Let’s talk about the iCloud saga. I’m angry as a UK citizen with the government. I’m frustrated with the countless bad takes on social media. And I’m exasperated that so many in the general public don’t realise just how important this issue is. So let’s talk about it. I’m going to demystify this issue and explain it in plain English, examine the various bad takes, and talk about what happens next..
What is iCloud? ☁️
Firstly what is iCloud and what does it do? iCloud is Apple’s service that backs up your data, keeps that data in sync across your Apple devices and protects your privacy.
By default some of this data is end to end encrypted. Some of it is just encrypted (Apple calls this ‘Standard Protection’) unless you turn on an optional feature called Advanced Data Protection. We’ll get into the differences in a moment.
Back Ups 💽
When you turn on iCloud backups in Settings on an iPhone, iPad, iPod Touch, or Apple Vision Pro, your device creates a complete copy of your device in its current state (more or less). It creates a copy of your data like photos, messages, and notes, your settings, preferences, apps, messages, and more. There are a few things that can’t be backed up, such as Apple Pay cards (known as tokens). But for the most part, an iCloud backup is a pretty complete replica of the state of your device as it was when the backup was created. Right down to small details like your wallpaper.
Device Syncing 🔁
Let’s say you own multiple Apple devices. Wouldn’t it be useful if your information matched across your devices? For example, a photo taken on your iPhone could automatically appear in photos on your iPad. Or a contact you add on your iPhone will appear in the Contacts app on your Mac. This is one of the primary benefits of iCloud. It saves you time and work by keeping the data on your devices up to date and synchronised with one another. You can turn off categories you don’t want to sync too. For instance, perhaps you don’t want your iPhone messages to show up on your other devices.
Encrypted (Standard Protection) 🔓
Some categories of data stored in iCloud are just encrypted by default unless you turn on Advanced Data Protection. But they aren’t end to end encrypted. But what does that mean? It means that the data is secure on Apple’s servers. But it also means that Apple has a key to access it. This can be useful if you lose the password to your Apple Account and also lose your recovery information to reset it. It means that Apple can help you to recover your data. The downside is that because Apple has a key, they can be compelled to provide access to your information by governments across the world.
These categories are encrypted by default only and Apple has a key. Unless you turn on Advanced Data Protection:
- Apple Invites
- iCloud Mail*
- Contacts*
- Calendars*
- Freeform files
- iCloud Drive (your files)
- Photos
- Notes
- Reminders
- Safari Bookmarks
- Siri Shortcuts
- Voice Memos
- Wallet Passed
- And most importantly, iCloud Backups
*Mail, Contacts and Calendars can’t be end to end encrypted even with Advanced Data Protection. This is because it would break interoperatbiltiy with the global email system and the global CalDAV and CardDAV industry standards.
Some of the items on this list I’m sure most people can agree would seem to be important to keep safe. Especially personal photos, notes and voice memos. Enter Advanced Data Protection.
End to End Encryption + Advanced Data Protection 🔒
End to end encryption goes beyond standard encryption. Only you have a copy of the key to your data. Not even Apple has the key. So if you lose access to your Apple Account and also your Recovery Key or Recovery Contact, Apple can’t help you retrieve your data. They also can’t hand it over to the government since they don’t have a key.
These categories are end to end encrypted by default, even if you don’t turn on Advanced Data Protection:
- Apple Card Transactions
- Health Data
- Home Data
- Journal Data
- Maps pins, guides and search history
- Memoji
- Messages*
- Payment Information
- Keyboard Vocabulary
- Passwords and Keychain
- Safari History, Tab Groups and iCloud Tabs
- Screen Time Data
- Siri information and personalisation
- WiFi Passwords
- H1/W1 Bluetooth Keys
*Messages are end to end encrypted by default but only if you have iCloud backup turned off. If you enable Advanced Data Protection, they are end to end encrypted even with iCloud backup turned on.
What’s the big deal with Advanced Data Protection? 🌎
With the exception of Mail, Contacts, and Calendars, which rely on open standards, Advanced Data Protection activates end-to-end encryption for all of your data. The security and privacy of all categories of your data is upgraded, including your iCloud backups. It means that you and only you have the key to your data. Not even Apple can decrypt it or hand it over to a government, no matter how well-intentioned that government may be.
With Advanced Data Protection switched on, if Apple’s servers were somehow breached, then criminals or other state-sponsored attackers can’t access your data. That’s because Apple does not have a copy of the key to decrypt it. When switched off, Apple does have a copy of your key. So while this allows Apple to comply with government requests, it also invites hackers to attempt to breach their servers and access your data. Hopefully, you can begin to see the issue here.
Why isn’t it on by default if it’s so important? 😅
It’s not on by default because of the risk of data loss. End-to-end encryption requires that only you know the key to access your data. If you turn on Advanced Data Protection, Apple requires you to set up not the standard two layers of security, but three. The third being a recovery key or recovery contact. If you ever get locked out of your account and lose your recovery key or your recovery contact refuses to help you, Apple can’t do anything to help recover your data.
When you turn on Advanced Data Protection, it makes it clear that you should keep your recovery info safe. It’s made clear that you’re responsible, but we know that many people will still lose their recovery information anyway. For example, last year, the most common passwords were ‘123456’ and ‘Qwerty123’. Before storing a recovery key, people think they can always get their password and recovery info back later. But with Advanced Data Protection, only the recovery key/contact can help. Apple knows this, and they’re right to put the responsibility on us to not lose this info. That’s why it’s opt in, not opt out. If it were the other way around, millions of people would lose their backups every year because they forgot to keep their recovery key/contact safe or because they’re not tech-savvy.
What the UK government wanted Apple to do 🇬🇧
The UK government wanted Apple to create a way for them to access your end-to-end encrypted data by building a dangerous tool called a ‘backdoor’. A backdoor, in the simplest sense, is a piece of software that allows covert bypassing of encryption. What makes this dangerous is that if the software fell into the wrong hands, it can allow criminals or authoritarian regimes to access your private data too. It’s akin to leaving a key under the doormat for a family member. Great if only they know where it is. Not so great if a criminal decided to sniff around your home.
Put simply, there is no safe way to build a backdoor. Apple knows this and has consistently refused to build one. They refused the US government in 2016 following the San Bernardino terrorist attack. And they refused the UK government in 2025..
So what’s all the fuss about? 🤔
Rather than build a backdoor, Apple is withdrawing its Advanced Data Protection tool here in the UK. That means UK citizens won’t be able to benefit from end-to-end encryption for their iCloud backups, their photos, and more. You’ll only have Standard Data Protection. It means that should the UK government request it, Apple can now be compelled to hand over your data since they do store a copy of your encryption key when Advanced Data Protection is turned off.
“We are gravely disappointed that the protections provided by ADP will not be available to our customers in the UK given the continuing rise of data breaches and other threats to customer privacy. Enhancing the security of cloud storage with end-to-end encryption is more urgent than ever before.
“Apple remains committed to offering our users the highest level of security for their personal data and are hopeful that we will be able to do so in the future in the UK. As we have said many times before, we have never built a backdoor or master key to any of our products or services and we never will.”
Why is the UK government doing this? 👑
They’re doing this in an attempt to improve national security, detect crimes, enhance child protection, and prevent terrorism. On the surface, this sounds noble or at least altruistic. Of course, law-abiding people want to feel safe, for crime to be reduced, children to be protected, and for terrorism to be prevented. But this approach from the government is as flawed as it is dangerous.
Criminals will just stop using iCloud and move any nefarious activity to other platforms that remain end-to-end encrypted. Essentially, criminals will change the locks while the government can now unlock innocent users’ front door. Sure, Apple is still a guard dog for your data by keeping it encrypted on its servers. But state-sponsored attackers will now try exceedingly hard to put the dog down and access your key.
All the UK government has achieved in forcing Apple to withdraw Advanced Data Protection is weaken security for innocent people. This won’t have a meaningful impact on reducing crime or protecting children. But it will reduce privacy and online safety for everybody else. Given the state of the world right now, security needs to be enhanced and not weakened. It invites other governments, including authoritarian states, to make similar demands. It emboldens dictators while leaving innocent people exposed.
Why Apple had no other choice 🍏
The UK’s former conservative government passed a law in 2016 called the Investigatory powers bill. Colloquially known as the Snoopers’ Charter. It includes vast powers for the government to complete covert information collection on its citizens in the name of reducing crime and gathering intelligence. The law was later enhanced to include a power called a ‘technical capability notice’. The power enables the government to ask tech companies to do all kinds of nefarious things. Now the new left-wing government has chosen to wield this dangerous weapon.
The new government has asked Apple to break end-to-end encryption by building a backdoor. What’s even more insidious is that the law prevents Apple from even divulging that this request had been made. If they did, accountable executives at Apple or leakers if identified, would face criminal prosecution. Apple can appeal the request (and likely have) but are still required to implement the request while the appeal is heard. Of course, Apple also can’t divulge that an appeal has been made. We don’t know for certain how this became public. Maybe somebody at Apple leaked it to the press or maybe somebody with a conscience in the UK Government. But the Home Office won’t comment.
“We do not comment on operational matters, including for example confirming or denying the existence of any such notices.”
Apple had only two legal options.
Option 1 was to build the backdoor. It would achieve the objective of the government to be able to access user data. But a backdoor doesn’t respect land borders. Had Apple built this, not only would UK citizens be exposed, so would every Apple user worldwide. This is an act of serious government overreach with the UK government essentially asking Apple for a way to access the iCloud data of everybody on the planet. If it wanted to, the UK government could have peered into the phones of world leaders had Apple agreed to build this tool. Apple refused.
Option 2 was to withdraw advanced data protection and only offer standard data protection. It means that UK citizens can’t benefit from end-to-end encryption. And should the government ask to see a person’s iCloud backup or other data stored on Apple servers, Apple can now provide this since with standard data protection, Apple has a key.
Now there are pretty stupid takes on this issue online. Some people think that Apple should have refused not only the order to build a backdoor, but should have continued to offer Advanced Data Protection. That’s not a tenable position. Apple has to obey the laws in the countries it operates in. In this specific case, if Apple did not comply, its executives could face criminal prosecution. Perhaps Apple could be sanctioned. Or at the extreme end of the scale, be forced to cease operating in a key market.
Let’s think about that for a moment. For taking a stand on privacy, individuals, not Apple as a company, could face criminal prosecution. Is that fair or reasonable? I don’t think so. But there are some who have you point the finger at Apple. Rather than the UK government for building in personal criminal consequences into this intrepid law. Furthermore, millions and millions of the UK’s 80 million strong population use Apple devices. Businesses, students, the civil service, and the government themselves rely on Apple technology. Just pulling out of the market would have a hugely detrimental impact on its users, the UK economy, and Apple’s own economic standing. The UK is one of Apple’s most lucrative markets.
Would a part of me love to see Apple stick a finger up to the man? Sure. But it’s not realistic. Not unless Apple is willing for its employees and executives to accept criminal prosecution. Not unless Apple is willing to be forced to withdraw from the UK market and cause huge economic harm to itself, its users, and even the UK itself. And not unless Apple is willing to see how far the UK government will go. Most of its executives live in the USA. But they don’t benefit from diplomatic immunity. Would the UK make extradition orders for members of Apple’s leadership team? We don’t know. What we do know is that there was only one choice that Apple could make. That was to withdraw Advanced Data Protection. It’s a terrible choice, but of the legal avenues available, it was the only choice. At least now we know the government is spying on us.
I have nothing to hide so why should I care? 🤷
One of the biggest arguments in favour of the government is that age-old carrot of ‘if you’ve done nothing wrong, you’ve nothing to hide’. That doesn’t hold water. Really think about what privacy means to you. And if you don’t have any personal stakes in this, think about what it means to others.
Imagine a person who is LGBT but isn’t out to their family or their community for fear of persecution. They use their phone as a way to communicate safely and seek support. But suddenly their phone’s data is leaked in a data breach due to weakened security. They didn’t commit a crime. They didn’t do anything wrong. But all of a sudden find themselves endangered. Because their government, who should protect their privacy, decided that their safety wasn’t as important as spying on its citizens.
I’m sure you can think of other examples of where privacy has quite literally been the difference between life and death. That’s how serious this is in some cases. It’s not just about the government being able to peer through your holiday photos. It’s about self-agency. About the right to your own thoughts. Your freedom of speech. To love who you choose, to practice your faith with privacy, to be your authentic and true self. Nothing could be more important to the human experience than that. Wars have been fought over these issues for as long as human kind has been around.
So where does this leave us? 📢
It leaves us in a position where we either roll over and accept this. Or we organise. We don’t stand for it. We petition, we fight, and we refuse to capitulate. We don’t accept technically inept politicians breaking into our digital homes and stealing our data. We don’t allow misinformed users to weaken security for everybody in the name of ‘thinking of the children’. And we point fingers at the government, not the people trying to do something about it. The consequences are far too vast to ignore this issue.
There are many ways to gather intelligence, to keep our children safe, to reduce crime and prevent terrorist acts. But let’s be clear. There is only one tool available to us to keep our data out of the hands of bad actors and nefarious governments. End to end encryption. Some politicians would have you believe that we don’t have to choose between privacy and security by weakening encryption. That we’re still safe online. And that only criminals have anything to fear. This is a lie. It’s demonstrably untrue and privacy and security experts around the world are clear on this.
If you care about this issue as much as I care about your right to privacy, then sign my petition. And if you aren’t a UK resident, please share the petition, share this article with your family, friends, and online following. Let’s make enough noise that our voices are heard. And let’s tell the UK government (and any other government who might try) to get the hell out of our data.
Comments