{"id":107972,"date":"2025-03-19T13:10:59","date_gmt":"2025-03-19T17:10:59","guid":{"rendered":"https:\/\/cdt.org\/?post_type=insight&#038;p=107972"},"modified":"2025-03-25T12:13:16","modified_gmt":"2025-03-25T16:13:16","slug":"secrets-secrets-are-no-fun-the-united-kingdoms-secret-war-on-encryption","status":"publish","type":"insight","link":"https:\/\/cdt.org\/insights\/secrets-secrets-are-no-fun-the-united-kingdoms-secret-war-on-encryption\/","title":{"rendered":"<strong>Secrets, Secrets Are No Fun: the United Kingdom&#8217;s Secret War on Encryption<\/strong>"},"content":{"rendered":"\n<p><em>Late last week, a <\/em><strong><em>secret<\/em><\/strong><em> tribunal in the U.K. <\/em><a href=\"https:\/\/www.bbc.com\/news\/articles\/c9vy0m8ggz3o\"><em>reportedly<\/em><\/a><em> held a <\/em><strong><em>secret<\/em><\/strong><em> hearing on an appeal by U.S. tech giant Apple of a <\/em><strong><em>secret<\/em><\/strong><em> order Apple reportedly received from the U.K. to compromise its users&#8217; privacy and cybersecurity worldwide.<\/em><\/p>\n\n\n\n<p>The British government is attacking encryption, and the casualties could include the privacy and cybersecurity of millions worldwide. The U.S. should demand that the U.K. withdraw its order, or else terminate the U.K.\u2019s unique access to the troves of user data it obtains from U.S. tech companies.&nbsp;<\/p>\n\n\n\n<p><strong>The U.K. 
Ambushes Encryption<\/strong><\/p>\n\n\n\n<p>Recent <a href=\"https:\/\/www.washingtonpost.com\/technology\/2025\/02\/07\/apple-encryption-backdoor-uk\/\">reports<\/a> suggest that the British Home Office has secretly issued a Technical Capability Notice (TCN) to Apple under the <a href=\"https:\/\/www.legislation.gov.uk\/ukpga\/2016\/25\/contents\">Investigatory Powers Act (IPA) of 2016<\/a>, commonly known as the \u201cSnoopers\u2019 Charter,\u201d compelling the company to introduce a backdoor into its end-to-end encrypted cloud storage service, \u201c<a href=\"https:\/\/www.apple.com\/newsroom\/2022\/12\/apple-advances-user-security-with-powerful-new-data-protections\/\">Advanced Data Protection<\/a>\u201d (ADP). The Snoopers\u2019 Charter, <a href=\"https:\/\/cdt.org\/insights\/uk-investigatory-powers-bill-imperils-public-safety-by-undermining-data-sharing-with-the-us\/\">which has long<\/a> <a href=\"https:\/\/cdt.org\/insights\/written-evidence-to-the-public-bill-committee-regarding-investigatory-powers-bill\/\">concerned CDT<\/a>, <a href=\"https:\/\/www.legislation.gov.uk\/ukpga\/2016\/25\/section\/255\">prohibits<\/a> the recipient of a TCN from disclosing the existence or contents of the notice to anyone without the permission of the Secretary of State, so Apple can neither confirm nor deny the existence of the demand.&nbsp;<\/p>\n\n\n\n<p>Assuming the reports are true, such backdoor access would allow British officials to require Apple to provide in decrypted form content that any user \u2014 not only in the U.K., but worldwide \u2014 has uploaded to the cloud using ADP. This type of order has no known precedent in major democracies \u2014 for good reason.&nbsp;<\/p>\n\n\n\n<p>Introducing backdoors into end-to-end encryption means introducing systemic security flaws, as <a href=\"https:\/\/www.bsg.ox.ac.uk\/sites\/default\/files\/2021-11\/End-to-end%20Encryption%20Ciaran%20Martin%20Blavatnik%20School.pdf\">the U.K. knows<\/a>. 
Across the world, <a href=\"https:\/\/www.cdt.org\/wp-content\/uploads\/pdfs\/CALEAII-techreport.pdf\">cybersecurity experts agree<\/a> that there is no way to provide government access to end-to-end encrypted data without breaking end-to-end encryption. News of the U.K. order to Apple sparked <a href=\"https:\/\/www.globalencryption.org\/2025\/02\/joint-letter-on-the-uk-governments-use-of-investigatory-powers-act-to-attack-end-to-end-encryption\/\">global alarm<\/a>. Backdoors into encryption jeopardize all users\u2019 privacy and cybersecurity because criminals specifically look to exploit these vulnerabilities. Nevertheless, the U.K. has decided to ambush encryption with its notice. As President Trump put it: \u201c<a href=\"https:\/\/www.reuters.com\/technology\/trump-compares-uks-demand-apple-user-data-chinese-monitoring-2025-02-28\/\">That\u2019s something, you know, you hear about with China<\/a>.\u201d<\/p>\n\n\n\n<p>In the case of Apple, the world\u2019s second largest provider of mobile devices, introducing backdoor access into its encrypted cloud service would mean putting millions of users at risk. To make matters worse, the most harmful impact would fall on those who rely on encryption because they are already most vulnerable, including <a href=\"https:\/\/www.internetsociety.org\/wp-content\/uploads\/2021\/05\/NNEDV_Survivor_FactSheet-EN.pdf\">domestic violence survivors<\/a>, <a href=\"https:\/\/www.lgbttech.org\/encryption-privacy-security\">LGBTQ+ persons<\/a>, and others. 
These risks must not be tolerated.<\/p>\n\n\n\n<p><strong>Apple Fights Back in the Shadows<\/strong><\/p>\n\n\n\n<p>Rather than capitulate to the U.K.\u2019s demand, Apple made the <a href=\"https:\/\/bsky.app\/profile\/cendemtech.bsky.social\/post\/3lipkdxitob22\">principled<\/a> <a href=\"https:\/\/support.apple.com\/en-us\/122234\">decision<\/a> to cease offering ADP in Great Britain, and it has <a href=\"https:\/\/www.bbc.com\/news\/articles\/c8rkpv50x01o\">reportedly appealed<\/a> the notice to the <a href=\"https:\/\/investigatorypowerstribunal.org.uk\/\">Investigatory Powers Tribunal<\/a>, which has the authority to review complaints against U.K. intelligence services. British law requires Apple to comply with the notice even while its appeal is pending. As a result, British authorities may insist that Apple build a backdoor to ADP even though it does not offer ADP in the U.K. Apple may challenge such a fully extraterritorial mandate as disproportionate under applicable law.&nbsp;<\/p>\n\n\n\n<p>To make matters worse \u2014 <em>again<\/em> \u2014 the entire review process is <em>also<\/em> shrouded in secrecy. Similar to how the recipient of a TCN is prohibited from disclosing the existence or contents of the notice, the Investigatory Powers Tribunal proceedings can be kept secret. This means the U.K. Home Office can place Apple, or any other service provider, under a strict gag order when it issues a TCN. The chilling result: the public does not know if other encrypted services have received such notices and, if so, which of them complied with those notices, putting user data at risk.&nbsp;<\/p>\n\n\n\n<p>This blatant lack of transparency severely inhibits public discourse, making it impossible for stakeholders \u2014 including cybersecurity experts, civil rights organizations, and the general public \u2014 to understand the full implications and challenge the U.K.\u2019s policy. 
Apple may or may not be the first recipient of a notice that requires undermining encryption, but it\u2019s unlikely to be the last. In any case, policies that affect millions of users and global cybersecurity ought not be fought out in the shadows.&nbsp;<\/p>\n\n\n\n<p><strong>Another CLOUD Looms in the U.S.<\/strong><\/p>\n\n\n\n<p>Despite the U.K. Home Office issuing the TCN under its own domestic law, the U.S. is not without means to respond. The <a href=\"https:\/\/www.justice.gov\/criminal\/criminal-oia\/cloud-act-agreement-between-governments-us-united-kingdom-great-britain-and-northern\">US-UK CLOUD Act Agreement<\/a> (Agreement) entered into effect under the authority of the U.S. <a href=\"https:\/\/www.congress.gov\/bill\/115th-congress\/house-bill\/4943\">CLOUD Act<\/a> and gives the U.S. substantial leverage over the U.K. in surveillance matters.&nbsp;<\/p>\n\n\n\n<p>The CLOUD Act allows U.S. providers to disclose user data directly to foreign states under the laws of those foreign states, with certain conditions. Those conditions include limiting disclosures to cases involving serious crimes, preventing disclosure of information of Americans or anyone physically located in the U.S., and most importantly, requiring that the U.S. has entered an executive agreement with the requesting state that certifies the state\u2019s laws and practices meet certain human rights standards. Countries with CLOUD Act agreements with the U.S. can bypass the cumbersome process under mutual legal assistance treaties (MLATs), as well as the probable cause requirement for compelled disclosure of communications content that applies in the MLAT context, and most importantly for the U.K., can engage in real time wiretapping of the users of U.S. tech companies, which MLAT processes and U.S. law do not otherwise permit. All CLOUD Act agreements are reciprocal, so the U.S. should enjoy the same benefits as partner states.&nbsp;<\/p>\n\n\n\n<p>So far, the U.S. 
has entered into only two CLOUD Act agreements: one with <a href=\"https:\/\/www.justice.gov\/criminal\/criminal-oia\/cloud-act-agreement-between-governments-us-and-australia\">Australia<\/a>, and one with the <a href=\"https:\/\/www.justice.gov\/criminal\/criminal-oia\/cloud-act-agreement-between-governments-us-united-kingdom-great-britain-and-northern\">U.K.<\/a>, which entered into force on October 3, 2022. So what can be done?<\/p>\n\n\n\n<p><strong>Light Through the CLOUD<\/strong><\/p>\n\n\n\n<p>The CLOUD Act, and the US-UK CLOUD Act Agreement, present a significant opportunity for the U.S. to meaningfully pressure the U.K. to withdraw its demand to Apple. <a href=\"https:\/\/www.law.cornell.edu\/uscode\/text\/18\/2523\">By law<\/a>, the US-UK CLOUD Act Agreement expires after five years unless renewed, which means the Agreement will lapse in October 2027 absent renewal.&nbsp;<\/p>\n\n\n\n<p>The U.S. Department of Justice quietly <a href=\"https:\/\/www.documentcloud.org\/documents\/25551978-doj-report-to-congress-on-us-uk-cloud-act-agreement\/\">recertified<\/a> the US-UK CLOUD Act Agreement in November 2024, around the Thanksgiving congressional recess. The recertification report sent to Congress, which is required by the Act, provides <a href=\"https:\/\/www.lawfaremedia.org\/article\/first-insights-into-the-u.s.-u.k.-cloud-act-agreement\">several key insights<\/a> about the U.K.\u2019s conduct under the Agreement, not least that the U.K. issued more than 20,000 requests to U.S. service providers \u2014 almost all of which included wiretapping surveillance \u2014 while the U.S. issued a mere 63 to British providers. This dramatic imbalance owes to the geographic concentration of major service providers in the U.S., but it also demonstrates the overwhelming importance of the Agreement to the U.K. and its relative lack of importance to the U.S., and provides a powerful lever for the U.S. to wield. 
After all, the Trump Administration could, <a href=\"https:\/\/www.justice.gov\/criminal\/criminal-oia\/cloud-act-agreement-between-governments-us-united-kingdom-great-britain-and-northern\">under the terms of the Agreement<\/a>, unilaterally terminate it without cause and with only 30 days\u2019 notice.&nbsp;<\/p>\n\n\n\n<p>The recertification report subtly hints that the DOJ knew about the TCN issued to Apple, or other attacks on encryption in the U.K. The report states that although new laws in the U.K., such as the <a href=\"https:\/\/bills.parliament.uk\/bills\/3508\">Investigatory Powers (Amendment) Act of 2024<\/a> that expanded surveillance authority under the IPA, did not violate the requirements of the CLOUD Act (per the DOJ), the DOJ had nonetheless \u201ctaken the opportunity [&#8230;] to remind the U.K. of the statute\u2019s requirement that the terms of the Agreement shall not create any obligation that providers be capable of decrypting data or limitation that prevents providers from decrypting data.\u201d At a minimum, the DOJ should also have \u201ctaken the opportunity\u201d to warn Congress that the U.K. was preparing to use newly acquired powers under British law to undermine the security of Americans\u2019 encrypted data and that of people around the world.&nbsp;<\/p>\n\n\n\n<p><strong>The U.S. Seeks Answers<\/strong><\/p>\n\n\n\n<p>Congress has, in fact, taken steps to leverage the CLOUD Act and the US-UK CLOUD Act Agreement to seek answers from top U.S. and U.K. officials. In a <a href=\"https:\/\/www.documentcloud.org\/documents\/25545435-wyden-biggs-letter-to-dni-re-uk-backdoors\/\">letter<\/a> to the Director of National Intelligence (DNI), Tulsi Gabbard, Senator Ron Wyden (D-OR) and Representative Andy Biggs (R-AZ) urged the U.S. to \u201c[give] the U.K. an ultimatum: back down from this dangerous attack on U.S. 
cybersecurity, or face serious consequences.\u201d The letter also asked DNI Gabbard to provide Congress with unclassified answers to critical questions, like whether the Trump Administration had any awareness of the TCN.<\/p>\n\n\n\n<p>In her <a href=\"https:\/\/s3.documentcloud.org\/documents\/25545430\/dni-wyden-biggs-response.pdf\">response<\/a>, DNI Gabbard said she shared a \u201cgrave concern about the serious implications of the United Kingdom, or any foreign country, requiring Apple or any company to create a \u2018backdoor\u2019 that would allow access to Americans\u2019 personal encrypted data.\u201d She further noted that such a TCN would be a \u201cclear and egregious violation of Americans\u2019 privacy and civil liberties, and open up a serious vulnerability for cyber exploitation by adversarial actors,\u201d while committing to using her office to investigate the matter further.&nbsp;<\/p>\n\n\n\n<p>Most recently, a bipartisan group of members of Congress also <a href=\"https:\/\/www.wyden.senate.gov\/imo\/media\/doc\/bipartisan_congressional_letter_to_uk_ipt_on_apple_backdoorpdf.pdf\">urged<\/a> the Investigatory Powers Tribunal (IPT) to open its hearing to the public, and former Secretary of Homeland Security Michael Chertoff said the U.K. should <a href=\"https:\/\/chertoffgroup.com\/michael-chertoff-britain-should-reconsider-its-move-to-break-encryption\/#:~:text=Backdoors%20introduce%20new%20potential%20vulnerabilities%20at%20risk%20of%20being%20exploited%20by%20hackers%2C%20such%20as%20malicious%20tradecraft%20that%20provide%20access%20to%20an%20otherwise%20%E2%80%9Csecure%E2%80%9D%20system.%20And%20once%20the%20capability%20is%20there%2C%20it%20is%20a%20matter%20of%20time%20until%20a%20nefarious%20actor%20moves%20to%20illicitly%20gain%20access%20to%20the%20same%20tool.\">reconsider its move to break encryption<\/a>.&nbsp;<\/p>\n\n\n\n<p>These actions are the appropriate first steps, but the DOJ should also weigh in and urge the U.K. 
to reverse course, and Congress should modify the CLOUD Act itself to preclude agreements with states whose laws authorize orders to compel decryption by providers of end-to-end encrypted services. Such providers cannot decrypt data or communications without introducing serious security vulnerabilities and, as Apple was here, could effectively be compelled to stop offering such a service, to the detriment of cybersecurity in the U.S. and abroad. In the meantime, if the U.K. refuses to withdraw the order, the U.S. should terminate the Agreement.&nbsp;<\/p>\n\n\n\n<p class=\"has-text-align-center\">***<\/p>\n\n\n\n<p>The U.K.\u2019s secret war on encryption threatens global cybersecurity and sets a dangerous precedent for government overreach. With secret orders, secret appeals, and secret hearings, the U.K. is undermining public trust and digital safety from the shadows. The U.S. must continue to demand transparency and accountability. If the U.K. refuses to back down, Congress and the Trump administration should take decisive action to protect the security of Americans\u2019 data. 
Encryption is not just a policy debate\u2014it is a fundamental pillar of people\u2019s privacy and security, and it must be protected.<\/p>\n","protected":false},"featured_media":86100,"template":"","content_type":[7251],"area-of-focus":[7257,806,799],"class_list":["post-107972","insight","type-insight","status-publish","has-post-thumbnail","hentry","content_type-blog","area-of-focus-european-surveillance","area-of-focus-government-surveillance","area-of-focus-us-surveillance"],"acf":[],"_links":{"self":[{"href":"https:\/\/cdt.org\/wp-json\/wp\/v2\/insight\/107972","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cdt.org\/wp-json\/wp\/v2\/insight"}],"about":[{"href":"https:\/\/cdt.org\/wp-json\/wp\/v2\/types\/insight"}],"version-history":[{"count":2,"href":"https:\/\/cdt.org\/wp-json\/wp\/v2\/insight\/107972\/revisions"}],"predecessor-version":[{"id":107974,"href":"https:\/\/cdt.org\/wp-json\/wp\/v2\/insight\/107972\/revisions\/107974"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cdt.org\/wp-json\/wp\/v2\/media\/86100"}],"wp:attachment":[{"href":"https:\/\/cdt.org\/wp-json\/wp\/v2\/media?parent=107972"}],"wp:term":[{"taxonomy":"content_type","embeddable":true,"href":"https:\/\/cdt.org\/wp-json\/wp\/v2\/content_type?post=107972"},{"taxonomy":"area-of-focus","embeddable":true,"href":"https:\/\/cdt.org\/wp-json\/wp\/v2\/area-of-focus?post=107972"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}