Rules Navigator

Demand for access to iCloud data is ‘wrong fight to pick’ say critics of UK government move

Apple iPhones on display in a store.
End-to-end encryption means even Apple cannot access customers’ data. Photo: Leon Neal/Getty Images

Hameed Shuja

 Click to share on Facebook (Opens in new window/tab) Click to share on Twitter (Opens in new window/tab) Click to share on LinkedIn (Opens in new window/tab) Click to share on WhatsApp (Opens in new window/tab)

Apple has said it won’t give the UK government backdoor access to customers’ encrypted data.

The announcement by Apple last week to withdraw its cloud storage encryption services from the UK market took many users by surprise. As it turned out, not everyone knew about the behind-the-scenes battle between the tech giant and the UK government that led to the decision.

“Apple can no longer offer Advanced Data Protection (ADP) in the United Kingdom to new users, and current UK users will eventually need to disable this security feature,” Apple said in a statement.

The move came after the UK government asked Apple last month to give it access to encrypted customer data which is stored on Apple’s cloud storage services.

The sensitivity of the matter is evident from the fact that the government will neither confirm nor deny making such a demand. “We do not comment on operational matters, including for example confirming or denying the existence of any such notices,” Home Office sources have said.

But it has been widely reported that the government’s demand for access has to do with matters of national security.

The original demand by the UK government, which was served by the Home Office under the Investigatory Powers Act (IPA), did draw some criticism and media attention at the time. However, Apple’s response, and its refusal to comply with the request, has now blown the lid off a battle that will affect all Apple customers in the UK.

Why is ADP important?

The ADP service “protects iCloud data with end-to-end encryption, which means the data can only be decrypted by the user who owns it, and only on their trusted devices,” Apple’s statement said.

Put simply, end-to-end encryption secures customers’ data, such as messages, photos and other content, against illegal and unsolicited access from external actors. Those actors include governments, security agencies and even Apple itself.

Despite this obvious benefit, using Apple’s ADP service is optional, and there is currently no clear data on exactly how many customers in the UK actually use it.

Apple’s withdrawal of ADP from the UK market doesn’t automatically give external actors access to customers’ data, as many other security features will still be in place. “Authorities would still have to follow a legal process, have a good reason and request permission for a specific account in order to access data – just as they do now with unencrypted data,” according to the BBC.

However, the removal of end-to-end encryption does mean that cyber criminals could potentially find it easier to exploit customers’ data than than they could.

Thomas Richards, a cybersecurity expert at Black Duck, told Yahoo News: “Weakening encryption not only makes UK users more vulnerable to cyber threats but also sets a dangerous precedent for global privacy.”

“Governments argue this helps law enforcement, but history shows that any backdoor created for one party can eventually be exploited by bad actors,” he added.

The reaction

Apple has made its position clear. “We have never built a backdoor or master key to any of our products or services and we never will,” the global tech giant has said in its statement.

The UK government’s demand has also drawn harsh criticism from rights campaigners and security experts, who believe it is an unprecedented attack on people’s privacy and data.

Caroline Wilson Palow, legal director of the charity Privacy International, was quoted by the BBC saying: “This is a fight the UK should not have picked. This overreach sets a hugely damaging precedent and will embolden abusive regimes the world over.”

Prof Alan Woodward, a cyber-security expert at Surrey University, called it a “very disappointing development”. He told the BBC: “All the UK government has achieved is to weaken online security and privacy for UK-based users.”

A headline from the Financial Times‘ editorial board also read Encryption ‘back doors’ are a bad idea, insisting that end-to-end encryption is the best safeguard against cyber criminals trying to exploit customers’ data.

“Most cyber security experts argue government bodies cannot be given access without creating a vulnerability that hackers, including authoritarian states, could abuse,” the FT editorial board argues.

Solomon Klappholz, a Staff Writer at ITPro, says: “I think the UK government’s attempt to strong-arm Apple into giving it an ADP backdoor is a travesty – and so does most of the industry.”

He argues that “demands for a government backdoor are misguided from a cybersecurity, privacy, and business perspective,” insisting that in today’s age encryption is essential for almost all digital services.

, , , , , , , , , ,

You may also like