Technology companies are bracing themselves for more attacks on encryption after the UK government issued an order requiring Apple to create a backdoor to allow security officials access to content uploaded on the cloud by any Apple phone or computer user worldwide.
The government has used powers under UK surveillance laws to issue a secret order requiring Apple to provide the UK with the ability to access all encrypted material stored by any Apple users on its cloud servers anywhere in the world, the Washington Post revealed.
The move will put pressure on Apple to withdraw encrypted cloud storage from users in the UK, leaving British consumers without the capability to store files, documents or financial information in a way that will provide them with strong protection from hacking attacks or accidental breaches by cloud providers.
People in the technology industry told Computer Weekly that the UK has shown antipathy towards encryption and that it would not be surprising if more technology companies were hit with similar demands from UK officials seeking the ability to access users’ encrypted data. WhatsApp and Facebook Messenger are potential targets.
The home secretary served Apple with a technical capability notice (TCN) in January, ordering it to provide the government with backdoor access to material stored by Apple users on its encrypted cloud service, the Washington Post revealed.
The notice, issued under the Investigatory Powers Act 2016, makes it a criminal offence for a technology company to reveal the existence of any technical capability notice served against it.
The Investigatory Powers Act gives powers to the government to issue TCNs to remove or modify “electronic protection” applied by tech companies to communications data, under Section 253, part 5(c).
A Home Office spokesperson said: “We do not comment on operational matters, including, for example, confirming or denying the existence of any such notices.”
The TCN requires Apple to give the government access to data encrypted and stored on Apple’s iCloud. Apple introduced Advanced Data Protection (ADP) for iCloud as an optional security feature in December 2022.
ADP allows users to extend Apple’s end-to-end encryption from messaging to personal data, including photos, notes and iCloud backups. According to Apple, the service, to which users need to opt in, offers invaluable protection for users’ private information from threats to data security.
Matthew Hodgson, CEO of Element, a secure communications platform used by governments, said the disclosure that a TCN had been served was unprecedented.
“This is the first time the existence of a technical capability notice under the Investigatory Powers Act appears to have leaked and represents a terrifying escalation in the fight to protect users from blanket surveillance,” he said.
Apple could be forced to remove security in UK
In evidence to Parliament in March, addressing the government’s plans to extend the Investigatory Powers Act 2016, Apple warned that powers in the Act were “extremely broad and pose a significant risk to the global vitality of important security technologies”.
End-to-end encryption was one of the most important security features available to protect information stored in the cloud, ensuring that only users, rather than cloud storage companies, can access their personal data and communications, the company said.
It provides an “essential layer of additional security” because it ensures that malicious actors cannot obtain access to users’ data even if they are able to breach a cloud service provider’s datacentre.
The technology shields citizens from unlawful surveillance, identity theft, fraud and data breaches, and serves as an invaluable protection for journalists, human rights activists and diplomats who may be targeted by malicious actors, the company said.
Apple raised concerns that the IPA “purports” to apply outside the borders of the UK, permitting the UK to claim the right to impose “secret requirements on providers located in other countries and that apply to their users globally”.
“These provisions could be used to force a company like Apple, that would never build a backdoor into its products, to publicly withdraw critical security features from the UK market, depriving UK users of these protections,” it wrote.
Technology companies are concerned that providing backdoor access to encrypted storage would make it impossible to comply with data protection and compliance regulations, including General Data Protection Regulation (GDPR), placing further pressure on them to withdraw services from the UK.
The UK’s Five Eyes allies have taken a broader view of encryption. In an advisory last year, the US, Canada, Australia and New Zealand recommended widespread use of encryption, including end-to-end encryption, to mitigate threats from China, which infiltrated US telecoms networks in the Salt Typhoon attack.
UK’s battle against encryption
The UK, which notably did not add its name to the Salt Typhoon advisory, has fought a long-running battle with technology companies over encryption. Last year, the National Crime Agency singled out Meta for criticism over its plans to introduce end-to-end encryption on its Facebook Messenger and Instagram services.
And in 2024, the government failed to ease industry concerns that the “spy clause” in the Online Safety Bill, which aims to crack down on child abuse and other harmful online content, would fundamentally weaken end-to-end encrypted services.
Claims by a junior minister to the House of Lords that “there is no intention by the government to weaken the encryption technology used by platforms” did little to reassure tech companies.
Dangerous precedent
Jurgita Miseviciute, head of public policy at Proton, an encrypted communications provider, said the move against Apple would create a dangerous precedent.
“Backdoors to encryption that only let the good guys in are impossible. Regardless of intent, compromising encryption creates vulnerabilities that are sure to be exploited not just by authorities beyond the UK, but by malicious actors as well,” she said.
“Removing access to end-to-end encryption in the UK for people’s files would be a huge step backwards that would create a two-tier system, erode trust, and expose British users to surveillance and cyber threats,” she added.
Matthew Hodgson, CEO of Element, said the compromise of the US telecoms network by Salt Typhoon showed that surveillance backdoors were a “catastrophically flawed idea”.
“Apple should withdraw from the UK rather than comply with this order, and make it clear that becoming complicit in a surveillance state is a line they will not cross,” he said.
Robin Wilton, senior director for the Internet Society, a global non-profit, said it was “beyond disappointing” that the UK government was using the Investigatory Powers Act to break end-to-end encryption for Apple’s cloud service.
“It is stunning that just days after the UK’s National Audit Office released a report that the ‘cyber threat to the UK government is severe’, the UK government would launch an attempt to weaken the security and privacy of a service that its citizens, including government employees, rely on,” he added.