Defend free speech and individual liberty online. 

Push back against Big Tech and media gatekeepers.

UK’s iCloud Encryption Crackdown Explained: Your Questions Answered on Apple’s Decision and How it Affects You

How does Apple's UK encryption move affect your iCloud data? Even for those not in the UK, we break down security risks, government access, and your best privacy options.

If you’re tired of censorship and surveillance, subscribe to Reclaim The Net.

The UK government’s latest demand from Apple has caused a major conversation about digital privacy, encryption, and government surveillance. With Apple withdrawing its Advanced Data Protection (ADP) feature in the UK rather than complying with the government’s order, many users are left with questions.

  • How does this affect your iCloud data, whether you’re in the UK or not?
  • Can the government now access your photos, backups, and messages?
  • Are alternative services like Google, Android, or Samsung any better?
  • What are the risks, and what are your options for securing your data?

With this Q&A feature, we break down the key details, security implications, and next steps for UK users—and why this could be a turning point for global encryption policy.

What exactly did the UK government demand from Apple?

The specific details of the Technical Capability Notice (TCN) issued to Apple are not public due to the secretive nature of the Investigatory Powers Act (2016), which was amended in 2023 to expand government access to encrypted data. Reports from the Washington Post suggest the UK Labour government under Prime Minister Keir Starmer demanded that Apple comply with the order by creating a backdoor into its encryption.

Why did Apple choose to withdraw ADP instead of complying?

Apple has consistently opposed government backdoors, arguing that any compromise in encryption, even for one government, creates a security risk for all users globally. If Apple built a decryption tool, it could be exploited by hackers or demanded by authoritarian regimes. By withdrawing ADP in the UK, Apple likely aims to avoid setting a precedent and to pressure the UK government while reinforcing its brand as a privacy-focused company. It’s also possible that Apple privately negotiated with the UK government but couldn’t reach a compromise.

What happens to UK users who already enabled ADP?

Existing UK users with ADP won’t lose encryption immediately, but Apple has confirmed they will eventually need to disable the feature. The exact timeline remains unclear; Apple’s February 21 announcement did not give specific dates, suggesting a phased approach. Users might receive notifications asking them to opt out voluntarily or could face automatic disabling via a future software update. Until then, their data remains end-to-end encrypted.

What data can governments access without ADP?

Without ADP, most iCloud data reverts to Apple’s standard encryption, meaning Apple can decrypt and provide access if compelled by a legal order. This includes:

  • Photos, videos, documents, notes, and device backups
  • Email content (if using iCloud Mail or a different provider but the account is backed up to iCloud)
  • iMessage chats (if iCloud backups are turned on)

Some data, like real-time iMessages and Health data, may still retain end-to-end encryption depending on user settings.

What are the security risks for UK users?

Losing ADP increases UK users’ vulnerability to data breaches because their iCloud data, once decrypted by Apple, could be exposed if Apple’s systems are hacked. Standard iCloud encryption is robust against external threats, but high-profile breaches (e.g., past celebrity iCloud leaks) show it’s not infallible. Foreign entities could also target this data if they penetrate Apple’s infrastructure, though there’s no evidence of state-sponsored hacks yet. The risk isn’t immediate for most users but grows over time as cybercriminals adapt, making UK users a softer target compared to those with ADP elsewhere.

What are the UK government’s next steps?

The UK government could escalate by fining Apple for non-compliance, though Apple’s removal of ADP might technically satisfy the notice by removing the contested capability. The government may also target other encrypted services like WhatsApp, Signal, or ProtonMail with similar demands. The 2023 amendments to the Investigatory Powers Act allow the UK to issue preemptive decryption demands on tech firms, meaning broader enforcement is possible. However, political backlash and pushback from the tech industry might slow down aggressive enforcement. That’s why challenging the UK government is important.

What legal basis does the UK have for this demand?

The Investigatory Powers Act (2016)—sometimes called the Snooper’s Charter—was updated in 2023 to expand government power to issue Technical Capability Notices. These notices require companies to remove encryption or other security measures if deemed necessary for national security and proportionate. This appears to be the first major use of the amended law against a tech giant like Apple, setting a precedent that could encourage other countries, such as EU nations or Australia, to follow suit. This is a test case for global encryption policy, though secrecy limits transparency.

Why hasn’t Apple explicitly confirmed the UK order?

Apple has not officially confirmed receiving a Technical Capability Notice, likely due to a gag order under the Investigatory Powers Act. This law prohibits companies from disclosing such requests to avoid tipping off targets or causing public backlash. However, Apple’s decision to withdraw ADP and its statement expressing disappointment strongly imply that it received a legally binding order. Silence could also be a strategic choice, keeping the focus on the impact of withdrawal rather than escalating a legal battle it cannot win.

What does this mean for US-UK relations?

This could strain US-UK tech relations, particularly given comments from figures like JD Vance criticizing European overreach on American firms. The US and UK share intelligence via the Five Eyes alliance, but this dispute (at least on the surface) highlights divergent views on privacy versus security. Apple might lobby the US government to pressure the UK, especially if it sees this as a threat to America’s tech dominance. Diplomatic fallout seems unlikely to escalate significantly, but it could complicate future transatlantic tech policy talks, especially if other EU nations follow suit.

Do any lawmakers in the US want to ban this type of encryption?

Yes, some US lawmakers have pushed to limit or effectively end strong encryption, particularly end-to-end encryption, by requiring tech companies to provide law enforcement access to encrypted data. While they don’t always frame it as “ending encryption” outright, their proposals would undermine its effectiveness by mandating backdoors or weaker standards, which many experts argue amounts to the same thing. This has been a recurring theme in Congress over the years.

Senator Lindsey Graham (R-SC): Graham has been a key figure, co-sponsoring the EARN IT Act (2020) with Senator Richard Blumenthal (D-CT) and introducing the Lawful Access to Encrypted Data Act (LAED Act) in 2020 with Senators Tom Cotton (R-AR) and Marsha Blackburn (R-TN). Both bills aimed to force tech companies to unlock encrypted data under court orders, effectively targeting E2EE.

Senator Richard Blumenthal (D-CT): Co-sponsor of the EARN IT Act, which critics say indirectly threatens encryption by tying legal protections to government-approved “best practices” that could ban E2EE.

Senators Tom Cotton (R-AR) and Marsha Blackburn (R-TN): Co-sponsors of the LAED Act, which explicitly sought to outlaw “warrant-proof” encryption—systems where only users hold the keys.

These efforts often have bipartisan support, driven by concerns over crime and national security.

Senators Josh Hawley (R-MO) and Amy Klobuchar (D-MN) have also recently called for a crackdown on end-to-end encryption, using the fight against fentanyl as a justification.

Should global Apple users be concerned about the UK’s move against encryption?

Yes, global users should be concerned because the UK’s action sets a dangerous precedent that could inspire other governments to demand similar backdoors, weakening digital privacy worldwide. If Apple complies with one government’s demand to weaken encryption, it may face pressure from other nations, including the EU, Australia, India, or China, to do the same. This risks creating a domino effect where end-to-end encryption is gradually eroded across multiple jurisdictions.

Moreover, any security loophole introduced for the UK could be exploited by hackers or authoritarian regimes, endangering global Apple users. Apple’s current refusal to comply suggests it is drawing a line to protect its security model worldwide, but if the UK succeeds in enforcing its demands, Apple and other tech companies may struggle to resist similar pressures elsewhere.

For now, users outside the UK still benefit from full encryption protections, but privacy advocates worry that if this case goes unchallenged, governments may target other encrypted services, such as WhatsApp, Signal, or Google Drive, making digital privacy harder to maintain globally.

What about those iCloud users that didn’t have Advanced Data Protection (ADP) turned on?

For most users, this change doesn’t affect them because the majority of iCloud users never had ADP enabled in the first place. Apple’s standard iCloud encryption, which was always the default, means Apple already holds the keys to decrypt most stored data and can provide access when legally required. This means that users who never switched on ADP were always using the less secure version of iCloud storage, and their data was already accessible to Apple and, by extension, law enforcement with a legal order.

However, for privacy-conscious users in the UK who did enable ADP, this decision does impact their security. Without ADP, their iCloud data will eventually revert to standard encryption, meaning Apple can access it again if compelled. While this is currently a UK-specific change, privacy advocates worry that it could set a precedent for other governments to demand similar access, potentially eroding encryption protections worldwide over time.

If ADP is available in your region, you should turn it on.

Even WITH Apple’s Advanced Data Protection turned on, what data could Apple and the government potentially see?

Quite a lot.

Here are the parts that were never end-to-end encrypted:

  • iCloud Mail
  • Contacts
  • Calendars
  • iCloud Data on the Web (Apple says, “You have the option to turn on data access on iCloud.com, which allows the web browser that you’re using and Apple to have temporary access to data-specific encryption keys provided by your device to decrypt and view your information.”)
  • Metadata and usage information, including “dates and times when a file or object was modified are used to sort your information, and checksums of file and photo data” (which “are used to help Apple de-duplicate and optimize your iCloud and device storage — all without having access to the files and photos themselves.”). Specific examples of the app-specific metadata and usage information that was never end-to-end encrypted include:
    • iCloud Backup:
      • Name, model, color, and serial number of the device associated with each backup
      • List of apps and file formats that are included in the backup
      • Date, time, and size of each backup snapshot
    • iCloud Drive:
      • The raw byte checksums of the file content and the file name
      • Type of file, when it was created, last modified, or last opened
      • Whether the file has been marked as a favorite
      • Size of the file
      • Signature of any app installers (.pkg signature) and bundle signature
      • Whether a synced file is an executable
    • Photos:
      • The raw byte checksum of the photo or video
      • Whether an item has been marked as a favorite, hidden, or marked as deleted
      • When the item was originally created on the device
      • When the item was originally imported and modified
      • How many times an item has been viewed
    • Notes:
      • Date and time when the note was created, last modified, or last viewed
      • Whether the note has been pinned or marked as deleted
      • Whether the note contains a drawing or handwriting
      • The raw byte checksum of content from an imported or migrated note
    • Safari Bookmarks:
      • Whether the bookmark resides in the favorites folder
      • When the bookmark was last modified
      • Whether the bookmark has been marked as deleted
    • Messages in iCloud:
      • When the last sync was completed and whether syncing has been disabled
      • Date when content was last modified
      • Error codes
      • Type of message, such as a normal iMessage, SMS, or tapback
  • iWork collaboration
  • The Shared Albums feature in Photos
  • Content shared via the “anyone with the link” feature
  • Any data that was shared with an Apple user who doesn’t have end-to-end encryption enabled, e.g. Messages sent to someone who has iCloud Backup enabled but not Advanced Data Protection, or Notes shared with someone who has iCloud Backup enabled but not Advanced Data Protection.
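
What the checksum entries in the list above disclose, shown as an added example that is not from the original article and is not Apple's code: a server that cannot read file contents can still tell when two accounts hold byte-identical files, or when an account holds a file the server already has a copy of. Assumptions: SHA-256 stands in for the unspecified "raw byte checksum", random bytes stand in for end-to-end encrypted content, the account names and sample files are constructed, and the per-user keyed checksum is a hypothetical design alternative included for comparison.

```python
import hashlib
import hmac
import os
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample file contents (not real data).
LEAFLET = b"constructed sample: meeting leaflet, version 1\n"
PHOTO = b"constructed sample: holiday photo bytes\n"


@dataclass(frozen=True)
class StoredObject:
    account: str
    ciphertext: bytes  # opaque to the server under E2EE
    checksum: str      # metadata the server can read
    size: int          # metadata the server can read


def client_upload(account, plaintext, user_key=None):
    """Build the record a server would hold for one uploaded file.

    user_key=None  -> raw SHA-256 of the file bytes (assumed checksum type).
    user_key=bytes -> hypothetical alternative: HMAC keyed with a per-user secret.
    """
    if user_key is None:
        digest = hashlib.sha256(plaintext).hexdigest()
    else:
        digest = hmac.new(user_key, plaintext, hashlib.sha256).hexdigest()
    # Stand-in for real end-to-end encryption: random bytes of the same length.
    ciphertext = os.urandom(len(plaintext))
    return StoredObject(account, ciphertext, digest, len(plaintext))


def accounts_sharing_content(store):
    """Server-side view: checksums that appear under more than one account."""
    groups = defaultdict(set)
    for obj in store:
        groups[obj.checksum].add(obj.account)
    return {c: sorted(a) for c, a in groups.items() if len(a) > 1}


def accounts_holding(store, known_file):
    """Server-side view: accounts whose metadata matches a file the server has."""
    target = hashlib.sha256(known_file).hexdigest()
    return sorted({o.account for o in store if o.checksum == target})


def build_store(keyed):
    """Upload the same constructed files with raw or per-user keyed checksums."""
    keys = {"alice": os.urandom(32), "bob": os.urandom(32)}
    uploads = [("alice", LEAFLET), ("bob", LEAFLET), ("bob", PHOTO)]
    return [client_upload(a, p, keys[a] if keyed else None) for a, p in uploads]


if __name__ == "__main__":
    raw, keyed = build_store(False), build_store(True)
    print("raw, accounts holding leaflet:", accounts_holding(raw, LEAFLET))
    print("raw, cross-account matches:", len(accounts_sharing_content(raw)))
    print("keyed, accounts holding leaflet:", accounts_holding(keyed, LEAFLET))
    print("keyed, cross-account matches:", len(accounts_sharing_content(keyed)))
```

With raw checksums the content stays unreadable but equality of content does not; the keyed variant hides that equality at the cost of cross-account de-duplication.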

I’m thinking of switching to Google or Android because of the UK’s encryption dispute with Apple. Is that a better move for privacy?

Not necessarily. Google or Android isn’t a monolith — Google’s services (like Drive and Photos) and Android’s open ecosystem differ from what Samsung or other manufacturers layer on top.

Privacy-wise, none of these options universally outshine Apple, especially if end-to-end encryption (E2EE) is your priority. Google’s core services don’t use E2EE by default for Drive, Photos, or backups, meaning Google can access your data and comply with law enforcement requests.

Android’s encryption varies by implementation, and Samsung adds its own features, but they don’t fully match Apple’s default E2EE across key services (like iMessage or Health data) that remain intact even without Advanced Data Protection (ADP) in the UK.

What about Samsung?

Samsung, as a major Android manufacturer, uses Google’s ecosystem for services like Google Drive, Google Photos, and phone backups, but it also layers its own features on top. Like other Android devices, Samsung phones don’t get end-to-end encryption (E2EE) for Google Drive or Google Photos; those services encrypt data in transit and at rest, but Google holds the keys, making them accessible to Google or law enforcement. For phone backups, Samsung relies on Google’s E2EE system (since Android 9 Pie), which encrypts app data and settings using your credentials, not Google’s. However, Samsung offers Samsung Cloud, which provides an optional E2EE feature called Enhanced Data Protection (introduced with One UI 5.1.1 in 2023). If you enable it, your backups to Samsung Cloud, like contacts or calendar data, can be E2EE, unlike Google’s broader cloud services. So, Samsung gives you something of an extra encrypted option, but it’s not the default and doesn’t cover everything (e.g., photos synced to Google Photos).

Does Google Drive use end-to-end encryption?

No, Google Drive does not offer true end-to-end encryption (E2EE). Files are encrypted in transit (using TLS) and at rest (with AES-256), but Google holds the encryption keys. This means Google can decrypt your files if required—say, for a legal warrant—or if their systems are breached, a hacker could potentially access unencrypted data after compromising Google’s infrastructure. You can add client-side encryption via third-party tools (like Cryptomator) or Google Workspace’s enterprise option, but that’s not standard for personal users. Compared to Apple’s iCloud with ADP (now unavailable in the UK), where users control the keys, Google Drive is less private by design.

What about Huawei or other major Android smartphones? Do they change the encryption picture?

Huawei, a Chinese Android player, doesn’t rely on Google services due to US sanctions (post-2019), so it skips Google Drive, Photos, and Google backups entirely. Instead, Huawei uses its own Huawei Mobile Cloud, which offers encrypted backups for photos, contacts, and more, but it’s not E2EE by default; Huawei holds the keys unless you use specific encryption settings. Huawei’s HiSuite software for PC backups also encrypts data, sometimes with user-set passwords, but research shows these can be decrypted with effort, suggesting weaker protection. Unlike Samsung, Huawei lacks Google’s E2EE phone backup system and faces scrutiny over potential Chinese government access, though no hard evidence confirms backdoors. End-to-end encryption is banned in China anyway, so using Chinese services is inherently less secure in terms of privacy.

I keep hearing about Google Drive, Google Photos, and phone backups. Are they all the same thing?

No, they’re distinct services with different purposes, even though they’re all tied to your Google account. Google Drive is a cloud storage platform for files—like documents, videos, or anything you manually upload. Google Photos is a specialized service for storing and organizing your pictures and videos, often syncing automatically from your phone. Phone backups, on the other hand, are a feature of Android that saves device-specific data—like settings, app data, and call logs—to Google’s servers. Think of Drive as a general file locker, Photos as your photo album, and backups as a snapshot of your phone’s configuration and data.

Regarding Google, what kind of stuff gets stored in each one?

Here’s the breakdown:

Google Drive: Anything you choose to upload—PDFs, Word docs, spreadsheets, random videos, or even folders. It’s manual unless you set up syncing from your device or apps.

Google Photos: Primarily photos and videos from your phone’s camera roll, synced automatically if you enable it (via the Google Photos app). You can also upload other images manually, but it’s built for media.

Phone Backups: Device-specific data like app settings, Wi-Fi passwords, call history, SMS (if enabled), and some app data (if developers opt in). It doesn’t include your full photo library or random files unless they’re part of an app’s backup scope.

They overlap a bit—e.g., a photo could be in Photos and Drive if you upload it twice—but they’re designed for different needs.

Is everything encrypted the same way across these services?

No, encryption differs:

Google Drive: Encrypted in transit (TLS) and at rest (AES-256), but Google holds the keys. They can decrypt your files if needed (e.g., for law enforcement). No end-to-end encryption (E2EE) unless you add it manually with tools.

Google Photos: Same deal—encrypted in transit and at rest, but Google has the keys. No E2EE, so your photos aren’t fully private from Google or legal requests.

Phone Backups: Encrypted end-to-end since Android 9 Pie (2018). The key is tied to your Google account password and device lock screen credentials, stored in Google’s Titan Security Module. Google can’t decrypt this without your input, unlike Drive or Photos.

So, if I switch from Apple’s Advanced Protection version of iCloud to Google’s suite of products, I would be less protected?

Yes.

If I switch to Android and use these, am I safer from the UK government than with Apple?

Not really. The UK’s issue with Apple was about iCloud’s Advanced Data Protection (ADP), which offered E2EE. Without ADP, iCloud’s standard encryption (Apple holds the keys) is like Google Drive and Photos—accessible to the company and thus to governments with warrants. Android phone backups are E2EE, which is safer from Google or the UK snooping without your credentials, but Drive and Photos aren’t, leaving most of your cloud data as vulnerable as non-ADP iCloud. You’re not dodging the problem—just shifting where it applies.

Do de-googled phones come with their own encrypted cloud backups?

No, de-googled phones—like those running GrapheneOS or LineageOS—don’t include built-in cloud services with encryption. Unlike Samsung (with Samsung Cloud’s optional E2EE) or Google (with non-E2EE Drive), they strip out Google’s ecosystem entirely and don’t replace it with a default cloud. You’re left to back up locally (e.g., to a computer with manual encryption) or pick your own cloud service. There’s no out-of-the-box E2EE cloud solution baked in.

Does switching to a de-googled phone help if I use cloud services anyway?

Not much, if you pick non-E2EE clouds like Google Drive or Dropbox. De-googled phones avoid Google’s data harvesting, but they don’t fix the encryption gap—Drive, Photos, or Huawei’s Mobile Cloud (non-E2EE by default) still let the provider decrypt your data. Switching from, say, a Samsung phone with Google’s non-E2EE services to a de-googled one is useless for privacy if you just plug in the same unencrypted clouds. You’re back to square one, with your backups exposed to companies or governments.

Do you have any recommendations for keeping my documents and photos securely backed up?

Yes, check out our recommendations here.

We also have a members post with recommendations for specific photos apps.

This battle is far from over—whether Apple will face further pressure, how other tech companies will respond, and whether legal challenges arise remain key questions in the fight for encryption.

For users concerned about privacy, this situation underscores the need to take control of their own data security. Whether that means using end-to-end encrypted services, backing up data locally, or switching to alternative platforms, individuals must weigh the risks and make informed choices. As governments push for more access and tech giants weigh their responses, one thing is clear: the future of digital privacy is at a crossroads, and what happens next in the UK could shape encryption policies worldwide.
