The UK government order is an attempt to force Apple to provide access to encrypted user data, including device backups that can include contact lists, as well as location and messaging history, for any Apple user worldwide. The secret order, which the Washington Post reported was issued in January 2025 by the Home Office, the interior ministry, concerns Advanced Data Protection, an iPhone option that uses end-to-end encryption on data stored in the cloud, and means Apple has no access to user data stored on its servers. The UK government should drop the order.
“If these reports are true, this is an alarming overreach by the UK authorities seeking to access the private data of not only people in the UK, but anyone worldwide with an Apple account,” said Zach Campbell, senior surveillance researcher at Human Rights Watch. “People rely on secure and confidential communications to exercise their rights. Access to device backups is access to your entire phone, and strong encryption to prevent this access should be the norm by default.”
News reports said that the UK government ordered Apple to build a back door into its products under the Investigatory Powers Act, a 2016 surveillance law that includes provisions allowing the government to order companies to remove “electronic protection” of user data. The law also prohibits the recipients of these orders, in this case Apple, from acknowledging or commenting on them. The new UK order, according to the Washington Post, “requires blanket capability to view fully encrypted material” for Apple users worldwide, including users with no apparent connection to the UK.
Encryption is a crucial enabler of human rights online and offline. Human rights defenders, journalists, and everyone else rely on the security and privacy of their devices to protect them not only from unlawful government spying, but also from cybercrime and other attacks from non-state actors. Weakening encryption, or mandating back doors, leaves all users more vulnerable. Governments should support strong encryption, and companies should build it into their products and services by default.
The United Kingdom is a party to several international and regional treaties enshrining the right to privacy and data protection rights. The vital role of encryption as an enabler of privacy and human rights has been widely recognized, including by United Nations bodies, the United Nations High Commissioner for Human Rights, and human rights experts. The UN General Assembly and the Human Rights Council have, in several resolutions, called upon states to refrain from interfering with encryption technologies. UN resolutions also encourage technology companies to secure and protect the confidentiality of digital communications and transactions, including measures for encryption, pseudonymization and anonymity. A 2015 report by the United Nations special rapporteur on freedom of expression specifically urged governments to avoid all measures that weaken security for individuals online, such as mandated back doors.
Both Amnesty International and Human Rights Watch have been critical of the Investigatory Powers Act since its inception. In written evidence to the Joint Committee on the Draft Investigatory Powers Bill in 2016, Human Rights Watch recommended that the UK should refrain from undermining encryption and digital security. It specifically said that the legislation should be amended to ensure that authorities are prohibited from imposing obligations on internet service providers to weaken security measures or design their systems to incorporate measures for exceptional access into encryption by UK authorities.