Apple Ordered to Create Backdoor for UK Government Access to Encrypted iCloud Backups
The UK government has reportedly ordered Apple to create a backdoor that would give security officials access to users’ encrypted iCloud backups. If implemented, British security services would have access to the backups of any user worldwide, not just Brits, and Apple would not be permitted to alert users that their encryption was compromised.
Secret Order Based on Investigatory Powers Act
The secret order, issued last month, is based on rights given under the UK’s Investigatory Powers Act of 2016, also known as the Snoopers’ Charter. Officials have apparently demanded blanket access to end-to-end encrypted files uploaded by any user worldwide, rather than access to a specific account.
Apple’s Response
Apple’s iCloud backups aren’t encrypted by default, but the Advanced Data Protection option was added in 2022, and must be enabled manually. It uses end-to-end encryption so that not even Apple can access encrypted files. In response to the order, Apple is expected to simply stop offering Advanced Data Protection in the UK. This wouldn’t meet the UK’s demand for access to files shared by global users, however.
Appeal and Implementation
Apple has the right to appeal the notice on the basis of the cost of implementing it and whether the demand is proportionate to security requirements, but any appeal cannot delay implementation of the original order.
Technical Capability Notice and Criminal Offenses
The UK has reportedly served Apple a document called a technical capability notice. It’s a criminal offense to even reveal that the government has made a demand. Similarly, if Apple did cede to the UK’s demands then it apparently would not be allowed to warn users that its encrypted service is no longer fully secure.
Industry Reaction and Consequences
“There is no reason why the UK [government] should have the authority to decide for citizens of the world whether they can avail themselves of the proven security benefits that flow from end-to-end encryption,” Apple told the British parliament in March 2024 amidst a discussion of an amendment to the Investigatory Powers Act. It has previously pushed back against other UK attempts to legislate backdoors to encrypted communications.
Security services and lawmakers in the UK have consistently pushed back against end-to-end encryption services, arguing that the technology makes it easier for terrorists and child abusers to hide from law enforcement. “End-to-end encryption cannot be allowed to hamper efforts to catch perpetrators of the most serious crimes,” a UK government spokesperson told The Guardian in 2022 after Apple first introduced end-to-end encryption.
US agencies including the FBI have expressed similar fears in the past, but have more recently begun recommending encryption as a way to counter hackers linked to China. In December 2024 the NSA and FBI joined Canada, Australia, and New Zealand’s cyber security centers in recommending web traffic be “end-to-end encrypted to the maximum extent possible,” in new security best practices. UK security services didn’t join them.
Conclusion
If Apple grants the UK government access to encrypted data, it’s likely that other countries, including the US and China, will see the opportunity to demand the same right. Apple will have to decide whether to comply, or remove its encryption service entirely. Other tech companies would almost certainly face similar requests next.
FAQs
Q: What is the Investigatory Powers Act of 2016? A: The Investigatory Powers Act of 2016 is a UK law that gives government agencies the power to collect and access data from internet and phone companies.
Q: What is end-to-end encryption? A: End-to-end encryption is a type of encryption that ensures that only the sender and intended recipient can access the encrypted data.
Q: Will other tech companies be affected by this order? A: Yes, if Apple grants the UK government access to encrypted data, it’s likely that other countries will see the opportunity to demand the same right, and other tech companies would almost certainly face similar requests next.
Q: Will Google and Meta be affected by this order? A: Google and Meta have not commented on whether they have received governmental requests for backdoors. However, Google has offered encrypted Android backups by default since 2018, and Meta also offers encrypted backups for WhatsApp users.
Q: What is a technical capability notice? A: A technical capability notice is a document that requires a company to modify its technology to comply with a government request.
