US politicians furious at UK demand for encrypted Apple data

Two US lawmakers have strongly condemned what they call the UK’s “dangerous” and “shortsighted” request to be able to access encrypted data stored by Apple users worldwide in its cloud service.

Senator Ron Wyden and Congressman Andy Biggs have written to national intelligence director Tulsi Gabbard saying the demand threatens the privacy and security of the US.

They urge her to give the UK an ultimatum: “Back down from this dangerous attack on US cybersecurity, or face serious consequences.”

The BBC has contacted the UK government for comment.

“While the UK has been a trusted ally, the US government must not permit what is effectively a foreign cyberattack waged through political means”, the US politicians wrote.

If the UK does not back down Ms Gabbard should “reevaluate US-UK cybersecurity arrangements and programs as well as US intelligence sharing”, they suggest.

The request for the data emerged last week.

It applies to all content stored using what Apple calls “Advanced Data Protection” (ADP).

This uses end-to-end encryption, where only the account holder can access the data stored. Apple itself cannot see it.

It is an opt-in service, and not all users choose to activate it.

The demand was first reported by the Washington Post, quoting sources familiar with the matter, and the BBC has spoken to similar contacts.

The Home Office said then: “We do not comment on operational matters, including for example confirming or denying the existence of any such notices.”

Apple declined to comment, but says on its website that it views privacy as a “fundamental human right”.

The order has been served by the Home Office under the Investigatory Powers Act, which compels firms to provide information to law enforcement agencies.

Under the law, the demand by the Home Office cannot be made public.

Senator Wyden and Congressman Biggs say agreeing to the request would “undermine Americans’ privacy rights and expose them to espionage by China, Russia and other adversaries”.

They state that Apple does not make different versions of its encryption software for each country it operates in and, therefore, Apple customers in the UK will use the same software as Americans.

“If Apple is forced to build a backdoor in its products, that backdoor will end up in Americans’ phones, tablets, and computers, undermining the security of Americans’ data, as well as of the countless federal, state and local government agencies that entrust sensitive data to Apple products.”

The move by the UK government has stunned experts and worried privacy campaigners, with Privacy International calling it an “unprecedented attack” on the private data of individuals.

However the US government has previously asked Apple to break its encryption as part of criminal investigations.

In 2016, Apple resisted a court order to write software which would allow US officials to access the iPhone of a gunman – though this was resolved after the FBI were able to successfully access the device.

That same year, the US dropped a similar case after it was able to gain access by discovering the passcode of an alleged drug dealer.

Similar cases have followed, including in 2020, when Apple refused to unlock iPhones of a man who carried out a mass shooting at a US air base. The FBI later said it had been able to “gain access” to the phones.

It is understood that the UK government does not want to start combing through everybody’s data.

Rather it would want to access it if there were a risk to national security – in other words, it would be targeting an individual, rather than using it for mass surveillance.

Authorities would still have to follow a legal process, have a good reason and request permission for a specific account in order to access data – just as they do now with unencrypted data.

Apple has previously said it would pull encryption services like ADP from the UK market rather than comply with such government demands – telling Parliament it would “never build a back door” in its products.

WhatsApp, owned by Meta, has also previously said it would choose being blocked over weakening message security.

But even withdrawing the product from the UK might not be enough to ensure compliance – the Investigatory Powers Act applies worldwide to any tech firm with a UK market, even if they are not based there.