In early February, The Washington Post reported that the British government had served Apple with a so-called “technical capability notice” requiring it to provide access to encrypted content stored in iCloud. At issue is Apple’s “Advanced Data Protection” (ADP) program, which allows iCloud backups (photos, contact lists, and other personal information) to be end-to-end encrypted (E2E).
With E2E encryption, the keys needed to decrypt the data exist only on the user’s own trusted devices, so no one else, not even Apple, can read content uploaded to iCloud. Apple implemented this as part of a years-long effort to expand user privacy. While services such as iMessage are E2E encrypted by default, ADP is opt-in, and most users do not enable it. Those who do enjoy greater protection from data breaches and more control over their data, with one trade-off: because Apple holds no key, it also cannot recover the data for a user who loses every device and the recovery key or recovery contact set up when ADP was enabled.
The British government’s notice, sent by the Home Office, required Apple to make that content available to national security officials. However, the only way to satisfy such an order is to give Apple (and therefore the government) a key or an access path to data that is currently readable by no one but the user. That mechanism would be a single, high-value target, and any weakness in it or misuse of it would expose the same content to criminals and hostile states, threatening user privacy. Even more concerning, the British government did not simply ask Apple to build this access for users in the U.K.; according to the reporting, it demanded access to the encrypted data of any Apple user worldwide.
Under Britain’s 2016 Investigatory Powers Act (IPA), as recently amended, Apple must keep the order secret and comply with it immediately, or face severe penalties. When Apple was warned in 2024 that such an order was coming, it said it would rather stop offering ADP in the U.K. and would appeal the decision in court. However, the IPA requires Apple to comply with the order without delay, even while an appeal is pending. Furthermore, merely withdrawing E2E encryption from U.K. users would not satisfy the order, because the IPA allows the British government to demand access to data regardless of where the user is located.
There is no publicly known precedent for an order of this scope in a major democracy, and it should concern every company and country that does business with the United Kingdom. The U.S. government initially opposed Apple’s plans for E2E-encrypted backups and managed to delay them for several years, but recent Chinese intrusions into American telecommunications infrastructure have shifted its position. The FBI and other American security agencies now recommend that E2E encryption be used wherever possible, for messaging and for stored data alike. The reasoning is simple: it is far easier to attack one centralized key-recovery mechanism or backdoor than to attack 330 million individual devices one at a time.
The updated U.S. guidance has been echoed by the other members of the Five Eyes intelligence alliance (Australia, Canada, and New Zealand) but not by the U.K. If Apple complies with the British order, the access mechanism it builds would exist for every user, and any adversary that stole, coerced, or reverse-engineered it, China included, could reach devices and accounts across the entire Western world.
Apple still has options. Once domestic review before the Investigatory Powers Tribunal is exhausted, it could take the case to the European Court of Human Rights (ECHR), which held in a 2024 ruling against Russia that forcing a provider to weaken E2E encryption violates the right to privacy. It could also withdraw its operations from the U.K. entirely. Apple deserves credit for its efforts to protect user privacy, but the United States must back it up. The U.S. should put diplomatic pressure on the British government to withdraw the order and impose export restrictions on specific technologies if it refuses.
The U.S. already restricts exports of many high-risk technologies to China, which, notably, has not attempted to gain worldwide access to encrypted user data through national security orders (ADP is not offered in mainland China). If a country mandates that American technology be weakened for its mass surveillance operations, that country should not have access to our most advanced tools.
Congress has the most important responsibility in this situation. Like the European Union, the U.S. must pass comprehensive privacy laws requiring user data to be stored securely and E2E encrypted wherever possible. Additionally, we should prohibit U.S. companies, and companies operating in the U.S., from providing confidential user information to foreign governments. It should also be illegal to store U.S. user data in countries with lax privacy laws, just as the EU restricts transfers of European personal data to countries that do not offer an adequate level of protection.
There is already precedent for this: TikTok’s American operations now run on servers operated by the American company Oracle. Such laws would keep American user data secure and out of reach of foreign adversaries and authoritarian states. The U.K. has no constitutionally entrenched bill of rights that Parliament cannot override; America does, and it is time to enforce it.