Apple customers, privacy advocates, and security sleuths have now had the weekend to stew over the news of the iGadget maker’s decision to bend to the UK government and disable its Advanced Data Protection (ADP) feature.
It comes in lieu of installing a fully fledged backdoor, as was reportedly requested by the Home Office just weeks earlier. It also now means Apple users can no longer enjoy the end-to-end encryption (E2EE) protection from which they and their iCloud data previously benefited.
That leaves users, like this reporter, who are so deeply and regrettably entrenched in the company’s fabled “ecosystem” – both in terms of hardware and software – with fewer privacy-first options available to them.
Many of Apple’s users choose its products for the company’s longstanding pro-privacy position. With that now measurably weakened in the UK, it leaves those who relied on Notes for storing sensitive information, Freeform for scribbles, and Reminders for, well, reminders, in need of alternatives.
Not ones to sit back and just go with the flow, we’ve listed some substitutes for the standard iApps so you can still enjoy much of the functionality of Apple’s main cloud-powered software without the threat of the UK combing through your personal data.
Notes
Perhaps the app most used by this scribe, Notes is a supremely useful tool that almost immediately syncs documents between iDevices thanks to iCloud. With ADP now revoked in the UK, the E2EE protection it used to have is gone, and the app can no longer be trusted for sensitive info.
When it comes to cloud-enabled note-taking apps, there are plenty on the market from which to choose, but not many offer all the advanced features of Notes, or the digital whiteboard functionality of Freeform, plus encryption in a single package.
Standard Notes is a good option that’s free, provides unlimited device syncing, uses E2EE and 2FA, and offers password-protection options for individual notes on top of that. Like many alternatives to Notes, it has paid tiers that afford additional functionality such as advanced note-taking formats and note revision histories. The most expensive tier ($120/yr) also allows for hardware security key support and 100GB worth of storage for other files like media and documents. It’s essentially an iCloud replacement with limited storage capacity.
Joplin is another good one, an open source option offering E2EE, 2FA, and collaborative notes, but all cloud-based features come at a price and there is no on-device encryption. Obsidian is similar: Even basic features like device syncing come with a price, although that does come with E2EE via a personalized vault hosted by DigitalOcean.
Signal’s Note to Self feature can be used for basic, unformatted text, as well as images, videos, and voice memos. It offers device syncing for free, and CEO Meredith Whittaker has long said Signal would exit the UK before breaking E2EE for the government. Advanced note-taking features are nonexistent though.
Microsoft OneNote is another alternative that could work. Like Standard Notes, it offers 128-bit AES password protection for individual notes for a layer of privacy for the most sensitive information, but storage falls short of using E2EE.
Reminders
Forgetful so-and-sos rely on reminder apps for all manner of things. However, in doing so those absent-minded people could reveal more than they’d perhaps bargained for about their daily goings-on, which could in theory be used to surveil their past and future movements.
Lunatask offers a nice solution here, marketed as an all-in-one bundle, which also includes note-taking, as well as habit-tracking and journaling. It has the all-important E2EE even in its free tier, and the only paid tier is $6 per month when paying annually, or $220 for a lifetime plan.
A decent open source option is Proton Calendar, which uses the same E2EE it uses in its namesake email platform and is available across web and mobile. Plus, the free version will be fine for most people if it’s just reminders and calendar functionality they’re after. It only comes with 1GB of storage, so either pay up or look elsewhere if you want to use it as a long-term mail solution.
Photos
Screenshots, images, and videos can all reveal more about a person than they’d perhaps like. One of the better alternatives to Apple Photos is Ente – an open source app with many of the features Apple users will expect from a photos app, like collaboration, and cross-platform sharing with family members (at a cost).
It also has E2EE, and preserves encrypted photos in three different clouds in three different locations, one of which is in an underground fallout shelter – not a pleasant thought.
Voice Memos
Encrypted voice apps appear to be in short supply, which is a shame because Voice Memos is a versatile little tool. Unfortunately, these are backed up into Apple’s iCloud, so we need an alternative.
There remains the opportunity to simply stick with Voice Memos and turn off iCloud backups. You can use the recording and clipping features as normal, upload the final file to whichever secure storage platform you choose, and delete it from the device.
Voice Recorder & Audio Editor is a paid alternative available on the App Store. Its data is still likely to be scooped up in an iPhone or iPad’s device backups, which are now at the mercy of the UK gov should they be uploaded to iCloud, but each recording can be password-protected. If you go with this option, watch for naming conventions in the recording file names – they shouldn’t give the file’s contents away.
iCloud Drive
Apple’s cloud storage offering is no longer end-to-end encrypted. Anything stored there can be snooped on by the UK government if it can secure a warrant.
As already mentioned, Proton’s suite of services are all open source and end-to-end encrypted. Throwing some money there will get you close to a full iExperience and is an option many privacy-minded folks chose even before Friday’s news.
Filen is another popular one that is heavily marketed as an all-in-one solution designed around client-side E2EE, while also offering photo storage with a familiar UI, collaborative note-taking, and instant messaging.
A more mainstream option would be Dropbox, which added E2EE last year, although previous breaches may dissuade some.
Messages and more
Encrypted messaging apps are often the focus of the UK’s snooping ambitions dressed under the guise of concern over terrorism and child exploitation. Signal is the go-to for many journalists keeping their sources safe, while WhatsApp is the more mainstream option.
Like Apple, Meta has always championed encryption but the world’s most popular messaging app, which still uses E2EE, remains the prime focus of those who want protected chats to be a thing of the past. Who’s to say if Zuck will follow Apple in eventually having to ditch encryption, at least for the UK market?
It’s a solid option for now, however, unlike iMessage, the backups of which are no longer safe from the UK gov in iCloud. It should be said that iMessages and FaceTime calls remain encrypted in transit; only backups are affected.
Also up for grabs are Safari bookmarks, Siri shortcuts, and Wallet passes, none of which have suitable alternatives.
How it works
Lawyers speaking to The Register said the legal mechanisms used to acquire iCloud data hinge on the Investigatory Powers Act 2016, sometimes referred to as the Snooper’s Charter.
Apple was likely served with a Technical Capability Notice (TCN) by the Home Office, which can compel telecoms operators to technically comply with warrants that demand access to information. Apple’s ADP would prevent this with its E2EE, so the UK used a TCN to get rid of it.
Crucially, Apple will still keep data encrypted, but the encryption will be carried out server-side, meaning Apple can reverse it at will, should a law enforcement or national security body issue the company with a judge-approved warrant under the Snooper’s Charter.
Will Richmond-Coggan, partner at Freeths specializing in privacy and cybersecurity disputes, said: “Insisting on this level of access, even with judicial supervision of the process, may well place the UK on a collision course with previous decisions made in the European Court of Human Rights, which has previously ruled (in the case of a similar attempt by Russia to broaden the scope of its domestic surveillance capabilities) that this contravened people’s privacy rights.
“In turn, there is concern that it may well prejudice the UK’s adequacy status with the EU which underpins the current free flow of data between the EU and the UK, potentially increasing the costs of doing business in Europe.”
Heavy fallout
The reaction to Apple’s decision has been overwhelmingly negative and, to the company’s credit, its official response last week acknowledged its own regret at being driven to such lows.
“We are gravely disappointed that the protections provided by ADP will not be available to our customers in the UK given the continuing rise of data breaches and other threats to customer privacy,” Apple told The Register.
Others have been less reserved in their criticisms, like Malwarebytes’ senior privacy advocate David Ruiz, who said the whole furor “has extremely dangerous and idiotic potential” on a global scale.
“This is only bad news and it is difficult to call it anything other than a disaster. The loss of end-to-end encryption for cloud storage is wholesale bad – it leaves users less secure and private – but the global consequences tip this into far worse territory.
“To demand access to the world’s data is such a brazen, imperialist maneuver that I’m surprised it hasn’t come from, well, honestly, the US. This may embolden other countries, particularly those in the ‘Five Eyes’ [alliance] to make a similar demand of Apple.”
Unsurprisingly, privacy groups like Big Brother Watch have also dispiritedly weighed in, calling it “outrageous” and “draconian.”
It said in a statement: “This decision by Apple is the regrettable consequence of the Home Office’s outrageous order attempting to force Apple to breach encryption. As a result, from today Apple’s UK customers are less safe and secure than they were yesterday – and this will quickly prove to have much wider implications for internet users in the UK.
“No matter how this is framed, there is simply no such thing as a ‘back door’ that can be limited only to criminals or that can be kept safe from hackers or foreign adversaries. Once encryption is broken for anyone, it’s broken for everyone, and as we have cautioned: This will not stop with Apple.
“We once again call on the Home Office to immediately rescind this draconian order and cease attempts to break encryption before the privacy rights of millions are eroded and the UK further ostracises itself from other democracies around the world.”
US politicians have already voiced opposition to the UK government’s request and warned this could have implications for intelligence sharing. ®