The IT Nerd

By Vincentas Baubonis

Apple swore it would never build a backdoor. But by killing end-to-end encryption (E2EE) for UK users, it just left the door open. Under pressure from the British government, Apple quietly pulled Advanced Data Protection (ADP) – stripping UK users of their strongest defense against mass surveillance. Now, authorities can demand access to iCloud backups, something even Apple couldn’t touch before.

But here’s where it gets even messier: Apple didn’t just roll over – it fought back. Instead of complying with the UK’s sweeping demand for a built-in “back door,” Apple appealed. US officials are now investigating whether the UK violated the CLOUD Act.

Bad news for UK users? Absolutely. But here’s the real kicker: this isn’t just a UK problem. If people think their iCloud data is safe just because they don’t live in the UK, they might want to rethink that.

1. The UK just became the weakest link in Apple’s security model.

Encryption’s strength depends on its weakest point. By stripping UK users of ADP, Apple has created a jurisdiction where iCloud data is less protected by default. End-to-end encryption requires all participants to have ADP enabled to maintain the highest level of security. This means that any iCloud file, photo, or backup shared with a UK user is now more exposed than it would be elsewhere. 

By stripping UK users of ADP, Apple has created a high-value target for attackers. If UK iCloud data is no longer encrypted end-to-end, it’s more vulnerable to hacking, government surveillance, and legal demands. If that data is shared with a non-UK user, their data is also at risk – even if they still have ADP enabled.

Cybercriminals and state-backed hackers actively exploit low-security regions to gain footholds into global systems. Look no further than Russia’s 2020 SolarWinds attack, where attackers targeted less-secure systems to pivot into US federal networks. Creating an intentionally weaker iCloud environment in the UK gives adversaries an entry point that could be exploited to compromise data beyond British borders.

2. This creates a precedent for more governments to demand the same.

Governments worldwide are watching Apple’s move closely. If the UK can pressure Apple into rolling back encryption, other countries may demand similar concessions.

The FBI has long pushed for encryption backdoors, arguing that law enforcement needs access to private communications. In 2020, then-Attorney General William Barr pressured Apple to weaken encryption in the name of national security. The UK’s success gives US agencies leverage to try again.

The EU is currently debating legislation that could mandate message scanning in encrypted apps, including Apple’s iMessage. The UK’s demand will encourage lawmakers pushing for surveillance-based security policies.

Authoritarian regimes like China and Russia have previously sought access to Apple user data. If a democratic country like the UK can force Apple to roll back encryption, regimes with less regard for privacy will use this as justification for even harsher demands. Simply put: if Apple caves once, expect more governments to have similar requests.

3. Weak encryption could fuel the growing wave of cyberattacks. 

Encryption is a core cybersecurity defense. When end-to-end encryption is removed, data can become a bigger target for cybercriminals and state actors.

Last year’s numbers show how active cyber criminals are:

• Mobile malware continued to rise – 6.7 million attacks involving malware, adware or potentially unwanted mobile apps were blocked in Q3 2024 by the Kaspersky Lab alone.
• The average cost of a data breach reached 4.88 million USD.
• Ransomware attacks surged, and nearly all the key numbers – ransomware gangs, targets and payouts – went up; for instance, the medium ransom payment skyrocketed from less than 199,000 USD in early 2023 to 1.5 million USD in June 2024.

4. Apple’s credibility on privacy is crumbling. 

Apple has long marketed itself as a privacy-first company. It famously fought the FBI’s demand to unlock an iPhone in the 2016 San Bernardino case, refusing to build a backdoor. But its decision to proactively disable ADP under UK pressure suggests that its commitment to encryption is negotiable when governments apply enough force.

Apple’s statement claimed it was “deeply disappointed” by the UK’s move, but disappointment doesn’t undo the damage. It appears that Apple doesn’t control its own encryption policies anymore – governments do.

What can users do?

If you’re a non-UK user, your data might still be protected – for now. You should approach Apple services with caution:

• Avoid iCloud for sensitive backups – consider using encrypted alternatives like Proton Drive, Tresorit, or self-hosted storage.
• Encrypt locally before uploading – use tools like Cryptomator to encrypt files before storing them in the cloud.
• Follow legislative debates on encryption – policies like the UK’s could soon come to other countries.
• Pressure Apple to resist further rollbacks – public outcry influences corporate decision-making. If users accept this, more encryption rollbacks will follow. In other words, the power to strengthen data security is also in users’ hands.

ABOUT THE EXPERT

Vincentas Baubonis is an expert in Full-Stack Software Development and Web App Security, with a specialized focus on identifying and mitigating critical vulnerabilities in IoT, hardware hacking, and organizational penetration testing. As Head of Security Research at Cybernews, he leads a team that has uncovered significant privacy and security issues affecting high-profile organizations and platforms such as NASA, Google Play, and PayPal. Under his leadership, the Cybernews team conducts over 7,000 pieces of research annually, publishing more than 600 studies each year that provide consumers and businesses with actionable insights on data security risks.