Apple and the long secret arm of the UK Government

Edit: 13 March 2025 - You can find more about what happened next on our case page

On February 21st, Apple disabled their ‘advanced data protection’ service for UK customers. That means no-one in Great Britain can now enable a powerful security safeguard that people who use Apple devices everywhere else on the planet can: user controlled end-to-end encryption of stored data.

This is likely in response to a disturbing secret government power. Well, that’s what we think happened. We can’t know for sure.

The UK Government has given themselves the power to serve companies anywhere in the world notices that order them to undermine the security of their users, products, or services in secret. The company can’t tell anyone, they can’t even publicly say they’ve received one. They can’t say if they disagree, they can’t let users know they’ve been affected, and they can’t question the power in open court because the secret order is, well, secret. The notice affects millions of people, who aren’t allowed to find out it exists.

All that we actually know for sure is this: people in Great Britain will not be able to turn on this security safeguard anymore, and that their data is less secure than the data of Apple users elsewhere.

Leak

As a result of a leak to the Washington Post on February 5 2025, we can assume this is because Apple have received one of these secret notices.

This power has existed since 2016, however this is the first time we’re aware of it being used. Whoever leaked it’s existence has committed a criminal offence under Investigatory Power Act.

For more of our work against this extreme power see our 2023 submission.

Apple can’t say it’s received the order because that would be an offence. Even talking to lawyers to challenge the order will be difficult because they can’t say it exists. They can’t even say if they’re complying or contesting it.

This is evidenced by the UK Government’s response to global media requests asking how and why this could affect people around the world: “We do not comment on operational matters, including for example confirming or denying the existence of any such notices.”

Apple warned Parliament about what it might do when Parliament was deciding to approve expansions of the secret power in 2023.

“Under the current law, the [United Kingdom’s Government (UKG)] can issue a ‘Technical Capability Notice’ that seeks to obligate a provider to remove an ‘electronic protection’ to allow access to data that is otherwise unavailable due to encryption. In addition, the Secretary of State (‘SoS’) has been granted the further authority to prohibit the provider from disclosing any information about such a requirement to its users or the public without the SoS’s express permission. Moreover, the IPA purports to apply extraterritorially, permitting the UKG to assert that it may impose secret requirements on providers located in other countries and that apply to their users globally. Together, these provisions could be used to force a company like Apple, that would never build a backdoor into its products, to publicly withdraw critical security features from the UK market, depriving UK users of these protections.”(emphasis added by us)

We can do the arithmatic and presume that thanks to media coverage and Apple’s foreshadowing, that this is what has now happened.

This means we are now able to openly discuss the secret order that would be criminal to disclose, while the government that issued an order affecting millions of people will neither confirm nor deny it’s existence, even when the whole world is talking about it.

This order applies globally. Our guess is that this move by Apple is perhaps designed to try to limit the damage, and not undermine security for all of their customers.

Unfortunately only outrage works now

We tried to stop this secret power from becoming enshrined in law in 2016.

We’ve repeatedly litigated repeatedly against a series of extraordinary powers held by the UK Government - but because this one is secret when its issued, it’s really hard for us to act.

We must all use these rare public opportunities to call out this extraordinary power. No government should be able to suspend security for users anywhere - whether in their country or affecting users world-wide.

This is just the first step by Governments. If the UK Government is allowed to get away with this absurd case, then what’s absurd will have to become an operational norm.

At the moment you can choose to download other storage apps in the App Store and that grant you full control over your encryption choices, on a range of other providers’ servers. But there is no guarantee that those won’t be targeted next or already have been.

The reality is that, unless something changes, we will never know what is secure for sure, because it’s all done by secret order by a ‘democratic’ government.

Read why PI believes that the UK Government’s secret power to undermine security everywhere is ridiculous, and disturbing.