In the beginning of February, Apple may have received a secret order requiring the company to create an encryption backdoor. According to a leak, the UK government demanded blanket, covert access to all sorts of encrypted data globally. After that demand, Apple decided to disable Advanced Data Protection for iCloud in the UK, issuing an official statement. What does that mean for the law enforcement, and what consequences are expected for the end users?

How Advanced Data Protection for iCloud Works

Apple’s Advanced Data Protection for iCloud is an optional security feature that enables end-to-end encryption for most iCloud data, ensuring only users can access their information. Encryption keys are stored exclusively on the users’ designated trusted devices, preventing even Apple from decrypting data.

• What’s covered: iCloud Backup, Photos, Notes, and more
• Unprotected data: some data remains unprotected to ensure compatibility with third-party tools and services (e.g. Mail, Contacts, Calendar)
• How to enable: manual activation in Settings is required, followed by adding a recovery method (trusted contact or recovery key)
• Purpose: additional protection against breaches and unauthorized access. Losing access to both recovery options can result in permanent data loss
• Drawbacks: shifts recovery responsibility to users; Apple cannot assist in data recovery
• Availability: available globally with few exceptions. Apple does not maintain an official list of countries where ADP is or is not available

Some cloud data remains end-to-end encrypted even if Advanced Data Protection is turned off or not enabled. The data includes iCloud Keychain (stores logins and passwords), Health, Safari browsing history and tabs, and more. Apple will not return any of these data when serving law enforcement requests; however, Elcomsoft Phone Breaker can be used access these categories if provided with the user’s Apple ID, password, two-factor authentication, and a screen lock passcode or system passwords to one of the user’s trusted devices. Notably, there are no forensic tools on the market supporting cloud extractions from accounts with Advanced Data Protection for iCloud enabled.

A Secret Order

In a long, comprehensive article published by Ars Technica, the media noted that the Technical Capability Notice was reportedly issued by the UK Home Office under the Investigatory Powers Act (IPA). The 2016 law states the “Duty not to make unauthorised disclosures” of the existence or contents of a warrant issued under the act.

Apple’s Statement

Apple, a long-time advocate of encryption, did not take this decision lightly. In an official statement, the company expressed its disappointment:

“Apple can no longer offer Advanced Data Protection (ADP) in the United Kingdom to new users and current UK users will eventually need to disable this security feature. ADP protects iCloud data with end-to-end encryption, which means the data can only be decrypted by the user who owns it, and only on their trusted devices. We are gravely disappointed that the protections provided by ADP will not be available to our customers in the UK given the continuing rise of data breaches and other threats to customer privacy. Enhancing the security of cloud storage with end-to-end encryption is more urgent than ever before. Apple remains committed to offering our users the highest level of security for their personal data and are hopeful that we will be able to do so in the future in the United Kingdom. As we have said many times before, we have never built a backdoor or master key to any of our products or services and we never will,” Apple said in its statement shared with Forbes.

While law enforcement may regain access to iCloud data after the abolition of Advanced Data Protection, this comes at a significant cost to user privacy. Even though our own tool Elcomsoft Phone Breaker will once again work on affected accounts, the broader implications of this decision are far more concerning.

A Precedent with Global Consequences

As soon as you weaken encryption for one, you’ve weakened it for everyone.
Joe Hancock, Head of Cyber at Mishcon de Reya

In the digital age, privacy and security are often framed as competing interests. Governments argue that sacrificing some privacy is necessary to maintain public safety, and this is a valid point if investigative activities are performed under a legal framework. But what if the legal framework itself is flawed, allowing government agencies for covert, global access to user’s personal information? History has shown that this trade-off is rarely fruitful. Instead, it leads to a reality where neither privacy nor security is truly protected. The recent developments involving Apple and the UK government’s demand for an encryption backdoor demonstrate this dilemma in action, proving once again that when privacy is compromised under the guise of security, the real outcome is a loss for everyone.

What happens in the UK will not stay in the UK. If Apple is forced to comply with one government’s demand for a backdoor, others – such as the U.S., Australia, or EU – will inevitably follow suit. Once a precedent is set, the floodgates open. This is not speculation; history shows that government surveillance laws, once enacted, rarely scale back. Instead, they expand, and the erosion of privacy accelerates.

The argument that “if you have nothing to hide, you have nothing to fear” is dangerously flawed. Privacy is not about secrecy – it is about control over one’s personal information. Security is not about access – it is about trust in the systems that protect our data. When one is sacrificed for the other, both are ultimately lost.