We live in dangerous times. The threat landscape has never been worse, fueled by AI and a forensics industry exploiting security vulnerabilities at a rate we have not seen before. And it’s against this backdrop that Apple has confirmed a security warning for tens of millions of users, one that EFF describes as “an emergency for us all.”
We’re talking about the removal of iCloud’s end-to-end encrypted wrap in the UK, following the Pythonesque secret/not secret mandate from its government to build a backdoor into every user’s secure data store. Apple has done what was expected and pulled Advanced Data Protection for UK users, even though that does not actually satisfy the mandate. To use a poker analogy, Apple has called the UK’s bluff, against a glare of negative publicity.
Apple’s confirmation that it “can no longer offer Advanced Data Protection (ADP) in the UK to new users and current UK users will eventually need to disable this security feature,” came with a warning that “we are gravely disappointed that the protections provided by ADP will not be available to our customers in the UK given the continuing rise of data breaches and other threats to customer privacy.”
While the new change only directly hits UK users, it also impacts anyone messaging a UK user given messages will be stored in accessible backups. And it risks a trend, where other governments now do the same. We have seen a push across Europe for messaging scanning and the U.S. has pushed repeatedly for “responsible encryption,” meaning warranted access. As such, this change is much more dangerous than it seems now, and all users should pay attention to how their data is secured.
Technically, what has changed is the removal of end-to-end encryption from a raft of data categories that are not end-to-end encrypted by default and which ADP had upgraded: Photos, Notes, Reminders and Voice Memos. But there is also a more critical change: your device backups and iCloud Drive storage will no longer be end-to-end encrypted, and so will be accessible to Apple (and, by extension, to any government that compels Apple to hand them over).
If you are a UK user with ADP enabled, Apple warns you will need to change the setting yourself or it will delete your data. Ironically, this underlines the value of the security in the first place: Apple doesn’t have the access needed to make the change on your behalf.
But when we think of end-to-end encryption, we think first of the messaging apps that popularized this effective security wrap. And here there are serious implications. Most iPhone users worldwide are not using the additional security layer now being removed in the UK, and so Apple’s warning applies to you as well. With WhatsApp and iMessage in particular, make changes now to underpin your security.
First to Apple’s own iMessage, which was among the first mainstream messengers to adopt end-to-end encryption, but which always had a loophole that ADP closed. That loophole is now back. When you enable “Messages in iCloud,” you sync your messages database to iCloud to allow cross-device access and restores onto a new phone. Under standard iCloud protection, if iCloud Backup is also switched on, that backup includes a copy of the key protecting Messages in iCloud, which is what lets Apple (and anyone who compels Apple) reach the content. ADP closed the loophole, but the UK (and any countries that follow suit) have forced it back open. This means you either turn off iCloud Backup (or Messages in iCloud itself) or accept the vulnerability.
The situation with WhatsApp is different. The Meta-owned messenger, the most popular worldwide by some distance, has built its success on end-to-end encryption and the privacy of its 3 billion users. WhatsApp offers its own end-to-end encrypted backups to either iCloud or Google Drive, for iPhone and Android respectively, protected by a password or 64-digit key that WhatsApp itself never holds. This full security is not affected by the UK change.
But in your iPhone’s iCloud settings, you can also include WhatsApp in the general iCloud backup alongside other apps, duplicating WhatsApp’s own backup. Under ADP that duplication didn’t matter, because the standard iCloud backup was itself end-to-end encrypted. That has now changed for affected users. To ensure your WhatsApp messages can’t be accessed, exclude WhatsApp from the iCloud backup and enable a daily end-to-end encrypted backup from WhatsApp itself. You find this in WhatsApp under Settings > Chats > Chat Backup > End-to-end Encrypted Backup.
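The iMessage and WhatsApp points above come down to one question: where does the key that protects the backup live? The following Python model, added here as an illustration and not code from Apple, WhatsApp or this article, contrasts three arrangements: a standard iCloud backup whose content key is wrapped with provider-side key material, an ADP-style backup whose content key is wrapped with a key that never leaves the device, and an app-level encrypted backup whose content key is wrapped with a key derived from a user password. The cipher is a toy HMAC-SHA256 construction standing in for a real AEAD, the three key names are assumptions, and the chat text is constructed sample data.

```python
"""Toy model of who can read a cloud backup, depending on where the content
key lives. Illustrative only: the cipher and wrapping scheme are stand-ins
(HMAC-SHA256 keystream plus HMAC tag), not Apple's or WhatsApp's real ones."""
import hashlib
import hmac
import secrets
from typing import Optional

# --- toy authenticated cipher (stand-in for AES-GCM; do not reuse in real code) ---
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, block = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt; raise if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

# --- who holds what (assumed names; the model, not real key hierarchies) ---
PROVIDER_KEY = secrets.token_bytes(32)   # held server-side: standard iCloud protection
DEVICE_KEY = secrets.token_bytes(32)     # never leaves the phone: ADP-style protection
USER_PASSPHRASE = "correct horse battery staple"  # WhatsApp-style backup password / 64-digit key

def _kdf(passphrase: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)

def make_backup(mode: str, messages: bytes) -> dict:
    """Return the set of blobs the cloud provider ends up storing for one backup."""
    content_key = secrets.token_bytes(32)
    backup = {"mode": mode, "messages": seal(content_key, messages)}
    if mode == "standard":
        # Messages in iCloud + iCloud Backup without ADP: the backup carries a copy of the
        # content key protected by provider-side material, so the provider can unwrap it.
        backup["wrapped_key"] = seal(PROVIDER_KEY, content_key)
    elif mode == "adp":
        backup["wrapped_key"] = seal(DEVICE_KEY, content_key)
    elif mode == "app_e2ee":
        salt = secrets.token_bytes(16)
        backup["salt"] = salt
        backup["wrapped_key"] = seal(_kdf(USER_PASSPHRASE, salt), content_key)
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return backup

def provider_can_read(backup: dict) -> Optional[bytes]:
    """What the provider (or whoever compels it) recovers using only server-side material."""
    try:
        content_key = unseal(PROVIDER_KEY, backup["wrapped_key"])
        return unseal(content_key, backup["messages"])
    except ValueError:
        return None

def user_restore(backup: dict) -> bytes:
    """Restore path on the legitimate user's side, which holds the device key or passphrase."""
    if backup["mode"] == "standard":
        content_key = unseal(PROVIDER_KEY, backup["wrapped_key"])  # server unwraps on restore
    elif backup["mode"] == "adp":
        content_key = unseal(DEVICE_KEY, backup["wrapped_key"])
    else:
        content_key = unseal(_kdf(USER_PASSPHRASE, backup["salt"]), backup["wrapped_key"])
    return unseal(content_key, backup["messages"])

if __name__ == "__main__":
    sample = b"constructed sample chat: meet at 9"   # constructed, not real data
    for mode in ("standard", "adp", "app_e2ee"):
        b = make_backup(mode, sample)
        print(f"{mode:9s} provider reads: {provider_can_read(b)!r:40s} user restores: {user_restore(b)!r}")
```

Only the "standard" arrangement lets the provider recover plaintext; the other two fail the tag check because the wrapping key is not server-side. That is the whole difference between the iCloud Backup loophole, ADP, and an app-level encrypted backup: same ciphertext sitting on the same servers, different custody of the key.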
Similarly, if there are any apps whose data you don’t want sitting unprotected inside an iCloud backup, you should exclude them from within your iCloud settings. Where an app or platform offers a fully encrypted backup or sync of its own, you may be better off using that instead of iCloud unless and until full security is restored.
The uber-secure Signal app, favored for its security (notwithstanding warnings that its linked-device setting has been exploited), does not offer an iPhone backup at all, and so remains fully secure.
In response to the forced move, Apple says it “remains committed to offering our users the highest level of security for their personal data and are hopeful that we will be able to do so in the future in the UK. As we have said many times before, we have never built a backdoor or master key to any of our products or services and we never will.”
Meanwhile, you can ensure your critical data remains secured; you just need to make some changes. ADP remains enabled for existing UK users until Apple sets and enforces a deadline to switch it off. Users elsewhere should enable the setting; you can find details here. Non-UK users without ADP are already running the risks Apple has warned about, and so the WhatsApp and iMessage changes apply to you too.
As I’ve commented before, it seems arbitrary for the UK to mandate this of Apple but not the same of Google and Meta in particular. The fact that Apple’s change has been so public should give you confidence that if similar demands are made of those platforms, they will need to remove security just as visibly. In the meantime, the UK joins the likes of China, Russia and Iran in its governmental privacy crackdown.