Apple is once more under pressure to provide a government with a way to access its users’ data from locked phones, but this time the United Kingdom is asking.
Bloomberg reports that the UK wants Apple’s help unlocking phones in relation to citizens of Great Britain.
The Home Office has resurrected the request after dropping a previous, broader demand that could have had implications for users around the world, according to the Financial Times. Apple, which had disabled its Advanced Data Protection feature for British customers during the dispute, is likely to challenge any order that would significantly weaken end-to-end encryption.
What changed in the United Kingdom iCloud access request
This time around, per the FT’s report, the ask from UK authorities has been simplified to cover only access to iCloud accounts associated with UK users. The administration was said to have proposed a global backdoor earlier this year, an ask that drew criticism on the other side of the Atlantic and was eventually abandoned. Narrowing the scope might make the proposal more politically palatable at home, but it doesn’t solve the fundamental technical problem: cryptography does not neatly bend to borders.
Apple has argued that building a special access mechanism for one jurisdiction puts everyone at risk. The firm put the rollout of Advanced Data Protection (ADP) in the UK on ice and has, as the FT reported, taken the somewhat unusual step of contesting it at the Investigatory Powers Tribunal, a specialist court that hears disputes over UK surveillance powers.
How Advanced Data Protection works
ADP is Apple’s opt-in expansion of end-to-end encryption in iCloud: it extends strong cryptography from the few categories that already have it to the most sensitive data types, like your device and message backups. With ADP turned on, the encryption keys are stored on user devices instead of Apple servers. Such a design makes it impossible even for Apple itself to decrypt its customers’ data, no matter the court order, and is meant to protect customers from criminals as well as insider and state-level hacking.
Independent security researchers tend to favor architectures in which there are no server-side keys, since centralized key stores are attractive targets. IBM’s well-documented cost-of-breach studies and incident information from a number of national cyber agencies continue to highlight that cloud backups are an extremely lucrative target for crooks. The broader body of evidence points the same way: every override you build is also something that attackers will spend unlimited time and resources trying to steal or reverse-engineer.
The legal levers underlying the United Kingdom’s ask
The dispute sits on the fault line of the UK’s Investigatory Powers Act (IPA), under which the government can issue technical capability notices ordering providers to maintain intercept/store functionality. Recent consultations on revamping the IPA have looked at making companies inform the Home Office before shipping new security offerings, and turn them off locally if they fail to match a notice. That vision runs against contemporary encryption, because the most advanced encryption is specifically designed to make it impossible for companies to unilaterally decrypt customer content.
Complicating things, the cloud is cross-border in nature. UK notices potentially apply to extraterritorial conduct, but companies also face obligations under other laws (including US law enforcement access requests pursuant to the CLOUD Act and EU data adequacy requirements). Any indication that privacy protections are being eroded in the UK can feed back into adequacy discussions and into corporate risk assessments around offering certain features in the market.
Industry and civil society backlash over UK plans
Privacy International cautioned that a UK-only requirement for decryption would remain part of a larger issue, because once a backdoor exists in code, there is potential for universal exposure. That view reflects long-held positions of outfits like the Electronic Frontier Foundation and of cryptographers who have warned, since the days of the “Clipper Chip,” that exceptional access can be turned to the advantage of adversaries.
Apple has said repeatedly that it will not create a master key to break into its services. The company has previously said it would rather pull some features from certain territories and markets than break end-to-end encryption, a stance other secure messaging providers took when the UK was debating its Online Safety Act scanning proposals. Security officials, as I suggested, seek one of the two forms of narrowly targeted access that we really need for serious crime and national security purposes; the question is whether “narrow” means manageable without undermining the system as a whole.
What this means for UK-based iCloud users
UK customers, for now, are stuck in the middle. ADP is not being restored for British users, and therefore iCloud backups for those users depend on keys held by Apple, which allows account recovery and lawful access but provides weaker protections against mass server compromise than end-to-end encryption. If the government is successful, and Apple does not comply or maintains E2EE, users in Great Britain could experience a delay in advanced security features being implemented or fragmentation of the product compared to other countries.
The stakes are not abstract. The UK’s own breach surveys and regulator casework reveal a regular drumbeat of incidents impacting public bodies, small businesses, and consumers. In a world where criminals routinely exfiltrate and ransom backup data, the result of this fight will decide whether everyday users in one of Apple’s farthest-reaching markets are able to opt into what is already the highest level of protection Apple can provide for their data stored on its cloud.
What happens next will probably depend on the specifics of any technical capability notice and whether courts are prepared to accept that code can be made to respect borders. The FT’s report suggests that London is seeking a compromise that appears homegrown. Encryption math, and the global internet, have a way of taking local solutions and making them behave like global ones.