The United Kingdom government is once again leaning on Apple for unrestricted access to the cloud backup data of its users. The office of the Home Secretary has quietly served the company with an order under the U.K. Investigatory Powers Act of 2016. It became known to the public only via inside sources speaking to Washington Post reporters under condition of anonymity, as disclosure can bring criminal charges. The order mandates that Cupertino install a backdoor to iCloud data for the government’s exclusive use, something that could essentially destroy end-to-end encryption on its devices and provide access to the information of users outside of the UK.
The secret order can be appealed to an equally secret panel of UK government “technical experts,” but Apple is required to comply immediately. The government has floated this idea before, and Apple previously rejected it and said that it would not cooperate. The move comes as part of a broader effort by the UK government to essentially put a legal end to encryption in the name of easier tracking of terrorism and child abuse suspects.
iCloud data request flies in the face of longstanding Apple policy
The order appears to go beyond simply requiring Apple to unlock a particular user’s encrypted iCloud data upon request, instead demanding a dedicated backdoor that UK intelligence and law enforcement can use to explore accounts at will. The UK also wants global access, with the ability to pore through the iCloud data of users located in other countries.
Apple has firmly rejected providing such access in the UK before, and has stood its ground on even more limited access in cases in the United States. There is not yet an indication of how the company has responded to this request, but the most likely outcome would be putting an end to the ability to end-to-end encrypt iCloud data in the UK at minimum.
The U.K. Investigatory Powers Act of 2016 provides the government with the ability to serve communications companies with a “technical capability notice” compelling them to add features such as backdoors. The order cannot legally be refused, though it can be appealed to a non-public technical panel that would consider implementation details and eventually refer the case to a judge to decide if the request is proportional to the government’s legitimate law enforcement need. Apple would have to go ahead with implementing the requested access while the appeal process plays out, however.
These notices are also served entirely in secret, and disclosing to the public that one has been served can bring criminal charges. Apple would also not be able to warn users that such a backdoor had been implemented and that their encrypted iCloud data was no longer entirely safe. The Home Office has refused to comment on the Washington Post story.
Backdoors directly threaten Apple’s core consumer appeal
The type of fully encrypted iCloud data the UK government is after is the kind protected by Apple’s optional Advanced Data Protection setting, which first became available in 2022. This is not on by default in most cases and requires users to go through manual steps to enable it, but once enabled it removes iCloud data from the reach of anyone but the user.
Apple’s business model relies heavily on hardware, which makes up just about half of its total annual revenue, and it is a leader in that category in no small part because it has developed a brand image of superior privacy and security. The company has thus stuck to its guns about user privacy and encryption rights even when facing high pressure from the US government. That old nemesis may now be providing it with some support, however, as members of several congressional oversight committees have written appeals to newly minted National Intelligence Director Tulsi Gabbard asking her to withdraw cooperation with UK cybersecurity agencies if the country will not back off from its backdoor plans.
A coalition of tech, cybersecurity and civil society organizations is also jumping into the fight. The Global Encryption Coalition has sent the UK government a joint letter urging it to reconsider the dangers of the order. There are over 100 signatories at present including Privacy International, Mozilla, SurfShark VPN, the Internet Society and the Canadian Civil Liberties Association, with new signatures open until February 20.
If it is confirmed that Apple has complied with the order, the issue could also complicate international relationships in Europe. The UK presently has an adequacy decision that allows transfer of EU personal data under the terms of the GDPR, but the possibility of unfettered government access to international data has been the primary factor in scuttling adequacy decisions to date. It raises questions about the UK’s intent to keep its proposed backdoor access to iCloud data in the shadows, possibly hoping that the EU and other regions that might be subject to its snooping would not be aware of the order.
And Apple has previously indicated that it might challenge such an order in the EU courts, pointing out a potential conflict with a prior European Court of Human Rights ruling and a violation of established bloc rights to individual privacy.