I think the UK government's attempt to strong-arm Apple into giving it an ADP backdoor is a travesty – and so does most of the industry


Earlier this month reports emerged that the UK government issued an order to Apple to give it access to users’ encrypted data, reigniting the debate around digital privacy.

The issue centered around Apple’s Advanced Data Protection (ADP) tool, which is a feature that uses end-to-end encryption to ensure only users that are signed in on a trusted device can view their personal files, excluding even Apple from accessing the data.

The order issued by the government, which will not be published, would have required Apple to give authorities a backdoor through which they could access the encrypted data for UK users. Apple has consistently reiterated that it opposes creating any backdoors for its encryption because doing so defeats the entire purpose of encryption – so it opted to simply turn off ADP in the UK, meaning that not all customer data stored via iCloud will be fully encrypted.

I believe the UK government’s decision is a total travesty, both from the perspective of global privacy and cybersecurity, as well as its ability to compete in the global tech industry.

Firstly, from a consumer rights perspective this is an unquestionable loss. Though the government maintains that encryption backdoors are important for combatting crime, this logic totally misses the myriad ways in which encryption protects citizens.

Modern cryptography techniques have been a huge leap forward in terms of protecting people’s private data. Encryption means you can access your bank account from your phone securely, or view medical records online without worrying about cyber criminals intercepting your communications.

The bottom line is that in the internet age encryption is vital for almost all digital services and the continued attempts by governments to ensure they have a master key not only violates privacy, but undermines the overall security of the internet.

UK demands could set privacy and security back decades

What the government fails to understand is that compromising the integrity of end-to-end encryption will introduce a raft of new harms for individuals and businesses alike.

As previously stated, introducing a backdoor to break encryption defeats the purpose of the entire exercise and gives malicious actors an easy target for compromising the most sensitive data.

The UK government has made similar attempts at circumventing encryption layers used by private companies in the past, as noted in a 2015 paper published in the Journal of Cybersecurity looking at the security implications of requiring ‘exceptional access’ to information systems.

In the paper, researchers perfectly laid out why government efforts to access information would hinge on developers coming up with designs that minimized the impact of breaches, but that this is “unworkable in practice” and would set the global cybersecurity community back decades.

“The complexity of today’s Internet environment, with millions of apps and globally connected services, means that new law enforcement requirements are likely to introduce unanticipated, hard to detect security flaws,” the researchers wrote.

The UK government is setting a dangerous precedent by insisting its agencies be given a backdoor to private companies’ encryption systems. It frequently lambasts other governments such as China for privacy violations, but the latter still allows Apple’s ADP technology in the region.

I’m far from alone in my feelings of disappointment in the government for pushing ahead with its decision. Experts from across the tech sector have argued that undermining encryption is unacceptable.

In an unpublished letter shared on X, Meredith Whittaker, president of the Signal Foundation, which has warned it may have to quit the UK if it continues to undermine end-to-end encryption, wrote that the move puts sensitive information belonging to UK businesses and citizens at “grave risk from malicious actors”.

“Technically illiterate” request risks harming UK’s tech ambitions

The current government follows the last in citing its ambition for the UK to become a global tech hub and unlock AI opportunities. But by taking actions like this, it is seriously shooting itself in the foot.

Legal experts such as Will Richmond-Coggan, a partner specializing in cybersecurity and privacy disputes at Freeths LLP, said Apple’s decision to turn off ADP could have a domino effect on other major tech companies, warning “the UK may no longer be seen as a safe destination for personal data”.

“If that in turn results in the UK losing its adequacy status with the EU, every company doing business in Europe will be subject to additional costly compliance obligations, hampering the government's plans for growth, and a closer European political relationship.”

Whittaker described the move as “technically illiterate”, restating that Signal would sooner stop operating in the UK than compromise its encryption.

“The UK's technically illiterate demand also undermines its ambitions to become a tech hub. You can’t be tech friendly while eroding the foundation of cybersecurity on which robust tech depends. Encryption is not a luxury – it is a fundamental human right essential to a free society that also happens to underpin the global economy,” she argued.

This furore all started with the UK government taking exception to an optional feature that the majority of users don’t have turned on – making a mountain out of a molehill – but it could have major consequences.

The government should roll this back, and quickly, if it wants to send the right signals to global business and regain any credibility it has on discussions on privacy and cybersecurity.

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.