Facing pressure from the United States, Apple and dozens of industry advocates, including the Global Encryption Coalition, the United Kingdom has backed down from its January 2025 order requiring Apple to offer a backdoor to its encrypted cloud data.The news came at 10 p.m. Eastern, Aug. 18, as Tulsi Gabbard, US Director of National Intelligence (DNI), said in a post on X that the UK had agreed to drop its mandate for Apple to offer a backdoor that the US government claimed would have let bad actors violate the privacy of American citizens. Digital privacy advocates worldwide have long claimed that allowing any government to have a backdoor to encrypted data would be a dangerous move in the internet era, creating vulnerabilities that would let would-be bad actors and nation-states gain access to the personal data of ordinary citizens.“If reports are true, it’s good that the British government has dropped its demand for a backdoor into Apple’s optional end-to-end encryption feature,” said Thorin Klosowski, security and privacy activist at the Electronic Frontier Foundation (EFF). “Any encryption backdoor built for government puts everyone at greater risk of hacking, identity theft, and fraud. EFF has always stood against government intrusion into the private lives of users and advocated for strong privacy guarantees, including the right to confidential communication.”Casey Ellis, founder at Bugcrowd, was also very pleased to see the UK back down on its backdoor order.“It's good to see this getting reversed,” said Ellis. “Deliberately weakening the security posture of everyone to enable the surveillance of a few is a universally bad solution, prone to unintended exploitation by cybercriminals and hostile states, over-reach, and creeping abuse. Encryption is essential for civil liberty, and backdoors undermine security for everybody.”Technically, the UK issued what’s called a technical capability notice (TCN) to Apple under its Investigatory Powers Act of 2016. It required Apple to provide UK authorities access to encrypted user data, including cloud backups. In effect, the TCN pushed Apple to build a backdoor into its end-to-end encrypted cloud services.In introducing its Advanced Data Protection (ADP) service in 2023, Apple made cloud backups only viewable on Apple devices. So, to comply with the TCN, Apple simply opted to turn off the ADP feature for UK users.Efforts to reach Apple for comment on the case as well as find out if they planned to turn the ADP feature on for UK users were unsuccessful.In response to the ongoing events around the UK backdoor order, Nojeim said Congress needs to amend the CLOUD Act in the following three ways:Nojeim added that whatever they do, Congress must "outlaw" data security agreements that let the government issue encryption backdoor orders, claiming they will open up unwanted vulnerabilities."Backdoors can create vulnerabilities that will be exploited by the bad guys," said Nojeim.
Apple’s been here before
A backdoor into an Apple device became a big issue following the Dec. 2, 2015, terrorist attack in San Bernadino that killed 14 people and wounded another 22.As part of its investigation, the FBI obtained a search warrant for an encrypted Apple iPhone 5c. The FBI wanted Apple to write software to get around the encryption, but Apple refused.“I was at the 2016 RSA conference when Attorney General Loretta Lynch addressed the issue of the San Bernardino attack,” said Morgan Wright, senior fellow at the Center for Digital Governemnt. “She said that no one company has the right to define the national security policy of the United States. In her prepared remarks, she talked about the specific issue of the conflict between the [then-emerging] US and UK encryption law, and how it puts companies in legal jeopardy for failing to comply because of US law, and how the UK could not pass laws restricting the freedom of speech of Americans."Wright pointed out that now the DNI is pushing back on the UK once again, getting them to drop the TCN.“Would the FBI and the US intelligence community love to have access to the encrypted communications of our adversaries?” posed Wright. “Yes. But to enable it for one group, it would be enabled for all groups, and that appears to be a bridge too far at this point.”Gregory T. Nojeim, director of the security and surveillance project at the Center for Democracy and Technology (CDT), explained to lawmakers before the House Judiciary Committee on June 5, 2025, that the UK was encouraged to issue the TCN under the CLOUD Act of 2018.In his testimony, Nojeim said the CLOUD Act did two primary things:- It granted US law enforcement agencies new powers to compel US companies to disclose communications and data on US and foreign users that’s stored overseas when the US companies can exercise control over that data;
- The law empowered DOJ — without congressional approval — to enter into executive agreements with foreign countries through which US providers can disclose user data, from storage and in real time, directly to foreign states under the laws of those foreign states, subject to certain requirements.
- Require that all foreign surveillance orders under the CLOUD act should be authorized by a court or another independent tribunal.
- Make the factual basis for a surveillance order much stronger; today’s language around the evidentiary standard is too vague.
- Foster more transparency and notice, for example, by not putting companies under gag orders that bar them from revealing they have received such orders.




