Apple Discontinued Encryption Features for iCloud Backups

My Privacy Blog

My Privacy Blog

10 min read
Apple Discontinued Encryption Features for iCloud Backups
Photo by simerpreet singh / Unsplash

Apple has discontinued advanced encryption features for iCloud backups in the United Kingdom following reported pressure from British authorities under updated surveillance laws, marking a significant development in the ongoing debate over privacy versus national security. This move comes as governments globally push for expanded access to encrypted communications under the guise of public safety.

Apple Siri Privacy Settlement
In January 2025, Apple agreed to a $95 million settlement to resolve a class-action lawsuit alleging that its voice assistant, Siri, had inadvertently recorded users’ private conversations without consent. The lawsuit claimed that Siri was sometimes activated unintentionally, leading to the recording of confidential discussions, which were then allegedly shared
My Privacy BlogMy Privacy Blog

The Encryption Rollback

Apple quietly removed end-to-end encryption for iCloud backups in the UK through a February 2025 software update. This feature had previously ensured that only device owners could access backup data through personal recovery keys. The company made no public announcement but updated its regional legal process guidelines to reflect the change.

Apple’s Evolving Approach to Combatting Child Sexual Abuse Material (CSAM)
June 2021: Initial Announcement to Scan iCloud Photos for CSAM In June 2021, Apple took a significant step in its fight against child sexual abuse material (CSAM) by announcing plans to scan iCloud Photos. The tech giant intended to implement technology that would detect known CSAM images stored in iCloud
My Privacy BlogMy Privacy Blog

Key technical impacts:

  • UK users no longer get E2EE for iCloud backups of messages, photos, and device settings
  • Law enforcement can now request backup data through existing warrants
  • Device-to-device encryption for iMessages remains intact

The decision follows renewed demands under the UK's Investigatory Powers Act 2016 (IPA), which requires companies to assist in decrypting data when technically feasible. Recent amendments to the IPA expanded surveillance powers, including:

  • Real-time data collection without warrants
  • Bulk hacking of devices and networks
  • Expanded data retention requirements

British Home Office officials argued the encryption feature "severely hampered terrorism investigations," citing multiple cases where suspects' iCloud backups contained critical evidence.

The Apple-FBI Standoff: Unraveling the Implications for Digital Privacy
Introduction The confrontation between Apple Inc. and the Federal Bureau of Investigation (FBI) over unlocking an encrypted iPhone belonging to a San Bernardino terrorist has been a landmark case in the debate over digital privacy and security. This article examines the impact of this incident on privacy, both at the
My Privacy BlogMy Privacy Blog

Corporate Response

Apple confirmed the change in a statement to regulators:
"We continue to advocate for strong encryption globally, but must comply with local laws where we operate. Users concerned about privacy can disable iCloud backups entirely."

Privacy advocates criticized the move, with Signal Foundation president Meredith Whittaker stating: "This creates dangerous precedent - authoritarian regimes will demand similar access."

Global Implications

The decision raises concerns about:

  • Jurisdictional precedence: Other countries may request similar concessions
  • Security risks: Unencrypted backups create larger attack surfaces
  • Market fragmentation: Regional encryption differences complicate device security

UK digital rights group Big Brother Watch reports a 300% increase in encrypted data requests since 2023. Legal experts note this could reignite debates over the US EARN IT Act and EU Chat Control proposals.

Understanding and Managing the ‘NameDrop’ Feature in Apple’s iOS 17: A Law Enforcement Perspective
Introduction The Oakland County Sheriff’s Office, along with other law enforcement agencies, has raised concerns about a new feature in Apple’s iOS 17 update, known as “NameDrop.” This feature, while intended to enhance user experience, has prompted warnings due to potential privacy and security implications. What is ‘NameDrop’? ‘NameDrop’ is
My Privacy BlogMy Privacy Blog

User Recommendations

Security experts suggest UK users:

  1. Disable iCloud backups in Settings
  2. Use local encrypted backups via Finder/iTunes
  3. Enable Advanced Data Protection if available
  4. Consider alternative encrypted storage solutions

This development highlights growing tensions between tech companies and governments over digital privacy, with Apple's compliance suggesting a strategic shift in navigating complex surveillance landscapes. The long-term impact on user trust and global encryption standards remains uncertain.

Apple's decision to discontinue Advanced Data Protection (ADP) for iCloud data in the UK has profound implications for user privacy, reshaping data security dynamics under pressure from government surveillance demands. Here’s how this move impacts individuals and sets broader precedents:

Privacy Concerns: Microsoft Recall and Apple Intelligence Auto-Enablement
As technology companies continue to integrate artificial intelligence and data-driven features into their products, privacy concerns have become a major point of discussion. Two recent developments—Microsoft’s Recall feature and Apple’s automatic enablement of Apple Intelligence in iOS 18.3 and macOS 15.3—have sparked debates on user consent,
My Privacy BlogMy Privacy Blog

Immediate Privacy Impacts

  • Loss of End-to-End Encryption (E2EE): UK users can no longer enable ADP, which previously secured iCloud backups (photos, notes, device settings) with encryption that even Apple couldn’t bypass12. Data stored in iCloud is now accessible to Apple and, by extension, law enforcement via warrants36.
  • Selective Encryption Rollback: Default E2EE for iMessages, FaceTime, Health data, and payment information remains intact, but backups and other iCloud data are vulnerable28. Metadata (e.g., file creation dates) for services like Photos and Notes also becomes accessible8.
  • Forced Compliance for Existing Users: Current ADP subscribers will eventually need to disable the feature to continue using iCloud, eroding their existing privacy safeguards16.
The San Bernardino Terrorist Attack: A Turning Point in Cell Phone Encryption Debate
In December 2015, a tragic event unfolded in San Bernardino, California, when Syed Rizwan Farook and Tashfeen Malik carried out a mass shooting, resulting in the deaths of 14 people and injuries to 22 others. This horrific incident not only shook the nation but also sparked a significant legal and
My Privacy BlogMy Privacy Blog

Heightened Security Vulnerabilities

  • Increased Risk of Data Breaches: Without ADP, iCloud backups become “low-hanging fruit” for hackers, as unencrypted data is easier to exploit15. Cybersecurity experts warn this undermines protections against rising threats like ransomware38.
  • Government Access via Legal Requests: UK authorities can now compel Apple to hand over iCloud data under the Investigatory Powers Act (IPA), including through secret warrants57. This includes bulk data collection and real-time surveillance powers granted by recent IPA amendments5.
  • Weakened Trust in Cloud Storage: Users may lose confidence in Apple’s ability to safeguard data, particularly after the company emphasized ADP as critical for modern privacy threats12.
  • Surveillance Overreach: The UK government’s demand for a backdoor—reportedly rejected by Apple—led to ADP’s removal instead57. Critics argue this prioritizes surveillance over user security, creating a “self-harm” scenario for digital privacy34.
  • Risk of Global Domino Effect: Authoritarian regimes could leverage this precedent to demand similar concessions, fragmenting encryption standards worldwide26. The EU’s Chat Control proposals and US EARN IT Act debates may follow suit3.
  • Corporate Compliance Dilemma: Apple’s compliance highlights the tension between operating in jurisdictions with stringent surveillance laws and maintaining privacy commitments. The company stated it “never will” build backdoors but acknowledged legal obligations15.

User Recommendations

  1. Disable iCloud Backups: Opt for local, encrypted backups via Finder/iTunes to retain control over data34.
  2. Use Alternative Encrypted Services: Shift sensitive data to third-party E2EE platforms like Signal or Proton Drive48.
  3. Monitor Account Security: Enable two-factor authentication and regularly review connected devices1.
  4. Advocate for Policy Changes: Privacy groups urge pressure on the UK Home Office to revoke its order, framing it as a threat to democratic digital rights47.

Brokerage of Privacy vs. Security

While UK authorities argue encrypted data hampers criminal investigations (e.g., terrorism, child exploitation)7, experts warn that weakened encryption harms all users. As cryptography professor Alan Woodward noted: “Breaking encryption for anyone risks exposing it to everyone”4. This decision underscores the fragile balance between state security mandates and individual privacy rights—a conflict increasingly defining the digital age.

Apple’s withdrawal of ADP signals a troubling shift toward regionalized privacy standards, leaving UK users disproportionately vulnerable in an interconnected world26.

Apple's removal of Advanced Data Protection (ADP) for UK users marks a pivotal shift in its global encryption strategy, balancing legal compliance with core privacy principles while risking fragmentation of security standards across jurisdictions. Here's how this decision reverberates worldwide:

Precedent for Regional Compliance

  • Selective Feature Rollbacks: By disabling ADP only in the UK, Apple demonstrates willingness to adjust encryption offerings regionally when faced with surveillance mandates. This creates a blueprint for handling similar demands from other governments (e.g., EU’s Chat Control proposals, India’s IT Rules) without compromising global systems16.
  • Avoiding Backdoors: Apple’s refusal to build a UK-requested decryption tool preserves its longstanding stance against undermining encryption integrity worldwide. However, critics argue regional feature removal still weakens security for affected users28.

Fragmentation Risks

  • Split Encryption Standards: UK users now have weaker iCloud backup protections compared to other regions, creating a two-tiered privacy landscape. Experts warn this could normalize "encryption shopping" by authoritarian regimes seeking similar carveouts56.
  • Technical and Ethical Challenges: Maintaining divergent encryption policies complicates Apple’s development pipeline and risks accidental security gaps. For example, UK iCloud backups now lack ADP’s end-to-end encryption, while U.S. and EU users retain it47.

Global Policy Pressure

  • Surveillance Arms Race: The UK’s use of a technical capability notice under the Investigatory Powers Act (IPA) signals to other nations that encryption bypasses can be legally enforced. Countries like Russia and China may leverage this precedent to demand localized backdoors36.
  • Impact on U.S. Legislation: U.S. lawmakers, including Sen. Ron Wyden, fear the UK’s actions could embolden efforts to revive the EARN IT Act, which seeks to erode encryption under the guise of combating child exploitation26.

Corporate Policy Shifts

  • Reactive vs. Proactive Security: Apple’s compliance contrasts with its 2023 threat to withdraw iMessage and FaceTime from the UK if forced to weaken encryption. This retreat suggests pragmatic concessions to maintain market access, despite earlier defiance68.
  • User Trust Erosion: Privacy advocates globally now question Apple’s commitment to "privacy as a fundamental right," fearing future compromises in other regions. Cybersecurity experts note the decision weakens UK users’ security while preserving Apple’s reputation elsewhere58.

Strategic Implications

  • Legal Shield Strategy: By complying with local laws while avoiding systemic backdoors, Apple seeks to insulate its global user base from cross-jurisdictional surveillance. However, this approach leaves users in authoritarian regimes disproportionately exposed26.
  • Market Prioritization: Retaining ADP in markets with stronger privacy laws (e.g., EU) suggests Apple views user trust in these regions as critical to its brand identity, even as it capitulates elsewhere47.

Long-Term Industry Impact

  • Vendor Accountability: Competitors like Google and Signal face pressure to clarify their policies, with UK officials likely to target them next. Signal’s president has already condemned Apple’s move as a “dangerous precedent”26.
  • Encryption Diplomacy: The UK’s unilateral action complicates international data-sharing agreements, including the U.S.-UK CLOUD Act framework, by introducing distrust in cross-border data integrity56.

Apple’s decision underscores the growing tension between multinational tech firms and national surveillance regimes. While the company avoided a catastrophic global backdoor, its regional concession risks normalizing fragmented encryption standards—a scenario privacy experts warn could unravel decades of progress in digital security. As governments increasingly weaponize laws like the IPA, Apple’s ability to uphold uniform privacy guarantees worldwide will face unprecedented strain.

Citations:

  1. https://www.forbes.com/sites/davidphelan/2025/02/21/apple-warns-uk-iphone-owners-it-will-remove-encryption-protection/
  2. https://techcrunch.com/2025/02/21/apple-pulls-icloud-end-to-end-encryption-feature-for-uk-users-after-government-demanded-backdoor/
  3. https://www.bbc.com/news/articles/cgj54eq4vejo
  4. https://www.standard.co.uk/news/tech/what-does-apple-axing-encryption-tool-mean-uk-users-data-safety-b1212579.html
  5. https://appleinsider.com/articles/25/02/21/apple-turns-off-data-protection-in-the-uk-rather-than-comply-with-backdoor-mandate
  6. https://www.theverge.com/news/617273/apple-removes-encryption-advanced-data-protection-adp-uk-spying-backdoor
  7. https://www.itv.com/news/2025-02-21/why-apple-is-removing-a-data-protection-tool-and-what-does-it-mean-for-uk-users
  8. https://cyberscoop.com/apple-uk-encryption-advanced-data-protection-privacy/
  9. https://www.eff.org/deeplinks/2025/02/cornered-uks-demand-encryption-backdoor-apple-turns-its-strongest-security-setting
  10. https://www.cnet.com/tech/services-and-software/apple-pulls-icloud-encryption-feature-following-uk-government-demands/
  11. https://arstechnica.com/tech-policy/2025/02/apple-pulls-data-protection-tool-instead-of-caving-to-uk-demand-for-a-backdoor/
  12. https://www.washingtonpost.com/technology/2025/02/07/apple-encryption-backdoor-uk/
  13. https://apnews.com/article/apple-iphone-encryption-britain-cybersecurity-c5c37e99b3b9161dbed24231fbd94746
  14. https://www.reddit.com/r/privacy/comments/1iut0uq/apple_pulls_data_protection_tool_after_uk/
  15. https://abcnews.go.com/Business/wireStory/apple-drops-encryption-feature-uk-users-after-government-119046304
  16. https://www.reddit.com/r/privacy/comments/1iuzhi8/we_need_to_talk_about_the_uks_new_rules_for_apple/
  17. https://www.usatoday.com/story/money/business/2025/02/21/apple-discontinues-advanced-encryption-uk/79461250007/
  18. https://www.reuters.com/technology/apple-removing-end-to-end-cloud-encryption-feature-uk-bloomberg-news-reports-2025-02-21/

Read more

Russian Cyber Warfare Targets Encrypted Messaging: The Signal QR Code Exploit Crisis The Rise of a New Attack Vector

Russian Cyber Warfare Targets Encrypted Messaging: The Signal QR Code Exploit Crisis The Rise of a New Attack Vector

Encrypted messaging apps like Signal have become critical tools for journalists, activists, military personnel, and privacy-conscious users worldwide. However, Google's Threat Intelligence Group has revealed that Russian-aligned hacking collectives UNC5792 and UNC4221 have weaponized Signal's device-linking feature, turning its core privacy functionality into an espionage vulnerability.

By My Privacy Blog