Good work, Britain. Owners of Apple devices in the United Kingdom will be a little less safe moving forward as the company pulls its most secure end-to-end (E2E) encryption from the country. The move is in response to government demands there that Apple build a backdoor into its iCloud encryption feature that would allow law enforcement to access the cloud data of any iPhone user around the world under the guise of national security.
Apple has for many years marketed its products as being the most safe and secure personal electronics available on the market. Being a key pillar of the brand, Apple has consistently pushed back against government orders around the world to decrypt confiscated devices or build similar backdoors into its products. China requires data be stored domestically but the system of encryption is still present there.
The most famous instance of Apple’s non-compliance was when, under President Trump’s first administration, it refused Department of Justice demands to unlock an iPhone used by the attacker in a mass shooting in San Bernardino, California. The FBI eventually paid a third-party Australian firm a reported $900,000 to identify an “exploit chain” and crack open the device.
Following Apple’s decision to pull E2E cloud encryption from the UK, the company on Friday told Bloomberg that “enhancing the security of cloud storage with end-to-end encryption is more urgent than ever before” and that it “remains committed to offering our users the highest level of security for their personal data and are hopeful that we will be able to do so in the future in the United Kingdom.”
The UK order asked Apple for access to global user data under the country’s Investigatory Powers Act, a law that grants officials the authority to compel companies to remove encryption under a “technical capability notice.” Gizmodo has reached out to the UK government.
good on Apple for pulling encryption from the UK rather than compromising it’s security.
it’s unfortunate for UK users, but that’s on their government for insisting on weaker security pic.twitter.com/hOzfwcydlG
— Alex Miller (@alexlmiller) February 21, 2025
“Security officials asked not only that Apple allow the UK government access to UK residents’ encrypted cloud storage, but that the UK government get access to any Apple user’s encrypted cloud storage,” said David Ruiz, an online privacy expert at Malwarebytes. “To demand access to the world’s data is such a brazen, imperialist maneuver that I’m surprised it hasn’t come from, well, honestly, the US. This may embolden other countries, particularly those in the ‘Five Eyes,’ to make a similar demand of Apple.” Ruiz questioned what this means for the UK’s privacy guarantees with the US.
Law enforcement is always looking for new ways to conduct surveillance under the guise of protecting the public—Edward Snowden famously revealed a dragnet of surveillance created after 9/11 that pulled in data on individuals domestic and abroa. But once the genie is taken out of the proverbial bottle, it is hard to put it back, and the capabilities can end up in the wrong hands. Police already have access to plenty investigative powers, privacy advocates say, and the public should be very cautious about giving them more that could be ripe for abuse.
Building a backdoor into any encryption product defeats the purpose, essentially rendering the security moot. If there is a backdoor, Apple and privacy advocates have long argued, then bad actors and authoritarian states will be able to find and exploit those backdoors or demand Apple provide access. The entire purpose of end-to-end encryption is that nobody, not even Apple, can access a user’s sensitive data. Backdoors are an inherent vulnerability.
End-to-end encryption of iCloud, formally called Advanced Device Protection, covers data storage, device backups, web bookmarks, voice memos, notes, photos, reminders, and text message backups. The way ADP works, data is stored in the cloud but can only be decrypted locally on a user’s device, using a key stored in the Secure Enclave security component built physically into Apple devices. Bloomberg reports that Apple will not remove end-to-end encryption for other features including iMessage, FaceTime, password management, and health data. So all of that is safe for now.
With today’s move, Apple is essentially saying that it would rather pull the E2E encryption altogether and inform customers they will be less safe, rather than build an open door for the UK government. It is a shrewd, gigachad move by Apple even though consumers there will no longer have the same amount of security as others around the globe. iCloud encryption is important as the service has in the past been a target of hackers who penetrated the accounts of celebrities to steal their nudes and post them online in a scandal that was called “the Fappening.”
Of course, because no security is entirely bulletproof, hackers and law enforcement groups still manage to find ways to penetrate iPhones, and doing so is a billion-dollar business for companies like Israel’s NSO Group, which supplies iPhone cracking software to governments around the world. It is essentially playing a cat-and-mouse game with Apple—each time hackers find an exploit, they are able to take advantage of it for a limited time before Apple plugs the hole. ADP was intended as a way to make it tougher for nefarious actors to access certain data, though it makes it more difficult for users to recover their content if they lose their devices.
NSO Group and other firms claim they only sell their exploits to governments and law enforcement and prohibit the software from being used to spy on dissidents or journalists. But reporting over the years has put those claims in significant doubt, as NSO’s software has been linked to hacks of journalists around the globe, including Jamal Khashoggi, whose devices were monitored leading up to his brutal assassination by Saudi intelligence agents.
Those who live in the UK will need to manually disable ADP during an unspecified grace period to keep their iCloud account. Bloomberg says that Apple will release feature guidance on this process sometime soon.
