The British government secretly asked Apple last month to give it a key to the end-to-end encryption it offers for iCloud backups of mobile devices—a key that would unlock any such backup in the world, The Washington Post reports.
“The British government’s undisclosed order, issued last month, requires blanket capability to view fully encrypted material, not merely assistance in cracking a specific account, and has no known precedent in major democracies,” writes the Post’s Joseph Menn, an experienced information-security journalist whose background includes a long-ago membership in a hacking collective called Cult of the Dead Cow.
Citing “people familiar with the matter,” Menn says Apple’s likely response would be to stop offering that encryption option in the UK but notes that the order issued by the UK’s Home Office covers backups made elsewhere.
Apple added the more secure backup option, dubbed Advanced Data Protection for iCloud, in December 2022. It encrypts additional categories of data—starting with device backups but also including photos, notes, reminders, and voice memos, among others—with a key stored only on the user’s trusted devices.
Apple’s standard backup options, which include the ability to make a local and encrypted backup of an entire device, already use e2e encryption to protect saved passwords, Safari browsing history, health data, call history and iMessage chats.
None of these backup options fully encrypt iCloud email, contacts, and calendars, which Apple’s support note explains is the result of “the need to interoperate with the global email system” and the lack of built-in support for such encryption in the open standards used by its contacts and calendar apps.
Google has provided end-to-end encrypted backup for Android devices since 2018 (and last year expanded it to Google Maps location history), but the Home Office’s order does not cover that firm, Menn reports.
The Post’s story quotes the Home Office, the UK’s rough equivalent of the US Department of Homeland Security, offering a non-response: “We do not comment on operational matters, including, for example, confirming or denying the existence of any such notices.”
The Home Office’s site has no recent mention of this issue but does include a post about reducing mobile phone theft in which Home Secretary Yvette Cooper urges “companies including Apple, Google and Samsung, and law enforcement to join forces to build on existing anti-theft security measures and help design out and disincentivize phone theft by making phones effectively worthless to criminals.”
Apple did not provide Menn with a comment and did not answer an email sent to its press office requesting one Friday morning, but his story cites the statement Apple provided to Parliament in March: “There is no reason why the U.K. should have the authority to decide for citizens of the world whether they can avail themselves of the proven security benefits that flow from end-to-end encryption.”
Law enforcement agencies in the US have made similar requests to tech companies for back-door workarounds for their encryption. But in December, the FBI broke with that pattern by urging Americans to adopt encrypted calling and messaging after extensive hacks of US telecom firms by “Salt Typhoon” state-sponsored Chinese hackers.
The 2016 law enabling the Home Office’s reported order, the Investigatory Powers Act, includes provisions authorizing the government to issue “technical capability notices” to companies compelling them to assist government investigators and banning them from disclosing the existence or content of these notices.
In 2024, Parliament amended the Act—against Apple’s strong objections—to require tech companies to notify the government of “relevant changes” that might impede law-enforcement investigations.
Early reaction to this news among US free-market and civil-liberties advocates seems exceedingly unamused.
The Information Technology & Innovation Foundation, a Washington think tank, posted a lengthy statement from Vice President Daniel Castro, calling the reported UK move “a dangerous and unjustified overreach that threatens the security and privacy of individuals and businesses around the world.”
Alex Stamos, former chief information security officer at Facebook, current CISO at the cybersecurity firm SentinelOne, and a computer-science professor at Stanford University, posted a shorter reaction on Bluesky: “This is bad bad bad.”