Apple’s Advanced Data Protection Rollback: Are Your Personal Data and Privacy at Risk? 

Apple’s decision to remove its highest-level data security tool for UK customers has sparked concern and confusion among users about what protections remain. Following a notice issued by the UK Government under the Investigatory Powers Act, requiring Apple to create a ‘back door’ to its encrypted iCloud storage, the company has blocked new users from accessing its Advanced Data Protection (ADP) feature, with plans to disable it for existing users in the future. 

Why has this change been made and how does it affect your data, especially if you are a high-profile individual? We offer some practical steps you can take to mitigate the risks to your information and data.  

What is the importance of this and what is the impact? 

Security and privacy have been major selling points for Apple and many customers have long relied on the in-built protections they offer. The ADP tool is an opt-in additional service that offers end-to-end encryption for data stored in a user’s iCloud, ensuring only that individual can access it. The UK Government’s demand to create a ‘back door’ to this data would change the nature of this, giving it access to data that currently not even Apple itself has access to, for the purpose of enhanced surveillance.

There are two critical issues relating to data that arise from this request. Firstly, in relation to data privacy, if Apple are served a warrant to provide data on a UK national, they must comply, changing the very nature of their relationship with customer information. Secondly, in relation to data security, if Apple services were compromised, or there were a malicious insider, then personal and sensitive data could be more accessible, creating a security weakness that has not previously been an issue.

By removing ADP access, Apple sends a strong message to the UK Government. This request is excessive and sets a global precedent for accessing other applications or datasets, creating security risks exploitable by malicious actors. 

As a cyber security expert, I find this decision difficult to hear. While many users were unaware of the availability of the ADP feature, some may argue that not much has changed. As we move deeper into a digital world, the data we accumulate and that is accumulated about us online grows, as does the insight it provides into our lives, both digital and physical. The removal of ADP is a step away from making security a default, potentially setting a dangerous precedent in the longer term.

Mitigating the risks to your data – some practical solutions 

Inbuilt solutions can no longer be your only line of defence, especially if you are a high-profile individual and have access to sensitive information. With the threat landscape growing by the day, you must be prepared to put proactive protections in place to comprehensively protect your data. For example, you may want to consider taking some of the following steps.

  • Use messaging services that are not run by Apple that still offer end-to-end encryption, for example WhatsApp or Signal. But take care that the messages are not included in your iCloud backup in their decrypted form: adjust the settings to turn off the iCloud backup for the chosen app and turn on the end-to-end encryption feature within the app.

  • For users of Apple devices, if you are registered in a country outside of the UK, Advanced Data Protection will still be available to you, allowing you to enable advanced encryption for iCloud.

  • Consider where your data is held and how sensitive it is. Avoiding cloud storage for extremely sensitive data is recommended, but keep in mind this does reduce the convenience of accessing information on-the-go and requires you to manage your own local backups. 

  • Secure your data where you can by adding extra layers of proactive security. Encrypting data in transit using a VPN is a good example of this, but it should not be used in isolation.

Proactive Device Protection 

coc00n secures the mobile devices of high risk and high value individuals against cyber-attacks at a level only previously available to those under government protection. 

Our team has over 25 years' experience at the forefront of cybersecurity within GCHQ and the UK’s National Cyber Security Centre where they devised, developed and implemented projects that protected the UK’s most high-risk institutions and individuals against cyber threats. 

By focusing on proactive protections, such as securing access to cloud services as well as your data in transit, coc00n provides an invisible wrapper around your device to protect your reputation, your financial position and your professional status against compromise.  

With coc00n, your devices are secured, your data remains private, and your interests are protected.  

If you would like to discuss your phone security and ensure your personal data remains private, our Cyber Concierge team are happy to advise.  Get in touch to find out more.  

About the author 

Harry Gough is coc00n’s Chief Operating Officer. He has almost a decade of experience at the forefront of cyber security within government, devising and implementing systems to protect the UK’s most high-risk institutions and individuals against cyber threats. 
