Why Apple Disabled Advanced Data Protection in the UK (and What It Means for Everyone)
If you want your iCloud data to be as secure as possible, you’ll need to enable Advanced Data Protection (ADP), but this will no longer be available in the UK. Apple is pulling ADP out of the country, reportedly following a UK government request for a backdoor to encrypted iCloud files, and the move is likely to have global ramifications.
What is ADP?
ADP applies end-to-end encryption (the gold standard for data security) to almost all of your iCloud backups, making them virtually impossible for anyone else to access. If ADP is not enabled, only certain types of data get this level of protection, such as passwords and payment information, iCloud messages, and your health information. It’s important to note that this data remains completely protected from everyone, even Apple and British spies.
Without ADP, the rest of your iCloud backups (such as iCloud Drive, Photos, and Notes) are still protected, but with a lower level of encryption. This protection does a very good job of keeping out attackers and preventing your data from being hacked, but the data can still be accessed by Apple employees and (most importantly for this current story) by government and law enforcement agencies if necessary.
Although Apple and the governments and security agencies of the world will tell you that they have strong checks on who can access encrypted data, the possibility of access still exists. With ADP (and other services that use end-to-end encryption, like WhatsApp) this option disappears. Even if the FBI or MI5 demanded the files, they could not be delivered.
Earlier this month, The Washington Post reported that British officials had requested secret, backdoor access to Apple’s fully encrypted data files. This request was apparently made under the auspices of the Investigatory Powers Act 2016, which gives the country’s security agencies broad access to user data in the name of investigating criminal activity: fighting terrorism and stopping child abuse are two common reasons given for creating an encryption backdoor.
This is a struggle that has been going on for many years. Governments and law enforcement agencies want their own special keys to the locks protecting user data around the world, ostensibly to stop criminals in their tracks. Privacy advocates and tech companies like Apple argue that there is no effective way to limit the backdoor’s use to only the “good guys” and not the “bad guys” (even if it were easy to distinguish the two, which it isn’t).
Apple’s actions in the UK and global consequences
Apple’s policy has long been that it will never offer backdoors to its encrypted data, so it appears it has decided that the only other option is to disable ADP. Brits who don’t have ADP turned on will no longer be able to turn it on, and those who have the feature set up will have to turn it off eventually (though Apple hasn’t said when).
“Apple can no longer offer Advanced Data Protection (ADP) in the UK to new users, and current UK users will eventually have to disable this security feature,” Apple spokesperson Julien Trosdorff told The Verge. “We are deeply disappointed that the protections provided by ADP will not be available to our UK customers given the continued rise in data breaches and other threats to customer privacy.”
As you’d expect given the sensitive nature of the matter, government officials in the UK have said nothing about what was reported – and you’ll see that Apple doesn’t make any direct reference to it either, because publicizing a request made under the Investigatory Powers Act is itself a criminal offence.
As for other organizations such as Google and Meta, we are still in the dark. The UK government has allegedly made the same request, but details have not been leaked and no one involved can talk about it. Google and Meta, as well as Apple, have repeatedly stated that they oppose encryption backdoors.
This is a mess if you’re in the UK (like me), but it matters to everyone: given how blurred national borders are in the internet age, UK agencies would likely be able to access end-to-end encrypted data from users around the world through such a backdoor, which looks to be off the table at the moment.
I have ADP enabled, but if the problem isn’t resolved, I’ll have to turn it off soon, which means some of my iCloud data will be more vulnerable to snooping again. As is often the case, it is ordinary users who ultimately lose out, and the debate about encryption backdoors continues.