We are living in dangerous times, where the threat landscape has reached unprecedented levels, largely due to advancements in AI and a forensic industry that exploits security vulnerabilities at an alarming rate. Against this backdrop, Apple has issued a security warning affecting tens of millions of users, described by the EFF as “an emergency for us all.”
The issue at hand is the removal of iCloud’s end-to-end encryption layer in the UK, following a mandate from the UK government to create a backdoor into all users’ secure data stores. Apple has complied by pulling Advanced Data Protection (ADP) for UK users, challenging the UK's directive amidst negative publicity.
Apple confirmed that it “can no longer offer Advanced Data Protection in the UK to new users, and current UK users will eventually need to disable this security feature.” This decision is particularly concerning given the rising number of data breaches and other threats to customer privacy.
While this change primarily affects UK users, it also impacts anyone communicating with a UK user, as messages will be stored in accessible backups. This raises the risk of similar actions by other governments. Europe is already pushing for message scanning, and the U.S. advocates for “responsible encryption,” which includes warranted access. Therefore, this change is a significant threat to data security worldwide.
Technically, the change involves the removal of end-to-end encryption from several apps, including Photos, Notes, Reminders, and Voice Memos. More critically, device backups and iCloud Drive storage will no longer be fully encrypted and will be accessible by Apple.
For UK users with ADP enabled, Apple warns that the setting will need to be changed, or the data will be deleted. Users have to make the change themselves, because Apple cannot access the data itself to make these changes, which highlights the importance of this security.
When considering end-to-end encryption, messaging apps like iMessage and WhatsApp are at the forefront. Apple's iMessage, known for its encryption, previously had a loophole that was closed by ADP – a loophole that has now been reopened for UK users. Users must either disable iCloud syncing or accept the vulnerability.
WhatsApp, a Meta-owned messenger, maintains its end-to-end encryption unaffected by the UK change. However, iPhone users should disable general iCloud backups for WhatsApp and enable daily end-to-end encrypted backups directly within WhatsApp.
If there are apps you wish to keep secure, disable iCloud backup for those apps. Opt for fully encrypted backups offered by the app itself. Signal, known for its security, does not offer an iPhone backup but remains fully secure.
In response to these changes, Apple has stated its commitment to delivering the highest level of security for personal data and hopes to restore these protections in the UK in the future. Apple emphasizes that it has never built a backdoor or master key into its products.
To protect your data, make necessary adjustments now. ADP remains active for current UK users until Apple enforces a deadline. Non-UK users should enable the setting if available, as the risks highlighted by Apple are universal. WhatsApp and iMessage changes are relevant to all users, not just those in the UK.
It appears arbitrary for the UK to impose this mandate on Apple but not on Google or Meta. The public nature of Apple's changes suggests that similar actions elsewhere would require other platforms to follow suit. Meanwhile, the UK joins countries like China, Russia, and Iran in its governmental privacy crackdown.