About a year ago, the UK government threatened to force Apple to install a backdoor into iCloud data for its use. Anonymous sources report that the company has recently been handed a secret order to do that, one against which it has limited legal recourse.
Given its prior privacy stances, it seems very unlikely that Apple will comply. It does have an appeals process available, but is required to start working on providing the backdoor access as that plays out. A very possible outcome is that end-to-end encryption of iCloud data will cease to be available in the UK, but the issue potentially extends well beyond its borders.
Global Apple security threatened by UK’s iCloud data order
Apple’s “Advanced Data Protection” was introduced in 2022, and immediately raised hackles with a UK government that has made clear for some time that it does not want true encryption available to the public. The option end-to-end encrypts all data on devices, including iCloud data (which previously was not protected and gave law enforcement a loophole for getting around Apple’s otherwise staunch device security).
The UK Investigatory Powers Act of 2016 has been invoked to justify a demand for a universal backdoor to iCloud data. The law not only allows this but requires Apple and anyone else familiar with the order to keep it secret (under threat of criminal charges). Anonymous inside sources, confirmed by an anonymous US official, revealed the order to Washington Post reporters.
Apple is required to begin complying with the order immediately. It does have the right to an appeal, centered on a panel of government-appointed technical experts determining if the order is feasible and realistic to implement. The issue of privacy invasion does not come up until the appeal then goes before a judge, who is asked to determine if the government’s request is proportionate and necessary.
While Apple might simply discontinue end-to-end encrypted iCloud data in the UK, going back to the pre-2022 state, the backdoor that the UK Home Office is requesting would apply to all Apple devices globally. This has spurred members of a number of United States congressional oversight committees to petition new National Intelligence Director Tulsi Gabbard to withdraw US government cooperation with UK cybersecurity agencies if the Apple order goes forward.
Apple likely to resist UK iCloud data order, but path forward remains uncertain
The resolution to the situation likely hinges on how pushy the UK wants to be about demanding backdoor access to the world’s iCloud data. Removing the Advanced Data Protection feature in the country is a very possible compromise, though the UK would be the first nation in which Apple formally drops the setting. A global backdoor seems like a dealbreaker, as it would totally undermine faith in Apple’s device security.
The UK government likely keeps these orders secret and threatens leakers with prison to stop the exact response that this story has generated. It is possibly facing political pressure from the US, and a 100+ member group calling itself the Global Encryption Coalition (including a number of significant software and privacy companies) has signed a joint letter protesting the action. The order could also cause problems with international data transfers from the EU, where the existence of a wide-open government backdoor could very well annul the UK’s adequacy decision.