Apple Takes U.K. to Court Over Demand To Weaken Encryption

Last month, Reason reported on the United Kingdom's demand for access to any Apple user's digital information stored in its cloud storage service, iCloud. Since those data are end-to-end encrypted by default, this would require the tech giant to create an intentional vulnerability in its security protocols—the likes of which could be exploited by sophisticated criminals or hostile governments.

"If the U.K.'s order stands, Apple will either have to weaken every user's security worldwide or cease operating in Europe altogether," I wrote at the time. "Either move would be disastrous, either to the company's bottom line or to its users' data privacy."

As it turns out, Apple tried to split the difference, but the company is also reportedly taking the U.K. to court over the order.

"Apple can no longer offer Advanced Data Protection in the United Kingdom to new users," the company announced last week. "We are deeply disappointed that our customers in the UK will no longer have the option to enable Advanced Data Protection (ADP), especially given the continuing rise of data breaches and other threats to customer privacy."

As The Washington Post first reported, the U.K.'s Home Office issued an order that Apple must "create a back door allowing them to retrieve all the content any Apple user worldwide has uploaded to the cloud."

"As we have said many times before," Apple pledged, "we have never built a backdoor or master key to any of our products or services and we never will."

By default, Apple provides end-to-end encryption on 14 of its products, like saved passwords; first introduced in December 2022, ADP adds encryption protection to nine more, including Photos, Voice Memos, and iCloud data and backups.

In its announcement, Apple advised that the original 14 products would remain end-to-end encrypted, but users in the U.K. could no longer enable ADP if they had not done so already. It also advised that while "Apple cannot disable ADP automatically," these users "will be given a period of time to disable the feature themselves to keep using their iCloud account."

This week, Apple is apparently fighting back: The BBC reports that Apple "has appealed to the Investigatory Powers Tribunal." Under U.K. law, the tribunal is "an independent public body exercising judicial functions" regarding "complaints about the use of intrusive powers such as phone-tapping by intelligence services, law enforcement agencies and public authorities."

Indeed, Apple is right to resist: As I noted last month, it would be impossible to design a vulnerability to encryption that can only be exploited by police, or with a court order, or any other exception you can imagine. By definition, any encryption "back door" open to law enforcement could also be exploited by hackers.

European authorities have long pushed for an exception to end-to-end encryption, and tech firms have resisted. A provision in the U.K.'s Online Safety Act 2023 could require tech companies to scan all users' messages for forbidden content before they were encrypted; Meredith Whittaker, president of the secure messaging app Signal, told the BBC in 2023 her company "would absolutely, 100% walk" if forced to comply.

The U.K. government later said it would not enforce this provision of the law, admitting the technology to securely do what it was asking did not exist.

When news first broke of the U.K.'s order to Apple, many free speech advocates spoke out in opposition. "The United Kingdom government's order to Apple to allow security authorities access to encrypted cloud data severely harms the privacy rights of users in the UK and worldwide," Amnesty International and Human Rights Watch said in a joint statement.

Academics, scientists, and civil society organizations including TechFreedom, the Competitive Enterprise Institute, the Freedom of the Press Foundation, and the R Street Institute jointly signed letters asking U.K. officials to "withdraw" the order and U.S. officials to "act swiftly to protect Americans, and Internet users everywhere, from having their stored communications exposed to access by malicious governments and non-state actors."

In a letter of their own, Sen. Ron Wyden (D–Ore.) and Rep. Andy Biggs (R–Ariz.) asked Director of National Intelligence Tulsi Gabbard to "giv[e] the U.K. an ultimatum: back down from this dangerous attack on U.S. cybersecurity, or face serious consequences."

"I share your grave concern about the serious implications of the United Kingdom, or any foreign country, requiring Apple or any company to create a 'backdoor' that would allow access to Americans personal encrypted data," Gabbard wrote in reply. "Any information sharing between a government—any government—and private companies must be done in a manner that respects and protects the U.S. law and the Constitutional rights of U.S. citizens."

President Donald Trump told The Spectator that during a meeting with U.K. Prime Minister Keir Starmer, "We told them you can't do this….That's something, you know, that you hear about with China."