UK Can’t Help Itself: Back To Demanding Apple Break Encryption After “Backing Down” Just Months Ago

from the security-theater dept

Well, that didn’t last long. Remember back in August when we reported that the UK had supposedly “backed down” from its dangerous demand that Apple create encryption backdoors? Remember how the Trump administration (mainly Tulsi Gabbard and JD Vance) went around patting themselves on the back for tough-arming the UK into acquiescence?

At the time, we highlighted that getting the UK to back down was undoubtedly a good thing, but the reporting on it mentioned a “secret deal” which raised a lot of new questions. Apparently, we were right to be concerned. It appears that Gabbard and Vance negotiated a hollow victory that allowed them to get fawning press coverage, while the UK government could still demand encryption backdoors.

It turns out that “backing down” was more like a tactical retreat, because according to a new Financial Times report, British officials are right back at it — this time with an only slightly tweaked but still terrible demand.

The UK government has ordered Apple to allow access to encrypted cloud backups of British users, after a previous attempt to issue a broader demand that included US customers drew a furious backlash from the Trump administration.

The UK Home Office demanded in early September that Apple create a backdoor into users’ cloud storage service, but stipulated that the order applied only to British citizens’ data, according to people briefed on the matter.

A previous technical capability notice (TCN) issued in January sought global access to encrypted user data. That move sparked a diplomatic clash between the UK and US governments and threatened to derail the two nations’ efforts to secure a trade agreement.

In February, Apple withdrew its most secure cloud storage service, iCloud Advanced Data Protection, from the UK.

So let’s recap this insanity: Earlier this year, the UK demanded Apple break encryption globally. Apple shut down its Advanced Data Protection service in the UK rather than comply. There was massive pushback, including from the Trump administration. The UK then supposedly “backed down” in what was described as a “mutually beneficial agreement” between the US and UK. Now, just weeks later, they’re back with basically the same demand, just geographically limited.

Which raises the obvious question: what exactly was that “mutually beneficial” deal? Because it’s starting to look suspiciously like the US told the UK “fine, spy on your own people all you want, just leave ours alone.”

And here we are again. Apple is still unable to offer its most secure cloud storage to UK users, and now the UK government is doubling down on making its own citizens less safe. The company’s response remains appropriately defiant:

“Apple is still unable to offer Advanced Data Protection in the United Kingdom to new users,” Apple said on Wednesday. “We are gravely disappointed that the protections provided by ADP are not available to our customers in the UK given the continuing rise of data breaches and other threats to customer privacy.”

It added: “As we have said many times before, we have never built a back door or master key to any of our products or services and we never will.”

As for all that pressure from Trump administration officials like Tulsi Gabbard and JD Vance that supposedly convinced the UK to back down? Well, according to the FT report, that pressure seems to have evaporated:

Members of the US delegation raised the issue of the request to Apple around the time of Trump’s visit, according to two people briefed on the matter. However, two senior British government figures said the US administration was no longer leaning on the UK government to rescind the order.

Translation: The US got what it wanted and is now perfectly happy to let the UK spy on British citizens. So much for standing on principle.

Once again, it appears that the Trump administration is happy to sign short-sighted, limited deals that sell out principles in favor of getting headlines that pump up their own efforts misleadingly.

This whole saga perfectly illustrates the fundamental problem with trying to create “limited” backdoors. You can’t create a vulnerability that only works for the “good guys”—any backdoor becomes a vulnerability for everyone. And you certainly can’t create geographically limited encryption weaknesses:

Caroline Wilson Palow, legal director of the campaign group Privacy International, said the new order might be “just as big a threat to worldwide security and privacy” as the old one.

She said: “If Apple breaks end-to-end encryption for the UK, it breaks it for everyone. The resulting vulnerability can be exploited by hostile states, criminals and other bad actors the world over.”

What’s especially frustrating is how this plays out politically. The Trump administration gets to look like the defender of American privacy rights while throwing British users under the bus. The UK government gets to claim it’s only targeting its own citizens (or, rather, not to say anything at all because it gets to hide behind the Investigatory Powers Act gag orders). And Apple gets stuck in the middle, forced to choose between protecting user security and maintaining access to a major market.

The UK’s Investigatory Powers Act continues to be the gift that keeps on giving to authoritarians worldwide. Every time the UK pushes these boundaries, it provides cover for more repressive regimes to make similar demands. “If the UK can demand backdoors, why can’t we?” becomes the rallying cry for authoritarians around the world.

And let’s not forget the forced secrecy component that makes all of this even more insidious. These Technical Capability Notices come with built-in gag orders, so Apple can’t even warn its users directly of what’s happening and that their data might be compromised. It’s surveillance with a side of deception.

The only reason we know about any of this—including the original order earlier this year—is because of leaks to the press.

The UK government’s approach here is particularly cynical. They’re betting that limiting their demand to UK users will reduce international pressure while still giving them the surveillance capabilities they want. And the Trump admin appears to be ignorantly playing along.

Once more for those in the back: there is no such thing as a “limited” encryption backdoor. Any vulnerability introduced into Apple’s systems creates risks for all users, regardless of nationality. The technical architecture doesn’t respect geographic boundaries, and neither will the criminals and hostile actors who inevitably discover and exploit these weaknesses.

This is exactly what we warned would happen when we wrote about that secretive “agreement” in August. Secret deals around fundamental rights are never good news, and this latest development proves why. The UK got what it wanted — permission to spy on its own citizens without international interference.

The only silver lining is that Apple continues to refuse to comply, but that puts the company in an impossible position. How long can they maintain this stance while being locked out of offering their best security features to UK users?

The UK government is making its own citizens less safe while setting a dangerous precedent for authoritarians worldwide. The fact that they’re doing it with apparent US acquiescence just makes it worse.

Filed Under: backdoors, encryption, jd vance, tulsi gabbard, uk

Companies: apple