Apple is removing its Advanced Data Protection feature in the UK
Following recent reports that the United Kingdom was seeking access to end-to-end encrypted data on Apple platforms, the company on Friday announced that it would be phasing out its iCloud Advanced Data Protection (ADP) feature in the UK. As of February 21, users in the country can no longer enable the feature; those users who currently have it on will have to disable it in the near future.
ADP allows users to store their own encryption keys for several types of data that are otherwise encrypted, but for which Apple itself holds the keys, including iCloud Backups, iCloud Drive, Photos, and more. While ADP helps users store that data more securely—including preventing access via law enforcement—it’s not without tradeoffs: it can also prevent Apple from directly helping recover lost data.
“We are gravely disappointed that the protections provided by ADP will not be available to our customers in the UK given the continuing rise of data breaches and other threats to customer privacy,” said the company in a statement.
According to Apple, this change won’t affect data that is end-to-end encrypted by default, such as health data and iCloud Keychain. That does, however, leave one longstanding loophole: though Apple’s Messages in the Cloud system is end-to-end encrypted, the encryption key for those messages is backed up in iCloud Backups, for which Apple holds the keys. Those are, in turn, accessible to law enforcement under the proper procedures.
Since Apple cannot disable ADP for UK users who’ve already turned it on, the company says it will provide future guidance in the near term for the process to turn it off.
Though Apple also says ADP will continue to be available for users elsewhere in the world, one fact it did not specifically address is that the UK government was supposedly seeking the ability to access this end-to-end encrypted data worldwide—a matter, perhaps, to play out on a larger political stage. Apple’s move on Friday seems to suggest it considers its removal of ADP sufficient to meet the demands of the UK government.
But the fight may not be over. Apple’s statement also reaffirmed the company’s stance on security and privacy. “Enhancing the security of cloud storage with end-to-end encryption is more urgent than ever before,” the company said. “Apple remains committed to offering our users the highest level of security for their personal data and are hopeful that we will be able to do so in the future in the United Kingdom. As we have said many times before, we have never built a backdoor or master key to any of our products or services and we never will.”
That last line, in particular, reads as a canary in the event that the company is forced to make further changes that it might not, as per the UK law, be able to actually communicate to its users. And it remains to be seen whether this move establishes a precedent for other world governments to follow in the UK’s footsteps.
[Dan Moren is the East Coast Bureau Chief of Six Colors. You can find him on Mastodon at @dmoren@zeppelin.flights or reach him by email at dan@sixcolors.com. His latest novel, the sci-fi spy thriller The Armageddon Protocol, is out now.]
If you appreciate articles like this one, support us by becoming a Six Colors subscriber. Subscribers get access to an exclusive podcast, members-only stories, and a special community.