The Lead Untangles: Apple users lose ADP in the UK sparking security vs privacy row
Apple said it was “deeply disappointed” that it must now disallow UK customers this highest level of security - Kevin Gopal explores the ins and outs of the issue
At a glance facts
Apple customers in the UK will no longer be able to use Advanced Data Protection (ADP) after the company refused government demands to build a back door that would allow law enforcement agencies access to user data stored on iCloud.
Ministers insisted police and security agencies need to be able to access photos and other documents stored on users’ iCloud accounts and protected by ADP end-to-end encryption in order to catch criminals, including terrorists and paedophiles.
But the tech giant, which has built a reputation for privacy, refused the demand, and has instead withdrawn ADP entirely for UK customers.
Account users who opted in to ADP ensured that only they can see photos and other documents stored on the cloud. Even Apple cannot view them.
But following Apple’s reluctant decision to pull ADP, data will now only be covered by standard encryption, meaning Apple must hand it over to police and security forces if they have a warrant.
In a statement Apple said it was “deeply disappointed” that it must now disallow UK customers this highest level of security, “especially given the continuing rise of data breaches and other threats to customer privacy”.
Context
The Home Office has long argued that end-to-end encryption hinders the fight against crime and has tried to force the hand of tech companies before.
But human rights campaigners say encryption technology such as ADP is essential because activists, journalists and others rely on it to defend themselves against unlawful government surveillance and cybercrime.
The current row over ADP takes on a new political dimension as the Trump administration seeks to position itself and its tech companies as defenders of free speech, in opposition to European governments that Vice-President JD Vance recently condemned as censorious.
In a 2023 open letter, the heads of WhatsApp, Signal and other encrypted communication tech organisations said they would withdraw from the UK because of fears that the Online Safety Bill would contain provisions preventing end-to-end encryption.
Ministers had sought to force online platforms to scan messages for child sexual abuse material, but the tech companies argued this would compromise the privacy of all users.
The government backed down and withdrew the provisions.
The National Crime Agency will welcome the end of ADP. Last year it estimated it would lose 92 per cent of reports from Meta concerning child safeguarding issues as a result of Mark Zuckerberg’s decision to introduce end-to-end encryption. It claimed one example of what would be lost was a 200-page referral on an international sextortion case.
Another stream of data produced by a tech company in response to a warrant yielded 327 arrests, the seizure of 3.5 tonnes of Class A drugs, the recovery of £4.8m, the identification of 29 previously unknown threats to life, and a further 100 threats to harm, according to the NCA.
The National Society for the Prevention of Cruelty to Children (NSPCC) has previously been critical of what it says is Apple’s lax approach to monitoring for child sexual abuse material. The Home Office says offences concerning indecent images of children increased by 13 per cent from 2022 to 2023.
But Zach Campbell, senior surveillance researcher at Human Rights Watch, said the government’s move over encryption is an “alarming overreach”. Other security experts say the dark web is of more concern when it comes to criminality than cloud storage.
Learning of the government’s initial demand for a back door, 109 civil society organisations, companies and cybersecurity experts, including Global Encryption Coalition members, published a joint letter to the home secretary, Yvette Cooper, saying it “jeopardizes the security and privacy of millions, undermines the UK tech sector, and sets a dangerous precedent for global cybersecurity”.
The irony of the Trump administration championing privacy while Elon Musk plunders the private data of federal agencies and employees won’t be lost on many.
What does Advanced Data Protection actually do?
ADP is an opt-in service, meaning only account holders can view documents and other data stored on iCloud.
New customers can no longer use it, having to rely instead on Apple’s less secure standard encryption.
Existing ADP users will soon be offered additional guidance, says Apple, as it cannot automatically disable it.
Nine categories will lose ADP in the UK: iCloud Backup; iCloud Drive; Photos; Notes; Reminders; Safari Bookmarks; Siri Shortcuts; Voice Memos; Wallet Passes; and Freeform.
The UK withdrawal of ADP will not affect the 14 iCloud data categories that are end-to-end encrypted by default. Data on iCloud Keychain and Health, iMessage and FaceTime remains end-to-end encrypted globally, including in the UK.
What the left is saying
“If they go through with it, every British iOS user - doctors, lawyers, small and large business, and individuals - will be exposed to incalculable risk from spies and criminals, both organized and petty.” - Cory Doctorow, author and activist
“Crazy that our supposedly left-wing government is even more obsessed with spying on us than the Tories were.” - Nicholas Guyatt, professor of North American history, Cambridge University
What the right is saying
“In an attempt to meet the demands of the Home Office - demands made on false illusions of providing security - Apple has been forced to entirely undermine the online security of pretty much every UK citizen who uses an Apple product.” - Conservative MP David Davis
“The Trump administration is troubled by reports that some foreign governments are considering tightening the screws on US tech companies with international footprints.” - Vice-President JD Vance
What happens next?
It’s hard to say because, ironically, the government’s demand is shrouded in secrecy.
It’s been reported that ministers invoked the Investigatory Powers Act (IPA), the so-called “snooper’s charter”, to issue a “technical capability notice” to Apple to remove “electronic protection” of user data.
However, the 2016 legislation also forbids the recipients of such notices from disclosing the existence or contents of the notice.
Apple is duly not commenting, nor is the Home Office. But the tech firm hints at some form of appeal in its statement.
“Apple remains committed to offering our users the highest level of security for their personal data and we are hopeful that we will be able to do so in the future in the United Kingdom,” it says.
Last year technology secretary Peter Kyle flew to the US West Coast to bang the drum for further investment in the UK’s technology sector, but Republican and Democrat politicians have criticised the UK government’s battle with Apple.
Keir Starmer has just returned from Washington with high hopes of avoiding Trump’s tariffs, but US tech giants will be bending the President’s ear too.
About The Lead Untangles: In an era where misinformation is actively and deliberately used by elected politicians and where advocates and opposers of beliefs state their point of view as fact, sometimes the most useful tool reporters have is to help readers make sense of the world.
The Lead Untangles is delivered each Friday by The Lead and focuses on a different complex, divisive issue with each edition.
About the author: Kevin Gopal is a Manchester-based journalist who has returned to freelancing after editing Big Issue North from 2007 until its closure in 2023. Prior to that he was assistant editor of Chinese community magazine SiYu, international editor of Pharmaceutical Executive, and deputy editor of North West Business Insider before freelancing widely on business, politics and policy for a number of titles. He is a leader in residence in journalism at the University of Central Lancashire.