The UK government has reportedly backed down from its dangerous demand that Apple build encryption backdoors, following pressure from the Trump administration. But the secretive nature of this “mutually beneficial” agreement should make us deeply suspicious about what was actually traded away.
The UK government has backed down on a controversial demand for Apple to build a “back door” into its technology to access private user data following pressure from the Trump administration.
We had written about this—and how dangerous it was—the day the news leaked that the UK had issued such an order. In response, Apple turned off its iCloud encryption in the UK, making everyone way less safe.
Of course, I say “leaked” because the demands to Apple were never officially discussed by the UK government, who hoped to keep this unconscionable attack on everyone’s privacy a total secret. Since then, Apple has been fighting it out (still in secret) in the UK to try to get this order blocked, though it was believed that they only had limited legal routes to stopping it.
But there was widespread condemnation of this move by the UK government, and in this case that includes condemnation from the Trump administration, which is taking credit for convincing the UK to back down. Of course, the UK is making no comment whatsoever, and the secret nature of the deal—which includes a source saying that the agreement was “mutually beneficial” to the US and the UK—should raise some questions:
Gabbard said that over the “past few months,” she had been “working closely with our partners in the UK,” alongside President Donald Trump and Vice President JD Vance, on the agreement.
A source familiar with the discussions told CNN that Gabbard spoke with her counterpart in the UK, Deputy National Security Adviser Matt Collins, a few times about the issue, including once when the UK delegation visited the White House. Vance was also personally involved in reaching a deal, engaging in direct conversations with British government officials to come to what was considered a “mutually beneficial” agreement for both countries, a White House official told CNN.
“This agreement between our two governments maintains each country’s sovereignty while ensuring close cooperation on data,” a White House official said.
Reading between the lines here, it sounds like the US may have threatened to cut off access to some of the intelligence data it collects if the UK went through with the plan.
Of course, it would be more reassuring if the US government itself wasn’t still trying to push through its own attacks on encryption. Federal law enforcement officials, federal elected officials, and state legislators are still pushing efforts to undermine encryption in the US.
So, yes, I’m glad that Gabbard and Vance were able to pressure the UK to drop this completely brain-dead and dangerous idea, but it would be nice if they got their allies in the US government to stand down on this issue as well. And, also, if they came clean as to what the deal with the UK is regarding “close cooperation on data.”
The broader lesson here is that we should be happy that the UK is backing down, but we shouldn’t celebrate too quickly when governments make these kinds of secretive deals around fundamental rights. Yes, it’s good that the UK backed down from its most aggressive position. But until we know what was traded in return, and until both countries abandon their broader anti-encryption agendas, it’s still unclear if this is a real victory for digital rights or more like a tactical retreat in a much longer war against privacy.
In a stunning display of government overreach, the UK has effectively forced Apple to disable its iCloud encryption for British users. Earlier this month, we wrote about the UK wielding the Investigatory Powers Act — aka “The Snooper’s Charter” — to demand Apple create a backdoor in its iCloud encryption for all users globally. Despite Apple’s long-standing warnings that it would rather exit the UK market than compromise encryption, the UK government doubled down.
The ensuing public outcry and warnings of “serious consequences” from US politicians fell on deaf ears. While the government’s exact demands remain secret (because of course they do), Apple’s response speaks volumes: they’re shutting down iCloud encryption for UK users entirely rather than create a global backdoor.
Apple disabled its most secure data storage offering for new customers in Britain on Friday rather than comply with a secret government order that would have allowed police and intelligence agencies to access the encrypted content.
That sounds like the UK isn’t backing down.
This is a terrible result for everyone, making Apple users globally (but especially in the UK) more vulnerable. Law enforcement’s tired narrative frames this as a trade-off between privacy and safety, but that’s dangerously wrong. Encryption isn’t just about privacy — it’s a fundamental security mechanism that protects against identity theft, financial fraud, corporate espionage and much more. This move effectively dismantles both privacy and safety, not because law enforcement lacks investigative tools, but because they’re really just lazy and demanding a “convenient” backdoor that inevitably creates new security risks.
While this compromise gives UK law enforcement their coveted access to British users’ iCloud data, it creates a dangerous precedent and leaves user data vulnerable to bad actors ranging from cybercriminals to hostile nation-states. Even worse, this “solution” likely falls short of the government’s reported demands for global backdoor access — suggesting this might just be round one of a longer fight.
Had Apple complied with the U.K.’s original demands, they would have been required to create a backdoor not just for users in the U.K., but for people around the world, regardless of where they were or what citizenship they had. As we’ve said time and time again, any backdoor built for the government puts everyone at greater risk of hacking, identity theft, and fraud.
This blanket, worldwide demand put Apple in an untenable position. Apple has long claimed it wouldn’t create a backdoor, and in filings to the U.K. government in 2023, the company specifically raised the possibility of disabling features like Advanced Data Protection as an alternative. Apple’s decision to disable the feature for U.K. users could well be the only reasonable response at this point, but it leaves those people at the mercy of bad actors and deprives them of a key privacy-preserving technology. The U.K. has chosen to make its own citizens less safe and less free.
Mike Salem, UK country associate for the Consumer Choice Center, called on opposition parties to voice their discontent and demand the government outlines its reasoning.
“The UK government has set a precedent, and cast a new reputation that underscores the erosion of personal liberties and privacy in a digital age where these values are needed more than ever,” he said.
“This marks a very sad day for the basic principle of consumer privacy in the 21st century, depriving users of the tools that leave UK citizens exposed to governments, criminals and malicious hackers. The fact this has been done without debate, oversight or advance warning to UK Apple users is extremely concerning,” Salem said.
David Ruiz, senior privacy advocate at Malwarebytes, described the news as a “disaster” for the UK and one with potential global consequences.
“To demand access to the world’s data is such a brazen, imperialist manoeuvre that I’m surprised it hasn’t come from the US. This may embolden other countries, particularly those in the Five Eyes, to make a similar demand of Apple,” he argued.
Others have pointed out that if Apple had caved to the UK’s stupid demand, they would have almost immediately faced identical demands from other countries, including Russia, Turkey, Iran… you name it.
It is difficult to think of a more shortsighted move than what the UK has done here. It has put its own citizenry at greater risk, while threatening some of the basic fundamentals of private storage.
It’s good that Apple is taking a stand, but it feels like this is just one battle in a war that is far from over.
In a stunning escalation that confirms our worst fears, the UK government has finally shown its true hand on encryption — and it’s even worse than we predicted. According to a bombshell report from Joseph Menn at the Washington Post, British officials have ordered Apple to create a backdoor that would allow them to access encrypted content from any Apple user worldwide.
This comes after years of the UK government’s steadily mounting assault on encryption, from the Investigatory Powers Act to the Online Safety Act. While officials repeatedly insisted they weren’t trying to break encryption entirely, those of us following closely saw this coming. Apple even warned it might have to exit the UK market if pushed too far.
Security officials in the United Kingdom have demanded that Apple create a back door allowing them to retrieve all the content any Apple user worldwide has uploaded to the cloud, people familiar with the matter told The Washington Post.
The British government’s undisclosed order, issued last month, requires blanket capability to view fully encrypted material, not merely assistance in cracking a specific account, and has no known precedent in major democracies.
Let’s be super clear here: The UK government is demanding that Apple fundamentally compromise the security architecture of its products for every user worldwide. This isn’t just about giving British authorities access to British users’ data — it’s about creating a master key that would unlock everyone’s encrypted data, everywhere.
This is literally breaking the fundamental tool that protects our privacy and security. Backdoored encryption is not encryption at all.
The technical reality is stark: You can’t create a backdoor that only works for “good guys.” Any vulnerability built into the system becomes a vulnerability for everyone — state actors, cybercriminals, and hostile nations alike. And right now, it’s worth recognizing that any government (including our own) can be seen as a “hostile nation” to many.
Even if Apple withdraws from the UK market entirely, as the Post reports they’re considering, it won’t satisfy the UK’s demands:
Rather than break the security promises it made to its users everywhere, Apple is likely to stop offering encrypted storage in the U.K., the people said. Yet that concession would not fulfill the U.K. demand for backdoor access to the service in other countries, including the United States.
This global reach is particularly concerning given the UK’s membership in the Five Eyes intelligence alliance. Any backdoor created for British authorities would inevitably become a tool for intelligence and law enforcement agencies across the US, Australia, Canada, and New Zealand — effectively creating a global surveillance capability without any democratic debate or oversight in those countries.
If the UK does this, it means that the FBI will be able to use it to read anyone’s data.
The UK government’s approach here is particularly insidious. While Apple can appeal the order, their appeal rights are bizarrely limited: They can only argue about the cost of implementing the backdoor, not the catastrophic privacy and security implications for billions of users worldwide. This reveals the UK government’s complete indifference to the fundamental right to privacy.
Even more alarming is the forced secrecy component.
One of the people briefed on the situation, a consultant advising the United States on encryption matters, said Apple would be barred from warning its users that its most advanced encryption no longer provided full security. The person deemed it shocking that the U.K. government was demanding Apple’s help to spy on non-British users without their governments’ knowledge. A former White House security adviser confirmed the existence of the British order.
This gag order component is particularly chilling — the UK isn’t just demanding the power to break encryption globally, they’re demanding the right to force Apple to actively deceive its users about the security of their data. After years of dismissing concerns about the Investigatory Powers Act as “exaggerated,” the UK government is now proving its critics right in the most dramatic way possible.
The implications here cannot be overstated. This would represent the single largest coordinated attack on private communications in the digital age. It’s not just about government surveillance — it’s about deliberately introducing vulnerabilities that would be exploitable by anyone who discovers them, from hostile nation-states to criminal organizations.
The timing of this demand is nothing short of breathtaking in its recklessness. We are quite literally in the midst of dealing with the catastrophic fallout from the Chinese Salt Typhoon hack — where state-sponsored hackers exploited a government-mandated backdoor in our telephone infrastructure to conduct widespread surveillance. This hack alone should have permanently ended any discussion of intentionally weakening encryption. It’s a real-world demonstration of exactly what security experts have been warning about for decades: backdoors will inevitably be discovered and exploited by bad actors.
The irony here is almost painful: The FBI itself has been actively encouraging Americans to use encrypted communications specifically because our telephone infrastructure remains compromised by Chinese hackers. Yet at this precise moment — when we’re witnessing firsthand the devastating consequences of compromised security — the UK government is demanding we create an even bigger, more dangerous, more consequential backdoor?
This is beyond dangerous. There is no reasonable rationale for this.
There’s a good chance that the UK is doing this right now knowing that the US is totally distracted by everything that Musk and Trump are doing to dismantle the US government. But given how much Trump seems to hate the FBI right now, it seems like even more of a reason for him to call this out as an attack on Americans and our privacy. Does he want the FBI reading his data as well?
Senator Ron Wyden, who has been a tireless champion of encryption, is reasonably angry about this and is calling on both Apple and Trump to “tell the UK to go to hell.”
Trump and Apple better tell the UK to go to hell with its demand to access Americans’ private, encrypted texts and files. Trump and American tech companies letting foreign governments secretly spy on Americans would be an unmitigated privacy and national security disaster.
Wyden calling out Trump here actually makes a lot of sense. Given Trump’s current antagonistic relationship with federal law enforcement, he might be uniquely positioned to recognize this for what it is — a foreign government demanding the power to spy on Americans, including him personally. The FBI, which would inevitably gain access to this backdoor through Five Eyes sharing agreements, would have unprecedented access to everyone’s communications — a scenario that should alarm privacy advocates across the political spectrum.
This is, without hyperbole, a five-alarm fire for digital privacy and security. The UK government is attempting to fundamentally reshape global digital security through a secretive demand, hoping the world is too distracted to notice or resist. They’re not just asking for a key to their own citizens’ data — they’re demanding the power to unlock everyone’s digital life, everywhere, while forcing Apple to lie about it.
The stakes couldn’t be higher. This isn’t just about privacy — it’s about the future of secure communication itself. Don’t let this slip by in the chaos of the moment. The UK government is betting on our distraction and apathy. Let’s prove them wrong.
The UK government thinks the 2016 Investigatory Powers Act is due for an overhaul. But it has plenty of opposition. Some of the proposed amendments actually appear to be illegal. And at least one major tech company has threatened to exit the market if the proposed amendments become law.
On 8 November, the government introduced legislation to update the Investigatory Powers Act 2016.
The Investigatory Powers (Amendment) Bill was announced in the King’s Speech and will make urgent and targeted amendments to the existing act to ensure our country is kept safe and our citizens protected from harmful threats.
[…]
These amendments will enhance our national security by keeping the public safer from threats such as terrorism, hostile activity from foreign powers and serious and organised crime. The UK is a world leader in ensuring privacy can be protected without compromising security. The bill will maintain and enhance the existing high standards for safeguarding privacy in the 2016 act.
First off, there’s the standard claim that this will do something about national security. Those two words are capable of shutting down certain brains (including those handling judicial challenges) and bypassing objections by making it appear anyone opposing surveillance power expansion must want the terrorists to win.
Second, there’s the hilariously ridiculous claim that the UK is a “world leader in ensuring privacy.” London has been a camera-riddled dystopia for years — a dystopia made even worse by the routine addition of error-prone facial recognition tech. For years, the UK government has compromised privacy to achieve, at best, minimal gains in security.
Finally, claiming there’s anything in the 2016 Investigatory Powers Act that even remotely approaches “high standards for safeguarding privacy” is ludicrous. Claiming that adding even more data retention demands and surveillance options will somehow “enhance” these (lol) “high standards” is even more asinine.
But that’s how UK leaders are portraying this turn of events, spring-boarding off the King’s Speech to push another round of privacy violations and security compromises under the pretense of making the nation safer.
These officials even pretend this won’t give the government more snooping power than it already has.
The targeted reforms will not create new powers in the act. They will instead modify elements of the existing legislation to ensure it is proportionate, provides agencies and oversight bodies with appropriate resilience mechanisms and maintains and enhances the existing measures.
This sure looks like a new power. According to this fact sheet, service providers will now be required to retain certain internet browsing records created by their users. Here’s how things stand now:
There is no current requirement in law for CSPs to keep ICRs [internet connection records] and this information may therefore be unavailable to law enforcement agencies, meaning that often they can only paint a fragmented intelligence picture of a known suspect. Internet protocol (IP) address resolution identifies the sender of online communications.
So, if the government currently doesn’t have access to these records because CSPs (communication service providers) aren’t required to keep them, and the government issues a mandate to retain these records solely for the purpose of being able to access them on demand, that sure seems like a “new power,” even if the collection is being off-loaded (via government mandate) to providers who were never previously obligated to collect or retain this data.
The proposed changes would also expand the definition of bulk personal datasets (BPDs) to cover data collected by third parties, like data brokers. And, while this isn’t technically a “new” power it is definitely an expansion of the government’s existing power:
The bill would also increase the duration of a BPD warrant from six to twelve months in order to better demonstrate the necessity and proportionality of retaining and examining the data, the case for which can be made more effectively over this longer time period.
The government would be able to collect more and hold onto it longer. On top of that, privacy protections for datasets will no longer be equal across all datasets. The amendments would allow the government to declare some datasets more equal than others, lowering privacy protections as needed to access sets that were previously either off-limits or subject to enough restrictions the government rarely got a chance to view or retain them.
Then there’s this phrase, which says things about “resilience” when it clearly means lowering the bar for warrant acquisition:
Increasing resilience of the warrant authorisation processes to allow greater operational agility for the intelligence agencies and National Crime Agency. This will help to ensure they can always get lawful access to information in a timely way so that they can respond to the most serious national security and organised crime threats.
“Greater operational agility” is just a fancy way of saying “make things easier.” When you start altering the rules to increase law enforcement efficiency, you tend to turn protected rights into privileges that only need to be respected when they’re not inconveniencing law enforcement.
None of this is law. Yet. But it’s clear those heading the government firmly believe this is the right way to go.
For years, the UK government has sought to expand its surveillance powers. And, for years, it has rarely been prevented from doing so. Sure, there’s been a bunch of bureaucratic inactivity and unforced errors (like Brexit) that make it a bit more difficult to push legislation through, but the UK government’s thirst for more power has never been slaked.
So, the push continues. The original IPA (Investigatory Powers Act) did a lot of damage to internet users’ security and placed plenty of burdens on service providers. But, because things like terrorism and the sexual abuse of children continue to exist, these key leverage points have been deployed repeatedly as supposed justification for things like breaking/criminalizing encryption and forcing service providers to collect and store massive amounts of data on their customers.
What never seems to bother those pushing these amendments is the uncomfortable fact that the powers they desire might violate existing laws in the UK and elsewhere in the world. The latest round of revisions has been opened up for public comment. One of the first to comment publicly is Ioannis Kouvakas of Just Security, in an article pointing out how the proposed changes may be considered illegal outside of the UK.
Here’s what’s being proposed, as summarized by Kouvakas:
The proposed revisions include five objectives pertaining to changes in the notices regime within the IPA, the process through which the government can ask private companies to carry out surveillance on its behalf, such as interception of communications and equipment interference (hacking). The proposed changes to the IPA notices regimes include an obligation to comply with the content of a potential notice during the review period and before a notice is actually served, an obligation to disclose technical information about the company’s systems during the same review period, measures to strengthen the extraterritorial application of the notices and obligations for companies to give advance notice to the U.K. Secretary of State before implementing any technical changes.
As Kouvakas notes, the “notices and obligations” include things like breaking encryption — or at least weakening encryption to the point it can easily be broken if the government wants access. Introducing user security features requires notifying the Secretary of State. Not only that, but the language strongly suggests that even patching security flaws requires prior notification of the UK government, which gives the government the opportunity to reject proposed patches if it feels these fixes might interfere with its surveillance programs.
UK users’ security protections will be subservient to the government’s wishes and desires. Definitely not ideal. But the proposed changes go further. They demand extraterritorial cooperation — something that will violate international law and appears to be something the UK government simply doesn’t have the power to mandate. (Well, it has the power to mandate this, it just doesn’t have the power to force anyone outside of the UK to comply with the mandate.)
What’s being added here suggests the government isn’t happy that tech companies (most of them located in the US) have told the UK government they either won’t comply with these mandates or will simply stop offering their services in the UK.
The government’s insistence on the extraterritoriality of notices perhaps stems from the strong resistance it might have faced from companies refusing to comply with IPA requirements. As the text of the consultation highlights, “for our investigatory powers to remain effective against a backdrop of rapid technological change, companies must work openly and willingly with us… Additionally, we believe that it would be appropriate to strengthen the enforcement options available for non-compliance with the notices regimes. We propose to draw on existing precedent in wider UK legislation as a starting point for these options.”
This addition would allow the government to engage in enforcement efforts that go beyond the (likely futile) civil litigation instigated by the UK Secretary of State. So most likely the levying of fines and fees against foreign service providers. Again, the UK government may not have the power to force any company to actually pay these fees, but it does make it easier to pass additional legislation that criminalizes use of these services or prevents tech companies from re-entering the market at a later date.
The effect on international law is more disturbing. In the wake of multiple revelations about abusive deployments of phone-compromising malware offered by a handful of tech companies, legislation has been introduced (and passed) elsewhere in the world that mandates proactive efforts to secure personal devices and eliminate exposed exploits. The UK government simply does not want this to happen, so it has set itself against its European neighbors by attempting to mandate a hands-off (or, at least, an “ask permission first”) approach to device security.
Against this backdrop, the main issue Objectives 3 and 4 jointly pose is that the United Kingdom could breach international human rights law by, for example, preventing a communications services provider from either fixing security gaps in software through the provision of security updates or applying advanced protections such as end-to-end encryption to their services, at a global level. Specifically, these measures not only are unlikely to survive the necessity and proportionality test enshrined in Article 8 of the European Convention on Human Rights (ECHR), which guarantees the right to respect for private life, but they could also result in failure to respect the human rights of individuals located abroad.
Once again, this will have no effect domestically because the UK government has already decided it no longer wants to be a part of any union overseen by its European neighbors. But the extraterritorial demands proposed in the amendments place obligations on entities located elsewhere in the world, which the UK government believes should be complied with, even if its demands violate foreign laws.
What the UK government wants is global application of domestic policy. It wants service providers to violate laws in their home countries in order to comply with UK-specific mandates. It wants device makers and software developers to offer either UK-specific, pre-compromised versions of their offerings or simply to break everything for everyone everywhere just to make it easier for the UK government to engage in the surveillance it claims is essential to the nation’s survival.
Neither of these options is practical. Nor are they lawful — not as long as the UK government feels it can impose its will on entities located outside of its borders. But the UK persists. And it apparently won’t stop until the rest of the world gives it what it wants.
Apple fought the law and — contrary to the song lyrics — it won. Years later, Apple decided it would get ahead of the law enforcement curve by attempting to engage in client-side scanning of iPhone users’ content. That worked out less well for Apple, which (at least momentarily) decided making governments happy was more important than protecting its customers.
Since setting itself on fire, Apple has reverted to its former self: the company that prides itself on user privacy and security. Plenty of world governments hate Apple for doing this. But they don’t have any leverage. Apple products and services are far more popular with government constituents than the governments themselves. So, when governments start making unreasonable demands, the simplest solution is to GTFO.
Apple has consistently opposed the act, originally dubbed a “snooper’s charter” by critics. Its submission to the current consultation is nine pages long, opposing:
having to tell the Home Office of any changes to product security features before they are released
the requirement for non-UK-based companies to comply with changes that would affect their product globally – such as providing a backdoor to end-to-end encryption
having to take action immediately if a notice to disable or block a feature is received from the Home Office, rather than waiting until after the demand has been reviewed or appealed against
Apple says:
It would not make changes to security features specifically for one country that would weaken a product for all users.
Some changes would require issuing a software update so could not be made secretly
The proposals “constitute a serious and direct threat to data security and information privacy” that would affect people outside the UK
This is Apple’s response to proposed changes to the “Snooper’s Charter,” a.k.a. the Investigatory Powers Act. Apple has already expressed extreme reluctance to engage in encryption breaking or client-side scanning as proposed by the European Union.
Amendments to the IPA would undermine Apple’s security features. Because of that, Apple’s comment submission lets the UK government know that if it moves ahead with these changes, UK customers will no longer have access to FaceTime or iMessage. And if those two offerings aren’t available, it hardly makes sense for UK residents to purchase iPhones if they wish to have access to secure communications options.
And this latest government intrusion would be on top of whatever eventually makes its way into the Online Safety Act, a parallel bit of legislation which would impose client-side scanning on service providers. And that imposition means those offering end-to-end encryption would have to weaken or break their encryption to spy on users’ communications. This proposal has also faced heavy resistance, but proponents of the law seem pretty fucking resilient and have refused to back down from these demands, unlike the EU Commission, which has pretty much abandoned its demands for broken encryption. (Also of note: the EU Court of Justice found IPA’s predecessor to be unlawful back in 2016. Brexit makes this meaningless, but it does demonstrate how far outside the bounds of respected rights this proposal treads.)
If the UK government decides it’s more important to give the government power than give constituents secure communication options, UK residents will end up having to utilize whatever options remain. And those options will be far less secure and far more sketchy than those long-offered by tech companies who have spent years improving the security of their offerings.