UK Encryption Crackdown Imperils Privacy, Security & Free Speech
Berin Szóka, Santana Boulton / Feb 21, 2025
Berin Szóka is President and Santana Boulton is a Legal Fellow at TechFreedom.

In January, the United Kingdom government issued an order to require Apple to break end-to-end encryption (E2EE) for users of its cloud storage services. To comply with the “technical capability notices” (TCNs), Apple must create a backdoor into encrypted cloud storage on its users’ devices—to all of them, not just specific accounts. These secret TCNs represent a massive overreach: they compel Apple to expose private data without transparency or accountability. Such demands have no precedent in democratic countries and would have far-reaching consequences not only for UK residents but for Internet users worldwide. Already today, various news outlets reported Apple will cease offering top-tier data security services for new UK users.
In letters issued today to the UK and US governments, our organization, TechFreedom, has been joined by ten civil society organizations, scholars of fundamental rights law, and computer security experts in opposing these demands. Similar demands may already have been sent to other cloud services under the Investigatory Powers Act of 2016 but under gag orders—so we would only know if the press had reported them. Any company facing such an order would face a difficult choice: either be forced to create a backdoor into its system, exposing users to malicious actors, or abandon E2EE altogether. Apple chose the latter. That’s better than the alternative. As the United Nations High Commissioner for Human Rights warned in a 2022 report, the “adverse effects” of restricting E2EE “are not necessarily limited to the jurisdiction imposing the restriction; rather, it is likely that back doors, once established in the jurisdiction of one State, will become part of the software used in other parts of the world.” At least Apple has avoided building technical backdoors. But abandoning E2EE still exposes users to grave risks and undermines the trust and security that digital platforms rely on.
Whether or not Apple appeals the TCNs, it’s only a matter of time before someone sues on behalf of Apple’s users. Despite Brexit, the UK remains bound by the European Court of Human Rights’ (ECtHR’s) interpretations of the European Convention on Human Rights. As our UK letter explains, the Court has already ruled that encryption is vital for protecting privacy, freedom of expression, and safeguarding individuals and businesses from cyber threats such as hacking, fraud, and identity theft. “Outright bans [of encryption] by Governments,” the Court said, “cannot be justified as they would prevent all users within their jurisdictions from having a secure way to communicate.”
There is no realistic prospect that the ECtHR will uphold the UK’s demands, but the appeal process moves slowly. Someone suing on behalf of Apple users would first have to exhaust all appeals in UK courts before bringing their suit to the ECtHR, which sits in Strasbourg. In the meantime, no new user would be able to activate E2EE for iCloud (which Apple calls “Advanced Data Protection” (ADP)). Apple says that “current UK users will eventually need to disable this security feature.” It’s not clear what “eventually” means, but the UK probably won’t wait anywhere near long enough for courts, even UK courts, to rule on the legality of the TCNs. And Apple’s concession leaves new users unprotected while the wheels of justice turn. It was inevitable that Apple would give in to pressure, but it’s far from the end of the story.
The UK government is highly unlikely to be satisfied with Apple’s limited compliance with the TCNs: Not only will existing users continue to have access to ADP (E2EE), at least temporarily, but as 9to5Mac notes: “Even with Advanced Data Protection off, some iCloud features are always end-to-end encrypted. This includes features like the password keychain, data stored in Apple Health, Wi-Fi passwords, Safari history, and more.” And then there’s the question of global reach: something like 5 million UK citizens live outside the UK—and these are, on average, probably more likely to be of interest to UK intelligence agencies than those UK citizens living within the realm. Of course, Apple has no reliable way of identifying them. So what’s the company supposed to do? And what about UK users who attempt to activate ADP while traveling outside the UK—maybe for extended periods? How easy will it be for them to change their address or billing method? It’s not hard to see the problem from the UK government's perspective: if any UK users can turn on ADP, the ones with the most to hide certainly will. So, in the end, it’s hard to see how the UK government could be satisfied with Apple continuing to offer ADP anywhere.
In short, while Apple’s initial compliance may appear limited, the TCNs could well affect Apple users globally, including in the United States. Of course, the UK is not bound by the US Constitution. But in a borderless world, Americans’ First and Fourth Amendment rights would be meaningless if Apple and other cloud service providers are forced to comply, as our letter to the US government explains. Every American has “the right to be free from state inquiry into the contents of his library.” By demanding access to encrypted cloud storage for users worldwide, the UK is vitiating Americans’ First Amendment rights “to receive information and ideas” and Fourth Amendment rights to be secure in our “papers and effects.” These rights mean nothing unless Americans’ private information is secure. Government snooping chills speech—it discourages those who, “motivated by fear of economic or official retaliation, by concern about social ostracism, or merely by a desire to preserve as much of [their] privacy as possible,” must keep their thoughts and communication secure from prying eyes.
Our present moment perfectly illustrates the point: through its Salt Typhoon hacking operation, the Chinese Communist Party is putting this right to information security into doubt. Salt Typhoon has compromised at least nine telecom firms—apparently by accessing our governments’ backdoors into telecom networks. If the UK government’s action is left to stand, the result will be the creation of more backdoors for the CCP and other adversarial nations to exploit.
We cannot wait for the ECtHR to protect Internet users. Someone should challenge the TCNs on behalf of Apple users immediately in UK courts. But the US government may be able to help (for once). Congress could enact a law prohibiting American tech companies from providing encryption backdoors to any country. Barring swift congressional action, the federal government should use all leverage at its disposal to convince the UK Home Office to change course. In particular, the US could threaten to terminate the UK-US Cloud Act agreement of 2019 if the UK does not withdraw its demands to Apple. This agreement has been of considerably greater value to the UK than to the US. It is already past its five-year term and is ripe for reconsideration anyway.
The stakes for users are high. Even if the UK accepts Apple’s geographically limited compliance, the precedent set here will enable authoritarians and criminals everywhere. Whatever UK courts and the ECtHR ultimately decide, it may be only pressure from policymakers in Washington that could defend the rights of Internet users—if they aren’t too distracted by attacking Europe over content moderation.
Watch this space.

