NCSC, GCHQ, UK Gov't expunge advice to “use Apple encryption”

What changed and why it matters

  • UK security agencies and legal guidance sites quietly removed prior advice telling people (including at‑risk citizens and professionals) to use Apple’s Advanced Data Protection (ADP) / iCloud end‑to‑end encryption.
  • This coincides with the UK using Investigatory Powers Act (IPA) powers to compel Apple to provide access (“backdoor”) to encrypted iCloud data, leading Apple to pull ADP for UK users.
  • Some commenters see this as the government trying to erase an embarrassing contradiction; others say it’s simply because the feature no longer exists in the UK, so the advice became incorrect.

Government contradictions and motives

  • One part of government had been recommending Apple’s encryption to protect data from hostile foreign governments; another part is now demanding systemic access for UK authorities.
  • Several see the core motive as gaining access to encrypted data without alerting targets (unlike approaching individuals for keys).
  • A minority suggests a more benign angle: pressure from victims’ families in cases where phones can’t be unlocked—but others argue a competent government should still refuse backdoors.

Apple’s options and legal/geo‑political angles

  • Commenters outline Apple’s choices: weaken security globally, turn off ADP in the UK only, exit the UK market, or fight in (secret) courts.
  • There’s discussion of a secret appeal under the IPA, and the fact that UK providers are gagged from acknowledging such orders.
  • Some point to possible conflict with the US CLOUD Act and note US officials questioning whether the UK’s demand is even lawful under that treaty.
  • Others speculate about Five Eyes dynamics and whether the US already has access paths that are no longer being shared.

Backdoors vs end‑to‑end encryption (technical debate)

  • Strong consensus: you “can’t backdoor encryption without making it insecure,” especially at global scale.
  • A few argue a “master key” or per‑user key escrow in HSMs might be workable; others dismantle this with scale, coercion, insider abuse and high‑value‑target arguments.
  • UK law (RIPA Part III) already lets authorities compel individuals to hand over keys, but commenters stress scale: mass cloud access is far more dangerous than case‑by‑case device searches.

Platform lock‑in, regulation, and alternatives

  • One camp blames Apple’s walled garden: if users could freely choose backup providers or self‑host with first‑class UX, UK policy would matter less.
  • Counter‑argument: any “sufficiently big” provider (or a fully open backup API) would just be targeted by the same UK powers, or banned from app stores or the country altogether.
  • Some see EU‑style competition rules (DSA, anti‑lock‑in measures) as helpful; others note EU institutions are also pursuing broad access to encrypted data and are “not your friend” on privacy.
  • Android’s restricted backup APIs and iOS’s lack of third‑party parity are cited as structural problems, but there are worries about stalkerware and data leakage if backups are opened too widely.

Civil liberties, secret courts, and the UK’s direction

  • Many describe the UK as sliding toward a “surveillance state,” citing:
    • IPA powers and secrecy,
    • restrictions on protests and “buffer zones,”
    • examples of people arrested for silent prayer or minor forms of demonstration.
  • Secret courts and gagged orders are widely condemned. One side insists some secrecy is necessary for national security; others answer that democracy requires the public to at least know such powers are being used.
  • Overall mood: a mix of anger, dark humor, and resignation about “frog‑boiling” erosion of digital rights in the UK, EU, and US alike.