Zoe Kleinman
Technology editor•@zsk
Getty Images
Apple is taking the unprecedented step of removing its highest level data security tool from customers in the UK, after the government demanded access to user data.
Advanced Data Protection (ADP) means only account holders can view items such as photos or documents they have stored online through a process known as end-to-end encryption.
But earlier this month the UK government asked for the right to see the data, which currently not even Apple can access.
Apple did not comment at the time but has consistently opposed creating a “backdoor” in its encryption service, arguing that if it did so, it would only be a matter of time before bad actors also found a way in.
Now the tech giant has decided it will no longer be possible to activate ADP in the UK.
It means eventually not all UK customer data stored on iCloud – Apple’s cloud storage service – will be fully encrypted.
Data with standard encryption is accessible by Apple and shareable with law enforcement, if they have a warrant.
The Home Office told the BBC: “We do not comment on operational matters, including for example confirming or denying the existence of any such notices.”
In a statement Apple said it was “gravely disappointed” that the security feature would no longer be available to British customers.
“As we have said many times before, we have never built a backdoor or master key to any of our products, and we never will,” it continued.
The ADP service is opt-in, meaning people have to sign up to get the protection it provides.
From 1500GMT on Friday, any Apple user in the UK attempting to turn it on has been met with an error message.
Apple
Existing users’ access will be disabled at a later date.
It is not known how many people have signed up for ADP since it became availabl
58 Comments
InsomniacL
malicious compliance.
Providing access when ordered by a court is not as secure so we're removing all encryption?
Retr0id
As someone currently a citizen of the UK, what are my best emigration opportunities?
LuciOfStars
Not gonna lie, I expected Apple to just kind of roll over and take the blow on this one. Interesting.
connorgurney
Really disappointed that our government decided to take such a stance.
What are people using when self-hosting services in the scope of iCloud nowadays? Nextcloud seems the closest comparable service.
jiriknesl
I wonder, what are the alternatives now?
Tresorit? Self-hosted Nextcloud?
lrdd
As a citizen, I don’t understand what the UK government thinks they are getting here – other than the possibility of leaks of the nation’s most sensitive data.
Also is it not possible to set up my Apple account outside of the UK while living here?
world2vec
I regret immensely not having turned ADP before… Now I'm feeling really angry at this whole thing.
piyuv
This can set a dangerous precedent. Now why wouldn’t any country demand the same, basically eliminating Advanced Data Protection everywhere, making user data easily accessible to Apple (and therefore governments)?
declan_roberts
I don't get what's happening to civil liberty in Europe.
thraway3837
Could moves like this by other repressive regimes finally open the door to consumer-owned, consumer-controlled, decentralized cloud storage systems that are fully encrypted and inaccessible by any agency or individual except by the owner?
Would be a beautiful thing to see. Not sure how storage would work though since you cannot take payment (that would make it centralized), and storage would have to be distributed, but by who?
herf
Why is there only one "iCloud" to backup your iPhone and store photos? Lots of ADP users would use a corporate or self-hosted solution instead.
vroomvroomboom
It's the right choice: don't bow to government pressure, let the people pressure the government.
vroomvroomboom
It's the right decision. Don't bow to the government, let the people demand it from their leaders, and vote in new ones.
v3xro
Very disappointed with this, but I think will be finding alternatives.
Family sharing especially of Reminders is a hard one – we use lists for grocery shopping and it is extremely convenient.
Has anyone tried out Ente https://ente.io/ for photos?
b800h
What happens if you're an international traveller?
tome
I'm confused. I thought iCloud was end-to-end encrypted anyway, and I've never heard of ADP before. Is ADP encryption at rest, whereas normal iCloud storage is only encrypted from the device to the server?
pyuser583
How does this affect me if I travel to the UK with an E2E encrypted IThing?
cgcrob
Removed all my stuff from iCloud about a month ago in preparation for this.
ranger_danger
The beginning of the end. A sad day for Brits
Jigsy
I don't like Apple, nor do I use any of their products, but as someone from the UK, I do respect them for doing this.
Now if only the other companies who said they'd leave would grow a backbone…
bArray
Too right, it was far more problematic than they ever made out.
> The UK government's demand came through a "technical capability notice" under the Investigatory Powers Act (IPA), requiring Apple to create a backdoor that would allow British security officials to access encrypted user data globally. The order would have compromised Apple's Advanced Data Protection feature, which provides end-to-end encryption for iCloud data including Photos, Notes, Messages backups, and device backups.
One scenario would be somebody in an airport and security officials are searching your device under the Counter Terrorism Act (where you don't even have the right to legal advice, or the right to remain silent). You maybe a British person, but you could also be a foreign person moving through the airport. There's no time limit on when you may be searched, so all people who ever travelled through British territory could be searched by officials.
Let that sink in for a moment. We're talking about the largest back door I've ever heard of.
What concerns me more is that Apple is the only company audibly making a stand. I have an Android device beside me that regularly asks me to back my device up to the cloud (and make it difficult to opt out), you think Google didn't already sign up to this? You think Microsoft didn't?
Then think for a moment that most 2FA directly goes via a large tech company or to your mobile. We're just outright handing over the keys to all of our accounts. Your accounts have never been less protected. The battle is being lost for privacy and security.
chatmasta
Ugh. Is this by App Store country? Anyone know what happens if I already have it configured? I’m actually in US App Store region and sometimes switch to UK… I wonder if that would disable it.
aSithLord
[dead]
drcongo
Could any hackers on here now please hack the fuck out of UK government ministers please?
wackget
So instead of building a back door they're just completely removing the option to use E2E encryption altogether, thus making everything freely available to government by default?
How is that not worse or at least equivalent to a back door?
Eavolution
What are you actually supposed to do in the UK if you oppose this sort of thing to stop laws like this coming in? It feels like the government has been incredibly out of touch for the last number of years.
wonderwonder
The UK wanted access to anyone's data. Not just UK citizens and then additionally added regulations forbidding apple to disclose this.
UK is ~3-4% of apples income. While I appreciate Apples actions here, I wish they would make a real stand here and pull completely out of the UK.
ta8645
Free speech already under threat and now y'all are giving up the right of private communication too? For anyone cheering this on, do you honestly think this will only affect the "bad people", and you'll never have your own neck under the government's boot? Even if you trust the government today, what happens when your neighbors elect a government you disagree with ideologically?
ohnoitsahuman
Let's vote Labor and Liberal to keep the UK from going fascist on our data.
Oh wait….shit.
ilumanty
What exactly can UK users do now? Turn off "backup iPhone to iCloud" and stop syncing notes?
Jackknife9
I'm going to start purging anything I store on the cloud. I'm not doing anything illegal, but why does the government want to treat me like I am.
dsmurrell
disables apple cloud sync
tw600040
Ok, I am not very technical. Can someone help me understand this. I don't have Advanced data Protection on. Does that mean UK Gov can see my data now?
Goleniewski
Think about it.. You don't even have to be an Apple user to be affected by this issue. If someone backs up their conversations with you to apple cloud, your exchange is now fair game. You get no say in it either.
We all lose.
ComputerGuru
Note that this doesn’t satisfy the government’s original request, which was for worldwide backdoor access into E2E-encrypted cloud accounts.
But I have a more pertinent question: how can you “pull” E2E encryption without data loss? What happens to those that had this enabled?
Edit:
Part of my concern is that you have to keep in mind Apple's defense against backdooring E2E is the (US) doctrine that work cannot be compelled. Any solution Apple develops that enables "disable E2E for this account" makes it harder for them to claim that implementing that would be compelling work (or speech, if you prefer) if that capability already exists.
yapyap
yikes
DataOverload
This was predictable vs creating a backdoor
mynameyeff
Yikes… looks like Apple sun is setting. This cannot be allowed to happen.
throwaway77385
The nightmare continues.
For now I am using 3rd party backup services that are (currently) promising me that my backups are encrypted by a key they do not have access to, or control over.
But can this even be believed in an age where these secret notices are being served to any number of companies?
I suppose the next step would be to ensure that files don't ever arrive in the cloud unencrypted, but I have yet to see a service that allows me to do this with the same level of convenience as, say, my current backup solution, which seamlessly backs up all my phones, my family members' phones, my laptops, their laptops etc.
I depend on having an offsite backup of my data. Which inevitably includes my clients' data also. Which I am supposedly keeping secret from outside access. So how does that work once everything becomes backdoored?
jcarrano
The smartphone is a terrible platform. Something like this could never happen on the PC, where you can install any encryption and backup software that you want.
While Apple did the right thing by refusing to give the UK government a backdoor, they are responsible for getting users in this situation in the first place.
I'm not familiar with the iPhone and maybe there is already an alternative to iCloud ADP, although that would make this whole situation completely nonsensical.
fjjjrjj
Does this mean I should treat travel to the UK the same way as China and only bring a burner device with no information on it or on cloud backup accounts?
tene80i
I have a naive question, and it's genuine curiosity, not a defence of what's happening here.
This ADP feature has only existed for a couple of years, right? I understand people are mad that it's now gone, but why weren't people mad _before_ it existed? For like, a decade? Why do people treat iCloud as immediately dangerous now, if they didn't before?
Did they think it was fully encrypted when it wasn't? Did people not care about E2E encryption and now they do? Is it that E2E wasn't possible before? If it's such a huge deal to people now, why would they have ever used iCloud or anything like it, and now feel betrayed?
fdb345
How will they enforce this?
They will have to send out messages 'You have 32465 hours before you account is deleted unless you decrypt'
This is NOT a good look.
blindriver
[flagged]
perdomon
Can someone explain what's changed in the UK that they would consider requesting unfettered access to all Apple customer data (including outside their own borders)? I get that the NSA is infamous for warrant-less surveillance, but this seems a step further.
andyjohnson0
Presumably this applies to the iPhones owned by UK government ministers, civil servants, personal devices of military personnel, UK businesses, etc.
As a brit, I find that my government's stupidity is almost its only reliable attribute.
santiagobasulto
What happens if a British citizen/resident buys an iPhone in the USA?
Btw, as a European citizen, I always buy my devices in the USA. We can complain about the US as much as we want, but Europe is on another level.
Ruq
Honestly I'm surprised that rather than trying to build stupid backdoors and such, tyrannical governments don't just try to make a encryption key database. They hold ALL the keys and can get into anything they want, anytime they want. If you get caught with keys or encrypted data they can't access, punishment ensues.
Like if you're gonna try to eliminate privacy and freedom, just be honest and open about your intentions.
xyst
If you care about privacy and security of your data, you aren’t using public services from Apple or Google, or “big tech” anyways.
I always thought of “cloud” services to be a sham. I only trust them with transient data or junk data anyways (glorified temp storage, at best).
j-bos
This law raises serious concerns about being a non UK resident using British software, like Linux Mint.
sumuyuda
Apple could have disabled iCloud completely for UK users. This would protect both UK users and other users who’s data would also been captured in an iCloud backup.
They would lose some money on services, but would have been the better choice to stand up to the UK government and protect the UK users.
CodeWriter23
If Apple was a real American Company they would solve this issue by withdrawing their devices from the UK.
nomilk
Wow – how sad. To think the 2nd highest scoring post ever on hacker news is Apple's 2016 A Message to Our Customers. A display of intelligence, morality and courage under great pressure: https://hn.algolia.com
How things have changed.
> In a statement Apple said it was "gravely disappointed"
So are we, Apple. So are we.
freedomben
Devil's Advocate (meaning I don't agree with this, in fact I disagree with it, but I don't see this argument being made anywhere and think it would be interesting. If you're one of the people who are offended by this practice of people steel-manning "the other side" and only want to read comments that affirm your position, please don't read this comment).
Question: Wouldn't it be better for Apple to build a UK-only encryption that is backdoored but is at least better than nothing? If Apple really cared about people's privacy, why just abandon them?
My position: No because this is a war, not a battle. Creating a backdoored encryption would immediately trigger every government on the planet passing laws banning use of non-back-doored encryption, which would ultimately lead us to a much, much worse world. Refusing to do it is the right thing IMHO.
nomilk
Wonder what the cost/benefit looks like from Apple's perspective.
If this requirement increases the proportion of data on Apple's servers that is now unencrypted (or encrypted but which can be trivially unencrypted), that could be a huge plus to Apple; more data to use for ad targeting (or to sell to third parties), and more data to train AI models on.
backyardflock
Current days' UK is mostly a bunch of draconian laws, the political elite disrespecting "their" people (common European scenario) and third-world economic immigrants fucking up the country even further.
It's so sad…
smashah
Notice all the undemocratic dictatorships that did not require this of apple. The UK is in decline completely.
Kim_Bruning
The current EU-UK adequacy decision[1] is up for review this 27 June [2] .
Aspects of the UK investigatory powers act is close enough to US FISA [2] that I think this might have some influence, if brought up. IPA 2016 was known at the time of the original adequacy decision, but IPA was amended in 2024 . While some things might be improvements, the changes to Technical Capability Notices warrant new scrutiny.
Especially seeing this example where IPA leads to reduced security is of some concern, I should think. The fact that security can be subverted in secret might make it a bit tricky for the EU to monitor at all.
[1] https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL…
[2] ibid. Article 4
[3] FISA section 702 https://www.govinfo.gov/content/pkg/BILLS-110hr6304pcs/html/…