Experts Comment: What Do Apple’s New Data Protection Laws Mean For UK Consumers?

Last week, Apple announced that it withdrew Advanced Data Protection from its UK users.

This announcement came after the UK government demanded that Apple give its security services access to user data, in order to help them crack down on crime. They argued that these data protection laws, whilst beneficial for most people, were stopping police forces from being able to catch criminals.

The problem is that opening up these systems to governments also makes them vulnerable to hackers and data breaches – potentially putting people’s personal information at risk.

 

 

Advanced Data Protection provides a layer of protection over iCloud data, which includes things like images and iMessage.

This protection, in the form of encryption, means governments (and even Apple) are unable to read the data in the Cloud.

Advanced Data Protection currently protects all elements stored in the Cloud, including photos, voice memos, wallet passes and more. For those of us in the UK, this means the data is now potentially accessible by law enforcement, although they do need a warrant to access it.

For many, this has raised questions about how secure Apple data now is. And in a world where cybercriminals are a serious threat, could this affect Apple’s reputation as a secure place to store information?

Commenting on the news, Apple said:

“We are gravely disappointed that the protections provided by ADP will not be available to our customers in the UK given the continuing rise of data breaches and other threats to customer privacy. Enhancing the security of cloud storage with end-to-end encryption is more urgent than ever before.

“Apple remains committed to offering our users the highest level of security for their personal data and are hopeful that we will be able to do so in the future in the UK. As we have said many times before, we have never built a backdoor or master key to any of our products or services and we never will.”

To find out more about what this could mean for UK consumers, we asked the experts. Here’s what they had to say:

 

Our Experts

 

  • Dominic Holden, Director in the Dispute Resolution team at Lawrence Stephens
  • David Ruiz, Senior Privacy Advocate at Malwarebytes
  • Jacob Kalvo, Co-Founder & CEO at Live Proxies
  • Elvis Sun, Software Engineer at Google & Founder of PressPulse
  • Matthew Hodgson, CEO at Element
  • David Johnston, Code Maintainer at Morpheus
  • Cache Merrill, Founder at Zibtek
  • Tom Gaffney, Director of Business Development and Embedded Security at F-Secure
  • Sarah Bone, CMO and Co-Founder of YEO Messaging
  • Paul DeMott, Chief Technology Officer at Helium SEO
  • Mark Wilshaw, Cyber Security Services Manager and Information Security Manager at SYTECH
  • Nicola Cain, CEO & Principal Consultant at Handley Gill Limited
  • Pierre Noel, Field CISO EMEA at Expel
  • David Gourlay, Partner at Law Firm, MFMac
  • Ayush Trivedi, Co-Founder and Director of Audacix
  • Katherine Howard, Head of Education and Wellbeing at Smoothwall by Qoria
  • Professor Raj Rajarajan, Professor of Security Engineering & Director Institute for Cyber Security, City St George’s, University of London
  • Paige Schaffer, CEO of Iris® Powered by Generali

 

For any questions, comments or features, please contact us directly.


 

Dominic Holden, Director in the Dispute Resolution team at Lawrence Stephens

 


 

“Balancing privacy rights with the needs of national security is a tightrope that tech companies walk daily. In this case, it appears Apple have begun to teeter.

“End-to-end encryption allows users to more effectively secure their data and better protect it from hackers and other bad actors. However, it can also allow criminals to plot and conduct illicit activity.

“Aside from whether the public trust that a back door such as this will not be misused by the government, the danger of a back door is that it also creates a vulnerability which a hacker may be able to exploit.

“Apple’s decision to withdraw UK users’ ability to encrypt data removes an effective weapon to protect against hacking, whilst hackers and other bad actors will likely migrate to alternative encrypted services that the government cannot access.”

 

David Ruiz, Senior Privacy Advocate at Malwarebytes

 


 

“This is only bad news and it is difficult to call it anything other than a disaster. The loss of end-to-end encryption for cloud storage is wholesale bad—it leaves users less secure and private—but the global consequences tip this into far worse territory.

“Security officials asked not only that Apple allow the UK government access to UK residents’ encrypted cloud storage, but that the UK government get access to any Apple user’s encrypted cloud storage. To demand access to the world’s data is such a brazen, imperialist manoeuvre that I’m surprised it hasn’t come from, well, honestly, the US. This may embolden other countries, particularly those in the “Five Eyes,” to make a similar demand of Apple.

“What’s particularly galling is that, for more than a decade, the EU has made a justifiable fuss about data transfer between our two nations. The thinking was that EU citizens’ data could not be reasonably protected when it crossed into America because of our own NSA surveillance programs. This is why we’ve had trade agreements to iron out the details (Safe Harbor was the agreement we used for a while but it was struck down in 2015. That paved the way for a new agreement called the US-UK Privacy Shield).

“With the UK’s order, I legitimately do not know what happens to US-UK Privacy Shield. The last time we saw an order of this magnitude was before the Snowden revelations when The Guardian revealed that the FBI had asked Verizon for the call details records for all incoming and outgoing calls in the United States for the past three months. We never learned what the FBI was so afraid of, but we did learn that they’d been emboldened by a post-9/11 surveillance regime that gave them nearly everything they wanted.

“In short, the loss of end-to-end encryption is bad, yes. But the global impact of this demand has extremely dangerous and idiotic potential.”

 

Jacob Kalvo, Co-Founder & CEO at Live Proxies

 


 

“The removal of the much talked about Advanced Data Protection (ADP) feature in the UK is an important event affecting the privacy and security of consumers in the UK. ADP encrypts highly sensitive data – like images and documents stored in iCloud – on a basis of end-to-end encryption, which means only the account holder has the key to the decryption; not even Apple can access that data. This security feature ensures that personal information stays away from prying eyes, including those from governments and malicious actors.

“However, in response to a request by the government of the UK under the Investigatory Powers Act (IPA), Apple found itself obliged to turn off this feature in the UK. The law enforcement request requires technology providers like Apple to access data if requested; in this respect, it violates the very service ADP offered in terms of encryption.

“Thus, UK consumers’ iCloud data will no longer be protected by protection given through encryption. Apple will continue to employ standard encryption but can access it, which means that with a warrant if presented, the access will be provided to law enforcement. This dramatically puts UK users at higher risk especially since cybercriminals typically attempt to exploit weak points in data protection. Thus, I would strongly advise UK customers to double-check their measures for securing private information.

“This could involve things like the use of third-party encryption services to encrypt data before uploading it to cloud services, and changes to passwords on a regular basis; products that allow for both authentication and MFA across the board on all accounts. There should also be consideration of the possibility of using encrypted local backups or services that uphold strong encryption policies for privacy. It is an urgent message to the rest of the planet about how privacy is being eroded by governmental regulations. In this set of times, people need to learn and do something to at least cover their backs in an ever-increasing world of connectivity and surveillance.”

 


 

Elvis Sun, Software Engineer at Google & Founder of PressPulse

 

 

“Apple’s new data protection laws are a significant step forward in consumer privacy, and as someone who has worked on both the engineering and business sides of tech, I’d like to share my perspective:

“The Rise of Privacy-First Design:

“Businesses are being pressured by the new regulations to implement privacy-first design principles. This implies that rather than considering user privacy as an afterthought, apps, and services must now give it a top priority from the beginning. For example, developers are urged to use strong encryption techniques, anonymize user data, and collect as little data as possible. In addition to assisting businesses in meeting legal requirements, privacy-first design fosters user trust. Customers should give preference to apps that use on-device processing or end-to-end encryption and search for those that explicitly outline their data practices in their privacy policies. Sensitive information is kept safe and within the user’s control thanks to these features.

“For consumers looking to maximize these protections, I recommend:

“Using Hide My Email feature for online services

“The “Hide My Email” feature for online services is a suggested remedy for customers looking to optimize the protections provided by these new laws. This feature adds an extra degree of security and privacy by enabling users to generate distinct, random email addresses to use when registering for different services.

“Note: The views and opinions I express above are entirely my own, stemming from my personal experiences and observations. They don’t reflect Google’s stance on any matter.”

 

Matthew Hodgson, CEO at Element

 

 

“It’s not a surprise to see Apple switch off end-to-end encrypted iCloud for the UK. It had no choice. You cannot offer a secure service and then backdoor it – because it’s no longer a secure service. 

“According to our research, 83% of UK citizens want the highest level of security and privacy possible, yet the UK government has just put Apple’s UK customers’ data at risk.

“It is impossible to have a safe backdoor into an encrypted system. Time and again it has been proven that any such point of entry is exploited by bad actors. Salt Typhoon is the current and obvious example, which has seen law enforcement backdoors in the US public telephone network being hijacked by a cyberattack group believed to be operated by the Chinese government. The US is urging its citizens to use end-to-end encrypted services.

“The last 70 years of geopolitical stability is fracturing before our eyes, and the UK is increasing its defence spending. Simultaneously we’re witnessing the UK undermining end-to-end encryption; a key part of the nation’s cybersecurity.”

 

David Johnston, Code Maintainer at Morpheus

 


 

“In response to a secret UK government order under the Investigatory Powers Act, Apple has discontinued its optional Advanced Data Protection (ADP) feature for iCloud in the UK as of February 21, 2025. The order demanded that Apple create a backdoor to access end-to-end encrypted iCloud data globally, which would have compromised user privacy worldwide.

“Instead of complying, Apple removed ADP for new UK users and plans to phase it out for existing users, who will need to disable it manually to continue using iCloud. ADP provided end-to-end encryption for additional iCloud data categories like backups, photos, and notes.

“While this change removes that enhanced protection in the UK, default end-to-end encryption for 14 key iCloud categories (e.g., Health data, passwords, iMessage, and FaceTime) remains intact. The move reflects Apple’s refusal to build a backdoor, prioritizing user security despite reducing optional encryption options for UK customers. It’s good to see Apple taking this stand to protect user privacy.”

 


 

Cache Merrill, Founder at Zibtek

 

 

“Apple’s new data protection measures represent a significant advancement for consumer privacy. By enforcing stricter guidelines for how apps collect, store, and share data, these regulations ensure that users have clearer insights and more control over their personal information.

“At its core, Apple is setting a higher industry standard by mandating robust encryption, transparent consent protocols, and on-device data processing where feasible. This shift not only minimizes the risk of unauthorized data breaches but also encourages a culture of privacy-first development among third-party app creators.

“However, while these changes offer enhanced safeguards, they are not a substitute for personal cybersecurity vigilance. Consumers should complement these protections by maintaining strong, unique passwords, enabling two-factor authentication, and keeping devices up to date with the latest security patches.

“Regularly reviewing app permissions and privacy settings can further bolster personal security. In essence, while Apple’s initiatives mark a proactive stride in protecting digital identities, the responsibility of securing personal data ultimately remains a shared effort between technology providers and end-users. Staying informed and taking proactive steps will empower consumers to navigate the evolving digital landscape with greater confidence and resilience.”

 

Tom Gaffney, Director of Business Development and Embedded Security at F-Secure

 

 

“When encryption gets chipped away, it’s not just privacy that suffers—it’s safety. Apple’s decision shields its principles, but UK users are left exposed to hackers who’ll exploit any weakness. This mess proves why strong, accessible security matters more than ever. UK consumers shouldn’t have to fend for themselves because of a government overreach.”

 

Sarah Bone, CMO and Co-Founder of YEO Messaging

 


 

“Last week the UK government issued a “technical capability notice” under the Online Safety Act, requiring Apple to provide access to encrypted iCloud backups. In response, Apple announced that it would discontinue its Advanced Data Protection feature for UK users, rather than compromise its encryption standards. Apple argues that weakening encryption compromises user privacy and security by creating potential backdoors that could be exploited negatively by hackers or government regimes.  

“Apple’s latest data protection measures are a big win for consumer privacy, reinforcing its stance as a leader in digital security. Expanding encryption and on-device processing means even Apple can’t access certain user data, a major step forward. However, while these safeguards add critical layers of security, they don’t make users invulnerable. Privacy features are only as strong as the habits of the people using them.

“One key challenge is account recovery. With stronger encryption, losing access to your device or Apple ID could mean permanently losing your data. Additionally, while these updates limit external access to personal information, hackers don’t need to break encryption when they can manipulate human behaviour. Phishing, social engineering, and weak passwords remain some of the biggest vulnerabilities, regardless of new security measures.

“Consumers should actively review their privacy settings, enable multi-factor authentication (MFA), and remain cautious of unsolicited messages or requests for personal information. While Apple’s updates are a step in the right direction, data protection is a shared responsibility. The best security comes from a combination of strong technology and informed user behaviour—because even the most secure systems are only as safe as the people using them.”

 


 

Paul DeMott, Chief Technology Officer at Helium SEO

 


 

“Personally, I’ve seen first hand how tech companies, including Apple, are adapting to the growing need for data privacy. With Apple’s new data protection laws, they are making strides toward offering consumers more control over their personal information. From the way I see it, these changes are designed to protect user data from misuse and limit how much personal data can be shared with third parties.

“For users, these updates mean they’ll have better transparency and control over their data. Apple’s new features give you the power to track what data apps can access and allow you to limit certain permissions. The data-sharing transparency updates are also a big deal. Apps now have to clearly list their data collection practices before you even download them. You’ve probably noticed those pop-up prompts that give you a snapshot of an app’s data policy.

“While Apple’s data protection features are a great start, I recommend using additional methods like VPNs and strong passwords to ensure that your data remains as secure as possible. Even with all the built-in protections, a little extra effort on your part can go a long way in keeping your digital life safe. Because with every shift in data protection, comes the consumer’s responsibility to stay proactive.”

 

Mark Wilshaw, Cyber Security Services Manager and Information Security Manager at SYTECH

 

 

“The removal of Apple’s Advanced Data Protection (ADP) does lower the level of security for a user if they had previously opted to turn this feature on. iCloud uses end-to-end encryption to protect user data. To encrypt data, there must also be a key to decrypt the data when a user or device wants to view it. When using ADP, the decryption key is stored on the user’s ‘trusted devices’.

“This means that if a user’s iCloud account became compromised by a hacker, they would not be able to read any of the personal data on the account as they are not accessing the account from one of these ‘trusted devices’. With ADP being disabled, the decryption keys are stored on Apple servers, meaning that any user accessing the account, genuine or malicious, would be able to read the data.

“The alternative is for a user to take the protection of their data into their own hands. There are free and open source tools available, such as Cryptomator, which allows a user to encrypt their own data and manage the decryption keys without requiring a great deal of technical knowledge to do so.”

 

Nicola Cain, CEO & Principal Consultant at Handley Gill Limited

 

 

“If you back up your iPhone or use iCloud to store the photos on your device, Apple takes steps to secure that data during its transfer to Apple’s servers and while it is stored on Apple’s servers using encryption. Apple stores the encryption keys so it can help you regain access to your data. It is also able to give law enforcement bodies, for example, access to your data because it has those keys. Apple also offers its users a service called Advanced Data Protection (ADP), which offers end-to-end encryption of such data but stores the encryption key on your device and Apple could not assist you in recovering access.

“Because of this, only a small proportion of Apple users upgraded to ADP, which offers the strongest level of protection but prevents Apple from accessing or giving anyone else access to the data. It having been reported that the UK government issued a notice to Apple requiring it to introduce a back door to its end-to-end encryption to permit government access, Apple announced that it would cease to offer its ADP service in the UK. Users requiring this high level of security may wish to look to third party storage providers.”

 


 

Pierre Noel, Field CISO EMEA at Expel

 


 

“Apple is caught between a rock and a hard place. Providing a backdoor to their encryption—no matter the motivation—means that attackers will eventually find a way to gain access and exploit it. Historically, technology providers that complied with similar government demands have not fared well.

“The UK government’s approach here is short-sighted and fails to consider broader implications. For example: where does it leave iCloud users seeking strong protections? While there are plenty of available tools, even free and open-source, to secure data, they lack the seamless integration of Apple’s original offerings, exposing users to risk. That alone makes this demand for a backdoor counterproductive: anyone needing strong data encryption will still find a way. 

“However, Apple’s open refusal to comply with the secret mandate reinforces their commitment to transparency, one of the most important principles for any technology provider hoping to maintain user trust. But this refusal also means removing a layer of protection for Apple’s UK users, so ultimately it’s the end-users that suffer.”

 

David Gourlay, Partner at Law Firm, MFMac

 

 

“Apple’s decision to remove its opt-in Advanced Data Protection security feature from UK customers, in response to the UK Government’s demand to access user data, raises serious cybersecurity and privacy concerns. Apple’s enhanced protections, which include end-to-end encryption, are designed to safeguard user data from cyber threats. Whilst the UK Government’s position appears driven by a desire for increased law enforcement access, in doing so it has the potential to weaken protections available to UK based users.

“Although end-to-end encryption can have an adverse impact on child safety and protection, weaker encryption could result in vulnerabilities for cybercriminals to exploit. Increased risks of data breaches, surveillance, and unauthorised access to personal information could follow. Furthermore, Apple’s decision could encourage other governments to make similar demands, thereby undermining global privacy standards. Whilst Apple’s security features are designed to strengthen cybersecurity, the government challenge illustrates the ongoing battle between user privacy and state surveillance.

“This recent development will place the onus on UK based users to take extra care to safeguard their personal data. UK based users should review app permissions, enable multi-factor authentication, regularly update their security settings, use encrypted messaging services where necessary and remain ever vigilant to phishing scams.”

 

Ayush Trivedi, Co-Founder and Director of Audacix

 


 

“Apple’s decision to remove Advanced Data Protection (ADP) for UK users has sparked debate about privacy and government oversight. ADP offered end-to-end encryption for iCloud data, ensuring only users could access their information—even Apple couldn’t decrypt it. However, under pressure from the UK’s Investigatory Powers Act, Apple withdrew the feature rather than compromise its global security standards.

“For consumers, this reduces privacy. While standard encryption remains, Apple now holds decryption keys if legally required, increasing risks of cyberattacks or unauthorized access. As someone with years in cybersecurity, I see this as a wake-up call for individuals and businesses to take more responsibility for their data.

“Even privacy-focused companies can bend under regulatory pressure. True data security starts with the user—not the provider.

“To stay protected, users should explore encrypted storage alternatives or locally encrypt sensitive data before uploading it to the cloud. While Apple’s decision is disappointing, it underscores the need for proactive digital security measures.”

 


 

Katherine Howard, Head of Education and Wellbeing at Smoothwall by Qoria 

 

 

“While strong encryption is important for user privacy, these advancements can inadvertently create blind spots for child protection, especially when it comes to the sharing of Child Sexual Abuse Material (CSAM) and explicit content. Alarmingly, this is something we are seeing more of than ever before, with children as young as eight participating in sharing, and being victimised, driven in part by emerging AI technology.

“Therefore, as Apple reconsiders its approach to encryption following the UK Government’s concerns, we urge them to take this opportunity to also consider implementing robust child safety measures across their platforms.

“We believe technology companies have a responsibility to balance data security with safeguarding, and it’s crucial they work together with all stakeholders – from safeguarding experts to educators – in order to ensure an integrated, collaborative approach to protect our most vulnerable users.”

 

Professor Raj Rajarajan, Professor of Security Engineering & Director Institute for Cyber Security, City St George’s, University of London

 

 

“Access to encrypted mobile data has become a challenge due to the Online Safety Act 2023 in the UK and requirements by the law enforcement agencies. When data is encrypted at rest, and in transit, it’s difficult for law enforcement agencies to get access to it for terrorism or criminal investigation. This makes their jobs very difficult as they then need to monitor network traffic patterns to identify potential terrorism or criminal related activities.

“The recent act to remove encryption by Apple is not welcome news for consumers, as they are now vulnerable to cyber threats, online fraud and other forms of online harms given that their data is now accessible and can be misused or sold on the dark web by cyber criminals.

“However, in the topology of the future internet, neither the mobile operator nor the device should have control over the consumer’s data. It is the user who should be able to share their data with the relevant usage policies attached so that it is safe and secure and used for the specific purpose it has been approved for in the first place by the data owner.

“User-centric data sharing models, with the right levels of privacy and access control built into them, will help to achieve the level of privacy the user would like to apply to their personal data, empowering them to have total control over their data.”

 

Paige Schaffer, CEO of Iris® Powered by Generali

 


 

“While British citizens must yield to their government, the same cannot be said for Apple. When faced with a request to provide backdoor access to consumers’ encrypted data, the iPhone company took a firm stance on user privacy. Rather than compromise its security standards, Apple chose to withdraw its Advanced Data Protection (ADP) tool from the UK market. This feature, which offered end-to-end encryption for iCloud data and backups, ensured that only users—not even Apple—could access their stored information. Now, with ADP removed, sensitive user data is more vulnerable to cyber threats and potential government surveillance.

“The UK government defends its position by citing national security concerns, arguing that law enforcement needs access to encrypted data to combat crime and terrorism. However, this decision comes at a significant cost: diminished privacy rights for millions of users. By weakening encryption, the government risks exposing personal data to bad actors.

“Now more than ever, UK consumers should take proactive steps to safeguard their data:

  • Educate yourself on your rights under UK GDPR.
  • Explore alternative encrypted storage solutions.
  • Enable multi-factor authentication wherever possible.

“Most importantly, advocate for strong data protection policies. National security and personal privacy should not be mutually exclusive.”

 
