Apple and the long secret arm of the UK Government
Apple disabled their 'advanced data protection' service for UK customers following a secret UK Government order demanding access to global user data. EDRi member Privacy International criticises this weakening of security standards for users in the United Kingdom.
The UK Government can force companies to undermine the security of their users
On 21 February 2025, Apple disabled their ‘advanced data protection’ service for United Kingdom (UK) customers. That means no one in Great Britain can now enable a powerful security safeguard that people who use Apple devices everywhere else on the planet can: user controlled end-to-end encryption of stored data.
EDRi member Privacy International suspects this is likely in response to a disturbing secret government power. But it is not possible to know for sure.
The UK Government has given themselves the power to serve companies anywhere in the world notices that order them to undermine the security of their users, products, or services in secret. The company can’t tell anyone, they can’t even publicly say they’ve received one. They can’t say if they disagree, they can’t let users know they’ve been affected, and they can’t question the power in open court because the secret order is, well, secret. The notice affects millions of people, who aren’t allowed to find out it exists.
All that we actually know for sure is this: people in Great Britain will not be able to turn on this security safeguard any more, and that their data is less secure than the data of Apple users elsewhere.
Leak
As a result of a leak to the Washington Post on 5 February 2025, we can assume this is because Apple received one of these secret notices.
This is the first known use of this power, which has existed since 2016. Whoever leaked it’s existence has committed a criminal offence under Investigatory Power Act.
For more of our work against this extreme power see Privacy International’s 2023 submission.
Apple can’t say it’s received the order because that would be an offence. Even talking to lawyers to challenge the order will be difficult because they can’t say it exists. They can’t even say if they’re complying or contesting it.
This is evidenced by the UK Government’s response to global media requests asking how and why this could affect people around the world: “We do not comment on operational matters, including for example confirming or denying the existence of any such notices.”
Apple warned Parliament about what it might do when Parliament was deciding to approve expansions of the secret power in 2023.
“Under the current law, the [United Kingdom’s Government (UKG)] can issue a ‘Technical Capability Notice’ that seeks to obligate a provider to remove an ‘electronic protection’ to allow access to data that is otherwise unavailable due to encryption. In addition, the Secretary of State (‘SoS’) has been granted the further authority to prohibit the provider from disclosing any information about such a requirement to its users or the public without the SoS’s express permission. Moreover, the IPA purports to apply extraterritorially, permitting the UKG to assert that it may impose secret requirements on providers located in other countries and that apply to their users globally. Together, these provisions could be used to force a company like Apple, that would never build a backdoor into its products, to publicly withdraw critical security features from the UK market, depriving UK users of these protections.”(emphasis added by Privacy International)
We can do the arithmetic and presume that thanks to media coverage and Apple’s foreshadowing, that this is what has now happened.
This means we are now able to openly discuss the secret order that would be criminal to disclose, while the government that issued an order affecting millions of people will neither confirm nor deny it’s existence, even when the whole world is talking about it.
This order applies globally. Privacy International speculates that this move by Apple is perhaps designed to try to limit the damage, and not undermine security for all of their customers.
Unfortunately only outrage works now
Privacy International tried to stop this secret power from becoming enshrined in law in 2016.
Privacy International repeatedly litigated against a series of extraordinary powers held by the UK Government – but because this one is secret when its issued, it’s really hard to act against.
Privacy International encourages everyone to use these rare public opportunities to call out this extraordinary power. No government should be able to suspend security for users anywhere – whether in their country or affecting users world-wide.
This is just the first step by Governments. If the UK Government is allowed to get away with this absurd case, then what’s absurd will have to become an operational norm.
At the moment you can choose to download other storage apps in the App Store and that grant you full control over your encryption choices, on a range of other providers’ servers. But there is no guarantee that those won’t be targeted next or already have been.
The reality is that, unless something changes, we will never know what is secure for sure, because it’s all done by secret order by a ‘democratic’ government.
This article was first published here by EDRi member, Privacy International