The Dangers Lurking in the U.K.’s Plan for Electronic Eavesdropping

Susan Landau
Tuesday, February 25, 2025, 10:18 AM

Were Apple to accede to the U.K. government’s requirements, we would all be less secure.

Published by The Lawfare Institute
in Cooperation With
Brookings

On Feb. 7, the Washington Post reported that U.K. security officials demanded that Apple provide access to encrypted iCloud material regardless of the data’s location. This technical capability notice requires that Apple be able to:

provide and maintain the capability to—
(a) disclose the content of communications or secondary data in an intelligible form where reasonably practicable;
(b) remove electronic protection applied by or on behalf of the telecommunications operator to the communications or data where reasonably practicable.

In particular, since users only rarely supply their own cryptographic systems, this means that Apple’s Advanced Data Protection for iCloud (ADP), which provides end-to-end encryption with user-supplied keys, must be breakable by Apple. This is a contradiction in terms; end-to-end encrypted communications are designed so that only the sender and the receiver can read them. ADP is set up so that the user’s devices—and only the user’s devices—have access to data stored in the iCloud. It’s a terrific form of security. But that’s not how His Majesty’s government sees it. The order, issued in the name of national security, requires that Apple provide access to iCloud data no matter where in the world the data resides.

Were Apple to accede to the U.K. government’s requirements, we would all be less secure. Sophisticated criminals would take the extra steps necessary to secure their data; after all, there is nothing that any government can do to prevent that. Instead, it would be the general public—those for whom data security isn’t a top priority in their daily lives—who would be at risk.

This would set a terrible precedent for cybersecurity. It is, however, the U.K. law. So Apple has responded in the only sensible way it could: new U.K. users no longer have access to ADP protection and current ones will lose ADP protections soon. This doesn’t necessarily satisfy the U.K. requirement, which is access to iCloud data for any user in the world. But if the U.K. government is able to receive the data with the electronic protections stripped off, then so is any other nation in the world. History shows that if a backdoor is put into a “secured” communications system, then adversaries can find a way in. Two instances are wiretap-compliant switches in Greece and a commercial firewall—but there are many, many more. Our partners across the pond appear not to have taken to heart those lessons or that of Salt Typhoon.

In October 2024, media outlets reported that Chinese hackers penetrated U.S. telecommunications services and internet service providers (ISPs). They accessed the system storing law-enforcement wiretapping orders, thus providing the Chinese government and its allies with information on which foreign agents have been exposed. As I wrote in Lawfare last fall, this is “an intelligence failure roughly on par with putting Kim Philby in charge of the FBI’s Russia counterintelligence office.” The foreign adversaries also targeted phones of the 2024 presidential campaigns, including those of the candidates. In addition, they were able to access unencrypted text messages and, in some cases, access voice calls.

Vulnerabilities in the telephone signaling systems allowed entry into the phone networks. As I also described in Lawfare, greater centralization of wiretapping capabilities that were a result of the Communications Assistance for Law Enforcement Act simplified the Chinese hackers’ ability to determine targets of U.S. wiretap orders. Lack of end-to-end encryption enabled their reading of text messages. In response, the “Four Eyes”—the Five Eyes, the intelligence alliance of Australia, Canada, New Zealand, the United Kingdom, and the U.S. with the U.K. declining to participate—issued guidance on securing communications, including, “Ensure that traffic is end-to-end encrypted to the maximum extent possible.”

Apple’s development of ADP supports society’s security and human rights, something the U.K. requirements fail to value. Do consumers need such strong protections? Absolutely. The politician’s daughter wants assurance that the photos of her and her lover are protected against the efforts of those who want to embarrass her father. A remote worker needs to know her documents in the cloud are secured from snoopers as she transits borders. Journalists, human rights workers, and other members of civil society need to be able to keep their files secure from spies, foreign and domestic. The security needs that ADP fills are for all of society. And yes, the bad guys will use this too and thus be harder to catch. But blocking the masses from good security to simplify the catching of criminals, the best of whom would nonetheless find ways to thwart surveillance, is poor public safety practice. U.K. security officials should know better.

The failure to recommend the use of end-to-end encryption for securing communications is not the only way the U.K. is an outlier on securing people’s information. The 2024 Investigatory Powers Act allows British intelligence agencies to conduct “bulk” collection of communications records: the who, when, and with whom of phone calls and emails. A 2016 U.K. government report on the operational case for bulk collection has some anecdotal claims on why such collection is important.

I don’t buy it. The first of Edward Snowden’s disclosures on National Security Agency (NSA) surveillance was a U.S. Foreign Intelligence Surveillance Court order requiring Verizon to provide the government with the telecommunications records of all calls within its system that were within the U.S. or between the U.S. and another nation. Communications metadata—who calls whom when and for how long (and what IP address communicates with another)—can be remarkably revelatory, exposing the organization of a terrorist group, a person’s plans to grow marijuana, or uncovering a CIA agent and informants.

The U.S. intelligence community had not anticipated the public uproar that ensued with the disclosure of the bulk metadata collection program. President Obama sought to calm the situation by explaining that no content was being accessed under the bulk metadata collection; public opinion was not assuaged. The president created a high-level advisory committee to review U.S. surveillance technologies with an eye to maintaining public trust. The committee’s report recommended ending the bulk communications data collection program, then authorized under Section 215 of the USA Patriot Act. The Privacy and Civil Liberties Oversight Board (PCLOB), an independent agency of the U.S. government, studied the program in detail. The board’s ability to dispassionately conduct a detailed examination of the program’s results was invaluable to making decisions about the worth of the program. PCLOB’s report noted:

[W]e have not identified a single instance involving a threat to the United States in which the telephone records program made a concrete difference in the outcome of a counterterrorism investigation. Moreover, we are aware of no instance in which the program directly contributed to the discovery of a previously unknown terrorist plot or the disruption of a terrorist attack. And we believe that in only one instance over the past seven years has the program arguably contributed to the identification of an unknown terrorism suspect. In that case, moreover, the suspect was not involved in planning a terrorist attack and there is reason to believe that the FBI may have discovered him without the contribution of the NSA’s program.

The PCLOB report then recommended:

The Section 215 bulk telephone records program lacks a viable legal foundation under Section 215, implicates constitutional concerns under the First and Fourth Amendments, raises serious threats to privacy and civil liberties as a policy matter, and has shown only limited value. As a result, the Board recommends that the government end the program.

The NSA’s collection of bulk domestic communications metadata ended after the passage of the USA Freedom Act of 2015. The government could still obtain the communication records, with the records stored at the communications providers, not at the NSA. Within a few years the program ended. First, the NSA observed “technical irregularities” in the collection and deleted several years’ worth of collection. Shortly afterward, the NSA abandoned the program entirely; it simply wasn’t efficacious. Yet here is the U.K. determined to do bulk communications collection.

Despite the Salt Typhoon breach and the lack of efficacy of bulk communications records, His Majesty’s government is nonetheless determined to collect it all. This is a different approach than that taken by the U.S., which has recently acted on the national security risks of access to personal data. A recent regulation forbids the sale of bulk personal data and government data to countries of concern. While the U.K. is not providing iCloud data or call detail records to its adversaries, the nation’s choice to block first-class security on iCloud data and to collect and store personal information that could, at some point, fall into the wrong hands is shortsighted and not in the best interests of security.

The best security stance is to secure all the data you can as best you can, just as Apple has designed with ADP. Collect only what is efficacious, since the more you collect, the more that can leak. U.K. security officials are ignoring these fundamental precepts at their peril, and with their effort to do so in Apple’s Advanced Data Protection for iCloud, potentially endangering the safety and security of themselves and many others across the globe at the same time.

Acknowledgement: This post benefited from comments by Josh Benaloh.


Susan Landau is Professor of Cyber Security and Policy in Computer Science, Tufts University. Previously, as Bridge Professor of Cyber Security and Policy at The Fletcher School and School of Engineering, Department of Computer Science, Landau established an innovative MS degree in Cybersecurity and Public Policy joint between the schools. She has been a senior staff privacy analyst at Google, distinguished engineer at Sun Microsystems, and faculty at Worcester Polytechnic Institute, University of Massachusetts Amherst, and Wesleyan University. She has served at various boards at the National Academies of Science, Engineering and Medicine and for several government agencies. She is the author or co-author of four books and numerous research papers. She has received the USENIX Lifetime Achievement Award, shared with Steven Bellovin and Matt Blaze, and the American Mathematical Society's Bertrand Russell Prize.