UK demands backdoor to Apple’s encrypted cloud storage, putting everyone at risk

Macworld

Privacy and security have been central themes for Apple for years now, and the company sees itself as a market leader in making sure your data is shielded from prying eyes. While encryption and privacy are important issues for many tech companies, Apple has gone much further than most to make sure that your data is only accessible to you, unless you explicitly say otherwise.

A new secret government order in the U.K. seeks to absolutely destroy that for every Apple user around the world. That’s right: over 2 billion Apple users globally would have their privacy and security obliterated by an undisclosed order from the British government.

The Washington Post got tipped off by insiders about the order, issued last month, from the office of the Home Secretary. Called a “technical capability notice” and calling on powers afforded to the office by the U.K. Investigatory Powers Act of 2016, the British Government has secretly ordered Apple to “create a back door allowing them to retrieve all the content any Apple user worldwide has uploaded to the cloud,” according to the Post.

What the U.K. government is asking for is the ability to access the encrypted cloud data for every Apple user around the world. That is, frankly, a comically authoritarian and draconian order and well beyond the jurisdiction of any individual government.

According to The Washington Post’s sources, Apple can appeal the decision to a technical board, but it is not permitted to delay compliance while the appeal is underway. As a result, the company is likely to stop offering encrypted cloud storage in the U.K. (a huge problem in itself) or remove other iCloud services. But even those extreme measures wouldn’t satisfy the requirements handed down by the U.K. government.

As bad as the order is, it is just as worrying that it was made in secret and that Apple is legally forbidden from even acknowledging that it has received the order at all. The law makes it a criminal offense to even reveal that one has received such an order.




The encryption built into every iCloud account is at risk due to the U.K.’s new rule.Apple

What is at stake

By default, many Apple cloud services are encrypted, but they are encrypted in transit and on the server, so Apple has the encryption key. Photos, Notes, Reminders, iCloud Mail, and Calendar contacts are examples of this data that Apple can decrypt. The company has done so many times in the past when issued a lawful order from law enforcement.

However, Health data, Home data, Messages in iCloud, and other types of data are end-to-end encrypted, with the encryption key stored on your Apple device and locked to your passcode or biometric (Face ID and Touch ID). Apple has no way of decrypting this data even if it wanted to.

In 2022, Apple began offering the Advanced Data Protection option, which brings end-to-end encryption to nearly all Apple cloud services. If enabled (go to Settings > Your account > iCloud and look for the Advanced Data Protection option), only iCloud Mail, Contacts, and Calendars will be stored encrypted with the key in Apple’s hands.

Apple has a support document with a table showing which data is end-to-end encrypted and which Apple has the key to, for both standard and Advanced Data Protection settings.

The U.K. rule essentially demands that all data that Apple stores for its cloud services be retrievable not just by Apple, but by the U.K. government—no longer requiring a legal process to request that Apple provide targeted data—and for this to apply to every Apple user in the world.

Of course, if a government has access to a back door to your data, it is only a matter of time before that backdoor escapes the bounds of a government agency, and is in the hands of outside agencies, governments, criminals, or even sold on the black market. It is far too valuable a thing to believe that it would stay confined to a security agency within the U.K. and that they would only use it sparingly and when absolutely necessary.

In short, there is no such thing as a “secure back door.”

On its face, if fully complied with, the security of cloud storage for every Apple user in the world (estimated at around 2.2 billion) would be not only diminished but basially nonexistent. A less strict interpretation may allow Apple to get away with only ruining the privacy of its users in the U.K., or halting valuable and popular cloud services for all of them.

What is not at risk, from our understanding of the reporting on this issue, is the sanctity of your Apple devices themselves and their storage. The order apparently only applies to cloud data and does not require a backdoor to access your iPhone, iPad, Mac, or any other device or the data stored locally on it.

Apple is surely not the only recipient of such an order. Google’s encrypted backups for Android phones, WhatsApp’s encrypted messaging data, and other similar cloud services would be as big or bigger targets for the U.K. government. Again, if these companies have gotten orders to make this encrypted data accessible to the U.K. government, and whether or not they have complied with it, it would be a criminal offense to even let it be known. We are at the mercy of whistleblowers and leakers to know if our privacy is being secretly, globally, violated.