Apple's Data Encryption Changes in the UK Explained

[MacRumors]

Apple on February 21 withdrew its Advanced Data Protection feature from the United Kingdom following government demands for backdoor access to encrypted user data. The move came after UK officials reportedly ordered Apple in secret to provide unrestricted access to encrypted iCloud not just in the UK, but worldwide.

The development has naturally left some Apple device users in the UK asking questions about the security of their data and whether their digital privacy has been affected. Keep reading to learn the answers.

What is Advanced Data Protection?

Advanced Data Protection (ADP) was introduced in 2022, and is Apple's highest level of cloud data security. It is an opt-in feature that expands the number of iCloud data categories protected by end-to-end encryption – a security measure where data is encrypted in such a way that only the user can access it on their trusted devices, and no one else, not even Apple, can decrypt it.

We don't know how many people use ADP (Apple has never released figures) but it is likely that most casual Apple device users have not enabled the feature, either because they don't know it exists or they have old Apple devices that are running older software, making them incompatible with ADP. (ADP requires updated software on all of the devices linked to an Apple Account.)

Without ADP enabled, many iCloud data categories use standard encryption. This means categories like iCloud Mail, Contacts, and Calendars are always encrypted regardless of whether ADP is enabled. The difference is that Apple also holds the encryption keys for these categories and can access the data if legally compelled to do so.

ADP removes this possibility, since the encryption keys exist only on users' trusted devices. In other words, with ADP enabled, even if Apple receives a court order to provide user data, the company technically cannot access it. End-to-end encryption essentially creates a mathematical lock that not even Apple can break.

This difference is in how the encryption keys are stored:

Protection Level Encryption Key Storage
Standard data protection
In transit and on server
Apple

Advanced Data Protection (ADP)
End-to-end
Trusted devices only

Unlike standard encryption, ADP applies end-to-end encryption to additional iCloud data categories including:

• iCloud Backup (including device and Messages backup)
• iCloud Drive
• Photos
• Notes
• Reminders
• Safari Bookmarks
• Siri Shortcuts
• Voice Memos
• Wallet passes
• Freeform

Who Is Affected by Apple's Decision?


Apple's move affects two groups of UK users:

• New users: As of February 21, UK users can no longer enable Advanced Data Protection on their accounts. When attempting to activate ADP, they'll see a notice stating "Apple can no longer offer Advanced Data Protection in the United Kingdom to new users."
• Existing users: Those who already had ADP enabled will need to manually disable it during an unspecified grace period to maintain their iCloud accounts. Apple has stated it "does not have the ability to automatically disable it on their behalf" and will provide additional guidance to affected users in the future.

Notice UK iCloud users now see after the feature was pulled​

UK users who never enabled ADP will see no change to their current iCloud security. Their data remains protected by Apple's standard encryption, where the company holds the keys and can access the data if legally required.

Which iCloud Features Remain Protected?

It's important to understand that not all iCloud security is affected by this change. Several Apple services remain end-to-end encrypted by default in the UK, including:

• Messages in iCloud*
• iMessage communications
• FaceTime calls
• Passwords and Keychain
• Health app data
• Journal data
• Home data
• Payment information and Apple Pay transactions
• Maps
• QuickType Keyboard learnt vocabulary
• Safari (History, Tab Groups, and iCloud Tabs)
• Screen Time
• W1 and H1 Bluetooth keys
• Wi-Fi passwords
• Siri information
• Memoji

* Messages in iCloud is end-to-end encrypted when iCloud Backup is disabled. When iCloud Backup is enabled, backups include a copy of the Messages in iCloud encryption key to help users recover their data.

Why Did Apple Make This Decision?

The UK government issued a "technical capability notice" under the Investigatory Powers Act (IPA), demanding that Apple create a backdoor allowing British security officials to access encrypted user data globally. This order was made secretly because the IPA makes it illegal for companies to disclose the existence of such government demands.

The order would have required Apple to create a backdoor to its end-to-end encryption system, granting UK officials access to user data worldwide, not just within the UK. Worse, Apple would have been legally bound to keep this capability secret, preventing users from knowing about its existence – which would be basically lying to them about the security of their data.

Cybersecurity experts have consis... Click here to read rest of article

Article Link: Apple's Data Encryption Changes in the UK Explained

 

[JonathanParker]

‘Advanced Data Protection’ shouldn’t exist. All iCloud data should be end to end encrypted for everyone as the standard. And Apple should’ve withdrew all iCloud services from the UK, not removed an important encryption feature.

 

[Flore]

The one thing I don’t understand is why this doesn’t apply to the data that is already end to end encrypted without ADP.

 

[Radeon85]

‘Advanced Data Protection’ shouldn’t exist. All iCloud data should be end to end encrypted for everyone as the standard. And Apple should’ve withdrew all iCloud services from the UK, not removed an important encryption feature.

And cause millions including me to suffer when me and others rely on it for syncing between devices, not to mention the vast amount of people in this country that use Apple Pay including me who has used it as my primary payment method for 10yrs!, get real.

Apple won't pull out of the UK as Apple is pretty big here, plus it's too much money to give up.

 

[JonathanParker]

And cause millions including me to suffer when me others rely on it for syncing between devices, not to mention the vast amount of people in this country that use Apple Pay including me who has used it as my primary payment method for 10yrs!, get real.

Apple won't pull out of the UK as Apple is pretty big here, plus it's too much money to give up.

Regarding your point about Apple Pay: I said iCloud services. Nothing to do with Apple Pay. And if they cared about privacy so much then principally they’d refuse to compromise their user’s security

 

[thefrost]

Oh well. Here we are.

 

[ELman]

The one thing I don’t understand is why this doesn’t apply to the data that is already end to end encrypted without ADP.

Because Apple holds the encryption keys.

 

[Radeon85]

Regarding your point about Apple Pay: I said iCloud services. Nothing to do with Apple Pay. And if they cared about privacy so much then principally they’d refuse to compromise their user’s security

Without iCloud, that means no Apple Pay. Without iCloud all of Apples devices are essentially bricks as they rely heavily on it. Could Apple work around it? Probably yes, but I doubt they would ever do that.

 

[jennyp]

How long for the "grace period" I wonder?

And if you don't disable ADP, then they pull iCloud from you entirely?

 

[honglong1976]

To be for is the average user goong to notice anything? No.

 

[Ursadorable]

The UK welcomes Authoritarianism. They join the ranks of North Korea and China on infringing citizen's privacy.

 

[msackey]

‘Advanced Data Protection’ shouldn’t exist. All iCloud data should be end to end encrypted for everyone as the standard. And Apple should’ve withdrew all iCloud services from the UK, not removed an important encryption feature.

Sure, but how would you advise Apple to respond given the current situation in the UK?

=====

On another note: what happens if I as a non-UK iOS user travels to the UK and say stay there as a tourist for 3 months? I have Advanced Data Protection turned on already in the US where I live. Will my ADP be required to be disabled?

 

[msackey]

The UK welcomes Authoritarianism. They join the ranks of North Korea and China on infringing citizen's privacy.

Yup. Joining also the ranks of the current decrepit USA too.

 

[zarmanto]

... This order was made secretly because the IPA makes it illegal for companies to disclose the existence of such government demands. ...

This reminds me very much of a quote from the first book in the Harry Potter series:

What happened down in the dungeons between you and Professor Quirrell is a complete secret -- so, naturally the whole school knows. - Professor Dumbledore to Harry in Harry Potter and the Sorcerer's Stone

 

[Will Co]

A useful summary. Let's see where this goes. In a few days or weeks, we're either going to see a follow up from Apple telling those of us in the UK who have ADP enabled what we need to do (presumably just turn it off) or something will happen behind the scenes and there will be a climb down from the UK gov. We shall see.

 

[Aeronauts]

The UK welcomes Authoritarianism. They join the ranks of North Korea and China on infringing citizen's privacy.

You forgot to add the NSA.

 

[aidler]

I enabled ADP as soon as it became available in 2022 and have left it on since then.

 

[Aeronauts]

I’m not saying the U.K. government is right or wrong but all governments spy on their citizens. It’s the price we pay to help the police catch serious and organised crime gangs.

 

[bigboy29]

This is a great article on the subject, thank you!

 

[con2apple]

Because Apple holds the encryption keys.

That would mean Apple is lying.

Because they are telling otherwise.

 

[Plutonius]

This is the cheapest and quickest way for Apple to come in compliance with the UK.

Unfortunately, I can see ADP being turned off in more countries as more countries implement laws similar to the UK.

 

[con2apple]

I’m not saying the U.K. government is right or wrong but all governments spy on their citizens. It’s the price we pay to help the police catch serious and organised crime gangs.

Two problems:

Firstly, the authorities never get enough. Because in the logic of the state, the citizen is an enemy.
Because the citizen wants to change the state. Replace the politicians. Adapt the authorities.

Secondly, it makes the technology more vulnerable to criminals. In other words, “thanks” to the state's backdoors, citizens are at the mercy of criminals without protection.
That includes also car keys, apartment doors or safes.

 

[klasma]

Regarding your point about Apple Pay: I said iCloud services. Nothing to do with Apple Pay. And if they cared about privacy so much then principally they’d refuse to compromise their user’s security

I think that users should be able to choose for themselves whether they consider the level of security good enough or not. By your logic, Apple also shouldn’t provide the choice of not using ADP that they currently do, and instead cut off old devices that don’t support ADP, in order to not compromise their users’ privacy.

 

[nnoble]

1. The number of users with ADP enabled in the UK is likely a minority.
2. Given the tech leaders in the USA are all crawling around the skin folds hidden in Trumps underwear, I wouldn't give much for anyones data security where this autocrat is involved and given the diminishing levels of rule of law in the USA.
3. Where would your data security be in the event of a civil war in the USA?

 

[amt2002]

I must admit, I had ADP turned off already. Didn't even know it existed. Feels a bit like a storm in a teacup.