The UK government has requested access to encrypted data stored by Apple users globally within its cloud service.
At present, only the Apple account holder has the ability to access this data; the company itself is unable to view it.
This request has been issued by the Home Office under the Investigatory Powers Act (IPA), which mandates that companies provide information to law enforcement agencies.
Apple has refrained from commenting but states on its website that it considers privacy to be a “fundamental human right.”
According to the law, the specifics of the request cannot be disclosed to the public.
The Washington Post was the first to report this information, citing sources familiar with the situation, and the BBC has also consulted similar contacts.
The Home Office remarked: “We do not comment on operational matters, including for example confirming or denying the existence of any such notices.”
Privacy International has described this as an “unprecedented attack” on individual privacy.
“This is a conflict the UK should not have initiated,” stated Caroline Wilson Palow, the charity’s legal director.
“This overreach establishes a profoundly damaging precedent and will encourage oppressive regimes worldwide.”
The request pertains to all content stored using what Apple refers to as “Advanced Data Protection” (ADP).
This system employs end-to-end encryption, ensuring that only the account holder can access the data stored; even Apple itself is unable to view it.
Participation in this service is optional, and not all users opt to enable it.
While it enhances data security, it also presents a significant drawback: if access to the account is lost, the data becomes irretrievable.
The number of users who choose to utilize ADP remains unclear.
It is also crucial to understand that the government notice does not imply that authorities will begin to scrutinize everyone’s data indiscriminately.
It is believed that the government seeks access to this data only in situations where national security is at risk, indicating a focus on specific individuals rather than engaging in mass surveillance.
Cybersecurity professionals concur that once a vulnerability is established, it is merely a question of time before malicious entities exploit it.
Moreover, withdrawing the product from the UK may not suffice to guarantee compliance, as the Investigatory Powers Act has a global reach for any technology company operating in the UK market, regardless of its base of operations.
To date, no Western government has successfully compelled major technology companies, such as Apple, to compromise their encryption protocols. The US government has made prior requests for such actions, but Apple has consistently declined. In 2016, Apple resisted a judicial order to develop software that would enable US authorities to access the iPhone of a shooter, although the situation was ultimately resolved when the FBI managed to access the device independently.
That same year, the US government abandoned a comparable case after it successfully accessed the device by uncovering the individual’s passcode.
Subsequent incidents have occurred, including in 2020, when Apple refused to unlock the iPhones belonging to an individual involved in a mass shooting at a US military base.
The FBI later reported that it had managed to “gain access” to the devices.
The technology company has the option to appeal the government’s request; however, it cannot postpone the execution of the ruling during the appeal process, even if the ruling is later overturned, as stipulated by the legislation.
The government contends that encryption facilitates criminal activities, and the FBI in the US has also expressed concerns regarding the ADP tool.
Professor Alan Woodward, a cybersecurity expert from Surrey University, expressed his astonishment at the developments, while privacy advocacy group Big Brother Watch characterized the reports as “concerning.”
“This ill-conceived effort to combat crime and terrorism will not enhance safety in the UK but will undermine the fundamental rights and civil liberties of the entire populace,” the organization stated.
The NSPCC, a children’s charity in the UK, has previously indicated that encryption is a critical issue in the fight against child exploitation, as it allows offenders to share concealed content.
But Apple says that privacy for its customers is at the heart of all its products and services.
In 2024 the company contested proposed changes to the Investigatory Powers Act, calling it an “unprecedented overreach” of a government.
The changes also included giving the government the power to veto new security measures before they were implemented. They were passed into law.
“The main issue that comes from such powers being exercised is that it’s unlikely to result in the outcome they want,” said Lisa Forte, cyber security expert from Red Goat.
“Criminals and terrorists will just pivot to other platforms and techniques to avoid incrimination. So it’s the average, law abiding citizen who suffers by losing their privacy.”