EFFecting Digital Freedom
U.K. vs. Encryption: What Does It Mean For Privacy Worldwide?
by Joe Mullin
The encryption backdoors are here.
Earlier this year, the U.K. government pressured Apple to provide access to end-to-end encrypted cloud backups, or what Apple calls Advanced Data Protection (ADP). Instead of complying - which would introduce an encryption backdoor into iCloud backups - Apple has chosen to remove the encrypted backup feature for U.K. customers entirely.
The change makes U.K. customers more vulnerable to surveillance and malicious hacking. But this is just one skirmish in a crypto war that's been ongoing for decades. Since the 1990s, law enforcement and national security agencies in Western democracies have been engaged in a misguided push to undermine encryption. EFF and other advocates for strong encryption have pushed back, pointing out that there is no backdoor that only works for the "good guys," and there never will be.
Even though this demand was made by the U.K., if agreed to, it would amount to a blanket, worldwide backdoor. Any backdoor built for any government puts everyone at greater risk. Just last October, millions of U.S. communications were compromised by the Salt Typhoon hack, in which a Chinese government-backed hacking group was able to infiltrate some of the same "lawful access" systems built by U.S. Internet service providers for law enforcement.
How We Got Here
In 2016 the U.K. passed the Investigatory Powers Act (IPA), also known as the "Snooper's Charter" because it grants the government broad surveillance powers, including the ability to compel companies to facilitate government access to private user data. According to news reports, this is the authority that the U.K. government tried to use to force Apple to weaken ADP.
Apple's Advanced Data Protection feature, introduced in 2022, ensures that files stored in iCloud - including backups, messages, and photos - are end-to-end encrypted, meaning that not even Apple can access them. End-to-end encryption is already applied, by default, to photos or chats sent in iMessage. ADP just makes iCloud backups as secure as those chats and photos.
Faced with the choice of weakening encryption for everyone or removing the option of ADP for U.K. users, Apple chose to degrade its offerings in that country. Apple has had a long-standing promise that it will never build a backdoor into its products or services. But by throwing out its strongest level of encryption in one country, it's rung an alarm bell to tell us all that our privacy and security are at risk.
Ramifications Around the World
There's no doubt that other countries - including non-democratic regimes - will look to the U.K. backdoor as an example to be followed. At this point, users in any other country can use ADP; but police in other countries will want the same type of access that U.K. officials have demanded. The French parliament is currently debating a proposal to degrade encryption in the name of fighting drug traffickers.
Weakening encryption not only puts us all at greater risk of identity theft and fraud; it violates fundamental human rights. That's not hyperbole: last year, the European Court of Human Rights ruled that government-required encryption backdoors that weaken encryption can lead to general and indiscriminate surveillance of the communications of all users, and violate the human right to privacy. Encrypted communications are the digital world's closest emulation of private, in-person conversation. That's something we all have a right to.
What Users Can Do Now
Apple is fighting the order. But for now, the removal of ADP means iCloud backups of Apple users in the U.K. are more vulnerable to government access and malicious actors. But Apple isn't the only company offering end-to-end encrypted backups. Chat backups in WhatsApp as well as backups from Samsung Galaxy phones have end-to-end encryption options that can be enabled, as do many chat apps, including Signal.
For Apple users outside the U.K., now is a good time to turn on ADP if you haven't already, and encourage others to do so. A few additional steps are required, including either creating a recovery key for your data (since Apple won't have one) or designating a person as a trusted contact. In addition to providing more protection for yourself and those around you, the spread of end-to-end encryption also creates a new political reality: the more people who use the feature, the harder it will be for governments to shut it down.
We must demand that our governments oppose encryption backdoors. Digital rights organizations like EFF offer advocacy tools that make it easy to contact your elected representatives and speak up on behalf of encryption. We can and must tell our own leaders that we won't accept the path the U.K. has gone down - a road that makes its own citizens less safe and less free.