Government has made UK user data ‘less secure’ with Apple row – experts

The UK government’s push for data access which led to Apple withdrawing a security tool from the UK has made users “less secure”, experts have said.

The tech giant said on Friday it was withdrawing an opt-in feature called Advanced Data Protection (ADP) from its iCloud service in the UK, which increased the amount of personal data protected by end-to-end encryption, which no-one beyond the account holder – not even Apple – can access.

The decision came after the Government had made a request under the Investigatory Powers Act to gain blanket access to that data.

Apple has previously said it would never build a “backdoor” to get around its end-to-end encryption as this could also be exploited by bad actors.

And cybersecurity experts have criticised the Government’s approach, saying the tech giant has taken the “obvious option” of impacting UK users rather than making its data security tools weaker globally.

Encryption expert Matthew Hodgson, chief executive of secure communications firm Element, said Apple’s decision to remove ADP from the UK was because it did not want to create a “master key” which could be used to break its encryption tools.

“This is a serious wake up call for the UK government and its never-ending quest to undermine end-to-end encryption. Apple is way more committed to privacy than it is to the UK, and rightly so,” he told the PA news agency.

“Essentially, the Government asked for a master key to be able to look into anyone’s phone back-up – with entry being allowed on the basis of a warrant.

“This means that if an attacker were to somehow get access to this ‘master key’ they would suddenly have access to every iCloud back-up.

“The UK government tried to force Apple to give the UK a backdoor into its end-to-end encryption for iCloud.

“There was no way Apple would capitulate and sabotage its secure system for everyone.

“Apple has taken its most obvious option of stopping the service in the UK. It could go further and simply withdraw from the UK entirely.”

He added that it was “impossible” to create a backdoor for an end-to-end encrypted service and for it to remain “secure”.

Removing ADP is not just a symbolic concession but a practical weakening of iCloud security for UK users

Speaking to Sky News, Professor Alan Woodward, visiting professor of computing at the University of Surrey, said: “Apple is sending a very strong message here, which is that, if you want to do this for your people, then reluctantly, and with great disappointment, we will do it, but we’re certainly not going to do it globally.

“So actually, the only thing that the UK government has achieved in all of this is to disadvantage UK users.

“They’ve made that corner of the internet less secure for us.”

Professor Oli Buckley, a professor in cybersecurity at Loughborough University, said Apple’s “concession” on the issue meant UK user data could be more at risk from government data requests.

“There is still encryption on Apple devices, things like iMessage and other on-device data encryption still exist, but now data specifically stored in iCloud (which has a huge number of users) will be accessible to Apple and potentially government agencies through legal requests,” he said.

“Removing ADP is not just a symbolic concession but a practical weakening of iCloud security for UK users.”

Meanwhile, Dray Agha, senior manager of security operations at cybersecurity firm Huntress, said the decision to “weaken” encryption would also leave users more at risk from hackers.

“Apple’s decision to pull Advanced Data Protection in the UK is a direct response to increasing Government demands for access to encrypted user data,” he said.

“Weakening encryption not only makes UK users more vulnerable to cyber threats but also sets a dangerous precedent for global privacy.

“Governments argue this helps law enforcement, but history shows that any backdoor created for one party can eventually be exploited by bad actors.

“The broader concern is that this move could pressure other companies to weaken their security, putting personal data worldwide at greater risk.”

A number of online safety charities, as well as police and security services around the world long warned of the dangers of end-to-end encrypted services, arguing that they allow offenders such as terrorists and child abusers to hide more easily.

Rani Govender, policy manager for child safety online at the NSPCC, said this was an opportunity for Apple and other firms to consider other ways of protecting users, particularly children.

“We know that end-to-end encryption allows offenders to groom and manipulate children and build communities where they can share vile child sexual abuse material without detection,” she said.

“As Apple change their approach to encryption on their services, they must take this opportunity to ensure that they are considering other measures they can put in place to better protect children.

“All tech companies should be finding ways to tackle online risks to children whilst upholding privacy of their users, and Ofcom and Government should hold them accountable for doing so.”