Privacy in Practice: Rules for Thee But Not for Me

Author: Safia Kazi, AIGP, CIPT
Date Published: 1 May 2025

Apple recently announced that it would cease providing users in the United Kingdom with Advanced Data Protection end-to-end encryption. This change stemmed from the UK Home Office’s demand that Apple create a backdoor to some encrypted cloud data, which could allow the government to access this information.1 Apple, which has approximately half of the UK market share,2 chose to curb end-to-end encryption rather than provide a backdoor that could be accessed by governments and criminals alike.

The UK government has created a dangerous precedent, and privacy and security professionals around the world ought to be concerned. Their order and the removal of end-to-end encryption in the United Kingdom is problematic. Additionally, governments appear to have conflicting attitudes toward privacy, which ultimately can lead to the erosion of individuals’ right to privacy. It is worth noting, though, that the United Kingdom is not the first country to demand something like this: The United States Federal Bureau of Investigation (FBI) asked Apple to bypass an iPhone’s security features nearly a decade ago in the aftermath of a terrorist attack.3 Other countries may follow the UK government’s lead and request backdoors from technology providers.

I’ve written this column with Hanlon’s razor in mind: “Never attribute to malice that which is adequately explained by stupidity.”4 I’ve generously assumed that the UK order wasn’t an attempt at surveillance and was instead a misguided effort to tackle crime, and this column explores why their approach is flawed.

Cause for Concern

The UK government put Apple in a tough position, and Apple shouldn’t be faulted for pulling end-to-end encryption. In fact, halting end-to-end encryption may have been an effort at transparency with Apple customers. Had Apple complied by providing a backdoor, they may not have been permitted to notify users about it, leading to users unknowingly being surveilled by the UK government.5 Instead, those in the United Kingdom who have not turned on Advanced Data Protection will not be able to turn it on moving forward, and those who enabled it will have to disable it to use their iCloud account.6 While far from ideal, at least Apple users in the United Kingdom are aware of how their data is safeguarded.

The UK government could have used the backdoor to track terrorism and child abuse.7 However, it isn’t possible to install a backdoor that will only impact those supporting terrorism or child abuse; surveillance measures, by their very nature, impact everyone. This could include government officials who may use the technology in question. Additionally, if law enforcement can leverage a backdoor, so can malicious hackers, and this puts everyone at risk.

It is also naïve to assume that criminals don’t have sophisticated ways to evade surveillance. End-to-end encryption in the United Kingdom is not provided for iCloud backups, iCloud Drive, photos, notes, reminders, Safari bookmarks, Siri shortcuts, voice memos, wallet passes, and Freeform.8 Are criminals who engage in nefarious activities creating voice notes about their plans or detailed reminders about their exploits? I’m assuming not. However, innocent people use these tools for sensitive purposes (e.g., tracking health symptoms, drafting private communications), and I worry that government access to these tools will do more to violate privacy than reduce crime.

Perhaps the most concerning outcome is the precedent the United Kingdom has created. Around the world, conversations around encryption and backdoors emphasize how investigators want access to digital spaces frequented by criminals and innocent people alike. The UK government’s order for the removal of Apple’s end-to-end encryption led to those in the area having less protection, ultimately exacerbating privacy, security, and surveillance concerns. What will stop other governments from requesting something similar? The US FBI has expressed support for encrypted content to be provided in a readable manner if required by court order.9

Apple is just one of many providers that offer end-to-end encryption. In the past, Apple took a stand against creating backdoors.10 There is no definitive proof, but it is possible that other vendors have also been asked by government entities to create backdoors. For example, the Swedish prime minister has requested backdoor access to the messaging app Signal, which could lead to Signal not offering their services in the country.11 Not all enterprises will prioritize security and privacy the way Apple and Signal have. It is quite possible that other vendors have complied with backdoor requests, putting their customers at risk.

Backdoors are also concerning because of insider threats. Government and law enforcement staff, just like those working in the private sector, could be insider threats. Those with backdoor access to technology could misuse their privileges for personal or political reasons. For example, a police officer in Australia allegedly used a police internal database to find information about his ex-girlfriend, whom he allegedly assaulted.12 While this case is not tied to a backdoor, it illustrates that insider threats must be taken seriously for government entities, and deliberately creating backdoors and privacy loopholes could lead to misuse from government officials or law enforcement.

Inconsistencies Galore

The United Kingdom has its own version of the General Data Protection Regulation (GDPR).13 It outlines enterprise obligations for processing personal information. It, understandably, seeks to protect the personal data of those in the United Kingdom from privacy violations caused by enterprises. But what about privacy violations led by the government? If governments value and want to protect privacy and security, why do they also secretly order enterprises to create backdoors? Government bodies are sending mixed messages by promoting privacy laws and regulations while also expanding their surveillance capabilities.

Myriad privacy laws and regulations have led cross-border data transfers to become a complex, thorny issue. Government surveillance further complicates this. Anyone outside of the United Kingdom interacting with an Apple user in the United Kingdom could be impacted by this change. Security leaders in the United States are examining the United Kingdom’s capabilities and evaluating if they’re in violation of any data-sharing agreements between the countries.14

Privacy, Security, and Transparency

The United Kingdom backdoor order illustrates how critical privacy and security literacy is, especially for policy makers and law enforcement agencies. Even if a backdoor can solve or even prevent crime, it comes with tremendous risk. That risk, which is widespread and could have devastating consequences, must be weighed against any possible benefit.

Privacy and security professionals must be able to communicate clearly with less-technical audiences. If law enforcement proposes surveillance measures that could cause harm, the privacy and security experts who work with them must convey the dangers and work to prevent them. Quantifying the magnitude of harm could prevent dangerous backdoors from being requested.

One of my previous Journal articles15 emphasized the importance of transparency in developing trustworthy AI, but transparency is critical for trust in all technology, not just AI. Many privacy laws and regulations seek to promote transparency between enterprises and customers, which is valuable. But what about transparency between a government and its constituents? The secretive nature of the UK Apple backdoor order doesn’t foster trust between UK residents and the government. In fact, the UK request only became public knowledge because an insider leaked the news to the media.16

Selectively applying privacy, security, and transparency does not lead to a safer, more secure, and more trustworthy world. Enterprises are, justifiably, held to high standards when it comes to ethical behavior. The standard should be just as high for government bodies.

Endnotes

1 Ikeda, S.; “iCloud End-to-End Encryption No Longer Available in UK After Secret Backdoor Order,” CPO Magazine, 24 February 2025
2 World Population Review, iPhone Market Share by Country 2024
3 Selyukh, A.; Domonoske, C.; “Apple, The FBI And iPhone Encryption: A Look at What's at Stake,” NPR, 17 February 2016
4 Britannica, “Hanlon’s Razor”
5 Menn, J.; “U.K. Orders Apple to Let it Spy on Users’ Encrypted Accounts,” The Washington Post, 7 February 2025
6 Apple, “Apple Can no Longer Offer Advanced Data Protection in the United Kingdom to New Users,” 24 February 2025
7 Lim, W. C.; “UK Once Again Calling for Backdoor Into iCloud Data With Secret Order,” CPO Magazine, 18 February 2025
8 Apple, “Apple Can no Longer”
9 Doffman, Z.; “FBI Warns iPhone, Android Users—We Want ‘Lawful Access’ to All Your Encrypted Data,” Forbes, 24 February 2025
10 Gheorghe, A.; “Apple Declines FBI Requests to Create Backdoor,” Bitdefender, 17 February 2016
11 Asokan, A.; “Signal Threatens to Leave Sweden,” Data Breach Today, 26 February 2025
12 McLeod, C.; “NSW Police Officer Charged With Domestic Violence Offences Allegedly Looked Up Ex-Partner on Cops Database,” The Guardian, 16 May 2024
13 Information Commissioner’s Office, “The UK GDPR”
14 Gallagher, W.; “US Intelligence Backs Apple Over UK Encryption Backdoor Demands,” Apple Insider, 26 February 2025
15 Kazi, S.; “Developing Trustworthy AI: Understanding the Inputs,” ISACA Journal, vol. 4, 2024
16 Ikeda; “iCloud End-to-End Encryption”

SAFIA KAZI | AIGP, CIPT

Safia Kazi is a privacy professional practices principal at ISACA. In this role, she focuses on the development of ISACA’s privacy-related resources, including books, white papers, and review manuals. Kazi has worked at ISACA for more than 10 years, previously working on the ISACA Journal and developing the award-winning ISACA Podcast.