Security Update: Apple Removes End-to-End Encryption from UK

Good work, Britain. The UK’s demands for a backdoor into Apple’s iCloud encryption have led the company to remove its most secure end-to-end (E2E) encryption feature from the country. The backdoor the government requested would allow law enforcement to access the cloud data of any iPhone user worldwide.

A History of Resistance

Apple has long marketed its products as the most secure personal electronics available, and the company has consistently pushed back against government orders to decrypt confiscated devices or build backdoors into its products. The most notable instance was when Apple refused the Department of Justice’s demands to unlock an iPhone used by the attacker in a mass shooting in San Bernardino, California, during President Trump’s first administration. The FBI eventually paid a third-party Australian firm $900,000 to identify an "exploit chain" and crack open the device.

The Consequences of Backdoors

Following its decision to pull E2E cloud encryption from the UK, Apple stated that "enhancing the security of cloud storage with end-to-end encryption is more urgent than ever before" and that it "remains committed to offering our users the highest level of security for their personal data and are hopeful that we will be able to do so in the future in the United Kingdom." Building a backdoor into any encryption product defeats its purpose, rendering the security moot. If there is a backdoor, bad actors and authoritarian states will be able to find and exploit it or demand access. The entire purpose of end-to-end encryption is that nobody, not even Apple, can access a user’s sensitive data.

What’s at Stake

The end-to-end encryption of iCloud, formally called Advanced Device Protection, covers data storage, device backups, web bookmarks, voice memos, notes, photos, reminders, and text message backups. Under ADP, data is stored in the cloud but can only be decrypted locally on a user’s device, using a key stored in the Secure Enclave, a security component built physically into Apple devices. Apple will not remove end-to-end encryption for other features, including iMessage, FaceTime, password management, and health data.

A Shrewd Move

With this move, Apple is essentially saying that it would rather pull the E2E encryption altogether and inform customers they will be less safe than build an open door for the UK government. It is a strategic decision by Apple, even though consumers in the UK will no longer have the same level of security as others around the globe.

The Cat-and-Mouse Game

Of course, no security is entirely bulletproof, and hackers and law enforcement groups still manage to find ways to penetrate iPhones. Companies like Israel’s NSO Group supply iPhone cracking software to governments worldwide, playing a cat-and-mouse game with Apple. Each time hackers find an exploit, they can take advantage of it for a limited time before Apple plugs the hole. Advanced Device Protection was intended to make it tougher for nefarious actors to access certain data, though it also makes it more difficult for users to recover their content if they lose their devices.

The Risks of Backdoors

NSO Group and other firms claim they only sell their exploits to governments and law enforcement and prohibit the software from being used to spy on dissidents or journalists. However, reporting over the years has put those claims in doubt, as NSO’s software has been linked to hacks of journalists around the globe, including Jamal Khashoggi, whose devices were monitored leading up to his brutal assassination by Saudi intelligence agents.

What’s Next for UK Users

If you live in the UK, you will need to manually disable Advanced Device Protection during an unspecified grace period to keep your iCloud account. Apple will release feature guidance on this process soon.

