Key Points:
- Apple’s Decision: Apple has disabled its Advanced Data Protection service for new customers in the U.K. instead of complying with a government order that would require creating a backdoor for law enforcement access.
- Order Details: The U.K. Investigatory Powers Act mandates a backdoor for police and intelligence agencies to access encrypted content, affecting iCloud storage globally, not just in the U.K.
- Encryption Context: The Advanced Data Protection service, launched in late 2022, offers end-to-end encryption, meaning Apple cannot retrieve user data. Customers with existing protection will need to disable it to keep accessing iCloud.
- Implications of Compliance: Apple’s choice to disable this service reflects a preference to not create a backdoor, but it may lead to pressures from the U.K. government to comply or possibly exit the market.
- Ongoing Debate: The commentary includes a critique of Epic Games CEO Tim Sweeney’s views, emphasizing that Apple must adhere to local laws while noting that the situation reflects a return to prior arrangements regarding iCloud security and access.

Executive Summary:
Apple recently ceased offering its Advanced Data Protection service in the U.K. as a response to a government mandate requiring a backdoor for law enforcement access to encrypted data. This decision maintains user security for existing customers but raises questions about Apple’s future compliance with U.K. law. The situation underscores ongoing tensions between privacy and law enforcement requirements, and further compliance from Apple may still be demanded. The commentary highlights the existing compromise regarding iCloud security and counters criticism about Apple’s adherence to legal obligations in the regions where it operates.

Original Message:
Ben Thompson’s take on the Apple v UK data protection:
Apple vs. U.K., Continued
From the Washington Post:
“Apple disabled its most secure data storage offering for new customers in Britain on Friday rather than comply with a secret government order that would have allowed police and intelligence agencies to access the encrypted content. The order under the country’s Investigatory Powers Act, reported by The Washington Post two weeks ago, requires the California maker of iPhones and Mac computers to create a backdoor capability allowing authorities to snoop on iCloud storage anywhere in the world.
That would nullify the technology in Apple’s Advanced Data Protection service, which provides such strong encryption that the company itself is unable to retrieve users’ information. Apple rolled out that optional end-to-end encryption globally starting in late 2022…British customers who already have Advanced Data Protection will be warned later to disable it or lose access to iCloud.”
This response by Apple is exactly what I predicted when the Washington Post first broke the story: Apple would rather not offer Advanced Data Protection than insert a back door. Note, however, that this does not fully address the U.K.’s demands: they wanted a backdoor for all users, not just U.K. ones; we will see if the country pushes on this point, which would leave Apple no choice but to either comply or leave the market.
I think I’ve explained this issue pretty comprehensively at this point, but just to be crystal clear, let me address these complaints by Epic CEO Tim Sweeney head-on:
I think my bona fides in terms of criticizing Apple — including its at-times self-serving privacy policies — are pretty well-established at this point, so I’m happy to take this head-on. The fact of the matter is that Apple has to follow the laws of the countries in which it operates; that’s why, to take a pertinent example, iCloud keys for Chinese users are stored in China. In this case, the U.K. directive was specifically about Advanced Data Protection; Apple needed to either comply or withdraw the service (and, as noted above, that may not be enough).
Moreover, as I noted last week, this is simply a return to the status quo and the uneasy compromise that Apple had previously struck with law enforcement: iPhones are encrypted, but the default and easiest-path cloud backup service was not, and thus accessible with a warrant.
Therefore, to Sweeney’s point, if this is opening the front door, well, the front door has been open for years, and even now is only closed if the user opts in to end-to-end iCloud encryption. In other words, there is no change for most U.K. users; saying Apple compromised the security of all of them is simply wrong, and suggesting that the company shouldn’t follow the laws in the countries in which it operates is a very weird stance for someone who spends most of their time lobbying for laws that compel Apple to change its behavior.