Unlock the Editor’s Digest for free
Roula Khalaf, Editor of the FT, selects her favourite stories in this weekly newsletter.
Apple is withdrawing its most secure cloud storage service from the UK, escalating a confrontation over a secret government demand to access customer data.
The company said on Friday that it “can no longer offer” Advanced Data Protection (ADP) for iCloud in Britain, removing the system that ensures “end-to-end encryption” of user information stored in the US tech giant’s servers.
Last month, Apple received a “technical capability notice” under the UK Investigatory Powers Act, a law dubbed “Snooper’s Charter” by its critics, but which the government believes is needed by law enforcement to investigate terrorism and child sexual abuse.
The law prevents companies who receive such a notice from publicly discussing receipt of such an order, making Friday’s move Apple’s first tacit acknowledgment of the situation.
The IPA’s use against Apple is believed to be the first such case since the law was updated last year and has triggered the tech industry’s highest-profile battle over encryption technology in almost a decade.
“Apple remains committed to offering our users the highest level of security for their personal data and are hopeful that we will be able to do so in the future in the United Kingdom,” it said. “As we have said many times before, we have never built a back door or master key to any of our products or services and we never will.”
The Home Office did not immediately respond to a request for comment.
The request for a so-called back door to user data would have enabled law enforcement and security services — after obtaining a warrant that is approved by a judge — to tap iPhone back-ups and other cloud data that is otherwise inaccessible, even to Apple itself.
The law has extraterritorial powers, meaning UK law enforcement would have been able to access the encrypted iCloud data of Apple customers anywhere in the world, including in the US.
After reports of the UK’s order emerged earlier this month, the tech industry rallied to oppose the government’s move.
“If the UK forces a global back door into Apple’s security, it will make everyone in every country less safe,” Will Cathcart, head of Meta’s WhatsApp business, said last week. “One country’s secret order risks putting all of us in danger and it should be stopped.”
As the latest amendments to the Investigatory Powers Act were moving through parliament in early 2024, Apple said it was “deeply concerned” by what it described as “unprecedented over-reach” and signalled that it would pull any affected products from the UK.
But Aled Lloyd Owen, professor at Southampton University and a cyber security expert, said Apple’s move “is a dramatic and unnecessary response”.
“There are technical options which can facilitate lawful exceptional access,” said Owen. “Apple are playing politics with users’ data privacy and security to prove a point.”
Apple’s communication services, iMessage and FaceTime are also end-to-end encrypted. They were not subject to the government’s order and remain available in the UK.
New users can no longer sign up to iCloud ADP in the UK as of Friday. Customers in the UK who had already turned the setting on will be required to disable the feature in order to keep using their iCloud account, Apple said.
The way the system is set up means that Apple cannot disable the feature itself. Under the opt-in ADP service, only iCloud customers — not Apple itself — hold the encryption keys needed to unlock their data.
“Rather than be forced to do something it didn’t want to do, Apple took the decision to withdraw ADP from the UK market,” said Edward Lewis, chief executive of CyXcel, a cyber security consultancy.
“This just means that the absolute encryption, that enabled bad actors to do things that any reasonably minded member of the public would not support, has now disappeared. That is not necessarily a bad thing.”
But Matthew Sinclair, UK senior director at the Computer & Communications Industry Association, a tech trade group, said weakening encryption was a “worrying step backwards”.
“Law enforcement authorities should be working with companies to help protect people’s privacy against growing global threats, not forcing them to scrap important security improvements,” he said.