
Home Office ‘backdoor’ seeks worldwide access to Apple iCloud users’ data, court documents confirm

A court filing states that a government order against Apple would give it the capability to access communications and metadata of customers using the iCloud service anywhere in the world

The Home Office sought access to data and messages stored by Apple users on its cloud storage in the UK and overseas by demanding a “backdoor” to Apple’s iCloud service, a court ruling has revealed.

A UK government order against Apple requires the company to “remove electronic protection where practicable” on data stored by Apple users on its cloud-based backup service, including beyond the borders of the UK.

A court ruling suggests the UK has not yet dropped demands to access the data of US Apple users, despite an announcement by the US director of national intelligence, Tulsi Gabbard, that the UK had backed down following a major diplomatic row with the US.

The document, based on “assumed facts”, reveals that the Home Office order goes wider than giving access to data stored by Apple users on the company’s Advanced Data Protection (ADP) service, which Apple withdrew from the UK following the Home Office’s actions, and covers all data stored by Apple users on its iCloud service.

Apple launched a legal challenge against the Home Office at the Investigatory Powers Tribunal (IPT), an independent body that rules on the lawful use of surveillance powers, in March, after the Home Office imposed the order in January.

Apple is challenging the Home Office’s use of a secret order, known as a technical capability notice (TCN), to require it to introduce mechanisms to allow the UK to access data and messages stored by users on iCloud.

According to a court decision, issued by the Investigatory Powers Tribunal on Wednesday 27 August, the Home Office powers apply extraterritorially beyond the UK. “The obligations are not limited to the UK or users of the service in the UK, they apply globally in respect of the relevant data categories of all iCloud users,” it stated.

Apple required to disclose messages and data

The Home Office order against Apple requires the tech company “to provide and maintain a capability to disclose categories of data stored within a cloud-based backup service”, according to the filing, meaning that Apple is required to hand over messages and data stored on iCloud.

This could include encryption keys, photographs and metadata that can identify a person, device, service used or websites visited, but not the content viewed on a website.

The Home Office has refused to confirm or deny the existence of the technical capability notice, despite its existence having been widely leaked.

The IPT has decided to proceed on the basis of “assumed facts”, allowing the case to be heard in open court, without the risk of breaching secrecy around the order, in hearings scheduled for early 2026.

TCN does not allow bulk interception

An analysis of the IPT decision, approved by two senior judges, shows that the TCN does not give UK intelligence services or law enforcement the ability to conduct bulk surveillance on material stored on Apple’s iCloud.

Under the Investigatory Powers Act, the TCN requires Apple to provide technical capabilities to allow targeted interception of communications.

This means police and intelligence services can apply for interception warrants to obtain data stored on Apple’s iCloud from targeted individuals, organisations or premises.

They can also apply for “thematic warrants” to target multiple people, organisations or premises simultaneously, if surveillance forms part of a “single investigation” or “operation”.

Apple argues that the TCN prevents the company from offering its Advanced Data Protection service worldwide. The service allows users to independently encrypt their data on iCloud in a way that cannot be read by Apple.

The company withdrew its ADP service from the UK in February, in the wake of the order. “As we have said many times before, we have never built a backdoor or master key to any of our products or services, and we never will,” Apple said in a statement.

The Home Office TCN sparked a major diplomatic row between the UK and the US, with the UK attracting criticism from US president Donald Trump, vice-president JD Vance and the director of national intelligence Tulsi Gabbard, who argued that it could undermine US citizens’ privacy and civil liberties.

Gabbard announced on social media site X on 19 August that the UK had agreed to drop demands for a “backdoor” that would allow access to the data of US citizens, although the terms of the agreement are unclear.

IPA amendments extended reach of ‘backdoor’ orders

The legal filing also reveals that the Home Office began the process of issuing the TCN against Apple before the introduction of critical amendments to the Investigatory Powers Act (IPA) 2016 that impacted TCNs, but did not complete the process until after the amendments had partially come into force.

The Investigatory Powers (Amendment) Act 2024 includes measures to extend the reach of TCNs to technology companies that are not based or controlled in the UK, provided that they operate services to UK users.

The government is expected to argue in hearings at the IPT next year that the TCN is proportionate, as the government is required to obtain a warrant for each target for interception, which must be approved by a judicial commissioner.

It is expected to say that the powers created by the TCN are not an attempt to expand surveillance powers, but to maintain existing powers that were in place before Apple introduced automatic encryption tools.

Government lawyers are also expected to argue that the approval of the TCN by a judicial commissioner provides sufficient legal and privacy safeguards.

Legal arguments will focus on advanced encryption

Apple is unlikely to succeed in legal arguments that the Home Office should not be able to access encrypted data on iCloud in cases where Apple already has the encryption keys.

However, it is expected to present arguments against Home Office demands that it remove users’ rights to encrypt data with their own encryption keys using Apple’s Advanced Data Protection service.

Commentators say the case will raise new areas of law. The only legal precedent is a case involving the encrypted messaging service Telegram, which implied that systematically weakening encryption is a disproportionate interference with the right to privacy under Article 8 of the European Convention on Human Rights.

Bernard Keenan, a lecturer in law at UCL and a specialist in surveillance law, said the assumed facts appear to be “a lot more specific than the government would have wanted – it’s pretty easy to infer the terms of the order”.

He said the UK government had massively underestimated international objections to the TCN.

“First, the extent to which Apple, as a ‘surveillance intermediary’, is prepared to resist requests to weaken the security of its devices in response to law enforcement requests,” he said.

“Second, the government also underestimated the attitude of key members of the Trump administration to the balance between privacy and state power.”
