Apple users in the United Kingdom will no longer have access to a key data security feature for iCloud storage: Advanced Data Protection. It’s a relatively small change, but privacy experts worry it could have ripple effects for data privacy around the world.
The iPhone maker confirmed last week that it would end access for UK users to the optional end-to-end encryption feature, which helps to ensure that only users can access their own personal data, such as photos and messages.
The move was widely viewed as an effort to avoid complying with a request from the British government for a technical “back door” to access user data. Still, the situation could serve as an example that other governments could follow to undermine user privacy, experts say.
“This has always been one of our major concerns,” said Caroline Wilson, general counsel at UK-based nonprofit Privacy International. “The fact that the UK government… is setting a bad precedent for other governments around the world.”
Apple said in a statement that it is “gravely disappointed” to no longer offer the feature to UK users, “given the continuing rise of data breaches and other threats to customer privacy.”
But the company had little choice, experts say.
“Apple was in a very difficult spot here,” said John Verdi, senior vice president of policy at Washington, DC-based advocacy group Future of Privacy Forum. “Folks in the United Kingdom simply will not have available the top level of security that Apple provides elsewhere in the world.”
What is Advanced Data Protection?
Apple’s iCloud storage service uses end-to-end encryption to protect 14 categories of sensitive data by default, including health data and passwords, stored in users’ iCloud Keychain.
That means user data is basically scrambled when it’s stored on Apple’s servers, and only the user who holds the account can access it in its un-scrambled form. So, no one with access to Apple’s servers — like hackers, or even the company itself — could read users’ sensitive data.
“In the digital world, end-to-end encryption is going to be your best bet for getting a truly private and secure conversation that’s kind of on the level of what you could have in person,” said Joe Mullin, a senior policy analyst for the Electronic Frontier Foundation.
Advanced Data Protection, or ADP, extends end-to-end encryption for additional categories of data, including photos, notes, voice memos and iCloud backups (think text messages and call logs). So, in the event of a data breach, for example, content like this would be inaccessible to a hacker since even Apple can’t read it.
“One of the very few ways to make sure that your data can’t be leaked if a company is breached is to make sure that the company (itself) doesn’t have it,” said Sarah Scheffler, an assistant professor in Carnegie Mellon’s Cylab Security and Privacy Institute.
UK users will now lose protection for those additional categories of data. Those who have not already enabled ADP are no longer able to do so, and Apple says it will soon provide guidance to existing users on how to disable the feature.
There are third-party cloud storage options that offer end-to-end encryption, like NordLocker and Proton Drive. But Mullin notes that consumers are less likely to use them because they’d have to go through extra steps, whereas Apple’s system can back up your phone automatically when it’s locked and connected to power and Wi-Fi.
“You kind of need these encrypted services on some level from the people that are making the (operating system) on your phone,” said Mullin. “That’s why so much of the encryption conversation is around what Google and Apple are doing.”
Advanced Data Protection will still be available outside of the UK. For UK users, those standard end-to-end encrypted data categories will not change, and iMessage and FaceTime will remain end-to-end encrypted.
“It’s a shame,” Verdi said. “It makes British citizens less safe.”
The UK fight over data access
Apple’s move comes weeks after multiple news outlets reported that British security officials had ordered Apple to build a technical back door that would allow access to the company’s global user data. The demand reportedly came under the Investigatory Powers Act, which lets British law enforcement compel access to communications and metadata from tech companies in secret.
Apple has built its brand around privacy and previously resisted building back doors to allow governments or law enforcement access to its users’ information.
“As we have said many times before, we have never built a backdoor or master key to any of our products or services and we never will,” the company said in a statement regarding the change to ADP.
But without end-to-end encryption, Apple could have access to users’ data, which means law enforcement could legally compel the company to hand it over to aid in the investigation and prosecution of crimes. That may be why Apple believes the move to end ADP in the region will be enough for the British government.
“The decision to pull this privacy feature in the UK is an attempt to hopefully not undermine it in the rest of the world,” Wilson said.
Apple has declined to comment directly on the British demand. The UK’s Home Office, which is responsible for making requests under the Investigatory Powers Act, did not immediately respond to CNN’s request for comment.
A broader security threat
But even if it makes it easier for law enforcement to access user data, it’s “impossible to provide exceptional access” to data for some parties without “undermining security for everyone,” Verdi said.
“Either everyone is protected by strong encryption, or it’s weakened for everyone,” he said.
He added that law enforcement could instead seek to access data directly from, with a warrant that compels them to unlock their devices.
In the wake of the UK’s move, Verdi says he sees “two possible futures.” In one scenario, other governments could decide they want to do the opposite of the UK and give individuals, companies and government officials the “best security Apple has to offer,” boosting encryption protections. But some governments could also follow the UK’s lead and “seek to undermine security” by passing rules or making demands that force tech companies to weaken their encryption.
“What happens now?” said Scheffler. “This is one piece in a very large puzzle over… the future of privacy, and the future security and the future of encryption.”
