About a year ago, the United Kingdom government began to suggest that Apple (and other tech firms) might be forced to install backdoors in their end-to-end encryption for its use. That hypothetical became a reality several weeks ago, with the Home Office invoking the Investigatory Powers Act 2016 to issue a secret order to Apple demanding a backdoor into iCloud. Apple has now taken the step of disabling its “Advanced Data Protection (ADP)” feature, presumably in response.
Much of this technically remains in the realm of speculation due to the UK government’s secrecy. The Investigatory Powers Act 2016 allows it to issue secret orders of this nature to tech companies and demands immediate compliance; the recipients of these orders are also barred from speaking about them publicly under threat of criminal charges. The sudden disappearance of iCloud end-to-end encryption in the UK has only been tied to this because of anonymous insider sources that revealed the existence of the order to Washington Post reporters.
UK end-to-end encryption order could result in bigger battles
Tech companies in general are very resistant to the UK government’s attitudes toward end-to-end encryption, and the country could be setting itself up for some weighty battles if it persists with these secret orders. Signal has already said that it will consider pulling out of the country if pushed. That could also be a “nuclear option” for Apple, which could pull iPhones from the country and let the government deal with an irate populace that can no longer easily buy and use them.
There is no word of either side escalating to that point as of yet, however. Apple’s move to terminate iCloud end-to-end encryption was widely expected after the Washington Post report dropped, as a stopgap measure to satisfy the UK’s legal requirements. The company can appeal the Home Office order, but is required to continue cooperating while that appeals process plays out. That appeal will also play out in secret, so it will take more leakers to keep the public apprised of what is happening.
Government backdoors are not unpopular with tech firms solely because they push away consumers (though that is a fine reason by itself). A mandated backdoor is also a gaping security vulnerability, something that hackers will eventually find their way into. At minimum, company insiders and vendors with privileged access will probably be caught exploiting it at some point.
The UK may even be going too far for its usually espionage-happy partners in the Five Eyes. Some US senators are already calling for measures to be taken in response to the Apple order, such as cutting the UK out of intelligence-sharing agreements until it comes around on end-to-end encryption.
iCloud users who previously activated ADP can continue using it … for now
iCloud end-to-end encryption was deactivated in the UK as of February 21, but only for users who had not previously enabled it. Those who already had it enabled can continue using it for an indeterminate period, which Apple has suggested may be “days or weeks.” But they will eventually be required to turn it off or disable their iCloud accounts entirely.
Apple devices in the UK remain otherwise secure, in terms of encryption of the device itself and end-to-end encrypted features like iMessage. But iCloud storage will now be readily available to law enforcement with a warrant, and could also potentially be exposed to hackers if the user does not implement their own encryption solutions.