An unprecedented letter from the US Congress, released today, accuses the UK of “a foreign cyberattack waged through political means”. The claim refers to a secret Home Office demand last month (previously reported by CW) that Apple break the security protecting its Advanced Data Protection cloud security system to let British spies into anyone’s secure files.
In a letter to the recently appointed US Director of National Intelligence (DNI) Tulsi Gabbard, Senator Ron Wyden of Oregon and Representative Andy Biggs of Arizona bluntly ask the administration to kick the UK out of the 65-year-old UK-USA signals intelligence sharing agreement, commonly known as “Five Eyes”, if the UK does not now withdraw the demand to Apple.
“If the U.K. does not immediately reverse this dangerous effort, we urge you to reevaluate U.S.-U.K. cybersecurity arrangements and programs as well as U.S. intelligence sharing with the U.K.,” the new DNI is advised.
On other issues, the signatories are on opposing sides of US politics. Wyden is a liberal Democrat who has campaigned for healthcare and the environment; Biggs is a loud Trump supporter and a noted organiser of the “MAGA squad”. Wyden, from Oregon, serves on the Senate Intelligence and Finance Committees; Biggs, from Arizona, chairs the House Judiciary Subcommittee on Crime and Federal Government Surveillance. Their unified complaint against British tactics and conduct is potentially a unique event in the turbulent political period since Donald Trump’s accession.
Damage to information sharing with US
The letter was also copied to incoming British Ambassador Peter Mandelson. The British Embassy, Home Office and DNI have not made any official comment on the letter at the time of writing.
The representatives have asked the DNI to tell Congress if the administration accepts British claims that it can impose “gag orders” on demands to American companies to provide user data, or to make technical changes to their systems and software. They also demand to know if the Home Office warned the US Government about the January notice, before it was revealed in the press.
The British move against Apple also threatens to prejudice recent valuable gains in co-operative information sharing. It took four years for the US and Britain to agree a Data Access Agreement in 2022 that does allow Apple to provide data and files from UK iCloud Accounts, provided that the user has not turned on advanced security. This arrangement was authorised under the “CLOUD” Act (“Clarifying Lawful Overseas Use of Data”) and was, according to the Department of Justice, “the first agreement of its kind, allowing each country’s investigators to gain better access to vital data to combat serious crime in a way that is consistent with privacy and civil liberties standards.”
The data flows both ways, allowing US agents automatic access to British-controlled data. “Under the Data Access Agreement, service providers in one country may respond to qualifying, lawful orders for electronic data issued by the other country, without fear of running afoul of restrictions on cross-border disclosures”, the DoJ noted.
Home Office ‘greedy for everything’
According to UK academic and industry sources, the recently improved level of access to some iCloud data may have caused the Home Office to get “impatient and greedy for everything”, and to proceed without legally required technical caution. According to reliable industry sources, the recent notice was not first scrutinised by the statutory Technical Advisory Panel (TAP), which includes vetted outside cryptosecurity and computer science experts. If this is correct, then the UK “Judicial Commissioner” who authorised the Notice to Apple and the Home Secretary may both have been misled, requiring the procedure for issuing the Notice to be reviewed.
The representatives reminded DNI Gabbard that at her confirmation hearing she stated that “backdoors lead down a dangerous path that can undermine Americans’ Fourth Amendment rights and civil liberties”, warning later that compulsory “mechanisms to bypass encryption or privacy technologies undermines user security, privacy, and trust and poses significant risks of exploitation by malicious actors.”
“We urge you to put those words into action by giving the U.K. an ultimatum”, their letter concludes. “Back down from this dangerous attack on U.S. cybersecurity or face serious consequences.”
Beijing could exploit UK ‘backdoor’
American cryptographers and cryptosecurity experts back the demand and have warned that “Beijing would quickly exploit the British order to allow access to encrypted data”. “The U.S. should pass laws that forbid U.S. companies from installing encryption backdoors at the request of foreign countries”, according to Matt Green, a leading cryptographer and professor of computer science at Johns Hopkins University. “This would put companies like Apple in a bind. But it would be a good bind!”