In a significant move that impacts global security protocols, the UK government has reportedly mandated Apple to create a backdoor for accessing users’ encrypted iCloud backups. This order, if enacted, would grant British security services access to the backups of any user worldwide, not just UK residents, and Apple would be prohibited from notifying users that their encryption has been compromised.
The Washington Post reports that this secret directive, issued last month, is rooted in the UK’s Investigatory Powers Act of 2016, commonly referred to as the Snoopers’ Charter. Officials are demanding unrestricted access to end-to-end encrypted files uploaded by users globally, rather than targeting a specific account.
While Apple’s iCloud backups are not encrypted by default, the Advanced Data Protection option introduced in 2022 must be enabled manually to ensure end-to-end encryption, meaning even Apple cannot access the encrypted files. In light of the UK’s demands, Apple may choose to discontinue the Advanced Data Protection feature in the UK, although this would not satisfy the UK’s requirement for access to global user data.
Apple retains the right to appeal the notice, citing the costs of implementation and the proportionality of the demand in relation to security needs. However, any appeal would not delay the enforcement of the original order.
The UK has issued a technical capability notice to Apple, and revealing that such a demand has been made constitutes a criminal offense. Furthermore, should Apple comply with the UK’s request, it would not be permitted to inform users that its encrypted service is no longer fully secure.
Apple expressed its concerns to the British parliament in March 2024, stating, “There is no reason why the UK [government] should have the authority to decide for citizens of the world whether they can avail themselves of the proven security benefits that flow from end-to-end encryption,” amid discussions on amendments to the Investigatory Powers Act. The company has previously resisted other UK attempts to legislate backdoors into encrypted communications.
UK security officials and lawmakers have consistently challenged end-to-end encryption, arguing that it facilitates hiding for terrorists and child abusers from law enforcement. A UK government spokesperson stated, “End-to-end encryption cannot be allowed to hamper efforts to catch perpetrators of the most serious crimes,” as reported by The Guardian in 2022 when Apple first launched end-to-end encryption.
In a similar vein, US agencies, including the FBI, have voiced concerns in the past but have recently begun endorsing encryption as a countermeasure against hackers linked to China. In December 2024, the NSA and FBI, alongside cyber security centers from Canada, Australia, and New Zealand, recommended that web traffic be “end-to-end encrypted to the maximum extent possible,” establishing new security best practices. Notably, the UK security services did not join this initiative.
If Apple complies with the UK government’s request for access to encrypted data, it could set a precedent that may encourage other nations, including the US and China, to demand similar access. Consequently, Apple would face the dilemma of either complying or discontinuing its encryption services entirely. Other tech companies are likely to encounter similar demands in this evolving landscape.
Google has provided encrypted Android backups by default since 2018, and Meta also offers encrypted backups for WhatsApp users. Representatives from both companies declined to comment to The Washington Post regarding whether they have received government requests for backdoors. Google’s Ed Fernandez reaffirmed that the company “can’t access Android end-to-end encrypted backup data, even with a legal order,” while Meta reiterated a previous statement asserting that no backdoors would be implemented.
