Unlock the White House Watch newsletter for free
Your guide to what the 2024 US election means for Washington and the world
Tulsi Gabbard, the US director of national intelligence, has hit out at the UK’s demand that Apple build a “back door” in its iCloud security system, saying such a move would be an “egregious violation” of Americans’ privacy that may breach the two countries’ data agreement.
Responding to a letter from Democratic Senator Ron Wyden and Republican congressman Andy Biggs, Gabbard said she shared their “grave concern” that it could allow British authorities to access Americans’ personal data and had instructed lawyers and intelligence officials to investigate the matter.
“I share your grave concern about the serious implications of the UK, or any foreign country, requiring Apple or any company to create a ‘back door’ that would allow access to Americans’ personal encrypted data,” Gabbard wrote to the US lawmakers. “This would be a clear and egregious violation of Americans’ privacy and civil liberties, and open up a serious vulnerability for cyber exploitation by adversarial actors.”
Apple last week withdrew its most secure cloud storage service from the UK, saying it “can no longer offer” Advanced Data Protection (ADP) for iCloud in the country.
The move came after it emerged that Apple had received a secret “technical capability notice” last month under the UK Investigatory Powers Act, demanding it to allow law enforcement to access encrypted data stored in the cloud.
Under the IPA, which was updated last year in the final weeks of the previous Conservative government, recipients of a technical capability notice are not allowed to discuss it. Gabbard said she was not made aware of the order before it was reported in the press earlier this month.
Law enforcement officials have clashed with tech companies for more than a decade over the use of encryption, which investigators say shields criminals and impedes inquiries into terrorists and child abusers.
Tech companies including Apple and WhatsApp’s parent Meta have argued that encryption provides vital protection for consumers as they entrust more and more of their personal information to smartphones, messaging apps and online storage services.
The UK and US struck a bilateral data access agreement in 2019, allowing the countries to share evidence related to terrorism and other serious crimes after approval from a judge or other independent authority.
Gabbard said her legal team was examining the implications of the UK’s demand for that agreement, known as the Cloud Act, adding that an “initial review” suggested the UK “may not issue demands for data of US citizens, nationals or lawful permanent residents”.
“I look forward to ensuring the UK government has taken necessary actions to protect the privacy of American citizens, consistent with the Cloud Act and other applicable laws,” she said.
Earlier this month, Wyden and Biggs called on the administration of US President Donald Trump and Apple to “tell the UK it can go straight to hell with its secret demand”, saying: “The US government must not permit what is effectively a foreign cyber attack waged through political means.”
Apple itself cannot access data stored using ADP’s “end-to-end” encryption system. Complying with the UK’s order would require Apple in effect to breach its own security, without its users’ knowledge.
Unlike its standard iCloud storage system, which Apple is able to decrypt upon receipt of a legal warrant, activating ADP requires users to hold the only key able to unlock their data.
“We are gravely disappointed that the protections provided by ADP will not be available to our customers in the UK given the continuing rise of data breaches and other threats to customer privacy,” Apple said last week.
“As we have said many times before, we have never built a back door or master key to any of our products or services and we never will.”