The UK government has demanded that Apple creates a backdoor in its encrypted cloud service, in a confrontation that challenges the US tech firm’s avowed stance on protecting user privacy.
The Washington Post reported on Friday that the Home Office had issued a “technical capability notice” under the Investigatory Powers Act (IPA), which requires companies to assist law enforcement in providing evidence.
The demand, issued last month, relates to Apple’s Advanced Data Protection (ADP) service, which heavily encrypts personal data uploaded and stored remotely in Apple’s cloud servers, according to the Post, which said this was a “blanket” request that applied to any Apple user worldwide. The ADP service uses end-to-end encryption, a form of security that means only the account holder can decrypt the files and no one else can – including Apple.
Apple declined to comment. However, in a submission to parliament last year it flagged its concerns about the IPA, saying it provided the government with “authority to issue secret orders requiring providers to break encryption by inserting backdoors into their software products”.
Apple touts privacy as one of its “core values” and describes it as a “fundamental human right”.
The Apple document refers to the ADP feature, claiming that “reporters and technical experts across the globe” welcomed it as an “invaluable protection” for private data.
The submission also indicates that Apple would refuse to cooperate with a request, saying the company would “never build a backdoor” and would rather withdraw “critical safety features” from the UK market.
However, the submission also points out that the IPA allows the UK government to impose requirements on companies based in other countries that apply to users globally.
Alan Woodward, a professor of cybersecurity at Surrey University, said the UK government had “lit the blue touch paper on a truly enormous fight in the never-ending saga of the encryption debate”.
He added: “I don’t see how this is to be resolved, as Apple has made such a big point of privacy for users. If they accede to this technical notice their reputation will be in tatters. They’re bound to challenge it.”
End-to-end encryption has become a battleground between successive UK governments and tech companies, with ministers arguing that the technology prevents law enforcement agencies from tackling criminals, including child abusers.
Companies are also barred from revealing whether they have received a technology capability notice under the IPA. The Washington Post reported that by the time Apple made its submission in March last year the US-based company had been informed that a notice might be served on it. The newspaper said the Biden administration had been tracking the matter since the UK government told Apple it might demand access, and Apple had said it would refuse.
A Home Office spokesperson said: “We do not comment on operational matters, including, for example, confirming or denying the existence of any such notices.”
The submission related to amendments to the IPA passed last year under Rishi Sunak’s government and included giving ministers power to clear in advance any product changes that could alter the UK government’s ability to access users’ data.
One expert warned that the multinational nature of the order could lead to a clash with the EU, which has an agreement with the UK allowing the free flow of personal data between the EU and UK – such as a company in Europe using a datacentre in the UK. The agreement comes up for review this year.
“This may provide a backdoor for access to European citizen data which could go against our ability to retain the rights to share personal data without restriction between the UK and Europe,” said Ross McKenzie, a data protection partner at the UK law firm Addleshaw Goddard.
