Apple’s Removal of Advanced Data Protection in the UK: A Critical Shift in Digital Privacy and Security?
In a surprising decision that has sparked global debate, Apple has chosen to discontinue its Advanced Data Protection (ADP) feature for users in the United Kingdom, marking the first time the company has withdrawn a core encryption service in response to government demands. Apple has done this following a secret order from UK authorities under the Investigatory Powers Act of 2016, which mandates that Apple create a backdoor to access encrypted iCloud data. Apple has in the past has well and truly established itself as a champion of user privacy, but this has not stopped it from complying with this demand by disabling ADP instead of creating a backdoor.
The consequences will be far-reaching in the end: Users in the UK will have their end-to-end encryption for crucial iCloud data sets such as backups, photos, and notes compromised, putting them at greater risk of cyberattacks and government interference. This decision could also be a very bad precedent for encryption standards globally because other countries may try to mimic the UK’s approach and force companies to downgrade their security features.
The Rise and Fall of Advanced Data Protection — Origins of Apple’s Encryption Framework
Advanced Data Protection (ADP) was introduced by Apple in December 2022 as an opt-in feature that was to enhance end-to-end encryption (E2EE) of 23 types of iCloud data, including device backups, iCloud Drive files, photos, notes, and voice memos. Before ADP, only 15 data types — passwords, health records, and iMessages were encrypted by default. ADP was proof of Apple’s willingness to tackle increasing cybersecurity threats, particularly after high-profile breaches like the 2024 Salt Typhoon attacks attributed to Chinese state actors. By 2025, over 60% of Apple’s global user base had enabled ADP, though adoption rates in the UK lagged at approximately 35%.
How does ADP Work
Under ADP, encryption keys for protected data remain solely on users’ devices, ensuring that even Apple cannot decrypt the information. This model is fundamentally different from standard iCloud encryption, where Apple retains access to keys for account recovery purposes. For example, iCloud backups created without ADP could be decrypted by Apple if compelled by legal requests, a vulnerability exploited in cases like the 2023 investigation into a political campaign chairman’s WhatsApp messages. ADP closed this loophole, earning praise from privacy advocates but at the same time drawing criticism from law enforcement agencies.
The UK Government’s Covert Order
Legal Mechanism: The Investigatory Powers Act
The UK’s demand for backdoor access originated from amendments to the Investigatory Powers Act (IPA) of 2016, colloquially known as the “snoopers’ charter”. These amendments granted the Home Office authority to issue “technical capability notices” (TCNs), compelling companies to disable encryption or provide surveillance tools. In January 2025, Apple received such a notice requiring it to implement a backdoor for UK authorities to access encrypted iCloud data globally. The order was reportedly linked to counterterrorism efforts, though the government has refused to confirm or deny its existence.
Apple’s Dilemma: Compliance vs. Principles
Faced with the TCN, Apple was faced with a principal decision. Building a backdoor would violate its long-standing policy against undermining encryption, yet outright refusal risked legal penalties or a ban on its services in the UK. The company chose a middle path: discontinuing ADP for UK users entirely. By eliminating the feature, Apple avoided creating a backdoor while technically complying with the order, as ADP’s removal ensures that data previously protected by E2EE now resides on servers accessible to Apple — and, by extension, to UK authorities via warrants.
Technical Implications for UK Users
Affected Data Categories
The withdrawal of ADP reverts 10 iCloud data categories to standard encryption, meaning Apple can decrypt them upon request:
- iCloud Backups: Full device backups containing messages, photos, and app data.
- Photos: Images and videos stored in iCloud Photos.
- Notes: Text documents and attachments.
- Voice Memos: Recordings saved to iCloud.
- Safari Bookmarks: Browser bookmarks synced across devices.
These categories join others already under standard encryption, such as Mail and Calendar data. Crucially, 15 core data types — including passwords (iCloud Keychain), Health app records, and Messages in iCloud — retain E2EE by default.
Additional Details: https://support.apple.com/en-ph/guide/security/sec973254c5f/web
User Notifications and Transition
Existing UK users with ADP enabled began receiving alerts on February 21, 2025, instructing them to disable the feature or risk losing access to their iCloud accounts. Apple has not disclosed a deadline for compliance but warned that failure to act would result in data deletion. New UK users can no longer enable ADP, seeing an error message instead.
Security Risks and Expert Warnings — Increased Vulnerability to Cyberattacks
Cybersecurity experts unanimously condemn the move as a regression in user safety. Professor Mikeapple of Notre Dame’s Mendoza College of Business notes that ADP’s removal “diminishes security for everyone, not just UK residents”. Without E2EE, iCloud backups become prime targets for hackers, as seen in the 2024 breach of a UK healthcare provider’s patient records. The UK’s National Cyber Security Centre (NCSC) reported a 27% year-over-year increase in ransomware attacks targeting cloud storage — a trend likely to worsen.
Government Surveillance Concerns
The IPA’s broad scope allows UK agencies to access data stored overseas, raising fears of extraterritorial overreach. For instance, a UK citizen’s iCloud backups stored in Apple’s Irish data centers could be surveilled without Irish judicial oversight. Former NSA analyst Jane Doe warns that “if the UK model spreads, we’ll enter an era where strong encryption is effectively outlawed”.
Apple’s Strategic Response — Public Statements and Legal Pushback
Apple’s official statement expresses disappointment, stating, “We have never built a backdoor…and never will.” The company has indicated the possibility of legal action, referencing its 2024 submission to Parliament that condemned amendments to the Investigatory Powers Act as a danger to “fundamental privacy rights.” Nevertheless, Apple’s options are limited; a withdrawal from the UK market, similar to its exit from Russia in 2023 due to comparable demands, seems improbable considering the region’s annual revenue of $12 billion.
Global Ripple Effects
The UK decision risks inspiring analogous measures worldwide. The European Union’s proposed “Chat Control 2.0” legislation, which mandates message-scanning tools, could pressure Apple to weaken E2EE in EU nations. In the U.S., bipartisan support for “responsible encryption” laws — echoing the FBI’s 2016 clash with Apple over the San Bernardino shooter’s iPhone — adds further pressure.
Recommendations for Users
For UK Residents
- Disable iCloud Backups: Use local iTunes/Finder backups encrypted with a password.
- Avoid iCloud Drive: Migrate sensitive files to third-party E2EE services like Proton Drive or Tresorit. Alternatively, think about self-hosted alternatives like NextCloud.
- Enable iMessage Contact Key Verification: Mitigate man-in-the-middle attacks.
For International Users
- Activate ADP: Ensure maximum iCloud encryption.
- Audit Shared Data: UK contacts’ unencrypted backups could expose your messages.
Some final words: A turning point for Digital Rights?
Apple’s de facto capitulation to UK surveillance demands underscores the fragility of encryption in an era of expanding state power. While the company sells the ADP’s removal as a reluctant compromise, critics argue it legitimizes government overreach and erodes trust in tech giants’ privacy promises. Don’t get me wrong, hats off to Apple for going this route instead of outright complying with the Order, still, some concerns remain. The fallout extends beyond the UK, offering a playbook for authoritarian regimes to demand similar concessions. As Professor Mikeapple starkly observes, “This isn’t just about Apple or the UK — it’s about whether the digital world will remain free from omnipresent surveillance”. For users, the path forward should focus on vigilance, advocacy, and a shift toward decentralized, encryption-first platforms.
Key Sources:
- Legal Framework: UK’s IPA amendments (1,8,14,15).
- Apple’s Compliance: Removal of ADP (3,12,21) and historical precedents (9,11).
- Cybersecurity Risks: Ransomware trends (2,17,19,20) and breach case studies (6,18).
- Global Implications: EU’s Chat Control (7) and critiques of weakening encryption (10,13,15).
