UK security officials have ordered Apple to create a “backdoor” in its encrypted iCloud storage, the Washington Post reported Friday – a bombshell move that Apple has been resisting increasingly publicly.
Home Office officials have served Apple with a so-called Technical Capability Notice (TCN), the Post claimed, citing unnamed sources.
The TCN would have been issued under the Investigatory Powers Act (IPA), which Apple publicly condemned in early 2024 as granting "unprecedented and sweeping surveillance powers" – emphasising that it lets the government "issue secret orders to attempt to force providers to break encryption by inserting backdoors into their software products."
“We do not comment on operational matters, including for example confirming or denying the existence of any such notices," a Home Office spokesperson told reporters. The Stack has contacted Apple for comment.
The iPhone maker is likely to stop offering encrypted storage in the UK, rather than break security promises it made to its users globally, the Washington Post's Joseph Menn reported, citing unnamed sources.
The move comes after Apple in December 2022 introduced a new, optional data security feature called Advanced Data Protection for iCloud, which lets Apple users extend end-to-end encryption (E2EE) to their Photos, Notes and iCloud backups, among other forms of personal data.
UK versus Apple: Punching back publicly
“The IPA’s existing powers are already extremely broad and pose a significant risk to the global availability of vitally important security technologies,” Apple said in a forceful March 7, 2024 submission to the UK’s Investigatory Powers Public Bill Committee that warned proposed amendments to the law would "undermine fundamental human rights". (Those amendments received royal assent in April 2024.)
“Under the current law, the UKG can issue a 'Technical Capability Notice' that seeks to obligate a provider to remove an 'electronic protection' to allow access to data that is otherwise unavailable due to encryption.
“In addition, the Secretary of State ('SoS') has been granted the further authority to prohibit the provider from disclosing any information about such a requirement to its users or the public…” Apple wrote. "The breadth of these reforms is unprecedented, and the potential impact on the security of technology users across the world cannot be understated."
For their part, the UK’s spooks are seemingly finding it increasingly fraught and expensive to sustain visibility into electronic communications, despite very generous (Apple argued illiberal) legislation supporting them.
There have been noises emanating from within government suggesting that it should take blunter and more forceful action.
As a 2023 Home Office report on the operation of the Investigatory Powers Act 2016 put it: “While both retention notices and technical capability notices are intended to be technology agnostic, the government must consider whether to be increasingly prescriptive when imposing technical requirements on TOs [telecommunications operators] to ensure cost effective and efficient solutions continue to be delivered.
"Without the ability to levy technical requirements on TOs, or to benchmark the level of government reimbursement, there is a continuing risk that capabilities become prohibitively expensive as technology continues to evolve," UK officials wrote.