Fundamentally, I think the issue is more about technical literacy amongst the political establishment who consistently rely on the fallacy that having nothing to hide means you have nothing to fear. Especially in the UK which operates as a paternalistic state and enjoys authoritarian support across all parties.
On the authoritarianism: these laws are always worded in such a way that they can be applied or targeted vaguely, basically to work around other legislation. They will stop thinking of the children as soon as the law is put into play, and it's hardly likely that pedo rings or rape gangs will be top of the list of priorities.
On the technical literacy: the government has the mistaken belief that their back door will know the difference between the good guys (presumably them) and the bad guys, and the bad guys will be locked out. However, the only real protection is security by obscurity: it's illegal to reveal that this backdoor exists or was even requested. Any bad guy can make a reasonable assumption that a multinational tech company offering cloud services has been compromised, so this just paints another target on their backs.
I've said it before, but I guarantee that the monkey's paw has been infinitely curling with this, and it's a dream come true for any black or grey hat hacker who wants to try and compromise the government through a backdoor like this.
Many people might not be aware of it, but Apple publishes a breakdown of the number of government requests for data that it receives, broken down by country.
The number of UK requests has ballooned in recent years: https://www.apple.com/legal/transparency/gb.html#:~:text=77%...
Much of this is likely related to the implementation and automation of the US-UK data access agreement pursuant to the CLOUD Act, which has streamlined this type of request by UK law enforcement and national security agencies.
> Online privacy expert Caro Robson said she believed it was "unprecedented" for a company "simply to withdraw a product rather than cooperate with a government".
That is such a self-serving comment. If Apple provides UK a backdoor, it weakens all users globally. With this they are following the local law and the country deserves what the rulers of the country want. These experts are a bit much. In the next paragraph they say something ominous.
> "It would be a very, very worrying precedent if other communications operators felt they simply could withdraw products and not be held accountable by governments," she told the BBC.
Note that this doesn’t satisfy the government’s original request, which was for worldwide backdoor access into E2E-encrypted cloud accounts.
But I have a more pertinent question: how can you “pull” E2E encryption without data loss? What happens to those that had this enabled?
Edit:
Part of my concern is that you have to keep in mind Apple's defense against backdooring E2E is the (US) doctrine that work cannot be compelled. Any solution Apple develops that enables "disable E2E for this account" makes it harder for them to claim that implementing that would be compelling work (or speech, if you prefer) if that capability already exists.
Think about it... You don't even have to be an Apple user to be affected by this issue. If someone backs up their conversations with you to Apple's cloud, your exchange is now fair game. You get no say in it either.
We all lose.
> Online privacy expert Caro Robson said she believed it was "unprecedented" for a company "simply to withdraw a product rather than cooperate with a government".
> "It would be a very, very worrying precedent if other communications operators felt they simply could withdraw products and not be held accountable by governments," she told the BBC.
Attributing this shockingly pro-UK-spy-agencies quote to an "online privacy expert" without pointing out she consults for the UN, EU and international military agencies is typical BBC pro-government spin. In fact, Caro, it would be "very, very worrying" if communications operators didn't withdraw a product rather than be forced to make it deceptive and defective by design.
I have a naive question, and it's genuine curiosity, not a defence of what's happening here.
This ADP feature has only existed for a couple of years, right? I understand people are mad that it's now gone, but why weren't people mad _before_ it existed? For like, a decade? Why do people treat iCloud as immediately dangerous now, if they didn't before?
Did they think it was fully encrypted when it wasn't? Did people not care about E2E encryption and now they do? Is it that E2E wasn't possible before? If it's such a huge deal to people now, why would they have ever used iCloud or anything like it, and now feel betrayed?
Free speech already under threat and now y'all are giving up the right of private communication too? For anyone cheering this on, do you honestly think this will only affect the "bad people", and you'll never have your own neck under the government's boot? Even if you trust the government today, what happens when your neighbors elect a government you disagree with ideologically?
The nightmare continues. For now I am using 3rd party backup services that are (currently) promising me that my backups are encrypted by a key they do not have access to, or control over. But can this even be believed in an age where these secret notices are being served to any number of companies? I suppose the next step would be to ensure that files don't ever arrive in the cloud unencrypted, but I have yet to see a service that allows me to do this with the same level of convenience as, say, my current backup solution, which seamlessly backs up all my phones, my family members' phones, my laptops, their laptops etc. I depend on having an offsite backup of my data. Which inevitably includes my clients' data also. Which I am supposedly keeping secret from outside access. So how does that work once everything becomes backdoored?
I'm sympathetic to the J.D. Vance angle, which is that European governments are increasingly scared of their own people. This is not doing a lot to change my mind.
As a citizen, I don’t understand what the UK government thinks they are getting here - other than the possibility of leaks of the nation’s most sensitive data.
Also is it not possible to set up my Apple account outside of the UK while living here?
I always thought that metadata and circumstantial evidence is enough to incriminate someone. Do you really need plaintext data and communication to put criminals behind bars?
What's stopping Apple from launching an AppleTV-esque device that functions as personal iCloud storage?
The design of ADP is that even taking control of the data centre won't allow access to the information held within. Decentralising the service makes it significantly harder to write ham-fisted legislation that aims to prevent tech companies from offering secure products.
Additionally there isn't a technical need for ADP to interface with iCloud. Apple could feasibly release free software for DIY ADP.
My expectation is that either the UK will alter the law, or Apple will work around it. I don't think we're looking at the end of this.
So many questions around this that need answering, such as:
1. What happens if I have ADP enabled and then visit the UK? Will photos I take there still be E2E encrypted? If not, will I be notified? I realize that at the moment the answer is yes, that for now, they are only disabling ADP enrollment. But they are planning to turn it off for everyone in the UK in the future. So what happens then?
2. If they make an exception for visitors, such as by checking the account region, then obviously anyone in the UK who cares about security will just change their account region - a small inconvenience. Maybe this will be a small enough group that the UK government doesn’t really care, but it could catch on.
3. Is this going to be retroactive? It’s one thing to disallow E2E encryption for new content going forward, where people can at least start making different decisions about what they store in the cloud. It’s an entirely different thing for them to remove the protection from existing content that was previously promised to be E2E encrypted. When they turn off ADP for people who were already enrolled, how is their existing data going to be handled?
This is bad news and it is going to be messy.
It's the right choice: don't bow to government pressure, let the people pressure the government.
The current EU-UK adequacy decision [1] is up for review this 27 June [2].
Aspects of the UK Investigatory Powers Act are close enough to US FISA [3] that I think this might have some influence, if brought up. IPA 2016 was known at the time of the original adequacy decision, but IPA was amended in 2024. While some things might be improvements, the changes to Technical Capability Notices warrant new scrutiny.
Especially seeing this example where IPA leads to reduced security is of some concern, I should think. The fact that security can be subverted in secret might make it a bit tricky for the EU to monitor at all.
[1] https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...
[2] ibid. Article 4
[3] FISA section 702 https://www.govinfo.gov/content/pkg/BILLS-110hr6304pcs/html/...
What are you actually supposed to do in the UK if you oppose this sort of thing to stop laws like this coming in? It feels like the government has been incredibly out of touch for the last number of years.
This can set a dangerous precedent. Now why wouldn’t any country demand the same, basically eliminating Advanced Data Protection everywhere, making user data easily accessible to Apple (and therefore governments)?
> Caro Robson said she believed it was "unprecedented" for a company "simply to withdraw a product rather than cooperate with a government".
She believes wrong. Google retreated from the Chinese market to not give in. Apple stayed in China and also banned VPNs on App Stores for Chinese customers. Kudos to Apple for not giving in to a backdoor in this case, but some other companies took an even higher moral stand in some other situations, so there is precedent indeed.
Presumably this applies to the iPhones owned by UK government ministers, civil servants, personal devices of military personnel, UK businesses, etc.
As a brit, I find that my government's stupidity is almost its only reliable attribute.
The more I live I’m less concerned about what are often described as “bad actors”. The bad actors are often the state, and this kind of information is collected without thought to the risk of future politicians who don’t follow the rules or who don’t have any respect for the laws.
This law raises serious concerns about being a non UK resident using British software, like Linux Mint.
They keep asking for more and more ridiculous powers, but then someone on a terrorist watchlist will go and stab a bunch of toddlers. They don’t need more powers, they need to just do their jobs.
I'm going to start purging anything I store on the cloud. I'm not doing anything illegal, but why does the government want to treat me like I am.
What the UK government achieved:
Lowering the data protection of its citizens in comparison to the rest of the world.
I was under the impression governments were supposed to protect their citizens.
Why is there only one "iCloud" to backup your iPhone and store photos? Lots of ADP users would use a corporate or self-hosted solution instead.
I regret immensely not having turned on ADP before... Now I'm feeling really angry at this whole thing.
The smartphone is a terrible platform. Something like this could never happen on the PC, where you can install any encryption and backup software that you want.
While Apple did the right thing by refusing to give the UK government a backdoor, they are responsible for getting users in this situation in the first place.
I'm not familiar with the iPhone and maybe there is already an alternative to iCloud ADP, although that would make this whole situation completely nonsensical.
I’m at the point where I’m ready to get a pixel and install graphene
Devil's Advocate (meaning I don't agree with this, in fact I disagree with it, but I don't see this argument being made anywhere and think it would be interesting. If you're one of the people who are offended by this practice of people steel-manning "the other side" and only want to read comments that affirm your position, please don't read this comment).
Question: Wouldn't it be better for Apple to build a UK-only encryption that is backdoored but is at least better than nothing? If Apple really cared about people's privacy, why just abandon them?
My position: No because this is a war, not a battle. Creating a backdoored encryption would immediately trigger every government on the planet passing laws banning use of non-back-doored encryption, which would ultimately lead us to a much, much worse world. Refusing to do it is the right thing IMHO.
If you're in the UK, please consider signing the below petition. Thanks.
https://you.38degrees.org.uk/petitions/keep-our-apple-data-e...
"Existing users' access will be disabled at a later date."
Hmmm how? How can they decrypt your already end-to-end encrypted and uploaded data without you entering the passphrase to do so? I can understand them removing the data from iCloud completely, or asking you to send the keys to Apple, but I don't understand how they can disable the feature for already uploaded data.
What is stopping me from using something like Proton in the same way? Why does the UK government simply make an example out of Apple on this one?
I don't like Apple, nor do I use any of their products, but as someone from the UK, I do respect them for doing this.
Now if only the other companies who said they'd leave would grow a backbone...
Not gonna lie, I expected Apple to just kind of roll over and take the blow on this one. Interesting.
Apple could have disabled iCloud completely for UK users. This would protect both UK users and other users whose data would also have been captured in an iCloud backup.
They would lose some money on services, but would have been the better choice to stand up to the UK government and protect the UK users.
It's a drag that we're seeing this crap happen, but authoritarians will be authoritarians. What's the general opinion of tools like Cryptomator? [^1]
[^1]: https://cryptomator.org
What exactly can UK users do now? Turn off "backup iPhone to iCloud" and stop syncing notes?
I'm confused. I thought iCloud was end-to-end encrypted anyway, and I've never heard of ADP before. Is ADP encryption at rest, whereas normal iCloud storage is only encrypted from the device to the server?
This is a great article!
They are not the first country to do this. Apple's advanced security features are rolled out non-uniformly across global markets. You get different capabilities, depending on where you are and where your account is resident. It would be great if there was a website that listed the countries and the security protections Apple provides in those countries.
Related discussion:
U.K. orders Apple to let it spy on users’ encrypted accounts (washingtonpost.com) 762 points by Despegar 14 days ago | 1070 comments https://news.ycombinator.com/item?id=42970412
This provides an incentive for Apple computer users to do the right thing: Stop storing sensitive data on Apple servers. Unfortunately, due to Apple's pre-installed proprietary operating systems that phone home incessantly, that may be more challenging than it should be.
Could moves like this by other repressive regimes finally open the door to consumer-owned, consumer-controlled, decentralized cloud storage systems that are fully encrypted and inaccessible by any agency or individual except by the owner?
Would be a beautiful thing to see. Not sure how storage would work though since you cannot take payment (that would make it centralized), and storage would have to be distributed, but by who?
Wonder what the cost/benefit looks like from Apple's perspective.
If this requirement increases the proportion of data on Apple's servers that is now unencrypted (or encrypted but which can be trivially unencrypted), that could be a huge plus to Apple; more data to use for ad targeting (or to sell to third parties), and more data to train AI models on.
Hopefully it'll spur growth of decentralised, distributed peer to peer mobiles like the new Holochain-based Volla Phone https://volla.online/en/
How will they enforce this?
They will have to send out messages: 'You have 32465 hours before your account is deleted unless you decrypt'
This is NOT a good look.
The UK backdoor means US and other FVEY states are able to freely request any person’s private data from GCHQ.
As a British citizen I am amazed at how much the government has invaded our privacy. I think it started after 9/11 when they first introduced terrorism laws and saw they could get away with it. I wonder if the ruling classes are nervous, given the state and direction of our economy and the inequality, as well as the iron grip a small part of the country has maintained on society. They are perhaps making preparations for a class revolt.
Having said that, in practice to date the extraordinary powers the government has acquired are rarely used, eg to quell the race riots last year. It feels more like a risk for the future and that makes it harder to argue against now. One day this will hit the fan.
I’m very curious, however, to see Americans criticise our government for its (mostly theoretical) overreach, whilst simultaneously the constitution of America is being torn to shreds by the actions of Musk and Trump, with some in the tech community even cheering on DOGE.
It's the right decision. Don't bow to the government, let the people demand it from their leaders, and vote in new ones.
It's just a shame that Apple didn't include the contact details for the Home Office officials responsible as the place for inquiries regarding the matter.
Reading all the comments here makes me sick. I really need to move to a remote place where people are not constantly bashing each other.
The cloud is just someone else’s computer. If you really, really care about privacy, self host.
Can someone explain what's changed in the UK that they would consider requesting unfettered access to all Apple customer data (including outside their own borders)? I get that the NSA is infamous for warrant-less surveillance, but this seems a step further.
Write to local MP and Home Office. This is totally unacceptable.
Could this be the catalyst for the rise of third party encryption companies that operate in UK? Or perhaps, rise to third party self host E2E cloud solution?
Only time will tell.
I've already invested in USB storage :)
I live between France and the UK. How do I move my iCloud account out of Britain?
So instead of building a back door they're just completely removing the option to use E2E encryption altogether, thus making everything freely available to government by default?
How is that not worse or at least equivalent to a back door?
If anyone’s looking for open-source, self-hostable, E2EE storage then check out Peergos (disclaimer: lead here):
What happens if a British citizen/resident buys an iPhone in the USA?
Btw, as a European citizen, I always buy my devices in the USA. We can complain about the US as much as we want, but Europe is on another level.
Are there non-icloud backup options? There used to be local encrypted backups through itunes, but I can't tell if that feature is still around.
Ugh. Is this by App Store country? Anyone know what happens if I already have it configured? I’m actually in US App Store region and sometimes switch to UK… I wonder if that would disable it.
Does Apple offer this type of encryption in China?
I don't get what's happening to civil liberty in Europe.
OK, I am not very technical. Can someone help me understand this? I don't have Advanced Data Protection on. Does that mean UK Gov can see my data now?
What happens if you're an international traveller?
The UK wanted access to anyone's data, not just UK citizens, and then additionally added regulations forbidding Apple to disclose this.
UK is ~3-4% of Apple's income. While I appreciate Apple's actions here, I wish they would make a real stand here and pull completely out of the UK.
Is there a way for a UK iPhone to circumvent the warning and enable ADP? Like connecting through a VPN?
Not relevant to the Apple story but as a general comment on UK surveillance/search/detainment laws: Five Eyes means the US just needs to get their citizen into the UK for their partner to gain access that the US doesn't have to their citizen. The reciprocity possibilities are endless.
OK, so while being AI safety concerned... UK politicians go ahead and remove humanity's single logical control tool that they have to keep AI in check... encryption maths.
gg
Deep betrayal by Apple.
"privacy is a fundamental human right" - Tim Cook.
They should have forced ADP on by default and this would have never happened.
Notice all the undemocratic dictatorships that did not require this of Apple. The UK is in decline completely.
Really disappointed that our government decided to take such a stance.
What are people using when self-hosting services in the scope of iCloud nowadays? Nextcloud seems the closest comparable service.
How does this affect me if I travel to the UK with an E2E encrypted IThing?
Honestly I'm surprised that rather than trying to build stupid backdoors and such, tyrannical governments don't just try to make an encryption key database. They hold ALL the keys and can get into anything they want, anytime they want. If you get caught with keys or encrypted data they can't access, punishment ensues.
Like if you're gonna try to eliminate privacy and freedom, just be honest and open about your intentions.
This is a good reminder that the one who cares about privacy and security cannot rely on closed-source products from commercial companies; don't be deceived by marketing slogans.
I wonder, what are the alternatives now?
Tresorit? Self-hosted Nextcloud?
Very disappointed with this, but I think will be finding alternatives.
Family sharing especially of Reminders is a hard one - we use lists for grocery shopping and it is extremely convenient.
Has anyone tried out Ente https://ente.io/ for photos?
Well this is double plus ungood...
Are any of you lot getting the realisation as to why they are pushing Passkeys so hard?
They know they access 8 out of 10 phones they seize.
DON'T USE PASSKEYS
Absolutely mental the kind of people that have power. Dealing with this like immature children.
“We don’t get what we want? We ruin it for everyone.”
Trying to backdoor a privacy feature for no real reason, just for the sake of having a backdoor. Pathetic
If Apple was a real American Company they would solve this issue by withdrawing their devices from the UK.
Does this mean I should treat travel to the UK the same way as China and only bring a burner device with no information on it or on cloud backup accounts?
I'm drunk. No offense. Why our world ends up like this.
How many UK people who haven't heard of ADP will now enable it?
Being locked into an ecosystem seems really nice.
The problem is that you don't really know your future jailer.
As someone currently a citizen of the UK, what are my best emigration opportunities?
At some point, we need to stop being surprised at authoritarian countries doing authoritarian things.
Here's hoping the inevitable regime change will be a peaceful one.
This is almost the status quo in the USA, given that nobody turns on the optional e2ee anyway.
disables apple cloud sync
Why can't governments simply compel every software developer to create a backdoor, or go to jail?
If even one government does it, then the backdoors exist globally. Here is an overview of the global situation: https://community.qbix.com/t/the-global-war-on-end-to-end-en...
Let's vote Labor and Liberal to keep the UK from going fascist on our data.
Oh wait....shit.
How do you like your "liberal democracy", UK-ians? Is that democratic enough for you yet? Do you feel in control?
It's a shame.
Could this have been a reason UK pushed to separation from the EU?
EU is all for privacy while UK is slowly drifting towards becoming a Stasi state.
Concession after concession, we gave away our freedom. The axis of good is mostly responsible for this, but the opposition also wanted to remove anonymity and freedom from the web.
No one fought when the Democrats called Snowden or Assange Russian spies for revealing Clinton corruption. They just blindly sided with their own corrupt political party and gave away freedom. Just like previous govs censored Trump, banned political opponents, they created a precedent and opened the door to the end of freedom. It's now beyond politics; we should fight for the last moments of freedom we have before it's too late.
If you care about privacy and security of your data, you aren’t using public services from Apple or Google, or “big tech” anyways.
I always thought of “cloud” services to be a sham. I only trust them with transient data or junk data anyways (glorified temp storage, at best).
The beginning of the end. A sad day for Brits
Removed all my stuff from iCloud about a month ago in preparation for this.
This was predictable vs creating a backdoor
Lol so much for the privacy-first Apple BS everyone keeps touting
If they had any balls whatsoever they would've rejected this and pulled out of the UK, but of course money comes before anything else.
Could any hackers on here now please hack the fuck out of UK government ministers please?
yikes
Yikes... looks like Apple's sun is setting. This cannot be allowed to happen.
malicious compliance.
Providing access when ordered by a court is not as secure so we're removing all encryption?
Wow - how sad. To think the 2nd highest scoring post ever on Hacker News is Apple's 2016 A Message to Our Customers. A display of intelligence, morality and courage under great pressure: https://hn.algolia.com
How things have changed.
> In a statement Apple said it was "gravely disappointed"
So are we, Apple. So are we.
Workers in tech jobs over the past few decades are the ones who are primarily to blame for the total degradation of the very notion of privacy, and our societies are, I think, reaping the consequences of this now in many ways.
This story didn't spring up out of nowhere, like a monster from under the bed. It's been a gradual decline since, let's say, the 90s or so.
I don't want to be vulgar, but the people who understood the best what was happening were mostly too busy taking large paychecks to get too upset about the whole thing. It got explained away, rationalised, joked about, and here we are.
Too right, it was far more problematic than they ever made out.
> The UK government's demand came through a "technical capability notice" under the Investigatory Powers Act (IPA), requiring Apple to create a backdoor that would allow British security officials to access encrypted user data globally. The order would have compromised Apple's Advanced Data Protection feature, which provides end-to-end encryption for iCloud data including Photos, Notes, Messages backups, and device backups.
One scenario would be somebody in an airport and security officials are searching your device under the Counter Terrorism Act (where you don't even have the right to legal advice, or the right to remain silent). You may be a British person, but you could also be a foreign person moving through the airport. There's no time limit on when you may be searched, so all people who ever travelled through British territory could be searched by officials.
Let that sink in for a moment. We're talking about the largest back door I've ever heard of.
What concerns me more is that Apple is the only company audibly making a stand. I have an Android device beside me that regularly asks me to back my device up to the cloud (and makes it difficult to opt out), you think Google didn't already sign up to this? You think Microsoft didn't?
Then think for a moment that most 2FA directly goes via a large tech company or to your mobile. We're just outright handing over the keys to all of our accounts. Your accounts have never been less protected. The battle is being lost for privacy and security.