Category: Cyber Security | Published: 2025-07-30
WhatsApp Shut Out of High-Stakes Encryption Fight
The Investigatory Powers Tribunal (IPT), which hears complaints about UK surveillance and investigatory powers, has rejected an application by WhatsApp to intervene in two linked legal challenges over the use of secret government powers to weaken encryption.
The challenges stem from a reported Technical Capability Notice (TCN) issued by the Home Office in January 2025. Under the UK’s Investigatory Powers Act, a TCN can compel a company to build or alter technology to ensure it can be accessed by government agencies under lawful authority.
In this case, the order reportedly demanded that Apple provide access to encrypted user data stored globally on its iCloud platform, including material protected by its Advanced Data Protection (ADP) service.
Apple responded in February by withdrawing the ADP feature from UK users, publicly stating that it would never build _“a backdoor or master key”_ into its products. The move drew attention on both sides of the Atlantic, triggering concerns in the US about the implications for American users and businesses.
In March, Privacy International, Liberty, and two individual claimants filed a legal challenge to the secrecy and legality of the Home Office’s reported actions. Apple launched its own legal case in parallel.
Then, in April, the Home Office attempted to argue that the full case should be heard behind closed doors. This was rejected by the IPT following objections from ten media organisations. The tribunal opted instead for a novel legal approach which was to proceed on the basis of _“assumed facts”,_ allowing as much of the hearing as possible to be held in public while preserving the government’s right to “neither confirm nor deny” the existence of the order.
WhatsApp applied to intervene in both cases in June, citing the risk of a precedent that could erode the encryption protections used by billions of people. However, on 23 July, the Tribunal refused the application. A seven-day public hearing will now go ahead in early 2026, combining Apple’s case and the Privacy International-led challenge.
A Public Hearing, But Based on Assumed Facts
Although much of the government’s activities around encryption remain secret, the IPT has ruled that the bulk of Apple’s and Privacy International’s legal arguments will be heard in open court at a seven-day hearing, now scheduled for early 2026.
In a bid to balance transparency with national security, the tribunal will proceed on the basis of _“assumed facts”_ rather than actual confirmation of the Home Office’s reported order. The government will be permitted to maintain its official _“neither confirm nor deny”_ (NCND) position on the existence of the TCN, even though details have been widely leaked and reported.
Why?
It seems that this approach allows both Apple’s and Privacy International’s legal arguments to be made in public, without requiring sensitive details to be aired in a closed court. The IPT had previously rejected attempts by the Home Office to keep the entire case behind closed doors, following objections from a coalition of media outlets including the BBC, The Guardian and Computer Weekly.
A Frustrated WhatsApp Pushes Back
WhatsApp expressed clear frustration at the decision to exclude it from proceedings. CEO Will Cathcart previously submitted written evidence raising concerns that the UK order sets _“a dangerous precedent for security technologies that protect users around the world”._
Cathcart stated: _“We’ve applied to intervene in this case to protect people’s privacy globally. Liberal democracies should want the best security for their citizens. Instead, the UK is doing the opposite through a secret order.”_
Following the ruling, a WhatsApp spokesperson added: _“This is deeply disappointing, particularly as the UK’s attempt to break encryption continues to be shrouded in layers of secrecy. We will continue to stand up to governments that try to weaken the encryption that protects people’s private communication.”_
The company has repeatedly warned that mandating backdoors, i.e. ways for governments to access encrypted systems, would compromise security not just for criminals, but for all users, exposing communications to cybercriminals and hostile states.
Apple Takes a Stand (And a Step Back)
Apple has also taken a firm stance against the Home Office’s demands. For example, in February 2025, it withdrew its Advanced Data Protection (ADP) service from UK customers, rather than comply with the TCN’s reported requirements.
ADP enables users to encrypt their iCloud backups using end-to-end encryption, meaning not even Apple can access the data. The feature remains available in other countries.
In a statement at the time, Apple said: _“As we have said many times before, we have never built a backdoor or master key to any of our products or services, and we never will.”_
Apple’s legal challenge is separate from the civil liberties group case, but will be heard during the same week as part of the IPT’s coordinated hearing.
Why This Matters and What’s at Stake
The case matters because it has significant implications for privacy, national security, and the power of democratic oversight. At its heart is a tension between the UK government’s claim that it must access encrypted data to fight terrorism and child abuse, and the tech industry’s position that weakening encryption threatens the security of everyone.
Technical Capability Notices, while rarely discussed in public, give the Home Office power to compel companies to make their systems interceptable. This can include designing or modifying services to allow for lawful access, which is something encryption advocates have long argued is incompatible with true end-to-end encryption.
Smokescreen?
Campaigners such as Privacy International argue that the UK is using national security as a _“smokescreen”_ to bypass proper scrutiny and safeguards. Legal Director Caroline Wilson Palow criticised the government’s NCND stance, saying: _“We are being forced to sustain the fiction that the order does not exist, which may hinder our ability to grapple fully with its legal ramifications.”_
Privacy International’s challenge also questions the lawfulness and necessity of the regime underpinning TCNs, including whether they are being used proportionately and with sufficient parliamentary oversight.
International Repercussions and Political Fallout
It seems that the Home Office’s efforts have not only raised legal alarms but have also sparked diplomatic tensions. For example, the Financial Times recently reported that UK officials are now exploring ways to de-escalate the row with the US government, which sees the order against Apple as a breach of sovereignty.
US President Donald Trump and Director of National Intelligence Tulsi Gabbard have both condemned the UK’s actions, warning that attempts to access the encrypted data of US citizens could be considered a hostile act.
Gabbard described the move as _“a clear and egregious violation”_, and there have been calls in Washington for changes to the US CLOUD Act to limit the extraterritorial reach of UK orders.
What Comes Next?
The Tribunal’s case management order paves the way for a high-profile legal test in early 2026. The hearing is expected to include arguments on the legal limits of the UK’s investigatory powers, the technological realities of encryption, and whether governments can compel private firms to compromise the security of their own systems.
The hearing’s outcome may shape the future of encrypted communications not only in the UK, but globally. If the IPT upholds the TCN, it could embolden similar efforts in other jurisdictions. If it rul