Key Points
- The UK government has demanded backdoor access to encrypted iCloud backups for all users worldwide.
- Apple has not provided a global backdoor; instead, it stopped offering Advanced Data Protection (ADP) in the UK, affecting only UK users.
- This means UK users’ data is now accessible to the UK government, but non-UK users’ data remains encrypted and inaccessible.
What the UK Demanded
The UK government, under the Investigatory Powers Act (IPA) of 2016, issued a “technical capability notice” demanding that Apple create a backdoor to access encrypted iCloud backups of any user globally. This would allow UK authorities to view data protected by Apple’s Advanced Data Protection (ADP), which uses end-to-end encryption, meaning only the account holder can decrypt it, not even Apple.
Apple’s Response
Instead of creating a global backdoor, Apple decided to stop offering ADP to new customers in the UK. Existing UK users will eventually need to disable ADP, meaning their iCloud backups will no longer be end-to-end encrypted and will be accessible to Apple and, with a warrant, to the UK government. This change does not affect non-UK users, whose data remains end-to-end encrypted and inaccessible to the UK.
Surprising Detail: Impact Limited to UK
It’s surprising that Apple’s response only affects UK users, not providing the global access the UK demanded, potentially setting a precedent for how tech companies handle such government requests.
Survey Note: Detailed Analysis of UK’s Demand and Apple’s Response
The UK’s demand for backdoor access to iCloud users’ encrypted backups worldwide has sparked significant debate over privacy, security, and the balance between law enforcement needs and individual rights. This note provides a comprehensive overview of the situation, including the legal framework, Apple’s actions, and the implications for users globally and in the UK.
Background and Legal Context
The UK government’s demand stems from the Investigatory Powers Act (IPA) of 2016, often referred to as the “Snoopers’ Charter” by critics. This legislation authorizes law enforcement to compel companies to assist in collecting evidence, including issuing technical capability notices (TCNs). A TCN was reportedly served to Apple by the Home Office, demanding access to data protected by Apple’s Advanced Data Protection (ADP) service, which was introduced in December 2022 to offer end-to-end encryption for iCloud backups, including photos, notes, messages, and device backups (The Guardian).
The demand was described as a “blanket” request, applying to any Apple user worldwide, not just UK residents, which is unprecedented in major democracies (The Washington Post). This global scope raised concerns among privacy advocates, with the Electronic Frontier Foundation (EFF) calling it an “emergency for us all,” highlighting the risks of weakening encryption (EFF).
Apple’s Advanced Data Protection and Encryption
ADP is an optional feature that extends end-to-end encryption to various iCloud data categories, ensuring that even Apple cannot access the data. This is a significant privacy enhancement, but it has been criticized by law enforcement agencies in both the UK and US for hindering investigations into serious crimes like terrorism and child abuse (The Record). Prior to ADP, iCloud backups were not fully encrypted, allowing Apple to provide data to authorities with a warrant, but ADP changed this, making such access impossible without a backdoor.
Apple has consistently opposed creating backdoors, arguing that any such mechanism would be exploited by malicious actors, increasing risks of hacking and data breaches (TechCrunch). This stance was reiterated in filings to the UK government in 2023, where Apple warned of potentially withdrawing security features rather than compromising encryption (Washington Post).
UK’s Demand and Global Implications
The UK’s demand for a backdoor was not just for UK users but for all iCloud users worldwide, as reported by multiple sources including MacRumors and The Verge. This would undermine Apple’s privacy pledge, potentially setting a precedent for other governments, especially authoritarian regimes, to demand similar access. Security experts, like those at EFF, warned that such a backdoor would inevitably be abused, citing examples like the Chinese Salt Typhoon hacks that exploited legally mandated backdoors in telecoms (TechCrunch).
The demand also conflicts with international human rights standards, with the UN and European Court of Human Rights recognizing encryption as vital for privacy, and any weakening risking violations (Amnesty International).
Apple’s Response: Disabling ADP in the UK
Faced with this demand, Apple chose not to create a global backdoor, which would have compromised all users’ data. Instead, on February 21, 2025, Apple announced it would stop offering ADP to new customers in the UK, with existing users eventually required to disable it (Reuters). This decision means that UK users’ iCloud backups will no longer be end-to-end encrypted, making their data accessible to Apple and, with a warrant, to the UK government (BBC News).
Apple expressed “grave disappointment” in this move, stating it leaves UK users more vulnerable to data breaches and other privacy threats (The Guardian). However, Apple emphasized its commitment to not creating backdoors, aligning with its long-standing policy (Apple UK).
Impact on Users
- UK Users: New users cannot enable ADP, and existing users will lose end-to-end encryption, meaning their data (e.g., photos, messages) can be accessed by Apple and shared with law enforcement under a warrant. This change was effective immediately for new users, with existing users given an unspecified period before disabling ADP (Apple Insider).
- Non-UK Users: Their data remains end-to-end encrypted under ADP, and the UK’s demand does not affect their privacy, as Apple has not provided a global backdoor (PCMag).
This decision has drawn criticism from figures like Sen. Ron Wyden (D-Oregon), who warned it sets a dangerous precedent for authoritarian countries to follow, and from the Computer & Communications Industry Association, calling it a “worrying step backwards” for online security (Washington Post).
Table: Comparison of User Impact
| User Location | ADP Availability | Encryption Status | Accessibility to UK Government |
|---|---|---|---|
| UK (New Users) | Not Available | Standard Encryption | Accessible with warrant |
| UK (Existing Users) | Must Disable Eventually | Standard Encryption | Accessible with warrant |
| Non-UK Users | Available | End-to-End Encrypted | Inaccessible |
Legal and Political Reactions
The UK government’s response has been notably silent, with the Home Office refusing to comment on operational matters, including confirming or denying the existence of TCNs (BBC News). This lack of transparency aligns with the IPA, which makes it a criminal offense for companies to disclose such notices, adding to the controversy (Washington Post).
Internationally, there has been backlash, with US lawmakers like Ron Wyden and Andy Biggs urging the US to reject foreign demands for backdoors, highlighting potential conflicts with US privacy laws (Silicon UK). The move has also been seen as a test case for how tech companies navigate government pressures, with implications for global privacy standards.
Conclusion
The UK’s demand for backdoor access to iCloud users’ encrypted backups worldwide remains unmet in its global scope, as Apple has only compromised UK users’ data by disabling ADP. This partial compliance reflects Apple’s effort to balance legal obligations with its privacy commitments, but it leaves UK users more vulnerable while protecting non-UK users. The situation underscores ongoing tensions between security, privacy, and government surveillance, with potential long-term effects on international tech policy.