Secrets, Secrets Are No Fun: the United Kingdom’s Secret War on Encryption

Late last week, a secret tribunal in the U.K. reportedly held a secret hearing on an appeal by U.S. tech giant Apple against a secret order Apple reportedly received from the U.K. to compromise its users’ privacy and cybersecurity worldwide.

The British government is attacking encryption, and the casualties could include the privacy and cybersecurity of millions worldwide. The U.S. should demand that the U.K. withdraw its order, or else terminate the U.K.’s unique access to the troves of user data it obtains from U.S. tech companies.

The U.K. Ambushes Encryption

Recent reports suggest that the British Home Office has secretly issued a Technical Capability Notice (TCN) to Apple under the Investigatory Powers Act (IPA) of 2016, commonly known as the “Snoopers’ Charter,” compelling the company to introduce a backdoor into “Advanced Data Protection” (ADP), its end-to-end encrypted iCloud storage option. The Snoopers’ Charter, which has long concerned CDT, prohibits the recipient of a TCN from disclosing the existence or contents of the notice to anyone without the permission of the Secretary of State, so Apple can neither confirm nor deny the existence of the demand.

Assuming the reports are true, such backdoor access would allow British officials to require Apple to provide in decrypted form content that any user — not only in the U.K., but worldwide — has uploaded to the cloud using ADP. This type of order has no known precedent in major democracies — for good reason. 

Introducing backdoors into end-to-end encryption means introducing systemic security flaws, as the U.K. knows. Cybersecurity experts across the world agree that there is no way to provide government access to end-to-end encrypted data without breaking end-to-end encryption: a service is end-to-end encrypted precisely because the provider holds no key that can decrypt user content, so any mechanism that lets the provider decrypt on demand is itself a key, and whoever compromises that mechanism, whether insiders, criminals, or hostile states, can use it too. News of the U.K. order to Apple sparked global alarm. Backdoors into encryption jeopardize all users’ privacy and cybersecurity because criminals specifically look to exploit such access paths. Nevertheless, the U.K. has decided to ambush encryption with its notice. As President Trump put it: “That’s something, you know, you hear about with China.”

In the case of Apple, the world’s second largest provider of mobile devices, introducing backdoor access into its encrypted cloud service would mean putting millions of users at risk. To make matters worse, the most harmful impact would fall on those who rely on encryption because they are already most vulnerable, including domestic violence survivors, LGBTQ+ persons, and others. These risks must not be tolerated.

Apple Fights Back in the Shadows

Rather than capitulate to the U.K.’s demand, Apple made the principled decision to cease offering ADP in the U.K., and it has reportedly appealed the notice to the Investigatory Powers Tribunal (IPT), which has the authority to review complaints about the use of investigatory powers by U.K. intelligence services and other public bodies. British law requires Apple to comply with the notice even while its appeal is pending. As a result, British authorities may insist that Apple build a backdoor into ADP even though it no longer offers ADP in the U.K. Apple may challenge such a fully extraterritorial mandate as disproportionate under applicable law.

To make matters worse — again — the entire review process is also shrouded in secrecy. Similar to how the recipient of a TCN is prohibited from disclosing the existence or contents of the notice, the Investigatory Powers Tribunal proceedings can be kept secret. This means the U.K. Home Office can place Apple, or any other service provider, under a strict gag order when it issues a TCN. The chilling result: the public does not know if other encrypted services have received such notices and, if so, which of them complied with those notices, putting user data at risk. 

This blatant lack of transparency severely inhibits public discourse, making it impossible for stakeholders — including cybersecurity experts, civil rights organizations, and the general public — to understand the full implications of the U.K.’s policy and to challenge it. Apple may or may not be the first recipient of a notice that requires undermining encryption, but it is unlikely to be the last. In any case, policies that affect millions of users and global cybersecurity ought not to be fought out in the shadows.

Another CLOUD Looms in the U.S.

Although the U.K. Home Office issued the TCN under its own domestic law, the U.S. is not without means to respond. The US-UK CLOUD Act Agreement (Agreement) entered into effect under the authority of the U.S. CLOUD Act and gives the U.S. substantial leverage over the U.K. in surveillance matters.

The CLOUD Act allows U.S. providers to disclose user data directly to foreign states under the laws of those foreign states, with certain conditions. Those conditions include limiting disclosures to cases involving serious crimes, preventing disclosure of information of Americans or anyone physically located in the U.S., and most importantly, requiring that the U.S. has entered an executive agreement with the requesting state that certifies the state’s laws and practices meet certain human rights standards. Countries with CLOUD Act agreements with the U.S. can bypass the cumbersome process under mutual legal assistance treaties (MLATs), as well as the probable cause requirement for compelled disclosure of communications content that applies in the MLAT context, and most importantly for the U.K., can engage in real time wiretapping of the users of U.S. tech companies, which MLAT processes and U.S. law do not otherwise permit. All CLOUD Act agreements are reciprocal, so the U.S. should enjoy the same benefits as partner states. 

So far, the U.S. has entered into only two CLOUD Act agreements: one with Australia, and one with the U.K., which entered into force on October 3, 2022. So what can be done?

Light Through the CLOUD

The CLOUD Act, and the US-UK CLOUD Act Agreement, present a significant opportunity for the U.S. to meaningfully pressure the U.K. to withdraw its demand to Apple. By law, the US-UK CLOUD Act Agreement expires after five years unless renewed, which means it will lapse in October 2027 absent a renewal.

The U.S. Department of Justice quietly recertified the US-UK CLOUD Act Agreement in November 2024, around the Thanksgiving congressional recess. The recertification report sent to Congress, which the Act requires, provides several key insights into the U.K.’s conduct under the Agreement, not least that the U.K. issued more than 20,000 requests to U.S. service providers — almost all of which included wiretapping surveillance — while the U.S. issued a mere 63 to British providers. This dramatic imbalance owes to the geographic concentration of major service providers in the U.S., but it also demonstrates the overwhelming importance of the Agreement to the U.K. and its relative lack of importance to the U.S., and it provides a powerful lever for the U.S. to wield. After all, the Trump Administration could, under the terms of the Agreement, unilaterally terminate it without cause and with only 30 days’ notice.

The recertification report subtly hints that the DOJ knew about the TCN issued to Apple, or about other attacks on encryption in the U.K. The report states that although new laws in the U.K., such as the Investigatory Powers (Amendment) Act 2024 that expanded surveillance authority under the IPA, did not violate the requirements of the CLOUD Act (per the DOJ), the DOJ had nonetheless “taken the opportunity […] to remind the U.K. of the statute’s requirement that the terms of the Agreement shall not create any obligation that providers be capable of decrypting data or limitation that prevents providers from decrypting data.” At a minimum, the DOJ should also have “taken the opportunity” to warn Congress that the U.K. was preparing to use newly acquired powers under British law to undermine the security of Americans’ encrypted data and that of people around the world.

The U.S. Seeks Answers

Congress has, in fact, taken steps to leverage the CLOUD Act and the US-UK CLOUD Act Agreement to seek answers from top U.S. and U.K. officials. In a letter to the Director of National Intelligence (DNI), Tulsi Gabbard, Senator Ron Wyden (D-OR) and Representative Andy Biggs (R-AZ) urged the U.S. to “[give] the U.K. an ultimatum: back down from this dangerous attack on U.S. cybersecurity, or face serious consequences.” The letter also asked DNI Gabbard to provide Congress with unclassified answers to critical questions, like whether the Trump Administration had any awareness of the TCN.

In her response, DNI Gabbard said she shared a “grave concern about the serious implications of the United Kingdom, or any foreign country, requiring Apple or any company to create a ‘backdoor’ that would allow access to Americans’ personal encrypted data.” She further noted that such a TCN would be a “clear and egregious violation of Americans’ privacy and civil liberties, and open up a serious vulnerability for cyber exploitation by adversarial actors,” and committed to using her office to investigate the matter further.

Most recently, a bipartisan group of members of Congress also urged the Investigatory Powers Tribunal to open its hearing to the public, and former Secretary of Homeland Security Michael Chertoff said the U.K. should reconsider its move to break encryption.

These actions are the appropriate first steps, but the DOJ should also weigh in and urge the U.K. to reverse course, and Congress should modify the CLOUD Act itself to preclude agreements with states whose laws authorize orders compelling providers of end-to-end encrypted services to decrypt. Such providers cannot decrypt data or communications without introducing serious security vulnerabilities and, as Apple did here, could effectively be forced to stop offering the service altogether, to the detriment of cybersecurity in the U.S. and abroad. In the meantime, if the U.K. refuses to withdraw the order, the U.S. should terminate the Agreement.

***

The U.K.’s secret war on encryption threatens global cybersecurity and sets a dangerous precedent for government overreach. With secret orders, secret appeals, and secret hearings, the U.K. is undermining public trust and digital safety from the shadows. The U.S. must continue to demand transparency and accountability. If the U.K. refuses to back down, Congress and the Trump administration should take decisive action to protect the security of Americans’ data. Encryption is not just a policy debate—it is a fundamental pillar of people’s privacy and security, and it must be protected.