Top cryptography experts join calls for UK to drop plans to snoop on Apple’s encrypted data

The Home Office’s intervention has raised alarm bells among members of congress in the US, who have raised concerns that the move will weaken the security and privacy of ordinary American citizens as well as government officials and government agencies that use Apple computers and iPhones for official business.

Apple introduced its Advanced Data Protection for iCloud (APD) as an optional security feature in December 2022. It allows users to extend Apple’s end-to-end encryption from messaging to personal data, including photos, notes and iCloud backups, offering according to Apple, invaluable protection for users’ private information from threats to data security.

Risk to UK data sharing with EU

Robin Wilton, senior director of the Internet Society, one of the signatories to the letter, said that the Home Office’s plans could threaten Britain’s data protection adequacy status with the EU, potentially disrupting the exchange of data between companies in the UK and the EU.

“The UK government has insisted not only on accessing Apple’s data, but insisted on access to it even after it reaches the United States. That raises questions whether the UK can retain its adequacy under GDPR,” he told Computer Weekly.

In an open letter prepared by the Global Encryption Coalition, a network of civil society groups, businesses and trade associations, cyber security experts warn that the UK’s move to create a back-door into people’s personal data jeopardises the security and privacy of millions of people, undermines the UK tech sector and sets a dangerous precedent for global cyber security.

The letter has been signed by prominent cyber security experts, including cryptographer Phil Zimmerman, inventor of the email encryption software PGP, Ronald Rivest one of the inventors of the RSA encryption algorithm, cybersecurity author Bruce Schneier, and

David R. Jefferson, former supercomputer scientist at the US Lawrence Livermore National Laboratory. It remains open for further signatures until 20 February.

UK tech industry will suffer reputational damage

The letter warns that the move by the UK government to secretly undermine the security of Apple’s encrypted storage, creates the risk that Apple and other technology companies may pull their services out of the UK just as the UK government is stressing the role of tech companies in boosting economic growth.

“For some global companies, they may choose to leave the UK market rather than face the global reputational risks that breaching the security of their products would entail. UK companies will also suffer reputational damage, as foreign investors and consumers will consider whether their products are riddled with secret UK government-mandated security vulnerabilities,” it warns.

Leaks to the Washington Post revealed that the Home Office issued a Technical Capability Notice (TCN), under Section 253 of the Investigatory Powers Act 2016 requiring Apple to provide access to encrypted data stored by Apple users anywhere in the world on its iCloud service. 

If the move succeeds, it would mean “the world’s second-largest provider of mobile devices would be built on top of a system security flaw, putting all of its users’ security and privacy at risk, not just in the UK but globally.”

Risk to UK national security

The letter warns that government moves against encryption, threaten to undermine the UK’s national security. 

“For national security professionals and government employees, access to end-to-end encrypted services allows them to safeguard their personal life. Ensuring the security and privacy of government officials is vital for helping prevent extortion or coercion attempts, which could lead to greater national security damage,” it says.

According to the letter, the consensus among cybersecurity experts is that there is no way to provide government access to end-to-end encrypted data without breaking end-to-end encryption.

It cites Ciaran Martin, former director and founder of the UK government’s National Cyber Security Centre, part of GCHQ, who wrote in a 2021 paper that “E2EE [end-to-end encryption] must expand, legally unfettered, for the betterment of our digital homeland.”

Undermining the confidentiality of cloud services would have a harmful impact on people at the greatest risk, including families, survivors of domestic violence, and LGBTQ+ individuals, the letter argues. “For these and other groups, the confidentiality guaranteed by end-to-end encryption can be critical in preventing harassment and physical violence,” it says.

International human rights bodies have recognised the importance of end-to-end encryption to enable people to communicate and express their views safely and securely, the signatories argue. The European Court of Human Rights has confirmed the importance of anonymity in “promoting the free flow of ideas and information” including protecting people from reprisals for their views.

In a landmark case in February 2024, the ECHR found that an order issued by Russia to the messaging app, Telegram, requiring it to disclose technical information including encryption keys breached human rights law.

“To ensure the national and economic security of the United Kingdon, the Home Office must end its technical capability notice forcing Apple to break its end-to-end encryption,” the letter states. 

Human rights groups that have signed the letter include Article19, Access Now, Digital Rights Ireland, Privacy International and Big Brother Watch.