UK Government Demands Apple Create Back Door for Cloud Access

Security officials in the United Kingdom have mandated that Apple develop a back door that permits them to access all content uploaded to the cloud by any Apple user worldwide, according to sources familiar with the situation.

The undisclosed order issued last month by the British government requires comprehensive access to view fully encrypted material, not just assistance in accessing a specific account. This request lacks precedent in major democracies and signifies a potential setback for tech companies that have long resisted government exploitation of their services against users.

Rather than compromise the security assurances it made to users, Apple may cease offering encrypted storage in the U.K. However, this adjustment would not meet the U.K. demand for backdoor access to services in other countries, including the United States.

The U.K. Home Secretary’s office has issued a technical capability notice to Apple, compelling the company to provide access as outlined in the U.K. Investigatory Powers Act of 2016, which permits law enforcement to require assistance from businesses to gather evidence.

Critics have dubbed this law the Snoopers' Charter, which makes it illegal to disclose that such a request has been made by the government. An Apple spokesperson declined to comment on the issue.

Apple has the option to appeal the U.K. capability notice through a secret technical panel, which would consider the cost implications of the requirement, or to a judge who would assess whether the request is proportional. However, the law does not allow Apple to postpone compliance during the appeal process.

In March, as Apple anticipated this potential requirement, the company advised Parliament that there was no justification for the U.K. government to dictate whether citizens globally could benefit from the security advantages of end-to-end encryption.

The Home Office stated that they do not publicly discuss technical demands, including confirmation or denial of such notices.

Senior officials from the Biden administration have been monitoring the situation since the U.K. first indicated it might pursue access, and Apple suggested it would refuse this demand. It remains unclear whether the Biden administration objected to the U.K. request.

One consultant advising the U.S. government on encryption matters expressed shock at the U.K. government’s demand for Apple’s assistance in spying on users outside the U.K. without their governments' awareness. A former White House security adviser confirmed the order's existence.

This matter revolves around cloud storage that can only be unlocked by users themselves, not Apple. Apple initiated its Advanced Data Protection option in 2022, which had been stalled after FBI objections during the Trump administration.

Although many iPhone and Mac users do not enable this feature, it provides enhanced protection against hacking and eliminates a common method for law enforcement to access users' pictures, messages, and other data stored on iCloud. Regrettably, iCloud storage is often targeted by U.S. search warrants that can be executed without the user's knowledge.

Authorities worldwide have voiced concerns about the surge in encryption usage across various communication platforms beyond basic phone traffic, which is permissible to monitor with a court's consent in the U.S.

Specifically, the U.K. and the FBI have claimed that encryption facilitates hiding for terrorists and child abusers. Tech companies assert their right to privacy communications, arguing that law enforcement backdoors can be misused by criminals and oppressive governments.

Most electronic communication is encrypted to some extent while passing through private systems, enabling intermediaries like email providers and internet access companies to obtain plaintext when police requests are made.

However, more tech solutions are using end-to-end encryption, denying intermediaries access to the digital keys needed to reveal the content. This includes Signal messages, Meta's WhatsApp and Messenger texts, and Apple’s iMessages and FaceTime calls, which usually lose end-to-end protection when backed up in the cloud; that is not an issue with Apple's Advanced Data Protection feature.

Apple has championed privacy as a key selling point for its products since successfully contesting a U.S. order to unlock an iPhone owned by a deceased terrorist in 2016. While it has attempted to find middle ground, plans to scan devices for illegal content were halted amid significant backlash from privacy advocates.

Google, which has provided encrypted backups for Android phones by default since 2018, could be of greater interest to U.K. officials. Google spokesperson Ed Fernandez referenced that no government has sought backdoor access, implying that no such measures have been adopted.

Meta has also implemented encrypted backups for WhatsApp but has not publicly commented on government requests.

If the U.K. were to secure access to encrypted data, it might encourage other countries like China to demand similar backdoor access, which could prompt Apple to withdraw the service instead of compliance.

The struggle for storage privacy in the U.K. is not unforeseen; U.K. officials previously expressed disapproval of Apple's intent to enforce stringent encryption measures for storage. A spokesperson referenced that strong encryption could obstruct efforts to apprehend serious criminals, particularly regarding child safety laws.

Post the Home Office’s draft provision for the backdoor order, Apple foreshadowed what might follow.

During a parliamentary discussion concerning amendments to the Investigatory Powers Act, Apple cautioned that the law permits the government to pursue backdoors applicable globally. The company asserted that these provisions could compel it to withdraw vital security benefits from the U.K. market, depriving users of necessary protections.

Apple maintained that applying the act concerning strong encryption would conflict with the European Court of Human Rights ruling, which stated laws requiring companies to produce end-to-end encrypted communications risk weakening encryption mechanisms for all users, thus violating privacy rights.

In the U.S., despite longstanding complaints regarding encryption from law enforcement, the recent focus has pivoted to significant breaches by suspected Chinese agents. In a joint briefing with FBI officials, a Department of Homeland Security representative advised Americans to utilize encrypted services for privacy.

Officials from Canada, New Zealand, and Australia have supported these recommendations, while those in the U.K. have not.