UK Gov Pushes AGAIN For iCloud Backdoor


The UK government has reportedly issued a fresh order instructing Apple to enable access to encrypted iCloud backups for British users, narrowing an earlier demand that had sought global access.

The New Order

According to reports in the Financial Times, the Home Office served Apple with a new Technical Capability Notice (TCN) in early September requesting a mechanism to access encrypted cloud backups for UK citizens. TCNs are formal notices issued under the Investigatory Powers Act 2016, a law that grants UK authorities the power to compel technology companies to make technical modifications to support lawful access to data.

The September notice reportedly differs from an earlier version issued in January by limiting the demand to British users only. The original order had requested access to encrypted iCloud data for users globally. At the time, that broader approach prompted some diplomatic and legal pushback, particularly from the United States.

How This One Differs From January’s Demand

The first TCN issued by the UK government sought a capability to unlock encrypted iCloud backups for any Apple user, regardless of nationality, if the user had enabled Apple’s Advanced Data Protection (ADP) feature. ADP is an optional setting that allows iCloud backups and other key data to be protected with end-to-end encryption, meaning not even Apple can decrypt the data.

That earlier order triggered an international dispute, with senior figures in the US government accusing the UK of overreach. In August, US Director of National Intelligence Tulsi Gabbard told the FT that the UK had “agreed to drop” its demand that would have affected US citizens’ protected data.

This latest September order appears to be a UK-only version that avoids direct infringement on US users’ rights, but the technical implications are still contested.

Apple’s Position

Apple has repeatedly rejected the idea of building a backdoor into any of its systems. In a statement responding to the latest reports, the company said: “As we have said many times before, we have never built a back door or master key to any of our products or services and we never will.”

Blocked

Since February, Apple has blocked new users in the UK from enabling Advanced Data Protection, and has said existing users will eventually be required to disable it to continue using iCloud. A company support page confirms that ADP remains unavailable in the UK, although it is still offered in other regions, including the US and the EU.

ADP expands the categories of iCloud data protected by end-to-end encryption from 14 to 23, e.g. covering device backups, Photos, Notes and more. Without it, Apple holds the encryption keys, allowing the company to comply with valid legal requests for data access. With ADP, only the user has the key, and data can only be decrypted on that user’s trusted devices.

What The Home Office Says

The Home Office has not confirmed the existence of the order. In a statement, a government spokesperson said: “We do not comment on operational matters, including, for example, confirming or denying the existence of any such notices. We will always take all actions necessary at the domestic level to keep UK citizens safe.”

UK officials have consistently argued that encrypted technologies (and apps) can obstruct investigations into serious crimes, terrorism, and child sexual abuse, and that investigative capabilities must evolve in line with technological change.

The Legal Process And The Secrecy Fight

Apple has challenged aspects of the January TCN through the Investigatory Powers Tribunal (IPT), which is a specialist UK court that hears complaints about surveillance powers. In April, the IPT ruled against the Home Office’s attempt to keep the proceedings entirely secret, confirming Apple as the complainant and the Home Secretary as the respondent.

Campaign groups including Privacy International and Liberty have also mounted linked legal challenges, arguing that forcing Apple to weaken its encryption undermines users’ privacy and security. Those cases were due to be heard early next year, but the revised September order may now restart parts of the legal process.

Why This Is So Contentious (In Technical Terms)

End-to-end encryption ensures that data is only readable by the intended user. Critics of the UK’s approach say any attempt to introduce a backdoor, no matter how narrowly defined, undermines this principle and creates a new vulnerability. Many critics argue that if Apple breaks end-to-end encryption for the UK, it effectively breaks it for everyone, and that the resulting vulnerability could be exploited by all manner of bad actors, e.g. hostile states, cybercriminals and more.

Technical experts also argue that encryption systems can’t be designed with selective access for law enforcement without also weakening defences against broader threats. This has been a long-standing argument in the encryption debate, and is echoed by cryptographers, industry bodies and digital rights advocates.
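
A simplified model of the key-custody difference described above (provider-held keys versus user-only keys under ADP), added here as an illustration; it is not Apple's implementation and not part of the original article. The toy cipher and every name in it (`store_backup`, `try_read`, `DEVICE_KEY`, `PROVIDER_KEY`) are assumptions made for the example.

```python
import hashlib, hmac, secrets

def _mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor(key, nonce, data):
    # Keystream = HMAC(key, nonce || counter); XOR it over the data.
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(_mac(key, nonce + i.to_bytes(4, "big")) for i in blocks)
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, data):
    """Toy encrypt-then-MAC; a stand-in for a real AEAD, not for production."""
    nonce = secrets.token_bytes(16)
    ct = _xor(_mac(key, b"enc"), nonce, data)
    return nonce + ct + _mac(_mac(key, b"mac"), nonce + ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _mac(_mac(key, b"mac"), nonce + ct)):
        raise ValueError("wrong key or modified data")
    return _xor(_mac(key, b"enc"), nonce, ct)

def store_backup(data, key_holders):
    """Encrypt under a fresh data key, then wrap that key once per key holder."""
    data_key = secrets.token_bytes(32)
    return {"blob": seal(data_key, data),
            "wrapped": [seal(k, data_key) for k in key_holders]}

def try_read(record, key):
    """Return the plaintext if `key` unwraps a copy of the data key, else None."""
    for wrapped in record["wrapped"]:
        try:
            return unseal(unseal(key, wrapped), record["blob"])
        except ValueError:
            continue
    return None

# Constructed sample keys and data (assumptions for this example).
DEVICE_KEY = secrets.token_bytes(32)    # exists only on the user's trusted device
PROVIDER_KEY = secrets.token_bytes(32)  # held by the cloud provider
BACKUP = b"constructed sample backup contents"
standard = store_backup(BACKUP, [DEVICE_KEY, PROVIDER_KEY])  # provider can decrypt
e2ee = store_backup(BACKUP, [DEVICE_KEY])                    # only the user can

if __name__ == "__main__":
    for name, rec in (("standard", standard), ("e2ee", e2ee)):
        print(name, "provider key reads backup:", try_read(rec, PROVIDER_KEY) is not None)
```

The check in `try_read` depends only on the key bytes presented, not on who presents them, which is the critics' point: a wrapped copy made for any additional holder is readable by whoever obtains that holder's key.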

The US Dimension

The earlier global demand strained relations between the UK and US governments. For example, key figures in President Trump’s administration, including Vice President JD Vance and DNI Tulsi Gabbard, reportedly urged the UK to abandon the request, warning that it could compromise data belonging to US citizens and damage transatlantic privacy agreements.

Technology cooperation and investment were also key topics during President Trump’s state visit to the UK in September. Around the same time, two US officials reportedly raised the Apple issue again. However, the FT has reported that the US is no longer pressuring the UK to rescind the latest order, which is most likely due to its narrowed scope.

Users

For now, UK users can’t newly enable Advanced Data Protection and those who already had it enabled before February are expected to lose access to the feature in the coming months. Apple has not set a public deadline, but its statement suggests existing users will eventually need to disable ADP to continue using iCloud services.

As noted earlier, the feature is designed to protect user data such as device backups, messages, photos, and documents, all of which are frequently targeted in data breaches. For example, when launching ADP, Apple cited industry research showing that global data breaches exposed more than 1.1 billion records in 2021, with personal data the most common target.

According to Apple’s own security whitepaper, even without ADP, iCloud still uses strong encryption standards and safeguards, but Apple retains the ability to decrypt data in response to a lawful request. With ADP enabled, by contrast, Apple itself can’t access the data, even if compelled by authorities.

Reactions

Privacy groups have condemned the new order as a dangerous precedent. For example, Liberty and Privacy International have both warned that undermining encryption could affect not just privacy but also national security, by creating a mechanism that could be exploited by hostile states and criminal networks.

The UK’s data and security sectors have also expressed concerns that these policies could make the UK less attractive for tech investment. Also, companies required to disable privacy features in one country may be less willing to roll out services there, or may find it harder to meet customer expectations around security and compliance.

How It’s Being Framed

That said, the UK government continues to argue that TCNs are an essential part of modern law enforcement. For example, the Investigatory Powers Act, which came into force in 2016 and is sometimes referred to as the “Snoopers’ Charter” by critics, enables agencies to issue notices requiring companies to maintain technical capabilities to support interception, access, or decryption of data when authorised by a warrant.

Supporters of the law argue that it brings transparency and legal oversight to digital investigations. Opponents, however, say it gives the state too much power to interfere with private systems and sets dangerous global precedents. It’s worth noting here that the UK is one of only a few democracies that can legally issue binding demands to alter product security design.

What Does This Mean For Your Business?

It could be said that the revised order is a tactical retreat rather than a change of position. For example, by narrowing its demand to apply only to British users, the UK government has stepped back from the diplomatic tensions caused by its earlier global request, but the core issue remains basically unchanged. At the heart of this case is whether it’s technically and ethically possible to give law enforcement selective access to encrypted data without weakening protections for everyone.

For UK businesses, the implications are not just theoretical. A climate where privacy features are disabled or restricted by law could make the UK a less competitive market for privacy-conscious users and global technology providers. If firms like Apple are required to re-engineer core security features for one jurisdiction, others may follow suit or withdraw certain services altogether. This not only risks fragmenting digital service offerings but also complicates compliance strategies for businesses handling sensitive customer data.

For campaigners and civil society groups, the revised notice confirms their fears that UK authorities are continuing to seek access to encrypted systems by design. Their argument, echoed by technologists, is that any backdoor (even if limited to one region) introduces a broader vulnerability. Once a system can be compromised by one party, it is inherently more exposed to exploitation by others, whether state-sponsored attackers or criminal groups.

From Apple’s perspective, enabling a backdoor anywhere sets a precedent everywhere. The company has positioned itself as a defender of user privacy and security, and any concession in the UK could undermine that stance globally. Its refusal to offer even a limited workaround suggests it sees this issue not as a local policy dispute but as a line it is unwilling to cross.

Whether or not the Home Office ultimately enforces the order, this case highlights the ongoing tension between national security objectives and the technical realities of encryption. It also raises difficult questions about sovereignty in the digital age, specifically, to what extent one country can demand changes to global technologies that affect millions of users.

The Investigatory Powers Tribunal proceedings and linked legal challenges now take on renewed importance. With the order revised but not withdrawn, courts and campaigners will be watching closely to see how far the UK is willing to go to enforce access, and whether Apple is willing to comply. What happens next will shape the limits of lawful access not just in Britain, but in democratic societies worldwide.


Mike Knight