Note: the following is based on my understanding of the law, derived from reading the legislation, government reports, and other sources. It in no way constitutes legal advice, and should not be relied upon as such. I am not a legal professional, merely someone with an unhealthy interest in law.
In recent months, Apple has become embroiled in a dispute with the UK Government over its Advanced Data Protection (ADP) feature. This feature, designed to enhance user privacy and security, has been surreptitiously challenged by the UK Government, which upon being leaked to the press, has led to a significant (and now public) legal and political standoff. In this article, I explain what ADP is, the context surrounding the dispute, and my opinion on the matter.
When data is sent to and stored on Apple's servers, it is usually encrypted during transit and at rest using an encryption key stored on Apple's servers. This provides protection for your data against malicious actors who may wish to access it either when in transit or when stored on Apple's servers. Notwithstanding this protection, Apple may access the data if required, for example, to comply with a law enforcement request.
Advanced Data Protection, as the name implies, provides further protection for your data by storing the ecryption key locally (on your device) rather than on Apple's servers. Whilst this means that forgetting your passcode may result in the loss of your data, it also means that Apple is technically prohibited from accessing your raw (unencrypted) data, even if legally compelled to. Of course, the caveat here is that you must trust Apple's implementation of ADP - as with any technology.
In 2016, The UK passed the Investigatory Powers Act (IPA), which (as amended), provides the UK Government with the power to compel a postal operator or telecommunications operator to provide assistance with various warrants and authorisations. Said powers are derived from Part 9 of the Act, which allow the creation of a Technical Capability Notice (TCN). Authorisations a TCN can involve are limited to Parts 2, 3, 5, and 6 of the Act, relating to:
Note: A well written article I read implies that TCNs can only be used for bulk interception in the bulk warrants part. Perhaps this is due to s 255(11), which mentions only bulk interception, with no reference to bulk acquisition or bulk equipment interference. However, my understanding suggests this subsection is only relevant to s 255(10)(b), which refers to the enforceability of a notice if the person to whom it is given is outside of the UK. No such restriction is in place for orders given to a person within the UK. I welcome any clarifications if my interpretation is incorrect.
The Investigatory Powers (Technical Capability) Regulations 2018, a statutory instrument, further defines and elaborates on the scope of the obligations which may be placed upon operators. In relation to interception, of particular relevance is Sch 1, Pt 1, para 8, which creates the obligation:
To provide and maintain the capability to—
Clearly, the IPA is a piece of legislation designed to provide the UK Government with draconian and intrusive powers to monitor its and foreign nationals/residents, and with the usage of a TCN, coerce companies into providing the capability to conduct such monitoring. The stipulations in the regulations appear to provide the government with the legal power to compel companies to "break" encryption.
In 2025, as first reported by The Washington Post, and later by the BBC amongst others, the dispute revolves around a government demand for Apple to provide a backdoor to its encryption. The backdoor would allow relevant officials in the UK to retrieve all the content any Apple user worldwide has uploaded to iCloud. As the disclosure of the contents, or existence of such a demand is a criminal offence under the IPA, details are elusive. Both the Home Office and Apple have refused to comment on the matter.
The secret order apparently mandates the capability to view fully encrypted content, such as that encrypted by Advanced Data Protection. Particularly shocking is the fact that this tool must provide the capability of acquiring the data of any user worldwide, which is seemingly legal, given the IPA s 253(8) states: "a technical capability notice may be given to persons outside the United Kingdom (and may require things to be done, or not to be done, outside the United Kingdom)".
A Notice from Apple on February 24th 2025 announced the removal of the offer to UK users of ADP. Other users worldwide are not affected. This means that UK users now have lower levels of data security.
Despite this, as the order applies worldwide, the removal of ADP in the UK has little effect on the legal demand. Removing ADP in the UK does not absolve Apple of the responsibilites of the order. Apple was possibly hoping that the UK government would rescind the order given the publicity and subsequent removal of ADP in the UK. Perhaps telling is the fact that Apple has continued to contest the order at the secretive Investigatory Powers Tribunal (IPT). If the government had indeed rescinded the order, why would Apple continue to challenge it?
On 7th April 2025, after a legal challenge by civil liberties groups and media organisations, a judge ruled that the challenge by Apple at the IPT must be held in public. There have been few subsequent media reports on the issue. There are likely to be several legal issues with the UK government's actions.
For UK users, the damage has already been done. A TCN only induces an operator to provide the capability to conduct various intrusive acts. The actual interception of communications etc. still requires separate warrants or authorisations to be in place. As ADP is no longer available to UK users, data is now easy pickings for intelligence agencies and law enforcement, subject to the relevant warrants and authorisations being issued. Your iCloud data is no longer protected against such acquisition. I would argue, however, that this is preferable to building backdoors into encryption mechanisms, for reasons I outline below.
For international users, the outcome of the dispute is less clear, but is worth keeping a close eye on. The temerity of the UK government in believing it has the right to access data of foreign citizens and residents is astounding. The TCN to "break" encryption is without precedent, and consequently, is likely to be pivotal in deciding the future relationships between governments and technology companies, particularly in the privacy and encryption space.
There are several possible legal issues with the TCN. In 2022, the UK and USA signed a bilateral agreement under the CLOUD Act, streamlining the process of requesting data from servers located in each other's jurisdictions, without the need for cumbersome requests under Mutual Legal Assistance Treaties (MLATs). However, under said agreement, the UK government cannot compel a company to provide data on U.S. citizens, nationals, permanent residents, or persons located within the USA. As the TCN applies worldwide, this is a clear conflict. Despite this, a TCN is not a warrant or authorisation to do so, merely to provide the capability to do so. There may also be challenges under the Human Rights Act 1998, which incorporates the European Convention on Human Rights (ECHR) into UK law.
Some people may be of the view that the UK government is justified in its aims.
However, I believe such a view is dangerous.
At its most basic level, encryption protects information by using mathematical models to
scramble the data, where only the parties with the encryption key can unscramble it.
It is not possible to break encryption. Members of Parliament may wish to legislate to change the
laws of mathematics, but an Act declaring that 2 + 2 = 5 does not make it so.
The most concerning way in which encryption can be "broken" is by creating a flawed implementation, otherwise known as a backdoor. This could take the form of a master key or a deliberate vulnerability in the encryption mechanism to decrypt data without the user's specific key. A weaker encryption algorithm could also be used, which would allow the data to be decrypted more easily, but this would also weaken the security of the data protected by the encryption mechanism. Whilst the idea that such a backdoor can be safely used may be alluring, the premise is implausible. Once a backdoor has been created, it is liable to being exploited by anyone with the knowledge of its existence. A recent example is the WannaCry attack, which crippled unpatched Windows PCs worldwide in 2017. The attack was made possible by a United States National Security Agency (NSA) developed exploit, which was then stolen and utilised by bad actors. Rather than report the known vulnerability, NSA agents believed that the exploit would be kept secret and used for the public good. The result was an estimated 300,000 PCs across 150 countries being affected.
Another possible method to ensure government access is to compromise key management. Encryption keys could be stored on Apple's servers (as they are without ADP), or in escrow. This would be a far more palatable solution than a typical backdoor, as the keys could be stored safely at a government or third party escrow. The question remains whether Apple would need to notify users of the new arrangement, or risk being legally liable for breaching the terms of service. Of course, this also means that ADP would provide no benefit over Apple's existing encryption mechanisms, as the keys would still be stored on server. A further issue remains: due to the notice being global in nature, this model would have to be replicated worldwide. I am personally doubtful that foreign countries would be willing to sacrifice cyber sovereignty and welcome the UK having access to its citizens' data.
The issue of "breaking" encryption is not a new one. Successive UK governments have abhored encrytion, particularly end-to-end encryption, which prevents both snooping and obtaining data for legitimate investigation of offences. Nevertheless, the issue of "breaking" encryption is not one that can be solved via willpower or legislation. It is a technical issue, and one for which the answer is intangible.
As someone who never utilised ADP, I am not personally affected by the removal of the feature in the UK. My grievances lie with the fact that the UK has sought to implement backdoors into encryption, an inherently dangerous exercise. Even more concerning is the global nature of the order, which in an age of cyber sovereignty, will infringe on the right of countries to legislate and have control over the internet within their own borders.
I am also disappointed in the UK's actions, which despite a constant denigration of other countries' human rights records, appear to be infringing on the rights of tech users worldwide. I hope that the UK government will see the hypocrisy of its actions, rescind the order, and no longer seek to undermine the security of not only its own citizens, but users globally.