PI’s opinion: How the UK Government is making security harder for everyone

PI believes that the UK Government’s secret power to undermine security everywhere is ridiculous, and disturbing.


Imagine this: a power that secretly orders someone anywhere in the world to comply, and the recipient can’t tell anyone, can’t even publicly say if they disagree, and can’t really question the power in open court because the secret order is, well, secret. Oh, and that power affects billions of people’s security and their data. And despite being affected, we too can’t question the secret order.

In this piece we will outline the ridiculous, the absurd, and the downright disturbing about what’s going on.

All that we actually know is this: all people in Great Britain today will not be able to turn on a security safeguard that people who use Apple devices everywhere else on the planet can: end-to-end encryption of stored data.

As a result of a leak to the Washington Post on February 5 2025, we can assume this is because the UK Government has used its power to issue secret orders against companies anywhere in the world to reduce or undo or even not implement security.

But, even we don’t really know for sure.


Among the myriad of surveillance powers it already possesses, the UK government wants the power to stop companies - anywhere in the world - from making security improvements to their services without approval. To fall under this power, the company only has to service UK users, and yet the effects will be felt by every user, everywhere.

Now, we’re in a good position to understand what’s going on. We’ve been fighting this secret power since its earliest incarnations (arguably the 1990s) and monitor such laws arising elsewhere (to our knowledge no other Parliament has ever allowed its government to use such extreme powers post-WWII). But even for us, it’s hard to say.

Any such order would be secret. Apple can’t say it’s received the order because that would be an offence under this law - the Investigatory Powers Act. Even talking to lawyers would be hard, because you can’t quite say such an order exists. They can’t even say if they’re complying or contesting it.

And the Government won’t tell either. In response to global media requests asking how and why this could affect millions of people around the world, all they will say is: “We do not comment on operational matters, including for example confirming or denying the existence of any such notices.”

Ridiculous

The implicated technology for this specific order appears to be encrypted file storage on iCloud through the ‘Advanced Data Protection’ option. At the moment the order does not affect the other encrypted services that Apple provides such as encrypted messaging, keychains, or devices.

Put more simply, a photo taken on an iPhone is immediately encrypted on that device - this protects it from thieves and hackers. That photo, sent over iMessage to family members, is encrypted in transit to those family members - protecting it from people it wasn’t sent to.

Those are all end-to-end encrypted, secured so that no one can exploit your data. If anyone in that family decides to store that photo on iCloud, then they can choose for it also to be end-to-end encrypted with a flip of a switch. This means that no-one, not even Apple, can view it. Note that, surprisingly, this feature is not enabled by default, and that’s frustrating, especially when it comes from a company that claims privacy to be one of its core values. Though now we think this order from the UK Government may be part of the explanation why it isn’t on by default. Until it is on, your data sits on Apple servers encrypted to keys held by Apple.

The UK Government aren’t targeting the photo or the message - yet. They’re targeting the switch. That’s what the UK government want access to, for everyone in the world. It doesn’t matter what you store, it doesn’t matter where you live - the British government are coming for your ability to use this function to secure your data. But we don’t know for sure, because we haven’t seen the order.

Absurd

Here’s the absurd: as of yesterday, if that family is based in the UK, that switch no longer exists.

According to the Washington Post, “British customers who already have Advanced Data Protection will be warned later to disable it or lose access to iCloud.”

So, British users lose access to a service we are legally allowed to use (encryption) because of a secret order by the UK Government. Put another way, the UK Government cannot legally stop people from using encryption, but they want to make it really really hard.

Apple even warned Parliament that this is what they would do, when Parliament were deciding to approve expansions of the secret power in 2023.

“Under the current law, the UKG can issue a ‘Technical Capability Notice’ that seeks to obligate a provider to remove an ‘electronic protection’ to allow access to data that is otherwise unavailable due to encryption. In addition, the Secretary of State (‘SoS’) has been granted the further authority to prohibit the provider from disclosing any information about such a requirement to its users or the public without the SoS’s express permission. Moreover, the IPA purports to apply extraterritorially, permitting the UKG to assert that it may impose secret requirements on providers located in other countries and that apply to their users globally. Together, these provisions could be used to force a company like Apple, that would never build a backdoor into its products, to publicly withdraw critical security features from the UK market, depriving UK users of these protections.” (emphasis ours)

But, the order applies globally. So our guess is that this move by Apple is perhaps designed to try to stop it from affecting every one of their users.

Unfortunately only outrage works now

So, we can do the math and presume that - thanks to media coverage and Apple’s foreshadowing to Parliament - we can now openly discuss this secret order that would be criminal to disclose, while the government that issued the order affecting millions if not billions of people neither confirms nor denies the existence of this chilling order, even when the whole world is talking about it.

We tried to stop the secret order power from becoming enshrined in law in 2016. We’ve litigated repeatedly against a series of extraordinary powers held by the UK Government - but because this one is secret when it is issued, it’s really hard for us to act.

We must all use these rare public opportunities to call out this extraordinary power. No government should have the power to suspend security, or to halt security innovation, for users anywhere – whether in their country or affecting users world-wide.

This is just the first step by Governments. If the UK Government is allowed to get away with this absurd case, then they will shift to full implementation. At the moment that family can choose to download other apps in the App Store and properly encrypt their storage on a range of other providers’ servers - probably 5 button pushes rather than 1. Those services will be targeted next.

If they aren’t targeted, then this is the most outrageous thing about this order: the UK Government knows it can’t stop security, but it can stop it from being easy for most people. So who are the only ones with security at the end of the day? People willing to click 5 times rather than only once.

And if all the other services are targeted (or have been already and complied in secret without the Washington Post uncovering it), then the UK Government will be responsible for undermining global information security at a time when the world needs it most. And none of us might ever find out, or we might end up waiting for the next press leak to tell us which security-conscious company the UK Government is after this month, so we can move to the few that are left.

Finally, the reality is that we will likely never really know if this comes to pass because it’s all done by secret order. From a democratic government.

Now we know these orders can apply to any security improvement to any system anywhere in the world. So imagine a future where there is a huge data breach. In the past we could presume the service provider wasn’t prioritising security that could have prevented the breach. But now we have to also assume that maybe that company wanted to secure the systems but one government far away had secretly ordered them not to do so. A democratic government.