This week, the UK put the entire world at risk. I understand that may sound like alarmist hyperbole, but follow me. To understand, we have to go back to 2016, a year that I like to describe as “the year the world got collectively blackout drunk and decided to call our ex.” A lot of wild stuff happened that year – especially in the UK – so one thing that might’ve slipped under the radar was the passing of a little law called the Investigatory Powers Act. This law would later go on to be nicknamed “The Snooper’s Charter” by critics, and it allowed the UK to dramatically expand their electronic surveillance powers. How dramatically, you might ask? Two weeks ago, Apple was ordered to insert an encryption backdoor (more on that in a moment) into iCloud. And they weren’t allowed to publicly disclose it. And also even if they wanted to fight it, they’d still have to comply while the courts considered their appeal.
Yeah. That dramatically.
The thing is, Apple has made it abundantly clear in no uncertain terms that they will refuse any request by any government to knowingly insert backdoors into their software. So in light of their inability to fight this request, Apple simply decided to remove iCloud encryption entirely for UK users.
Advanced Data Protection
Some readers may be a little confused on how all this works (also my wording wasn’t 100% accurate for the sake of brevity), so let me break it down real quick. Encryption is the practice of taking data and making it unreadable to unauthorized parties, much like a secret code or language. Most modern devices and internet traffic are encrypted, but in such a way that the service provider still has access. Your Gmail inbox, for example, is encrypted as it travels between your phone and Google’s servers but it’s decrypted at those two spots, meaning anyone at Google who has the proper access can access your emails. (There are a lot of valid reasons for this, but it also opens up your data to being spied on, sold, or otherwise shared and potentially abused.) Some providers, however, take it a step further and implement what’s called “end-to-end encryption” (aka “E2EE” or “zero-knowledge encryption”). This is data encrypted in such a way that it’s only ever accessible on your devices, never the provider’s. (More on all of this in the page I linked earlier in this paragraph.) While there are no doubt a handful of evil people who would abuse E2EE to better cover their harmful tracks, it also benefits ordinary, law-abiding users by giving them a huge defensive boost against data breaches, massive data collection, unchecked mass surveillance, and a myriad of other threats online.
This brings us to Apple’s “Advanced Data Protection” program. Released in 2022, ADP was a huge upgrade to Apple’s iCloud suite, encrypting nearly everything stored in iCloud (except emails, contacts, and calendars) using E2EE. This feature required users to manually enable it, and while I always encourage readers to explore other options by privacy-first companies, I (among many other privacy enthusiasts) still touted this as a win for giving the everyday user an easy, effective way to protect their data. This is the encryption that Apple removed in the UK. Certain Apple products – like iMessage, Health, Passwords, and other data – remain end-to-end encrypted as they always have been, but ADP is specifically what the UK ordered a backdoor into, and thus ADP is what was pulled.
Backdoors & Salt Typhoon
Now, quickly, let me explain what an “encryption backdoor” is since I’ve already used it several times and it’s critical to this discussion. A “backdoor” is a term used to describe any sort of loophole in the encryption (or program) that allows someone – usually the developer – to gain direct access to the program or data. Usually this is done quietly, in the background, without the consent or awareness of the end user. (This should not be confused with things like analytics, telemetry, or granting access to tech support voluntarily.)
For years, politicians (and others) have called for backdoors in various software – usually encrypted messengers and the like – with the promise that it will only ever be used by the “good guys.” The problem is that backdoors are very aptly named: a backdoor of a house can be a great tool, allowing residents to come and go into their back yard conveniently and freely. For example, many households will leave the backdoor unlocked as a failsafe for residents to get in or out while reducing their risk – the backdoor is behind the house, maybe behind a fence, hidden out of sight where it may be less tempting to would-be crooks than leaving the front door unlocked.
At least, that’s the theory, right? But we all know that it’s a feel-good gesture at best. Bad guys have no way of knowing that the front door is unlocked, and if the backdoor is unlocked all it takes is one brave criminal who’s scouting the house to hop the fence and try the door. Furthermore, even if it is locked, I’ve personally noted in the past that residential locks are criminally (no pun intended) easy to pick, often taking just a few seconds to someone with even the slig
8 Comments
GuestFAUniverse
Undisclosable backdoors.
Very democratic. /sarcasm
aboardRat4
>While there are no doubt a handful of evil people who would abuse E2EE to better cover their harmful tracks, it also benefits ordinary, law-abiding users by giving them a huge defensive boost against data breaches, massive data collection, unchecked mass surveillance, and a myriad of other threats online
Very few people care about such things.
Or rather, very few people understand such things well enough to care about them.
mettamage
The crazy thing with allowing for backdoors is that the most capable or trusted adversaries get in first, aka: other nation states and former employees.
alliao
That's why I have long maintained CCP is the biggest threat to all citizens currently living in relatively free societies right now. Our democratic governments are only seemingly disgusted but whoever holds real power are ENTICED "what do you mean with these new tools and policies you've kept a billion people under control"
aqueueaqueue
Great article. Something they alluded to but didn't explicitly call out is the "good guys", i.e. the government who use the law to get access, can be bad guys for many reasons.
One is individual actors. See recent cases of how MI5 agents covered up DV using their privileges. Bad people love power, and they just need to get the right job.
Another is a bad government, such as a repressive controlling style government gaining control and having everyone's personal data in a lake.
politelemon
> knowingly insert backdoors into their software
Not true however and contradicts itself later. They have inserted backdoors, the backdoors exist. Them holding the keys to it does not magically make it not exist.
marcus_holmes
I flat do not trust that the motivations for the legislation are what the government says.
The UK has a history of covering up child abuse by establishment figures, not least Prince Andrew. They are not actually concerned with preventing child abuse.
Successive UK governments have tried to remove or weaken encryption over the years since the 90's. There have been a succession of excuses, but mostly "think of the children".
The various MI* agencies have said publicly that they cannot carry out their duties (that of spying on UK citizens) while E2E encryption is available.
IF they had the courage of their convictions they would just lay out their case for a society with no privacy, have the argument, and accept the conclusion. But I realise this is politically naive.
renegat0x0
Crypto wars
https://en.wikipedia.org/wiki/Crypto_Wars
https://gigazine.net/gsc_news/en/20191223-lotus-notes-nsa-ba…
https://archive.nytimes.com/www.nytimes.com/interactive/2013…
https://www.eff.org/document/crypto-wars-governments-working…
https://theintercept.com/2014/10/17/draft-two-cases-cited-fb…
https://arstechnica.com/tech-policy/2015/01/uk-prime-ministe…
https://www.extremetech.com/defense/203275-the-nsa-wants-fro…
https://theintercept.com/2015/12/28/recently-bought-a-window…
https://arstechnica.com/tech-policy/2016/01/yet-another-bill…
https://cyberlaw.stanford.edu/blog/2020/01/earn-it-act-how-b…
https://www.washingtonpost.com/graphics/2020/world/national-…
https://www.wired.com/story/europe-break-encryption-leaked-d…
https://www.newscientist.com/article/2396510-mathematician-w…
https://www.theregister.com/2024/04/25/asio_afp_accountable_…