘good’ intent will always be abused, and the fact that Apple would choose to remove a security feature altogether rather than comply is telling how serious the government’s requirement under the act is.”
Meanwhile, Paul McKay, a Forrester VP analyst, calls Apple’s move to remove ADP a “backwards step” for UK consumer security.
“The debate around inserting ‘encryption’ backdoors to allow lawful interception to aid law enforcement tackle online crime and abuse rests on the shaky assumption that any encryption weaknesses will only be used for good and will never fall into the hands of malign forces.
“From recent Salt Typhoon attacks showing the ability of state actors to exploit weaknesses to infiltrate critical infrastructure in the US in 2024, we can never assume that weaknesses introduced will always remain hidden and only ‘exploited for good’.
“Rather than yield to the UK’s request, Apple has chosen to withdraw the product on the principle, which should drive some hard thinking in the UK and internationally on how to strike the balance between individual privacy and protecting citizens from online harms.”