Scientists comment on Apple removing their advanced data protection tool for UK users.
Dr Rameez Asif, Associate Professor of Cyber and Blockchain, University of East Anglia, said:
“iCloud users are the most affected by this news, as the removal of Advanced Data Protection (ADP) weakens the encryption for their cloud-stored data.”
“Apple has announced that it will remove its Advanced Data Protection (ADP) feature in the UK due to new regulations that would require tech companies to provide government access to encrypted data. This move comes in response to the Investigatory Powers Act (IPA) 2016, which the UK government is seeking to amend, further tightening rules on end-to-end encryption and requiring companies to notify authorities of any security feature changes before rolling them out.
“Apple’s ADP is its highest level of iCloud encryption, offering end-to-end encryption for iCloud backups, photos, and more, meaning that not even application layer Apple can access the data. The UK government’s demand for access to such encrypted user data has led Apple to pre-emptively withdraw the feature from UK users rather than compromise its security policies.”
How significant is the removal of this data protection tool?
“The removal of Apple’s Advanced Data Protection (ADP) in the UK is highly significant, as it weakens the strongest level of encryption available to iCloud users, making their backups, photos, and sensitive data more vulnerable to government access and potential cyber threats. This move highlights the growing tension between user privacy and government surveillance, setting a precedent that could influence other countries to demand similar access. It also raises concerns about digital sovereignty, as companies may choose to limit security features in regions with restrictive laws rather than compromise global encryption standards.”
Are there other data protections in place that protect the UK population’s data on Apple devices?
“Yes, despite the removal of Advanced Data Protection (ADP) in the UK, Apple still implements several robust security and privacy measures on its devices. End-to-end encryption remains in place for sensitive data such as iMessage, FaceTime, Health data, passwords stored in iCloud Keychain, and Apple Pay transactions. Additionally, on-device encryption ensures that data stored locally on iPhones, iPads, and Macs is protected by user passcodes and biometric authentication (Face ID/Touch ID). Apple’s App Tracking Transparency (ATT) and Privacy Labels provide users with greater control over app data collection.”
What does this mean for the security of our data on Apple devices in the UK / how much less secure is our data now?
“The removal of Advanced Data Protection (ADP) in the UK reduces the overall security of data stored in iCloud, as it removes end-to-end encryption for iCloud backups, photos, and other cloud-based data. Without this protection, Apple can be compelled to comply with government demands for access to user data, potentially making it more vulnerable to surveillance or unauthorized access. However, local data stored on devices (such as messages, contacts, and health information) is still protected by on-device encryption and remains secure, as long as the user has strong passcodes and biometric authentication enabled. While this change affects cloud-stored data, device-level security and other privacy measures like App Tracking Transparency still offer significant protections, but overall, users in the UK face slightly diminished data privacy compared to other regions with ADP still active.”
Does the idea the UK Government suggests of a “backdoor” in encryption really work because surely it undermines the whole idea behind end-to-end encryption?
“The concept of a “backdoor” in encryption, as suggested by some governments, undermines the very foundation of end-to-end encryption by intentionally introducing a method for third parties, such as law enforcement, to access encrypted data. While the idea is that a backdoor would allow authorized access to encrypted content when necessary, it inherently creates vulnerabilities, as any method that can be used by one party can potentially be exploited by malicious actors. This weakens the security of the system and increases the risk of unauthorised access, either through hacking or misuse.”
Dr Junade Ali, Fellow at the Institution of Engineering and Technology (IET) and cyber security expert, said:
“It’s important to remember that the most useful built-in cybersecurity tools remain available to Apple users. This development largely affects UK Apple device users who require the most significant levels of protection for data stored in Apple’s iCloud service.
“However, users should be aware that other features like ‘Stolen Device Protection’ mode (protection where someone steals your device and knows your password) and ‘Lockdown’ mode (an extreme protection mode for those under the most sophisticated threats) still appear to be available. These are the built-in tools which are most useful to Apple device users who need higher levels of protection.
“At the Institution of Engineering and Technology, we recommend basic steps for most users which can radically reduce the risk of most cyberattacks. This includes using a password manager to generate long, unique passwords for each website, using Two-Factor Authentication to generate login codes, installing the latest updates and backing up key data.
“Cybersecurity tools, like almost any form of engineering, can be used for good as well as bad. Addressing the challenges posed by technological development requires policy makers, engineers and society to work together. In isolation, policy solutions or technical solutions will never suffice.”
Professor Oli Buckley, a Professor in Cyber Security at Loughborough University, said:
“Apple removing their Advanced Data Protection (ADP) in the UK is a significant move because it takes away the strongest form of security on iCloud, which offered true end-to-end encryption. This meant that not even Apple had any means of viewing your files and photos.
“There is still encryption on Apple devices: things like iMessage and other on-device data encryption still exist, but now data specifically stored in iCloud (which has a huge number of users) will be accessible to Apple and potentially government agencies through legal requests.
“Whenever a ‘backdoor’ exists for one purpose, like law enforcement, there’s always a risk it will be exploited for more malicious purposes. A key factor of end-to-end encryption is that only the communicating parties have the ability to decrypt the content, and introducing any special access not only weakens trust in the system, it can also provide an attack vector for cybercriminals.
“Ultimately, once a door exists, it’s only a matter of time before it’s found and used maliciously. Removing ADP is not just a symbolic concession but a practical weakening of iCloud security for UK users.”
Prof Alan Woodward, Visiting Professor of Computing, University of Surrey, said:
What is the protection tool being removed and what is its function?
“The extra protection that Apple have added is rather like End to End Encryption where only the participants in a dialogue have the ability to decrypt messages. In the case of iCloud only the user had the keys: Apple did not. Previously, and for those who have not opted in to the feature, Apple could also read whatever you placed or backed up to the iCloud. Apple have now said that they are removing the option to use this extra security for UK users only.”
How significant is the removal of this data protection tool?
“It is very significant for anyone interested in security and privacy. By trying to mandate to Apple that they withdraw this security option globally, the UK government have succeeded in weakening security in one corner of the Internet for UK-based users. It was naive of the UK government to think telling Apple what to do globally would work: the UK users now have the worst of all worlds.”
Are there other data protections in place that protect the UK population’s data on Apple devices?
“All the other security features previously on Apple devices remain. All that is being removed is the ability to secure data in the iCloud so that only the user can access it.”
What does this mean for the security of our data on Apple devices in the UK / how much less secure is our data now?
“Users’ data is no less secure on the devices. This applies only to the iCloud. However, anyone who wants to ensure the long-term security and privacy of their data will not be using the iCloud. What users do need to be aware of is that some data on your mobile device can be backed up to the iCloud, including iMessages. Users will need to ensure this is not enabled if they do not want their data in the iCloud.”
Does the idea the UK Government suggests of a “backdoor” in encryption really work because surely it undermines the whole idea behind end-to-end encryption?
“Ever since the Encryption Debate began, security professionals have said that if you weaken encryption (or security in general) for your enemies you also do so for your friends. What the UK government has done is weaken the security of the corner of the Internet, in spectacular fashion, for the UK users alone. What has been done is not so much a back door as it is removing the door altogether. Apple had put this feature in place precisely because they knew that users did not like the idea that if compelled to do so Apple could read their iCloud data. Hence, ADP meant that only the user could access their own data. The UK government has caused UK users to take a step backward so that Apple could once again be required to read the iCloud data.”
Declared interests
For all experts, no reply to our request for DOIs was received.