Apple has taken the unprecedented step of rolling back its most advanced data privacy feature for customers in the United Kingdom, following the government's request for backdoor access to user data stored on the cloud. Effective February 21, 2023, the Advanced Data Protection (ADP) feature, which utilized end-to-end encryption to keep users’ data secure, has been removed for new users, and current users will soon be required to disable it.
Apple's decision means iCloud backups will no longer have the same level of encryption, allowing the company to access user data under certain circumstances, such as complying with law enforcement requests. This is particularly alarming for users who may have relied on the heightened security of the ADP feature, which was introduced after the FBI's calls for backdoor access to encrypted data. Now, Apple is stating, "the removal of this feature will expose users to greater risks of data breaches and other privacy issues,” as the company can share information if legally required.
Andrew Crocker, Director of Surveillance at the Electronic Frontier Foundation, weighed in on the decision, emphasizing, “The decision to disable this feature for UK users might be the only reasonable response at this point, but it puts users at risk of data leaks and strips away important privacy-protecting technology.” The UK government has been adamant about needing access to encrypted communications, viewing it as necessary for national security and law enforcement.
The UK’s Investigatory Powers Act, passed several years ago, gives law enforcement broad powers to access information, and Apple’s decision may set precedent affecting iPhone users worldwide. The act requires companies to cooperate with police investigations, sometimes against their users’ interests. Apple has historically resisted building backdoors, fearing they could be exploited by malicious actors, and security experts agree with this stance.
Oli Buckley, Cybersecurity Professor at Loughborough University, commented on the weakening of iCloud’s security measures, stating, “Removing ADP is not just symbolic but rather marks a substantial degradation of iCloud security for UK users.” Despite this, Apple reassured customers their local device data remains encrypted and safe; yet, many users today find relying solely on device storage impractical.
With smartphones increasingly acting as repositories for sensitive data — from photo collections to extensive messaging histories — cloud backup has become indispensable. Losing this encryption means if the user’s device is lost or damaged, they may lose everything without means of recovery through iCloud.
The rollback reflects the broader tension between government requests for surveillance capabilities and companies’ promises to protect user data. Many tech leaders believe stringent encryption technologies should remain as they are to shield users from threats, emphasizing, “Once the door is open, it’s only a matter of time before it gets exploited and used maliciously.”
The divide between maintaining strong encryption and ensuring public safety continues to create friction between technology firms and governmental bodies. Apple’s prior stance was to provide strong user control over their data, leading to the implementation of ADP as optional for those who wanted enhanced security.
The introduction of ADP aimed to give users the ability to fully encrypt their device backups to iCloud chooses. iMessage and FaceTime have continued to remain encrypted by default. Government officials, on the other hand, have expressed concerns, arguing this level of encryption might inadvertently protect criminals and impede legitimate investigations.
Apple released the Advanced Data Protection feature to new users on January 2023 after allowing existing users to opt-in, marking its commitment to security. Yet, just weeks later, it reversed course due to pressure from the UK government. The decision raises questions for many about what the future holds for data privacy and protection.
Experts are warning not only UK users but global consumers should be prepared for potential changes as other countries may follow suit. The concerns surrounding data privacy, user control, and the regulatory pressures exerted on tech companies promise to be contentious issues for the coming years.
While Apple maintains it will never build backdoors to its devices or services, the reality faced by users who regularly back up their data is sobering. The cease of ADP might compel many to reconsider their security strategies moving forward—relying more on local storage solutions or considering alternative services for data backup.
User trust has become integral for technology firms as dependency on digital services continues to grow. How such companies handle data legislation like the ones from the UK will be watched closely by consumers worldwide, as the outcome of these regulatory demands will shape the security practices of the future.