US lawmakers say UK has ‘gone too far’ by attacking Apple’s encryption
US politicians are calling for Congress to rewrite the US Cloud Act to prevent the UK issuing orders to require US tech companies to introduce ‘backdoors’ in end-to-end encrypted messaging and storage
US lawmakers are calling on the Trump administration to revisit its data-sharing agreement with the UK, following growing disquiet that a secret legal order issued by the UK against Apple will damage the privacy and security of US citizens.
Politicians on both sides of the US political divide say the UK has “gone too far” by ordering Apple to weaken an encryption service used by people around the world to secure their data, including messages, photographs and files.
The House Judiciary Subcommittee on Crime and Government Surveillance heard on 5 June that the order would allow the UK to exploit US-UK law enforcement data sharing agreements made under the US Cloud Act to obtain data held by Apple on cloud servers in the US.
Lawmakers are calling on the US Department of Justice (DOJ) to invoke a 30-day termination clause in UK-US data sharing agreements to put pressure on the UK to withdraw its demands from Apple. They are also calling for amendments to the act to prevent the UK from issuing further similar notices to US tech companies.
The committee heard that the UK has issued more than 20,000 demands for data from US technology companies under the Cloud Act, largely for live interception, compared to only 63 US demands to British providers, mostly for stored data.
“Unfortunately, one of our closest allies, the United Kingdom, is taking advantage of its authorities under the Cloud Act and is attacking America’s data security and privacy,” said committee chair Andy Biggs, Republican representative for Arizona.
Biggs said the UK’s order against Apple “threatens the privacy and security rights, not only of those living in the UK, but of Apple users all over the world”. He added: “This is a dangerous precedent, and if not stopped now, could lead to future orders by other countries.”
The Cloud Act empowers the US Department of Justice (DOJ) to enter into agreements with the UK or other countries to give them access to data held by US technology companies, either in real time or from storage in the cloud.
The Cloud Act is neutral about encryption, but once a US company is ordered to create a “backdoor” in its end-to-end encrypted services, then the UK could serve a production order for information that was previously inaccessible.
Under Cloud Act agreements, tech companies are required to disclose data to UK law enforcement directly under the provisions of UK law, without the requirement for a US warrant. In return, US law enforcement agencies are able to obtain data held on servers in the UK.
The UK Home Office issued a secret order requiring Apple to extend UK law enforcement and intelligence agencies’ access to encrypted data stored in iCloud to Apple’s Advanced Data Protection (ADP) service, in a move leaked to the Wall Street Journal in February 2025.
The existence of the order, known as a technical capability notice (TCN), was confirmed when Apple withdrew its ADP service for UK users in February while continuing to provide the service to people overseas. Apple is now challenging the legality of the order in the UK’s Investigatory Powers Tribunal.
Order would expose US to cyber threats
Jamie Raskin, representative for Maryland and the top Democrat on the committee, said the TCN would expose the US to threats from cyber criminals and foreign states, including espionage, consumer fraud and ransomware.
“Backdoors to encrypted technology are not capable only of letting good guys in while keeping the bad guys out…these design weaknesses can be exploited by foreign governments seeking to compromise our national security,” he added.
He said that UK demands to have access to encrypted communications would be analogous in the physical world to the government having access to “all our private conversations…at a restaurant or walking in a park because there might be some information they want to get”.
Encryption is critical to national security
Giving evidence to the committee, Susan Landau, professor of cyber security and policy at Tufts University, said protecting the private data of American citizens is a critical aspect of protecting US national security.
Giving examples, she said: “Protecting the private communications of a CEO’s son-in-law, the files of an American who has family working in China, or the draft research papers of a graduate student in genomics who has not yet filed a patent on her work, is protecting both the individuals and the economic and national security of our nation.”
Proposals to amend the Cloud Act
Evaluate whether the Cloud Act and the US-UK agreement are working as intended, and renegotiate the agreement if necessary to ensure Americans’ rights are protected.
Invoke the 30-day termination clause in the US-UK agreement to pressure the UK to withdraw the order to Apple.
Prohibit countries from issuing orders that undermine encryption or cyber security.
Allow tech companies to notify the US government when they receive orders that undermine encryption or cyber security.
Require more frequent reporting from the Department of Justice on the operation of the Cloud Act.
Include cyber security and network security as criteria for entering into agreements between the US and other countries to share data under the Cloud Act.
Journalists, human rights organisations, civil society groups, remote workers, business people travelling overseas, and family members who want to keep wills or financial information all need end-to-end encryption, she told the committee.
“The technology that Apple developed protects our national security and the security and privacy of ordinary Americans. It should be widely used and widely available,” added Landau.
Chinese hackers exploited law enforcement access
Landau said Chinese hackers have already exploited access mechanisms designed for US law enforcement to access US telephone networks in a hacking operation dubbed Salt Typhoon.
Chinese hackers were able to exploit technical measures, installed under the Communications Assistance for Law Enforcement Act (CALEA), to access a database of US wiretap targets, allowing China to learn which Chinese spies had been discovered by the US. They were also able to access the private data of President Donald Trump and vice-president Vance.
The US National Security Agency (NSA) began advocating for greater use of strong encryption in the US in 2000, winning support from former directors of the NSA, executives at the Department of Homeland Security and the FBI, the committee heard.
Australia, Canada, New Zealand and the US recommended in December 2024 that end-to-end encryption be used whenever possible following the discovery of the Salt Typhoon attacks. The UK was the only Five Eyes partner to refuse to sign.
Richard Horne, director of GCHQ’s National Cyber Security Centre, told Computer Weekly, when asked about the Apple case, that there was no conflict between privacy and security.
“We take the view that privacy and security can both be met. And clearly, we’re not going to comment on a lot of speculation and matters for the Home Office. But we do take the view that you can achieve both objectives,” he said.
UK mandates imposed in ‘closed secret hearings’
Richard Salgado, former director of law enforcement and information security at Google, told the committee that the UK’s actions threatened US cyber security and the competitiveness of US technology suppliers.
Salgado, a consultant on geopolitical cyber security and surveillance, and lecturer at Harvard and Stanford law schools, said the threat was magnified when the UK’s mandates are “imposed in closed secret hearings and the outcomes concealed”.
“If there’s still a real debate about whether security should yield to government surveillance, it doesn’t belong behind closed doors in a foreign country. It shouldn’t be settled in secret proceedings run by foreign officials and with outcomes unknown even to the US government.”
Risk from other countries
Caroline Wilson Palow, director and general counsel at Privacy International, told lawmakers that there were concerns that if the UK could order Apple to deliberately weaken its encryption, other orders against US companies would follow.
“If the UK government succeeds in maintaining this order against Apple, it is likely further such orders targeting end-to-end encryption may follow. Other American companies, given their global reach, will be targets,” she said.
Notices could also be used to force tech companies to undermine security in other ways – for example, by sending false security updates or requiring them to refrain from fixing a vulnerability in their systems, she said.
The committee heard that Australia, the only other country with a Cloud Act agreement, had a similar technical capability notice regime to the UK. Canada, which is negotiating a Cloud Act agreement with the US, has an almost identical provision to the US. The European Union, which is also negotiating a Cloud Act agreement, has been considering measures that would undermine end-to-end encryption.
“More countries, therefore, might soon be targeting US companies and undermining the security and privacy of their users worldwide while also taking advantage of Cloud Act processes,” said Wilson Palow.
Landau said one of the most disturbing aspects of the UK’s TCN regime is that it claims to be able to serve notices entirely outside of the provisions of the Cloud Act.
There is nothing in the Cloud Act to prevent a country like Turkey or South Africa, or other countries with less respect for human rights, from serving similar orders against US tech companies.
Golden age of surveillance
Greg Nojeim, senior director of the non-profit Centre for Democracy and Technology, said Congress and the US DOJ should act to protect the privacy and security of America’s data against threats from countries, including the UK, that benefit from Cloud Act agreements.
“The UK would have Apple withdraw the service worldwide or compromise its protections so that no matter where you went, even to your office next door…if you downloaded your iMessages [to the cloud], you would not be able to protect them with encryption. The situation is intolerable,” he told lawmakers.
Although law enforcement agencies claim intelligence is “going dark” because of encryption, in reality, it is a golden age of surveillance, the committee heard.
“There’s never been more human thought available to law enforcement agencies around the world in the history of mankind than today. They get it from social media, they get it from data brokers, they get it from all kinds of sources,” said Nojeim.
“The TCNs are super extra-territorial. The UK authorities can issue orders to companies outside the UK and order them to alter their equipment outside the UK, so they can wiretap people who are outside the UK,” he said.
Because it is a criminal offence for a technology company to reveal the existence of a TCN, it is not possible to know how many other TCN notices have been issued against US tech firms, the lawmakers heard.
Calls to amend Cloud Act
The experts giving evidence urged the US government to press the UK to drop its action against Apple, and to commit to giving guarantees to refrain from similar action against other US companies, or withdraw cooperation agreements under the Cloud Act.
Congress should also amend the Cloud Act to require that cooperating countries respect free speech and security. There should be a requirement for foreign governments, including the UK, to agree not to impose surveillance or “anti-security” measures on US companies.
Republican representative Biggs said the DOJ should immediately issue a 30-day termination notice unless the UK agrees to transparency over its TCN notice with Apple.
“I agree that this is an important moment to pressure the UK, because if we don’t push back now, then the UK may issue many more of these orders in the future, entirely in secret, and we won’t know about them,” said Privacy International’s Wilson Palow.
Democrat representative Raskin said the UK’s requirement for blanket secrecy over the Apple order “completely undermines” the ability of Congress and oversight bodies around the world, including civil rights advocates, to question whether it was an “acceptable violation” of US privacy and security.
Timeline: Row over Home Office’s order for Apple to include a backdoor into its encrypted cloud storage
14 March: The Investigatory Powers Tribunal holds a day-long secret hearing into an appeal brought by Apple against a government notice requiring it to provide law enforcement access to data encrypted by its Advanced Data Protection service on the iCloud, despite calls for the hearing to be opened to the public.