Apple has removed its strongest data protection from UK users -- why and what does it mean?
Apple's Advanced Data protection allows the data that its users store in iCloud to be end-to-end encrypted. On Friday of last week the company announced that it would be removing this tool from users in the UK.
The move follows a demand from the UK government to allow 'backdoor' access into data in order to investigate crime. The problem is that even Apple can't access ADP protected data and the company argues that a backdoor would be exploited by attackers.
From 3pm GMT on Friday users in the UK attempting to switch on ADP have been presented with an error message. The service will be disabled for existing users at a later date.
Standard encryption is still available, however, this is accessible by Apple and shareable with law enforcement, provided they have a warrant.
David Ruiz, senior privacy advocate at Malwarebytes says, "This is only bad news and it is difficult to call it anything other than a disaster. The loss of end-to-end encryption for cloud storage is wholesale bad -- it leaves users less secure and private -- but the global consequences tip this into far worse territory."
Ruiz believes that the decision could put the US-UK Privacy Shield, which allows organizations to transfer personal data across the Atlantic, at risk:
With the UK's order, I legitimately do not know what happens to US-UK Privacy Shield. The last time we saw an order of this magnitude was before the Snowden revelations when The Guardian revealed that the FBI had asked Verizon for the call details records for all incoming and outgoing calls in the United States for the past three months. We never learned what the FBI was so afraid of, but we did learn that they’d been emboldened by a post-9/11 surveillance regime that gave them nearly everything they wanted.
In short, the loss of end-to-end encryption is bad, yes. But the global impact of this demand has extremely dangerous and idiotic potential.
It's clear that Apple -- which has always promoted its products on their strong security and privacy features -- is defending a point of principle here. Had it allowed backdoor access for the UK it would have soon faced similar demands from other governments around the globe.
"An encryption product with backdoor not only would have given access to the government but also, it's breach of trust with the customers, who expect encryption to keep their information privacy from prying eyes," Ambuj Kumar, co-founder and CEO of Simbian, says. “Any such backdoor would also be attractive for hackers trying to misuse it. So, they make the overall security worse for everyone."
Kumar adds, "What's most commending though is to see Apple valuing privacy on behalf of its customers. It's clear that Apple considers privacy as its core differentiator and expects customers to pay for it. A society where people value privacy and are willing to pay money for it, and companies building product for it is exactly the society I want to live in and create."
Whilst the decision may not have too severe an effect on individual users storing their photo collections on iCloud, it is of concern to business that use the service to store sensitive and commercially confidential data.
Dray Agha, senior manager of security operations at Huntress, agrees, "Apple's decision to pull Advanced Data Protection in the UK is a direct response to increasing government demands for access to encrypted user data. Weakening encryption not only makes UK users more vulnerable to cyber threats but also sets a dangerous precedent for global privacy. Governments argue this helps law enforcement, but history shows that any backdoor created for one party can eventually be exploited by bad actors. The broader concern is that this move could pressure other companies to weaken their security, putting personal data worldwide at greater risk."
In an official statement Apple said it regretted the decision and that, "Apple remains committed to offering our users the highest level of security for their personal data and are hopeful that we will be able to do so in future in the UK."
So, is this government overreach? An important move to help the fight against crime? Or another example of politicians not really understanding technology? Watch this space.
Image credit: jpgon/depositphotos.com