Apple moved toward deactivating its Advanced Data Protection iCloud privacy-protection feature for iCloud in the United Kingdom. The move is a stopgap measure instead of giving the UK government what it demanded: a “backdoor” way to break the encryption offered by the feature so it could secretly surveil its citizens.
The problem is, this move won’t fully satisfy the UK government, who wants to be able to spy on the iCloud accounts of any Apple user in any country.
Apple forced to reduce user privacy in the UK
The news broke several weeks ago that the UK wants a “backdoor” into iCloud. This would allow law enforcement to secretly access the information that iPhone and Mac users store on Apple servers, despite the files all being encrypted on accounts that have Advanced Data Protection enabled.
Apple’s response is to stop enabling its UK customers to encrypt data stored in iCloud with ADP. That way, at least users won’t mistakenly think their files are safe from being accessed by the UK government.
Apple offers end-to-end encryption on some of the data stored on iCloud by all users, but the encryption keys are stored by Apple. This allows the company to access the files if a customer forgets their password… or if law enforcement requests the data. The ADP option ramps up the privacy protections considerably, encrypting iCloud Backup, Photos, Notes and more. And the user retains sole access to the encryption keys, so Apple can’t read the files even if it gets subpoenaed.
Previously, when UK law enforcement asked Apple to turn over data in iCloud accounts, the company explained that it couldn’t break the encryption on files protected by ADP. That’s why the UK wanted a backdoor. With ADP disabled, investigators can read the files again — either Apple holds the keys or the iCloud files aren’t encrypted. And the U.K. Investigatory Powers Act of 2016 gives a wide range of agencies warrantless access to the data.
“We are gravely disappointed that the protections provided by ADP will not be available to our customers in the UK given the continuing rise of data breaches and other threats to customer privacy,” Apple said in a statement to Bloomberg. “ADP protects iCloud data with end-to-end encryption, which means the data can only be decrypted by the user who owns it, and only on their trusted devices.”
However, all Apple has been able to do so far in response to the UK government’s demand is block new users in the UK from activating Advanced Data Protection — it doesn’t have the ability to turn it off on users’ devices where it’s already active. “Customers already using ADP will need to manually disable it during an unspecified grace period to keep their iCloud accounts,” explained Bloomberg. “The company said it will issue additional guidance in the future to affected users.”
No UK iCloud backdoor: Weakened encryption is no encryption
In general, it’s Apple’s policy to follow the legal orders of governments in which it does business. At the same time, Apple and other companies insist that any deliberately inserted weakness in encryption will inevitably be exploited by hackers. So rather than building in a backdoor to encrypted files, it’s going to reduce the types of files stored in iCloud that can be encrypted, and stop giving users sole access to the encryption keys.
That only applies to UK residents, but the UK government wants access to encrypted iCloud files of anyone, worldwide. That’s a demand Apple is currently fighting.
It’s not clear what the company’s next step will be. The only way it could fully comply with the UK demand would be to deactivate iCloud ADP worldwide.
Privacy as a right
Apple executives regularly call privacy a fundamental human right. And it’s more than talk — the iPhone maker has previously made moves to protect user privacy at the expense of law enforcement, including encrypting iCloud images so they can’t be scanned for illegal content.
It’s exactly this sort of encryption that the UK government wants a backdoor through.
