The British government has ordered Apple to grant it secret access to its customers’ encrypted cloud storage data using controversial surveillance powers known as the “Snoopers’ Charter”, in a move that could weaken security for iPhone users all over the world.
Last month the US tech group received a “technical capability notice” under the UK Investigatory Powers Act, requiring the iPhone maker to create a “back door” to its encrypted iCloud storage service, according to people familiar with the matter.
The move would enable law enforcement and security services to tap iPhone back-ups and other cloud data that is otherwise inaccessible, even to Apple itself. The law has extraterritorial powers, meaning UK law enforcement could access the encrypted data of Apple customers anywhere in the world, including in the US.
The UK’s demand is the latest flashpoint in a long-running battle between the tech industry and law enforcement over the use of encryption in messaging apps and storage services.
Billions of people worldwide rely on encryption in apps provided by tech companies including Apple, Google, Meta and Signal to secure their personal data. However, security and law enforcement officials argue it shields criminals, terrorists and child abusers, making it harder to gather digital evidence for prosecutions and intelligence critical for national security.
A Home Office spokesperson said: “We do not comment on operational matters, including for example confirming or denying the existence of any such notices.” Apple declined to comment.
The Washington Post first reported the UK’s order to Apple.
“Using technical capability notices to weaken encryption around the globe is a shocking move that will position the UK as a tech pariah, rather than a tech leader,” said Meredith Whittaker, president of the Signal Foundation, the non-profit that runs the secure messaging app. “If implemented, the directive will create a dangerous cyber-security vulnerability in the nervous system of our global economy.”
The UK Investigatory Powers Act, dubbed the “Snoopers’ Charter” by critics when it was passed in 2016, was updated last year in the final weeks of the Conservative government before July’s election.
Under the legislation, which has been widely criticised by human rights campaigners and privacy activists as well as Silicon Valley tech companies, recipients of technical capability notices are not allowed to acknowledge their existence or warn users that their security had been weakened, unless the Secretary of State grants permission to do so.
Apple has previously said the rules would force it to withdraw secure services to UK customers because it “would never build a back door into its products”, suggesting that it may opt to switch off Advanced Cloud Protection rather than compromise encryption.
Security officials have long grappled with the tension between users’ privacy and the occasional need for enhanced surveillance.
“When so much plotting takes place on the internet, our ability to track the online activity of those who mean us harm is utterly crucial,” Ken McCallum, head of the UK’s domestic intelligence agency MI5, said in a speech last October.
“Maintaining proportionate, lawful access to such communications in the face of ever-more prevalent encryption is sometimes our only means of detecting and understanding these threats. Privacy and exceptional lawful access can coexist if absolutist positions are avoided. World class encryption experts are confident of this,” he added.
In 2016, Apple fought a high-profile battle against the US Federal Bureau of Investigation, which wanted Apple to help it break into an iPhone used by a gunman in the San Bernardino terror attack.
In early 2024, when the latest amendments to the Investigatory Powers Act were moving through parliament, Apple said it was “deeply concerned” the changes put users’ privacy at risk.
“It’s an unprecedented over-reach by the government and, if enacted, the UK could attempt to secretly veto new user protections globally, preventing us from ever offering them to customers,” Apple said at the time.
Last month, the head of Europol slammed tech companies’ resistance to co-operating with police over access to encrypted messages, saying they had a “social responsibility” to open up criminals’ data.
Apple rolled out Advanced Data Protection for iCloud in early 2023 as an optional service that users must choose to turn on. By contrast, Apple’s iMessage service, like its rivals WhatsApp and Signal, is encrypted end-to-end by default.
People in the tech industry are concerned that by targeting a relatively little-known Apple service, the UK could set a precedent that would then be used to compel tech companies to create back doors in more popular apps.
The Information Technology and Innovation Foundation, a Washington-based not-for-profit think-tank that counts several Big Tech companies including Apple and Meta among its funders, called the UK’s move a “dangerous and unjustified over-reach that threatens the security and privacy of individuals and businesses around the world”.
“Demanding that companies deliberately undermine their own security features crosses a critical red line,” said Daniel Castro, ITIF’s vice-president.
“Because the UK’s order applies globally, its harmful effects will extend far beyond its borders, undermining the security of users worldwide . . . Allowing one nation to set a precedent that compromises global digital security should not go unchallenged.”
Read the full article here
