
UK backdoor order to Apple raises bipartisan concerns

U.S. officials fear that gaps in existing law may enable countries to target U.S. companies with data access requests that harm user privacy and security.

U.S. policymakers say the U.K. overstepped in asking Apple to create a backdoor access point into encrypted cloud services and are considering how to protect other U.S. companies from receiving similar orders.

Earlier this year, media outlets, including The Washington Post, reported that Apple received a technical capability notice from the U.K. under the authority of its Investigatory Powers Act. The notice required Apple to build a backdoor for U.K. law enforcement to access a user's encrypted data stored on the cloud. Apple launched the Advanced Data Protection (ADP) privacy feature for cloud services in 2022, which enhanced its cloud security with end-to-end encryption.

A U.S. company subject to a U.K. technical capability notice can't reveal its existence to U.S. officials, according to experts speaking during a hearing Thursday held by the House Judiciary Subcommittee on Crime and Federal Government Surveillance. Instead of complying with the order, Apple removed ADP for its cloud users in the U.K.

If Apple had complied, it "would've compromised the communication security of its users in the U.S. and worldwide," testified Gregory Nojeim, senior counsel and director of the security and surveillance project at the nonprofit Center for Democracy & Technology. The issue is ongoing as Apple and other organizations, including U.K.-based Privacy International, are challenging the legality of the U.K. order.

"We don't know how many other U.S. providers have received one of these orders," Nojeim said. "If they have received one, they are gagged and can't say so."

Halting the U.K.'s ability to issue such an order to a U.S. company may involve amending the Clarifying Lawful Overseas Use of Data (CLOUD) Act. The law, enacted in 2018, aimed to speed authorities' access to information held by big U.S. tech companies for critical investigations into serious crimes, such as terrorism, cybercrime and sexual exploitation of children.

U.S. lawmakers voiced concerns about how foreign countries might use the act.

"Unfortunately, one of our closest allies, the United Kingdom, is taking advantage of its authorities under the CLOUD Act and is attacking America's data security and privacy," committee chairman Rep. Andy Biggs (R-Ariz.) said during the hearing.

U.K. backdoor order raises bipartisan concern

Under the CLOUD Act, allies such as the U.K. can enter into bilateral agreements with the U.S. to obtain user data from large service providers like Apple to assist with law enforcement investigations. While the U.S. has an agreement with the U.K., other contracts are currently being negotiated with Canada and the European Union.

Biggs said the U.K.'s order to Apple to create a backdoor for government officials into its encrypted cloud system indicates that the CLOUD Act isn't adequately protecting Americans' privacy and security. Biggs said he's called on President Donald Trump's administration to evaluate whether the CLOUD Act and the U.S. agreement with the U.K. are "working as intended" and whether the U.S. should renegotiate the agreement to "ensure our rights are protected."

"This order sets a dangerous precedent and, if not stopped now, could lead to future orders by other countries," he said. "Providing law enforcement with the tools to conduct investigations is a laudable and important goal. But the U.K., seemingly emboldened by its agreement with the United States under the CLOUD Act, has issued an order that will affect people all over the world, and this is a step too far."

Rep. Jamie Raskin (D-Md.) echoed Biggs' concerns about the U.K.'s backdoor order to Apple. He said the U.S. "should not sit idly by" and should assess what needs to change to prevent future orders against other U.S. companies.

Caroline Wilson Palow, legal director and general counsel at Privacy International, shared policymakers' fears that more countries could soon target U.S. companies, enabled by CLOUD Act processes.

"If the U.K. government succeeds in maintaining this order against Apple, it is likely further such orders targeting end-to-end encryption may follow," she testified. "Other American companies, given their global reach, will be targets."

Backdoors create security risks

Raskin pointed out that "backdoors are intentional, designed weaknesses."

"These designed weaknesses can be exploited by foreign governments seeking to compromise our national security, steal our intellectual property and monitor us in our daily lives and workplaces," he said.

Attempts at mandating lawful access into complex technological systems create vulnerabilities that are dangerous to U.S. national security, Susan Landau, professor of cybersecurity and policy at Tufts University, testified during the hearing.

She pointed to the 2024 Salt Typhoon hack and how Chinese hackers penetrated lawfully mandated backdoors to infiltrate high-profile telecommunications companies, including AT&T and Verizon. The Salt Typhoon hackers accessed communications of government officials, including Trump and Vice President J.D. Vance.

"Apple's advanced data encryption protects people's data; it's an important and needed technology," she said. "I urge you to ensure the U.K.'s efforts to improve its own investigatory capabilities do not come at its expense."

Makenzie Holland is a senior news writer covering big tech and federal regulation. Prior to joining Informa TechTarget, she was a general assignment reporter for the Wilmington StarNews and a crime and education reporter at the Wabash Plain Dealer.
