In January, the United Kingdom’s Home Office—equivalent to the United States’s Department of Homeland Security—secretly demanded that Apple provide, upon request, backdoor access to any account on iCloud (Apple’s file-storage service) on the planet. U.K. law forbids Apple from disclosing the order’s existence, but the news leaked in February. Earlier this month, the BBC reported that the company has filed a secret appeal with the Investigatory Powers Tribunal, the modern-day Star Chamber that oversees the U.K.’s sweeping surveillance apparatus. A restricted hearing supposedly occurred on March 14.
The American response to the U.K.’s behavior has, refreshingly, transcended party lines. Senator Ron Wyden, a Democrat, and Representative Andy Biggs, a Republican, jointly condemned “what is effectively a foreign cyberattack waged through political means.” Two other Democratic lawmakers warned that Britain is “undermin[ing] U.S. law, public policy, and information security.” Tulsi Gabbard, the Trump administration’s director of national intelligence, called the U.K.’s move an “egregious violation of Americans’ privacy and civil liberties.” President Trump himself compared the secret order with “something you hear about with China,” adding that the U.K. “can’t do this.”
Finally, a reason to check your emails.
Sign up for our free newsletter today.
Nonetheless, Apple faces an uphill battle. It must argue that the U.K. violated the Investigatory Powers Act of 2016, widely known as the Snoopers’ Charter, which authorizes the British government to intercept communications, engage in bulk data collection, and compel telecom and software companies to give access to users’ data. While it appeals, Apple has pulled the service being attacked, Advanced Data Protection (ADP), from the U.K. Whether the Home Office will accept this partial retreat, or insist that the tech giant dismantle the feature globally, remains to be seen.
In the United States, Apple iPhone users can still use ADP, thereby protecting certain data stored in iCloud—including photos, files, and notes—with end-to-end encryption that even the government cannot break. In the United Kingdom, however, Apple has now removed this option, under government pressure. There is a real risk it could be forced to do the same here. U.S. policymakers must act to prevent that outcome.
At the heart of the issue is encryption technology. End-to-end encryption ensures that only users with the correct password (or cryptographic key, to be precise) can access their data. For messaging apps like Signal or WhatsApp, this means messages can be read only by the sender and recipient. For iCloud backups, it means only the user—not even Apple—can see the stored content in its unscrambled form.
If, as the U.K. demands, Apple built a backdoor, iCloud would, by definition, no longer be end-to-end encrypted. And as any cybersecurity expert will confirm, there is no such thing as a backdoor that only the government can use. Once created, it is only a matter of time before a backdoor gets exploited—whether by hackers, foreign adversaries, or rogue insiders.
The United States has not always defended strong encryption, but recent events have raised Americans’ awareness of what’s on the line. When wokeness was ascendant, some conservatives came to view data privacy as a bulwark against an increasingly progressive administrative state and even the possibility of a social-credit system. Meantime, Republicans and Democrats alike have grown frustrated with the FBI’s persistent failure to curb abuses of its surveillance powers. More recently, Salt Typhoon—the Chinese Communist Party’s operation to infiltrate America’s telecommunications infrastructure—has driven home, even to national security hawks, that a backdoor for good guys is also a backdoor for bad ones.
The U.K. has taken a different path. For years, it has tried to reduce the encryption debate to a matter of child safety alone. State-funded campaigns cast encryption as useful only to predators—and not, say, political dissidents. In one proposed advertisement, apparently shelved, an adult and child, each typing on a smartphone, were to sit in public in a glass box that slowly grows opaque.
The U.K.’s Online Safety Act of 2023 empowers Ofcom, the U.K.’s telecom regulator, to require platforms to deploy specific technologies in the name of public safety. This opens the way for the government to scan all private messages for illegal content. The government has yet to impose such a requirement—but its attack on Apple shows where things are headed.
Child protection is an important goal, obviously, but the U.K. refuses to reckon with the cost of creating a digital panopticon. Nor is it being candid about what it can already do. With time, money, and a warrant, state actors can break into most smartphones. What the U.K. officials really want is the capacity to peer into every smartphone easily and at will.
The stakes are high. If the U.K. succeeds in compelling Apple to sabotage its own security, autocratic regimes—as well as other putatively liberal ones—will take note and follow suit.
The U.S. must respond. A good start would be to revisit the terms of the U.S.-U.K. CLOUD Act agreement, which allows Britain to obtain data from U.S. tech firms without American oversight. Though the agreement bars the U.K. from targeting U.S. persons or collecting data in bulk, these guardrails now appear inadequate. It turns out we cannot trust the Brits to respect cybersecurity on our shores.
If the U.K. wants to devalue its own rights, that is its choice. But we should defend ours. When we broke from Great Britain, we wisely chose to write our liberties down. As the U.K.’s unwritten constitution fades, our courts still uphold the First and Fourth Amendments.
The Supreme Court has affirmed every American’s right to be free from state inquiry into his library’s contents. Our papers have moved to the cloud, and His Majesty’s government wants a look. Americans know how to react to such royal intrusions.
Photo by Peter Nicholls/Getty Images
