The Home Office sought access to data and messages stored by Apple users on its cloud storage in the UK and overseas by demanding a ‘back door’ to Apple’s iCloud service, a court ruling has revealed.
A UK government order against Apple requires the company to “remove electronic protection where practicable” on data stored by Apple users on its cloud-based back-up service, including beyond the borders of the UK.
A new court ruling suggests the UK has not yet dropped demands to access data of US Apple users, despite an announcement by the US director of National Intelligence, Tulsi Gabbard, that the UK had backed down following a major diplomatic row with the US.
The document based on “assumed facts” reveals that Home Officer order goes wider than giving access to data stored by Apple users on the company’s Advanced Data Protection Service – which it withdrew from the UK following the Home Office’s actions – and covers all data stored by Apple users on Apple’s iCloud service.
Apple launched a legal challenge against the Home Office at the Investigatory Powers Tribunal, an independent body that rules on the lawful use of surveillance powers in March, after the Home Office imposed the order in January.
Apple is challenging the Home Office use of a secret order, known as a Technical Capability Notice (TCN), to require to it to introduce mechanisms to allow the UK access to data and messages stored by users on the iCloud.
According to a court decision, issued by the Investigatory Powers Tribunal on Wednesday, the Home Office powers apply extraterritorially beyond the UK. “The obligations are not limited to the UK or users of the service in the UK, they apply globally in respect of the relevant data categories of all iCloud users,” it sates.
Apple required to disclosed messages and data
The Home Office order against Apple requires the tech company “to provide and maintain a capability to disclose categories of data stored within a cloud based backup service,” according to the filing, meaning that Apple is required to hand over both messages and data stored on the iCloud.
This could include encryption keys, photographs, and metadata that can identify a person, device, a service used, or web sites visited, but not the content viewed on a web site.
The Home Office has refused to confirm or deny the existence of the Technical Capability Notice, despite its existence having been widely leaked.
The IPT has decided to proceed on the basis of “assumed facts” allowing the case to be heard in open court, without the risk of breaching secrecy around the order, in hearings scheduled for early 2026.
TCN does not allow bulk interception
An analysis of the IPT decision, approved by two senior judges, shows that the TCN does not give UK intelligence services or law enforcement the ability to conduct bulk surveillance on material stored on Apple’s iCloud.
Under the Investigatory Powers Act, the TCN requires Apple to provide technical capabilities to allow targeted interception of communications.
This means that police and intelligence services can apply for interception warrants to obtain data stored on Apple’s iCloud from targeted individuals, organisations or premises.
They can also apply for “thematic warrants” to target multiple people, organisations or premises simultaneously, if surveillance forms part of a “single investigation” or “operation”.
Apple argues that the TCN prevents the company from offering its Advanced Data Protection service world-wide. The service allows users to independently encrypt their data on the iCloud in a way that it cannot be read by Apple.
The company withdrew its ADP service from the UK in February in the wake of the order “As we have said many times before, we have never built a backdoor or master key to any of our products or services and we never will,” Apple said, in a statement.
The Home Office TCN sparked a major diplomatic row between the UK and the US, with the UK attracting criticism from president Trump, vice president JD Vance and director of national intelligence Tulsi Gabbard, who argued that it could undermine Americans’ privacy and civil liberties.
Gabbard announced on the social media site X on 19 August that the UK had agreed to drop demands for a “back door” that would allow access to data of US citizens, although the terms of the agreement are unclear.
IPA amendments extended reach of ‘back door’ orders
The legal filing also reveals that the Home Office began the process of issuing the TCN against Apple before the introduction of critical amendments to the Investigatory Powers Act 2016 that impacted TCNs, but did not complete the process until after the amendments had partially come into force.
The Investigatory Powers (Amendment) Act 2024 included measures to extend the reach of TCNs to technology companies that are not based or controlled in the UK, provided that they operated services to UK users.
The government is expected to argue in hearings at the IPT next year that the TCN is proportionate as the government is required to obtain a warrant for each target for interception, which must be approved by a judicial commissioner.
It is expected to say that the powers created by the TCN are not an attempt to expand surveillance powers but to maintain existing powers that were in place before Apple introduced automatic encryption tools.
Government lawyers are also expected to argue that the fact that the TCN has been approved by a judicial commissioner provides sufficient legal and privacy safeguards.
Legal arguments will focus on advanced encryption
Apple is unlikely to succeed in legal arguments that the Home Office should not be able to access encrypted data on the iCloud in cases where Apple already has the encryption keys.
However it is expected to present arguments against Home Office demands that it removes users rights to encrypt data with their own encryption keys using Apples’ Advanced Data Protection service.
Commentators say the case will raise new areas of law. The only legal precedent is a case involving the encrypted messaging service Telegram, which implied that systematically weaking encryption is a disproportionate interference with the right to privacy under Article 8 of the European Convention on Human Rights.
Bernard Keenan, a lecturer in law at UCL and a specialist in surveillance law said the assumed facts appear to be “a lot more specific than the government would have wanted – its pretty easy to infer the terms of the order.”
He said the UK government had massively underestimated international objections to the TCN.
“First, the extent to which Apple as a ‘surveillance intermediary’ is prepared to resist requests to weaken the security of its devices in response to law enforcement requests,” he said.
“Second, the government had also underestimated the attitude of key members of the Trump administration to the balance between privacy and state power,” he added.
Source link
