Category: Cyber Security | Published: 2025-11-04
The New Order
According to reports in the Financial Times, the Home Office served Apple with a new Technical Capability Notice (TCN) in early September requesting a mechanism to access encrypted cloud backups for UK citizens. TCNs are formal notices issued under the Investigatory Powers Act 2016, a law that grants UK authorities the power to compel technology companies to make technical modifications to support lawful access to data.
The September notice reportedly differs from an earlier version issued in January by limiting the demand to British users only. The original order had requested access to encrypted iCloud data for users globally. At the time, that broader approach prompted some diplomatic and legal pushback, particularly from the United States.
How This One Differs From January’s Demand
The first TCN issued by the UK government sought a capability to unlock encrypted iCloud backups for any Apple user, regardless of nationality, if the user had enabled Apple’s Advanced Data Protection (ADP) feature. ADP is an optional setting that allows iCloud backups and other key data to be protected with end-to-end encryption, meaning not even Apple can decrypt the data.
That earlier order triggered an international dispute, with senior figures in the US government accusing the UK of overreach. In August, US Director of National Intelligence Tulsi Gabbard told the FT that the UK had _“agreed to drop”_ its demand that would have affected US citizens’ protected data.
This latest September order appears to be a UK-only version that avoids direct infringement on US users’ rights, but the technical implications are still contested.
Apple’s Position
Apple has repeatedly rejected the idea of building a backdoor into any of its systems. In a statement responding to the latest reports, the company said: _“As we have said many times before, we have never built a back door or master key to any of our products or services and we never will.”_
Blocked
Since February, Apple has blocked new users in the UK from enabling Advanced Data Protection, and has said existing users will eventually be required to disable it to continue using iCloud. A company support page confirms that ADP remains unavailable in the UK, although it is still offered in other regions, including the US and the EU.
ADP expands the categories of iCloud data protected by end-to-end encryption from 14 to 23, including device backups, Photos, Notes and more. Without it, Apple holds the encryption keys, which allows the company to comply with valid legal requests for data access. With ADP, only the user has the key, and data can only be decrypted on that user’s trusted devices.
What The Home Office Says
The Home Office has not confirmed the existence of the order. In a statement, a government spokesperson said: _“We do not comment on operational matters, including, for example, confirming or denying the existence of any such notices. We will always take all actions necessary at the domestic level to keep UK citizens safe.”_
UK officials have consistently argued that encrypted technologies (and apps) can obstruct investigations into serious crimes, terrorism, and child sexual abuse, and that investigative capabilities must evolve in line with technological change.
The Legal Process And The Secrecy Fight
Apple has challenged aspects of the January TCN through the Investigatory Powers Tribunal (IPT), which is a specialist UK court that hears complaints about surveillance powers. In April, the IPT ruled against the Home Office’s attempt to keep the proceedings entirely secret, confirming Apple as the complainant and the Home Secretary as the respondent.
Campaign groups including Privacy International and Liberty have also mounted linked legal challenges, arguing that forcing Apple to weaken its encryption undermines users’ privacy and security. Those cases were due to be heard early next year, but the revised September order may now restart parts of the legal process.
Why This Is So Contentious (In Technical Terms)
End-to-end encryption ensures that data is only readable by the intended user. Critics of the UK’s approach say any attempt to introduce a backdoor, no matter how narrowly defined, undermines this principle and creates a new vulnerability. Many critics make the point that if Apple breaks end-to-end encryption for the UK, it essentially breaks it for everyone, and the resulting vulnerability could be exploited by all manner of bad actors, such as hostile states and cybercriminals.
Technical experts also argue that encryption systems can’t be designed with selective access for law enforcement without also weakening defences against broader threats. This has been a long-standing argument in the encryption debate, and is echoed by cryptographers, industry bodies and digital rights advocates.
The US Dimension
The earlier global demand strained relations between the UK and US governments. For example, key figures in President Trump’s administration, including Vice President JD Vance and DNI Tulsi Gabbard, reportedly urged the UK to abandon the request, warning that it could compromise data belonging to US citizens and damage transatlantic privacy agreements.
During President Trump’s state visit to the UK in September, technology cooperation and investment were key topics. Around the same time, two US officials reportedly raised the Apple issue again. However, the FT has reported that the US is no longer pressuring the UK to rescind the latest order, most likely because of its narrowed scope.
Users
For now, UK users can’t newly enable Advanced Data Protection, and those who already had it enabled before February are expected to lose access to the feature in the coming months. Apple has not set a public deadline, but its statement suggests existing users will eventually need to disable ADP to continue using iCloud services.
As noted earlier, the feature is designed to protect user data such as device backups, messages, photos, and documents, all of which are frequently targeted in data breaches. For example, when launching ADP, Apple cited industry research showing that global data breaches exposed more than 1.1 billion records in 2021, with personal data the most common target.
According to Apple’s own security whitepaper, even without ADP, iCloud still uses strong encryption standards and safeguards, but Apple retains the ability to decrypt data in response to a lawful request. By contrast, with ADP enabled, Apple itself can’t access the data, even if compelled by authorities.
Reactions
Privacy groups have condemned the new order as a dangerous precedent. For example, Liberty and Privacy International have both warned that undermining encryption could affect not just privacy but also national security, by creating a mechanism that could be exploited by hostile states and criminal networks.
The UK’s data and security sectors have also expressed concerns that these policies could make the UK less attractive for tech investment. Companies required to disable privacy features in one country may be less willing to roll out services there, or may find it harder to meet customer expectations around security and compliance.
How It’s Being Framed
That said, the UK government continues to argue that TCNs are an essential part of modern law enforcement. The Investigatory Powers Act, which came into force in 2016 and is sometimes referred to as the “Snoopers’ Charter” by critics, enables agencies to issue notices requiring companies to maintain technical capabilities to support interception, access, or decryption of data when authorised by a warrant.
Supp