The UK Government Just Made Everyone Less Safe As Apple Shuts Down iCloud Encryption

from the shortsighted-dangerous-nonsense dept

In a stunning display of government overreach, the UK has effectively forced Apple to disable its iCloud encryption for British users. Earlier this month, we wrote about the UK wielding the Investigatory Powers Act — aka “The Snooper’s Charter” — to demand Apple create a backdoor in its iCloud encryption for all users globally. Despite Apple’s long-standing warnings that it would rather exit the UK market than compromise encryption, the UK government doubled down.

The ensuing public outcry and warnings of “serious consequences” from US politicians fell on deaf ears. While the government’s exact demands remain secret (because of course they do), Apple’s response speaks volumes: they’re shutting down iCloud encryption for UK users entirely rather than create a global backdoor.

Apple disabled its most secure data storage offering for new customers in Britain on Friday rather than comply with a secret government order that would have allowed police and intelligence agencies to access the encrypted content.

That sounds like the UK isn’t backing down.

This is a terrible result for everyone, making Apple users globally (but especially in the UK) more vulnerable. Law enforcement’s tired narrative frames this as a trade-off between privacy and safety, but that’s dangerously wrong. Encryption isn’t just about privacy — it’s a fundamental security mechanism that protects against identity theft, financial fraud, corporate espionage and much more. This move effectively dismantles both privacy and safety, not because law enforcement lacks investigative tools, but because they’re really just lazy and demanding a “convenient” backdoor that inevitably creates new security risks.

While this compromise gives UK law enforcement their coveted access to British users’ iCloud data, it creates a dangerous precedent and leaves user data vulnerable to bad actors ranging from cybercriminals to hostile nation-states. Even worse, this “solution” likely falls short of the government’s reported demands for global backdoor access — suggesting this might just be round one of a longer fight.

As the folks at EFF note, this would have been a disaster:

Had Apple complied with the U.K.’s original demands, they would have been required to create a backdoor not just for users in the U.K., but for people around the world, regardless of where they were or what citizenship they had. As we’ve said time and time again, any backdoor built for the government puts everyone at greater risk of hacking, identity theft, and fraud.

This blanket, worldwide demand put Apple in an untenable position. Apple has long claimed it wouldn’t create a backdoor, and in filings to the U.K. government in 2023, the company specifically raised the possibility of disabling features like Advanced Data Protection as an alternative. Apple’s decision to disable the feature for U.K. users could well be the only reasonable response at this point, but it leaves those people at the mercy of bad actors and deprives them of a key privacy-preserving technology. The U.K. has chosen to make its own citizens less safe and less free.

It’s not just EFF folks saying this. Lots of security experts are horrified.

Mike Salem, UK country associate for the Consumer Choice Center, called on opposition parties to voice their discontent and demand the government outlines its reasoning.

“The UK government has set a precedent, and cast a new reputation that underscores the erosion of personal liberties and privacy in a digital age where these values are needed more than ever,” he said.

“This marks a very sad day for the basic principle of consumer privacy in the 21st century, depriving users of the tools that leave UK citizens exposed to governments, criminals and malicious hackers. The fact this has been done without debate, oversight or advance warning to UK Apple users is extremely concerning,” Salem said. 

David Ruiz, senior privacy advocate at Malwarebytes, described the news as a “disaster” for the UK and one with potential global consequences.

“To demand access to the world’s data is such a brazen, imperialist manoeuvre that I’m surprised it hasn’t come from the US. This may embolden other countries, particularly those in the Five Eyes, to make a similar demand of Apple,” he argued.

Others have pointed out that if Apple had caved to the UK’s stupid demand, they would have almost immediately faced identical demands from other countries, including Russia, Turkey, Iran… you name it.

It is difficult to think of a more shortsighted move than what the UK has done here. It has put its own citizenry at greater risk, while threatening some of the basic fundamentals of private storage.

It’s good that Apple is taking a stand, but it feels like this is just one battle in a war that is far from over.

Companies: apple


Comments on “The UK Government Just Made Everyone Less Safe As Apple Shuts Down iCloud Encryption”

38 Comments


MrWilson (profile) says:

Re:

In some sense, this can be seen as good news regarding privacy and civil rights in the sense that it forces people to reconsider trusting all their data to big corporations that may preach about privacy one day and then collapse in the face of pressure the next, that might preach “don’t be evil” one day and then is evil the next. It’s just a really inconvenient means of learning the lesson for individuals who have to react now.

In the specific case of Apple, this is going to drive some people from their walled garden, so that’s also a good thing. Hopefully (but I’m not counting on it), this will lead to an exodus that leads Apple to be more open and compatible.


This comment has been deemed insightful by the community.
Arianity says:

It’s good that Apple is taking a stand,

The way they’re taking a stand is not so great, though. They should’ve followed up on their promise to leave the market, instead of putting other users at risk.

Others have pointed out that if Apple had caved to the UK’s stupid demand, they would have almost immediately faced identical demands from other countries, including Russia, Turkey, Iran… you name it.

Especially since it’s already got a history of caving to authoritarian demands, with how it’s already caved to China to host user data on state sponsored servers, with different encryption.

Anonymous Coward says:

Doesn’t this mean the UK has basically told the world’s hackers “compromise THESE servers, and you’ll have the keys to basically half the UK”. Sounds like a great move.

I would not be too surprised if in the next couple of months Apple has a series of data breaches[0] that heavily affect UK residents.

[0] Through no fault of their own security… I WOULD be surprised if there was an “inside job” breach.

That One Guy (profile) says:

The phrase you're looking for is 'cowardly compliance', not 'taking a stand'

It’s good that Apple is taking a stand, but it feels like this is just one battle in a war that is far from over.

Except they’re not. Taking a stand would have been to follow through on their ‘We will leave the UK market entirely rather than create a backdoor’ position, not doing what they just did.

They just gave the UK government and every government on the planet rock solid evidence that their ‘We will leave a market rather than cave to demands to cripple or remove our encryption’ claim is nothing more than a bluff, which not only means that every other government that’s been wanting Apple to cripple their encryption is likely to start making the same demands but that the UK government has good odds of success if they keep pushing for a global removal of encryption, since the company has already caved once and soon enough there will be plenty of other countries that aren’t protected so it’s not like they’re being asked to remove something Apple actually values.

That One Guy (profile) says:

Re: Re:

Encryption with a massive hole in it is still better than nothing at all

I’d argue the exact opposite actually, as crippled encryption gives people a false sense of security that causes them to not take steps to protect themselves that they might have otherwise taken if they believed that their safety and security was entirely on them to manage.

If someone believes that their privacy and security is entirely on them to protect they’re much more likely to take steps to secure it, whereas if they believe that someone else has it covered they’re less likely to take those steps, and if that belief is wrong then that leaves them even worse off.

Anonymous Coward says:

Re: Re: Re:

Then Apple should tell them that they have no security and their data is unsafe, and Apple should still encrypt that data.

You are making an argument about Apple’s customer communication strategy, not an argument about data safety. I agree that Apple should clearly and unambiguously and regularly inform customers that their data is unsafe and insecure. I do not agree that Apple should reduce their data security while doing so.

The two things are unrelated, Apple does not need to do the second in order to do the first.


That One Guy (profile) says:

Re:

Yes, people who expect a company to follow through on their word and not cave to a government to cripple one of their products in a fashion that encourages other governments to make similar demands and demonstrates to customers both current and potential that the company can not and should not be trusted when they claim that they are dedicated to user privacy and security are just so naive…

Anonymous Coward says:

Hitting the proverbial conspiratorial crack pipe for a moment (read: actually sick out of my gourd), but I’m increasingly wondering if calls for breaking encryption are done ‘in good faith’, as it were. Everybody who pushes for it Say it’s to combat crime, but that increasingly doesn’t make sense in terms of proportionality and scale. The UK demanding access to UK users to combat crime, incredibly intrusive but, I mean, makes sense, UK governs the UK – but they demanded Worldwide access. Access to literally Every Apple Account In Circulation with an encrypted iCloud.

Obviously, not every encrypted iCloud user is in the UK, or in countries in the Five/Nine/Fourteen Eyes alliances. The UK doesn’t have jurisdiction over the rest of the world, but they still demanded free access to Everything. Doesn’t matter if it’s someone with a warrant out or just someone’s grandma who had the encryption turned on by their grandkids. This is also before we consider that the vast, incredibly vast majority of users of encrypted iClouds are not hardcore criminals selling speedballs to children and world elite cannibal snuff.

The amount of data to sift through to get whatever single digit percent of encrypted iCloud users who are doing Crime, much less the kind of Crime national security cares about (so not nudes of your ex you forgot to delete, or a saved clip from the Simpsons) is Insane. There is no logical way that it’s worth that amount of time and money to get at the few guys who Do have something Really, Really Bad on their iCloud. AI’s not an argument, running that still costs money and takes time-

Especially when factoring in that several government agencies over the world (and many cybersecurity jobs) rely on encrypted communication to, you know, preserve national (and corporate) security.

My point is that This Sort of Rhetoric Doesn’t Make Any Sense. Especially not for the reasons given by both UK and now Swedish politicians. Not unless you actively Wanted to break stuff and leave entire countries vulnerable for whatever reason. And with stuff like what Patrick wrote about just yesterday about the interpolation between Europol and Thorn, it’s hard not to be horrified by the thought. The thought that national security is being undermined for the sake of corporate-izing the literal enforcement of the law.

All I know is that this is me right now

darrenchaker (profile) says:

iCloud Encryption Dilemma by Darren Chaker

By Darren Chaker
What occurred in the UK is a reminder to all who value privacy and do not want certain information discovered that there are inherent risks associated with uploading data to the cloud.

Even if the UK did not have such a law, alternate means to obtain the information could have been employed to gain access to it, from the remote installation of spyware like Pegasus developed by the Israeli company, NSO Group, to waiting until the subject enters his password in view of a CCTV camera at Starbucks, thus allowing police to access the cloud once the phone is seized.

I do not agree with such laws, but do not reside in the UK. However, here in the USA, prior to Apple instituting Advanced Data Protection for iCloud content, government could access the cloud with very little effort by showing mere probable cause exists to believe the iCloud data is somehow tied into a crime. Very little is needed to tie a phone into criminal activity from alleging it was used to arrange the sale or importation of narcotics, used to make alleged threats, to needing to obtain data placing a person in a certain location on a specific day. The viable nexus a phone has to criminal investigations are numerous.

As for the probable cause standard, it doesn’t take much to demonstrate such to obtain a warrant. “Probable cause is not a high bar.” District of Columbia v. Wesby, ––– U.S. ––––, 138 S.Ct. 577, 586, 199 L.Ed.2d 453 (2018).

Now that Advanced Data Protection remains intact in the United States, there remains a sense of privacy since very limited data is now available with a warrant. This is of course if the iPhone user turns on Advanced Data Protection.

Otherwise, the risks associated with storing data in the cloud may result in disclosure if a suspect may be compelled to disclose his or her password. There are no clearly defined rules on this topic. The issue remains if disclosure is deemed testimonial, and protected under the Fifth Amendment. See In Re Grand Jury Subpoena Duces Tecum, 670 F.3d 1335 (11th Cir. 2012). Such an “act of production” may itself be incriminating or effectively concede the “existence, possession and control, and authenticity” of potentially incriminating evidence on a device. Id. at 1343.

Put another way, it forces the suspect to reveal “the contents of his own mind.” In Re Grand Jury Subpoena Duces Tecum 670 F.3d at 1345; see also U.S. v. Apple MacPro Computer, 851 F.3d 238 (3d Cir. 2017).

Many courts do not agree with compelling a suspect to divulge his or her password. U.S. v. Djibo, 151 F. Supp. 3d 297 (E.D. N.Y. 2015) (passcode suppressed as an un-Mirandized statement).

Although the standard appears to be more lenient when dealing with compelling a suspect to look at his or her phone if only the biometric lock is in effect, courts continue to disallow such practices. See In Re Application for a Search Warrant, 236 F. Supp. 3d 1066 (N.D. Ill. 2017); Matter of Residence in Oakland, California, 354 F. Supp. 3d 1010 (N.D. Cal. 2019).

Another method of bypassing encryption is the ruse. For example, police knock on a suspect’s door and say it was alleged the suspect was seen taking photos of kids at a park. Police ask to see his phone, to view the photo album to make sure to dismiss the allegation as being false. The suspect claiming innocence shows the unlocked phone’s camera roll to police – at which time it’s snatched from the suspect.

The objective was to get the suspect to unlock the phone to search for evidence of another crime, thus made a false statement which would invoke a natural reaction for a person wanting to clear their name. Having a warrant to search the phone would allow police to take the phone from the suspect. The police may lie about anything they want, if the suspect believes the ruse – it is what it is.

Nonetheless, the common denominator is, if you have sensitive data on or accessible through your phone 1) create a lengthy password using random characters – this prevents software like Graykey from accessing the phone easily – if at all; 2) use a utility to wipe logs, history, texts, and free space, once a month or once a week depending on your personal risks; and 3) do not keep anything in the cloud that would be deemed highly sensitive information.

Besides the above, I wish the best to everyone here!

Darren Chaker (profile) says:

Re: iCloud Encryption, Fifth Amendment, and Compelled Password Disclosure Update by Darren Chaker

By Darren Chaker – As a First Amendment and digital privacy advocate, I want to add an important update to my earlier comment on iCloud encryption and compelled password disclosure.

To answer a common question: Can police force you to unlock your iPhone or disclose your iCloud password? Under current U.S. law, the answer depends on whether disclosure is deemed testimonial under the Fifth Amendment. Courts remain split. The Eleventh Circuit in In Re Grand Jury Subpoena Duces Tecum, 670 F.3d 1335 (11th Cir. 2012) held that compelled decryption is testimonial because it forces a suspect to reveal the contents of his own mind. The Third Circuit in U.S. v. Apple MacPro Computer, 851 F.3d 238 (3d Cir. 2017) reached a similar conclusion.

Since my original post, Apple Advanced Data Protection for iCloud remains intact in the United States, making end-to-end encryption the default for most iCloud categories when enabled. For anyone concerned about smartphone privacy and Fourth Amendment protections, enable Advanced Data Protection immediately, use a strong alphanumeric passcode rather than biometrics, and avoid storing highly sensitive data in any cloud service.

The intersection of iPhone encryption, the Fourth Amendment, and Fifth Amendment compelled password disclosure remains one of the most important evolving areas in digital privacy law. Best wishes to all, Darren Chaker
