UK Government’s secret Apple data access order challenged by Privacy International and Liberty

The groups say that the move from the UK government will have ‘global consequences’, opening up a back door to billions of people’s personal data, including personal messages and documents, that could be accessed by hackers and oppressive governments. Liberty and Privacy International warn this would particularly impact marginalised groups, such as political dissidents and religious and LGBT+ communities, who could be targeted or put under surveillance.

Media reporting suggests that the TCN has worldwide effect. If that is correct, the TCN will impact the privacy rights of both UK and non-UK Apple users, say the claimants in legal complaints filed on Thursday 13 March.

The groups, Mr Hosein and Mr Wizner say they are direct victims of the decision. They have asked for their complaints to be joined to the complaint understood to have been made by Apple.

An urgent challenge has also been issued to the secrecy of a hearing it is understood will be held over the matter tomorrow, Friday 14 March 2025.

The TCN, apparently issued under section 253 of the IPA, requires Apple to remove or modify certain protections from material stored by Apple users on an advanced encrypted version of its cloud service, iCloud, giving the UK Government back-door access to the encryption that protects that data.

Seemingly rather than comply with the TCN, Apple has removed the Advanced Data Protection (ADP) encryption for UK users, which users had been able to opt into using since it was introduced in December 2022.

It is understood that a secret hearing tomorrow will hear an application by Apple to the Investigatory Powers Tribunal to challenge the TCN, although this has not been publicly confirmed by Apple or the Tribunal.

On behalf of Privacy International and Liberty, Leigh Day has filed submissions in the Investigatory Powers Tribunal calling for the secrecy order to be removed and arrangements made for the hearing to be held in public. Privacy International and Liberty are also challenging the TCN process, where the relevant notices are issued secretly, including on the basis that this breaches privacy and free expression rights.

The campaign groups say the hearing, whose existence only became known through press leaks, should be held in public. Whatever will be aired in the meeting should be open to public scrutiny, say the groups. 

ADP allows Apple iCloud users to have their data secured so only the users can access the data. If reports about the TCN are correct, this may be the first time a major democracy has ordered a technology company to deliberately weaken an end-to-end encrypted service.

Privacy International and Liberty fear this TCN, or similar TCNs in the future, could be used to undermine end-to-end encryption essential to the protection of privacy and free expression. Privacy International, Liberty, Mr Hosein and Mr Wizner say these protections are fundamental to their personal and professional lives.

The TCN affects rights of the people in this complaint, millions in the United Kingdom and potentially billions of others across the world as the geographic scope of the order is unclear. Other similar TCNs could exist and be issued in the future.

Privacy International and Liberty say giving users control of who can access their data is crucial, particularly for those whose jobs, beliefs or characteristics require enhanced security. Journalists, researchers, lawyers, civil society, and human rights defenders rely on encryption because it protects them and their sources, clients and partners, from surveillance, harassment and oppression.

They say access to secure and trustworthy end-to-end encryption services is crucial for those who are discriminated against, persecuted or criminalised because of who they are. Vulnerable populations such as religious minorities, LGBT communities, people living with HIV, or political opponents in authoritarian states are particularly dependent on the ability to form communities, communicate and build their lives in spaces without fear of repression or retribution and free of intrusion by powerful actors who may wish to do them harm.

The Claimants say the TCN is, very clearly, being used for a purpose that is not compatible with, and not permitted by, the Investigatory Powers Act.

They say the TCN does not meet the statutory requirements in the Regulations. In particular, encryption is a separate function carried out on a separate chip on a mobile phone, and is therefore separate from the telecommunications service being provided.

 

Privacy International, Liberty, Gus Hosein and Ben Wizner are represented by Tessa Gregory and Tom Short from Leigh Day who have instructed  Ben Jaffey KC  and Celia Rooney from Blackstone Chambers. 

 

 

“The UK's use of a secret order to undermine security for people worldwide is unacceptable and disproportionate. The challenge that PI, Liberty and the individual claimants file today aims to shed a light on this deeply troubling power.

 

People the world over rely on end-to-end encryption to protect themselves from harassment and oppression. No country should have the power to undermine that protection for everyone.”

 

“End-to-end encryption is an essential security tool that protects our personal data, including our bank details, health information, private conversations and images. It’d be an entirely reckless and unprecedented move from the UK Government to open up a back door to this data, and one that will have global consequences.

“This move shows a complete lack of understanding from the Government about how important our personal information is to us. Not only would any future government be able to access whatever they wanted, but it creates a door for hackers and foreign governments to access our private data too. This poses enormous threats to our privacy rights that we should all be concerned about. Human rights activists, LGBT+ communities and political dissidents from across the globe would all be at risk of being targeted if a backdoor is created.

“These plans have been universally criticised, from marginalised communities to tech firms to the US government and beyond. We need concrete guarantees from the UK Government that they won’t proceed with these plans.” 

 

 

“Our clients believe that the reported use of a Technical Capability Notice by the Home Secretary to force Apple to break open its encrypted data storage service is an issue that ought properly to be subject to public scrutiny. The Home Secretary’s position of neither confirming nor denying that that she has even served a TCN will raise alarm bells for anyone who relies on privacy for their work or in their personal lives. We hope the Investigatory Powers Tribunal will recognise that such a potential incursion into privacy should be the subject of open, public hearings.”