The United Kingdom issued a secret order requiring Apple to create a backdoor for government security officials to access encrypted data, The Washington Post reported today, citing people familiar with the matter.
UK security officials “demanded that Apple create a backdoor allowing them to retrieve all the content any Apple user worldwide has uploaded to the cloud,” the report said. “The British government’s undisclosed order, issued last month, requires blanket capability to view fully encrypted material, not merely assistance in cracking a specific account, and has no known precedent in major democracies.”
Apple and many privacy advocates have repeatedly criticized government demands for backdoors to encrypted systems, saying they would harm security and privacy for all users. Backdoors developed for government use would inevitably be exploited by criminal hackers and other governments, security experts have said.
The UK is reportedly seeking access to data secured by end-to-end encryption with Apple’s Advanced Data Protection, which prevents even Apple from seeing user data. Advanced Data Protection is an optional setting that users can enable for iCloud backups, photos, notes, and other data.
“Rather than break the security promises it made to its users everywhere, Apple is likely to stop offering encrypted storage in the UK,” The Washington Post paraphrased its sources as saying. “Yet that concession would not fulfill the UK demand for backdoor access to the service in other countries, including the United States.”
Apple opposes UK snooping powers
The Technical Capability Notice was reportedly issued by the UK Home Office under the Investigatory Powers Act (IPA). The 2016 law is nicknamed the Snoopers’ Charter and forbids unauthorized disclosure of the existence or contents of a warrant issued under the act.
“Apple can appeal the UK capability notice to a secret technical panel, which would consider arguments about the expense of the requirement, and to a judge who would weigh whether the request was in proportion to the government’s needs. But the law does not permit Apple to delay complying during an appeal,” the Post wrote.
The UK Home Office told the BBC and Washington Post that it does not “comment on operational matters, including for example confirming or denying the existence of any such notices.”
We contacted Apple and will update this article if we receive any comment. Apple previously made its stance public when it formally opposed the UK government’s power to issue Technical Capability Notices in testimony submitted in March 2024 and warned that it would withdraw security features from the UK market if forced to comply.
Apple submitted written evidence to oppose expansions of the government powers, saying the law was already too broad. Apple’s testimony said:
The IPA’s existing powers are already extremely broad and pose a significant risk to the global availability of vitally important security technologies. Under the current law, the UKG [UK government] can issue a ‘Technical Capability Notice’ that seeks to obligate a provider to remove an ‘electronic protection’ to allow access to data that is otherwise unavailable due to encryption. In addition, the Secretary of State (‘SoS’) has been granted the further authority to prohibit the provider from disclosing any information about such a requirement to its users or the public without the SoS’s express permission.
Moreover, the IPA purports to apply extraterritorially, permitting the UKG to assert that it may impose secret requirements on providers located in other countries and that apply to their users globally. Together, these provisions could be used to force a company like Apple, that would never build a backdoor into its products, to publicly withdraw critical security features from the UK market, depriving UK users of these protections.
Privacy groups criticize UK order
The changes to the Investigatory Powers Act that Apple opposed last year “included giving the government the power to veto new security measures before they were implemented” and “were passed into law,” the BBC wrote today.
The BBC said it spoke to sources about the order issued to Apple, writing that “the government notice does not mean the authorities are suddenly going to start combing through everybody’s data. It is believed that the government would want to access this data if there were a risk to national security—in other words, it would be targeting an individual, rather than using it for mass surveillance.”
The BBC report said UK authorities would have to follow a legal process and “request permission for a specific account in order to access data—just as they do now with unencrypted data.” But the BBC also quoted the nonprofit Privacy International as saying the demand issued to Apple is an “unprecedented attack” on privacy and “sets a hugely damaging precedent and will embolden abusive regimes the world over.”
The Surveillance Technology Oversight Project (S.T.O.P.), a US-based privacy group, said the UK is hurting its own citizens’ privacy and making Apple users more vulnerable around the world. “Not only would this make countless users more at risk to be surveilled by governments, you would open up the door to a vast array of threats from hackers and cyber criminals. You can’t have a platform that is both secure and operating as a long arm of the government,” the group said.
The Computer & Communications Industry Association, a US tech industry group, said the recent Salt Typhoon breach makes it clear that “end-to-end encryption may be the only safeguard standing between Americans’ sensitive personal and business data and foreign adversaries.”
“Reports that Apple has been secretly ordered by the UK government to weaken its encryption, including in the United States, are a troubling development, if accurate,” the CCIA said. “Decisions about Americans’ privacy and security should be made in America, in an open and transparent fashion, not through secret orders from abroad requiring keys be left under doormats.”