
Why would the UK take on Apple?

In the wake of the UK’s demand for a law enforcement backdoor, Apple has pulled its encrypted iCloud backup service from the UK.  Has the UK government made an unforced error? 

In a separate development, US lawmakers are urging a re-evaluation of the US-UK cyber-security programs, claiming that the UK move compromises the security of their citizens. The game changer was a Chinese State hack of the US telecoms systems last autumn, known as Salt Typhoon, which prompted a shift in the geo-political position on encrypted services. All of this is putting the UK in a tight spot. As such, a demand to insert a back-door into encrypted communications services is arguably a mistaken approach.

Neither the UK government nor Apple have acknowledged the backdoor demand, and all that is known about it is based on a report in the Washington Post on 7 February. From what is understood, the UK government has used the Investigatory Powers Act - also known as the “Snoopers’ Charter” - to issue tech giant Apple with a “Technology Capability Notice” demanding the insertion of security backdoors into encrypted cloud storage. It’s understood the UK is asking for access to all iCloud users’ data worldwide. It targets Apple’s little-known optional service called Advanced Data Protection (ADP) that encrypts iCloud backups, including notes and photos. Just as this article went online, Apple announced to the media that it was withdrawing ADP from the UK market.

The Technology Capability Notice is controversial because it could compromise the privacy and security of people’s phones, not only in the UK but elsewhere in the world. As cybersecurity experts are quick to point out,  hostile actors seek to exploit the backdoor for malicious purposes, to attack not merely individuals but companies and government authorities. Moreover, it would drive a coach and horses through the development of next-generation data security technologies.

The Investigatory Powers Act is the UK legal framework for requiring communications companies to assist law enforcement agencies, including by interception of calls and messages. Crucially, it was amended before the 2024 General Election, with the passing of the Investigatory Powers (Amendment) Act 2024, inserting an obscure change to lock in the global technology providers who offer communications services in the UK, but whose infrastructure is largely or entirely overseas.

The Act does not state explicitly that it addresses encrypted services, but there has been a tacit understanding in policy circles that it does. There was minimal opposition in the UK Parliament, with little understanding  of who the affected stakeholders would be. Debates were characterised by a failure to grasp concerns about the possible impacts of asking encrypted services to intercept their users’ communications. 

The consequences of mandated backdoors in encrypted services have until recently been dismissed by governments. However, a change of view by the UK’s key allies was prompted last year by “Salt Typhoon”, a cyber-attack by the Chinese State on US wire-tapping systems operated by telecoms companies such as AT&T and Verizon.

“Salt Typhoon” used surveillance backdoors in the US telecommunications systems - backdoors that had been mandated under the Communications Assistance for Law Enforcement Act [CALEA] of 1994. CALEA required US phone companies to create a possibility for interception into what were then the “new” digital phone networks. The requirement was expanded to include broadband networks in 2006.

The hack exposed the security threats inherent in legally-mandated backdoors, according to a letter to the Federal Communications Commission in October last year from Senator Ron Wyden, a US politician who has a long track record of speaking out against online surveillance. Confirmation  that the Chinese government hackers had obtained call records data and private information of American citizens came from the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) last November. According to Senator Wyden, the call records of the President and Vice President were compromised, “providing a perfect example of the dangers of surveillance backdoors”.

Until recently, the UK’s key “Five Eyes” allies who co-operate on surveillance have maintained a common position calling for intercepting or filtering of encrypted communications, but some have shifted position as a consequence of “Salt Typhoon”. The US government is now recommending the use of encrypted services, especially for people in prominent public positions. This shift is underscored by Senator Wyden, who wrote to the head of US intelligence services on 13 February that, “after years of pushing for weaker encryption and surveillance backdoors, it seems that the US government has finally come around to a position [that] strong end-to-end encryption protects national security”. Senator Wyden calls for a re-evaluation of the US security relationship with the UK in light of what he says is the “damage” that would be caused by the Technology Capability Notice. The letter is cc'd to Lord Peter Mandelson, UK Ambassador to Washington.

Our other “Five Eyes” allies - Australia, New Zealand and Canada - have followed suit. The EU has also issued a similar recommendation, despite having a legislative proposal on the table that would require backdoors inserted into encrypted messaging platforms. That law is, as far as we know, on hold.

It would have been foreseeable that an incident like “Salt Typhoon” would raise a red flag. The incident is a perfect illustration of the global political battle over the value of encryption to keep people safe and secure online. Encrypted technologies have become a flashpoint in security policy, offering an alternative way to protect individuals and businesses from the “bad guys” compared with traditional law enforcement methods.

This flashpoint lies at the core of the policy debate. Companies like Apple, WhatsApp and Google have only recently, within the last 10-15 years, become players in the communications technology field. [See my other article, How WhatsApp holds structural power.] It has been a rapid and meteoric rise to prominence over the old former monopoly telecoms companies. The UK and other governments need to recognise this shift in the power dynamic and adjust their approach to regulation accordingly. Only then will they resolve the encryption issue.

Pursuing this Technology Capability Notice looks like an unforced error, and a rather untimely one given other important foreign policy priorities facing the UK government at this moment. There is still an opportunity  to pull back and revise its position.

 

---

If you liked this article, you may also like to read my analysis of WhatsApp and structural power.

If you would like to contact me, please do so via the contact page. 

Please remember to credit me as “Dr Monica Horten” if you cite my article. 


About Iptegrity

Iptegrity.com is the website of Dr Monica Horten, independent policy advisor: online safety, technology and human rights. Advocating to protect the rights of the majority of law-abiding citizens online. Independent expert on the Council of Europe Committee of Experts on online safety and empowerment of content creators and users. Published author, and post-doctoral scholar, with a PhD from the University of Westminster, and a DipM from the Chartered Institute of Marketing. Former telecoms journalist, experienced panelist and Chair, cited in the media, e.g. BBC, iNews, Times, Guardian and Politico.