Privacy advocates worry that a change in an iPhone security feature in the United Kingdom, and the ongoing battle between Apple and the UK government, could have worldwide ripple effects.
Earlier this year, the UK demanded, under the Investigatory Powers Act, that Apple create a backdoor to allow the government to access encrypted data on people’s phones. But instead of making a backdoor, Apple burned the whole house down in the UK market, pulling the data protection tool, to avoid having to comply.
“As we have said many times before, we have never built a backdoor or master key to any of our products or services, and we never will,” Apple said in a statement, adding that it was “gravely disappointed” by the government request.
As a result, an estimated 35 million iPhone users in the UK do not have access to the optional end-to-end encryption feature called Advanced Data Protection, which ensures that only users can access their personal data, such as photos and messages.
Apple has lodged an appeal with the UK Investigatory Powers Tribunal seeking to overturn the order, and calls have grown for the hearing to be made public.
Data and privacy experts are alarmed.
“This is only bad news, and I’m finding it difficult to call it anything other than a disaster. The loss of end-to-end encryption for cloud storage is wholesale bad — it leaves users less secure and private — but the global consequences tip this into far worse territory,” said David Ruiz, online privacy expert at Malwarebytes.
“What’s particularly galling is that, for more than a decade, the EU has made a justifiable fuss about data transfer between our two nations,” Ruiz said.
The thinking was that EU citizens’ data could not be reasonably protected when it crossed into the U.S. because of the National Security Agency surveillance programs. Trade agreements are intended to iron out the details, Ruiz said, pointing to a Safe Harbor agreement used before it was struck down in 2015, and an agreement called the US-UK Privacy Shield which has been in place since then.
“With the UK’s order, I legitimately do not know what happens to the US-UK Privacy Shield,” he said.
The last time there was an order of this magnitude was the Edward Snowden revelations, when The Guardian revealed that the FBI had asked Verizon for the call details records for incoming and outgoing calls in the United States.
A data security ‘earthquake’ sending tremors across world
Ruiz isn’t alone in his concerns.
“This is a wake-up call for CISOs navigating the intersection of security, privacy, and government oversight,” says Dray Agha, security operations manager at Huntress Labs.
Agha says that while the government wants access to the data, building such a backdoor would create a systemic risk. Oonce a vulnerability is introduced, it’s only a matter of time before unintended actors exploit it.
“If governments can access data, so can adversaries: cybercriminals, hostile nation-states, and malicious insiders,” Agha said, adding that the absence of strong encryption in iCloud increases the risk of insider threats, unauthorized government access, and potential data breaches.
Similar data privacy battles could be coming to the U.S. and other nations.
Ruiz says that this may embolden the “Five Eyes” nations (a so-called intelligence alliance consisting of Australia, New Zealand, Canada, USA, and UK), to make a similar demand of Apple.
“Privacy’s global dominos are wobbling,” said Javad Abed, an assistant professor of information systems at Johns Hopkins Carey School of Business. “This is a policy earthquake.”
Whether in the UK or globally, the ability to control your own encryption and data sovereignty is becoming a non-negotiable pillar of personal security, Agha said, and users need to recognize that the UK move is a symptom of the growing tension between governments and personal security.
To start, people should check the privacy settings on their phones.
Many consumers have older phones, and those who don’t have auto updates enabled may miss critical security updates, which could include messaging apps that allow for end-for-end encryption. Settings on transferred apps might not migrate with a new phone.
“If users have enabled end-to-end encryption for apps on your prior phone, it’s also a good idea to check that the settings are enabled on the new phone as well,” Agha said.
The same advice applies to non-Apple phone users. “Samsung is not immune, so Galaxy fans should be concerned,” Agha added.
U.S. privacy protections and government surveillance
Abed says the U.S. government has a long history of wrestling with tech companies over encryption and that the FBI has frequently argued that encryption hampers law enforcement.
“Some lawmakers might see the UK situation as a playbook,” he said.
UK success in this battle could embolden the U.S. to pursue executive action or application of existing statutes to accomplish a similar aim, but Abed says the U.S. does have strong free speech protections and a fragmented legislative process that would make requiring a backdoor more difficult. “And the bipartisan backlash would be fierce,” he said, citing senators on both sides of the aisle — Rand Paul (R-KY) and Ron Wyden (D-OR) — who have pushed back against weakening protections.
Elle Farrell-Kingsley, a UK-based futurist and tech expert who has helped formulate AI policy research for UK Parliament, says the strong constitutional protections and existing legal precedents that favor encryption in the U.S. are a solid starting point for a broad phone user security firewall.
There does tend to be bipartisan interest in regulating online platforms, especially when it comes to child safety. “What makes the UK’s Online Safety Act particularly noteworthy is now its extraterritorial reach,” Ferrell-Kingsley said, noting that foreign companies serving UK users must comply with the law, which could theoretically affect U.S.-based firms that offer encrypted messaging services in the UK.
She noted that similar proposals have been vaguely discussed in the U.S., such as the proposed EARN IT Act, which would create liability risks for companies that offer encrypted messaging without access for law enforcement. It has been introduced specifically to address child safety concerns, but some civil liberties groups say it is a license for government surveillance.
Ferrell-Kingsley says that if the UK’s regulatory body enforces compliance, companies would need to decide whether to create UK-specific versions of their products, withdraw services from the UK entirely (as Apple has done with certain features or threaten to leave the UK entirely, as encrypted messaging app Signal has done), or risk penalties.
While she thinks replication of action in the U.S. is unlikely, the consequences would be significant.
“If U.S. lawmakers follow the UK’s example, it could lead to expanded government surveillance and a rollback of strong privacy protections,” she said.
“In short, the loss of end-to-end encryption is bad, yes,” Ruiz said. “But the global impact of this demand has extremely dangerous and idiotic potential.”