The United Kingdom has made a bold demand to Apple, purporting to require the company to create a backdoor to access encrypted cloud backups of all users worldwide. As reported by The Washington Post, this order, issued under the U.K.’s Investigatory Powers Act of 2016, dubbed the “Snoopers’ Charter,” mandates full access to encrypted material, setting off alarms for privacy advocates and tech companies alike. But could such a thing happen in the United States? And if not, why?
What the UK is Doing and Its Global Impact
The U.K. government has served Apple with a “technical capability notice” under the Investigatory Powers Act (IPA), which compels tech companies to assist in government surveillance operations. Unlike a typical warrant that seeks access to specific individuals’ data based on reasonable suspicion, this order demands blanket access to all encrypted cloud backups, effectively dismantling Apple’s end-to-end encryption protections worldwide. This is unprecedented among major democracies and threatens to undermine privacy rights on a global scale.
The demand not only applies to Apple’s services within the U.K. but extends to all users worldwide who utilize iCloud’s Advanced Data Protection feature. This would mean that users in countries with stronger data privacy laws, such as those under the EU’s General Data Protection Regulation (GDPR), could also see their data compromised. If Apple were to comply, it could set a precedent that authoritarian governments might exploit, demanding similar backdoor access under their national security justifications.
If that weren’t bad enough, let’s talk about what this means for U.S. companies and individuals. Apple is hardly the only company offering encrypted cloud storage. If Apple caves to the U.K., you can bet that Google, Microsoft and any other provider with encrypted services will face similar demands. And when that happens, data privacy won’t just be eroded — it will be obliterated. Governments worldwide will line up like kids at a candy store, each demanding their own special access key. The U.K. will have done the dirty work of setting the precedent, and everyone else, from authoritarian regimes to supposedly democratic allies, will happily exploit it.
How Apple Cloud Encryption Works and What Would Be Required to Bypass It
Apple’s iCloud encryption system, particularly with the Advanced Data Protection feature, is designed to provide end-to-end encryption for certain types of user data, ensuring that only the user holds the decryption key. Unlike standard encryption methods where Apple retains the ability to decrypt stored information, this enhanced security model prevents Apple — or any third party — from accessing protected backups without the user’s credentials.
For Apple to comply with the U.K.’s request under the IPA, it would need to fundamentally alter its encryption model in one of the following ways:
Creating a Master Decryption Key: Apple would have to introduce a universal key or escrow system that allows decryption of all user backups, fundamentally breaking the principle of end-to-end encryption. This would not only weaken security but also expose all iCloud users to potential abuse by hackers and other state actors.
Modifying the iCloud Encryption Architecture: Apple could be forced to alter how it generates and stores encryption keys, potentially requiring that keys be stored on Apple-controlled servers rather than being device-specific. This would make it easier for law enforcement to request access but would also introduce significant security vulnerabilities.
Implementing Government-Specific Backdoors: A jurisdiction-specific backdoor could be created, giving the U.K. government unique access without explicitly altering global encryption policies. However, this would still undermine Apple’s commitment to privacy and would likely lead to similar demands from other governments.
Compromising Device Security: If Apple cannot comply via iCloud changes, the U.K. could attempt to force modifications at the device level, such as requiring Apple to push software updates that covertly weaken encryption protections.
Any of these changes would compromise Apple’s security promises, potentially leading the company to withdraw Advanced Data Protection from the U.K. market to avoid compliance.
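The difference between the end-to-end design and the master-key design described above can be shown with envelope encryption. This is an added illustration, not Apple's implementation and not code from the original article; the function names and the `wrapped_for_*` record layout are hypothetical, and the cipher is a standard-library stand-in for a vetted AEAD such as AES-GCM.

```python
import hashlib, hmac, secrets

def _sub(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib-only stand-in for a vetted AEAD (e.g. AES-GCM).
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ks = _stream(_sub(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    return nonce + ct + hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def open_sealed(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("wrong key or modified data")
    ks = _stream(_sub(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

def backup(plaintext, user_key, escrow_key=None):
    """Build the record a server would store; it never receives user_key."""
    dek = secrets.token_bytes(32)                       # random per-backup data key
    record = {"ciphertext": seal(dek, plaintext),
              "wrapped_for_user": seal(user_key, dek)}  # end-to-end design stops here
    if escrow_key is not None:                          # master-key / escrow design
        record["wrapped_for_escrow"] = seal(escrow_key, dek)
    return record

def restore(record, key, slot):
    """Unwrap the data key from one slot, then decrypt the backup."""
    return open_sealed(open_sealed(key, record[slot]), record["ciphertext"])

def who_can_decrypt(record):
    """List every party holding a wrapped copy of the data key."""
    prefix = "wrapped_for_"
    return sorted(k[len(prefix):] for k in record if k.startswith(prefix))

if __name__ == "__main__":
    user, escrow = secrets.token_bytes(32), secrets.token_bytes(32)  # constructed keys
    for rec in (backup(b"sample backup", user), backup(b"sample backup", user, escrow)):
        print(who_can_decrypt(rec))
```

In the escrowed record the same escrow key unwraps every user's data key, so the confidentiality of all backups depends on how well that one key is protected.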
Could This Happen in the U.S.?
The short answer: Not exactly, but not for lack of trying. The U.K. demand is striking because it targets all users globally, rather than compelling access to a single suspect’s data. While the U.S. has not gone this far, there have been numerous attempts by federal agencies to undermine encryption, including proposals like the Clipper Chip in the 1990s, the USA PATRIOT Act’s surveillance expansions, and more recently, the USA CLOUD Act. The Communications Assistance for Law Enforcement Act (CALEA) required telecommunications providers to design their (then newly digital) networks in such a way that communications on them could be intercepted by law enforcement or intelligence agencies. The U.S. government has also pressured tech companies into facilitating access to encrypted communications, most notably in the 2016 case where the FBI sought to compel Apple to unlock an iPhone belonging to the San Bernardino shooter. Apple resisted, and the case never set a legal precedent as the FBI ultimately accessed the phone through a third party.
What U.S. Companies and Individuals Can Do About It
First, U.S. companies should brace themselves. If Apple caves, the floodgates will open, and every government with a law enforcement or intelligence agency will start demanding similar access. Tech firms need to take a stand, much like Apple did against the FBI in 2016, and refuse to implement such dangerous security backdoors. With a vast amount of data stored on cloud services, if foreign governments (even friendly ones) can compel cloud providers not only to produce encrypted messages but to actively create and deploy technologies to defeat encryption, then all communications are at risk – not just from government surveillance but from the consequences of weakened security.
For individuals, the takeaway is simple: Assume that cloud storage is no longer safe. If this move succeeds, your “secure” backups will be about as private as a billboard on Times Square. U.S. users should:
Enable local encryption before syncing anything to the cloud. Apps like Cryptomator can encrypt your files before they even touch cloud servers. This way, you — and only you — hold the key to them.
Consider alternative services that do not fall under jurisdictions that demand backdoor access.
Use multi-factor authentication and avoid using the same credentials across services.
Pressure lawmakers to prevent similar actions from occurring in the U.S.
The NSA, the PCLOB, and Unchecked Surveillance
If the U.S. were to take a similar approach to the U.K., the question would arise: who, if anyone, could stop it? The Privacy and Civil Liberties Oversight Board (PCLOB) was created to serve as a check against excessive surveillance, but its effectiveness has been compromised by political maneuvering.
On Jan. 27, 2025, President Trump fired all of the Democratic members of the PCLOB, effectively crippling its ability to function. This move rendered the board impotent as an oversight body and raised concerns about its ability to monitor and regulate intelligence agencies, particularly concerning transatlantic data transfers under the EU-U.S. Data Privacy Framework. Without a functioning PCLOB, there is little independent oversight of intelligence agencies’ activities, making it easier for them to demand similar access to encrypted communications without meaningful resistance.
Sauce for the Goose
The U.K.’s demand for Apple to create an encryption backdoor is unprecedented in its scope and potential consequences. The weakening of independent oversight mechanisms, such as the PCLOB, only increases the likelihood that similar actions could occur in the U.S. If the U.K. succeeds, it could set a dangerous precedent that other nations, including the U.S., might seek to follow. Tech companies and privacy advocates will need to remain vigilant to prevent a gradual erosion of digital security and personal privacy.