Apple Advanced Data Protection in the UK
Apple removed its Advanced Data Protection for new UK users on 24th February 2025. Existing users still have a period of grace to use the service and are expected to disable it themselves before Apple fully revokes access. The decision is a result of UK government pressure to allow access to Apple user data for regulatory or legal investigations under the Investigatory Powers Act of 2016.
This might be seen as a test case. If Apple complies and there is no obvious outcry from the end users then other bodies that encrypt data at rest could be compelled to allow the UK government to unlock and read this data. Such encrypted email and messaging services would include WhatsApp, Signal and Proton Mail. Signal itself may be targeted by similar new encryption removal legislation in Sweden and has threatened to withdraw its services should that be the case.
Apple could have refused to comply, set up backdoor access allowing authorised bodies access to the encrypted data or taken their chosen path of removing the encryption completely. By disabling their service Apple has dodged the implications of the law as by not storing data under Advanced Data Protection there is no case for having keys that allow the government to access it. Apple has left Advanced Data Protection in place for users outside the UK. In addition Apple has challenged the order through an appeal to the Investigatory Powers Tribunal
The encryption relates to protecting data at rest on Apple servers. It does not affect the existing encryption as data moves between the user’s device and Apple servers. Removing the ‘at rest’ advanced encryption creates a risk of data loss from criminal activity. This data will still be encrypted but to a lesser extent by Apple’s Standard Data Protection. Perhaps a larger worry is that a ‘legal entity’ could request and receive this private data from Apple. This could later be exposed either in the clear as a result of some authorised investigation or through compromised devices or accounts on the external (to Apple) devices processing that data.
iCloud Keychain and Health retain the full Apple Advanced Data Protection. The following Apple products have now dropped to Standard Data Protection for new UK users:
iCloud Backup; iCloud Drive; Photos; Notes; Reminders; Safari Bookmarks; Siri Shortcuts; Voice Memos; Wallet Passes; and Freeform.
These changes are clearly going to impact any user who is seriously committed to the Apple environment. As well as text data within the affected applications there will be privacy risks related to images. Important data can be derived from the contents of images as well as their metadata providing details such as when and where they were created. In all cases alternative solutions are available from other providers but these will need to be individually evaluated as to their security. It is possible that many of these will also become exposed to UK government demands for data access in the future. The dedicated Apple user will probably want to keep to the bespoke Apple offerings but would need to consider what they are saving and where. With many services running by default as real-time uploads and syncing the settings for each will need to be examined and possibly changed.
