The UK government has dropped its controversial plan to mandate an encryption backdoor into Apple’s cloud storage systems, according to a statement by US Director of National Intelligence Tulsi Gabbard. The decision reportedly came after months of consultation between UK officials, including direct involvement by US President Donald Trump and Vice President JD Vance.
The UK government and Apple have yet to publicly comment on the matter. Apple was saddled with a secret court order by the UK government that prevented it from disclosing the encryption backdoor order. The issue only came to light when the company opted to pull its “advanced data protection” feature from the UK market and requested its legal right to a review of the order by the Investigatory Powers Tribunal (IPT). The feature was removed there in February of this year, and as of now there is no indication of if or when it will return.
US government pressure altered UK encryption backdoor plans
The encryption backdoor story to this point has been a strange one due to the nature of the UK government’s Technical Capability Notices (TCNs), which can be issued along with what is essentially a gag order preventing tech firms from discussing the fact that they have been given an order. Any members of the media aware of the order are similarly restricted from reporting on it.
The story broke in early February of this year as anonymous insiders reported the issuance of a TCN to Apple to reporters with the Washington Post and BBC. The story was seemingly confirmed shortly after when Apple abruptly pulled its “advanced data protection” feature from the UK market. The feature allows users to encrypt their stored cloud data in such a way that neither Apple nor any third parties have the ability to access it. Apple then appealed to the IPT, which determined that the British government could not keep the “bare details” of the case private.
One of the big points of contention with the proposed encryption backdoor was that UK authorities were reportedly demanding universal access to the stored cloud data of Apple users, reaching beyond national borders. After the story broke in February, Gabbard publicly commented that the US had “grave concerns” about the possibility of the UK government having open access to US citizen data and said that US intelligence agencies would be examining the situation.
The UK government has responded to the story by saying that it does not comment on operational matters such as TCNs, but that it has long had joint security and intelligence arrangements with the US and is cognizant of potential violations of the privacy rights of US citizens in these operations and of its obligations under the Data Access Agreement and the CLOUD Act. Apple has previously made more general statements about never including encryption backdoors in its products, including resisting repeated pressure from US law enforcement agencies to unlock encrypted phones since at least 2015. The IPT was scheduled to hear the company’s objection to the TCN order early next year, and it is now unclear if this will proceed.
UK retains broad legal ability to demand encryption backdoors
While this appears to be an individual victory for Apple, the UK’s Investigatory Powers Act continues to provide the government with the ability to issue such TCN orders to tech companies and to restrict both them and the media from letting the public know about them.
The news came as British Prime Minister Keir Starmer and numerous other European leaders visited the US to discuss the possibility of reaching a peace deal in the Russian invasion of Ukraine. Trump had previously told Starmer that he “can’t do this” with regard to the Apple encryption backdoor, and Vance has made statements calling the scheme “crazy” and echoing broad cybersecurity industry consensus that any such backdoor will inevitably be found and exploited by malevolent hackers.
There is some precedent in this area, though it comes from the US rather than the UK. In 2013 the Snowden leaks revealed that the NSA had an ongoing program that offered large payments to certain tech companies to build backdoors into their products for the agency’s use, including a $10 million payment to RSA to insert an encryption backdoor into the random bit generator Dual_EC_DRBG (the default option for its then-widely-used BSAFE encryption library). At least one of China’s APT groups is widely believed to have found and actively exploited this, possibly tied to an earlier compromise of RSA servers.
US pressure would not have been the end of the UK’s troubles in forcing an encryption backdoor on Apple; there were also indications that the European Court of Human Rights would get involved if the plan moved forward. And many other countries would have likely joined the fray had Apple acquiesced, as the UK government was seeking for the encryption backdoor to provide access to any Apple cloud storage account anywhere in the world.
Adam McKissock, Principal Security Consultant at Black Duck, notes that due to reporting restrictions the likely measure of progress on this will be seeing Apple’s advanced security features return to the UK one day: “Dropping a universal ‘backdoor’ demand is a win for everyone’s security and civil liberties. Mandating a ‘technical capability’ to read end-to-end encrypted iCloud data would have created a permanent weakness that criminals and hostile states could also exploit. It was especially troubling that the order asserted reach into the data of people outside the U.K. If this reversal holds, the next step is clear: allow Apple to restore Advanced Data Protection for U.K. customers and commit, explicitly, that powers under the Investigatory Powers Act will not be used to require systemic weakening of encryption. Lawful access should remain targeted, case-by-case, and under due process. We don’t make the internet safer by making it less secure.”
Casey Ellis, Founder at Bugcrowd, agrees that this is a big “W” for cybersecurity and that global pushback is likely to isolate the UK on this issue: “It’s good to see this getting reversed. Deliberately weakening the security posture of everyone to enable the surveillance of a few is a universally bad solution, prone to unintended exploitation by cybercriminals and hostile states, over-reach, and creeping abuse. Encryption is essential for civil liberty, and backdoors undermine security for everybody. It’s also good to see aspects of global collaboration happening here. Once a global precedent around this type of thing is established, there’s a real risk of that triggering a race to the bottom.”
And Satish Swargam, Principal Security Consultant at Black Duck, notes that the recent campaigns by the “Typhoon” Chinese hacking groups illustrate precisely why encryption backdoors are likely doomed to fail: “The UK government has taken the right step to abandon its plans to force Apple to weaken encryption protections and include a backdoor that would have enabled access to the protected data of U.S. citizens. Salt Typhoon is an example where nation states have exploited backdoor mechanisms and compromised on our data privacy. In late 2024, U.S. officials announced that hackers affiliated with Salt Typhoon had accessed the computer systems of nine U.S. telecommunications companies, later acknowledged to include Verizon, AT&T, T-Mobile, Spectrum, Lumen, Consolidated Communications, and Windstream. The attack targeted U.S. broadband networks, particularly core network components, including routers manufactured by Cisco, which route large portions of the Internet. In October 2024, U.S. officials revealed that the group had compromised internet service provider (ISP) systems used to fulfill CALEA requests used by U.S. law enforcement and intelligence agencies to conduct court-authorized wiretapping. Attacks such as these show how the backdoor methods could be vulnerable and exploited by hackers. Hence even court-authorized requests to access data via backdoor should be assessed with caution and not taken for granted.”

