Last week the Washington Post broke news that the UK government had ordered Apple to decrypt back-up data held by its Advanced Data Protection Service, sparking outcry from privacy activists and push-back from the tech giant.
Regular GRC speaker Caro Robson was interviewed on BBC News to shed some light on the story, so we asked her to give us some more insights…
What has Apple been ordered to do?
Any issue connected with serious crime and terrorism is necessarily kept secret, so we don’t know what was served on Apple. However, from the reporting, it seems the UK may have served a ‘technical capability notice’ on them, under the Investigatory Powers Act 2016.
What is a ‘technical capability notice’?
A technical capability notice (TCN) is a requirement for any telecommunications operator, which is defined broadly under the Act, to fulfil “any applicable obligations specified in the notice.” These are often technical changes to systems, so that a future warrant or authorisation to access data under the Act can be fulfilled within 24 hours.
Does this mean the UK government can access all user data?
If the notice served on Apple is a technical capability notice, then it does not mean that the UK government is getting access to data immediately. It means that Apple has been identified by the government as holding data that may potentially be relevant to future investigations into serious crime or counter-terrorism, and accessing it without technical changes would take too long to meet an urgent operational need. So this is a request to take technical measures in advance of there being an urgent requirement.
TCNs can be served to facilitate a future warrant for the interception of communications, an authorisation to obtain communications data (metadata about communications rather than their content) or a warrant for “interference” with equipment, such as unlocking a mobile phone. Each of these represents an intrusion into the privacy of users, so the Act sets out processes and safeguards that must be followed before any data is shared with law enforcement or intelligence agencies.
Could the UK government access encrypted Apple data in future?
In the case of access to communications content, an interception warrant would be required. The Secretary of State (a senior government minister) would have to be satisfied that obtaining the communications was a necessary and proportionate response to a threat to national security or for an investigation into serious crime. There is also an additional safeguard in the form of review by an independent Judicial Commissioner from the Investigatory Powers Commissioner’s Office (IPCO), known as the “double-lock.”
Can Apple appeal against the notice?
Apple is entitled to reasonable compensation for its costs under the Investigatory Powers (Technical Capability) Regulations 2018, and can request review of the notice by the Secretary of State, the Judicial Commissioner or the government’s Technical Advisory Board. However, appeals to a court about a specific notice are not possible due to their highly sensitive nature.
How frequent is interception in the UK?
According to the IPCO’s Annual Report for 2022 (published 24 March 2024), it considered 4,574 requests for targeted interception of an individual’s communications in 2022. None were refused. Individuals who feel they have been affected by interception of their communications can complain to the Investigatory Powers Tribunal (the body that hears complaints in relation to sensitive intelligence collection). Over 400 cases were heard in 2023, according to the IPT’s 2024 report.
Do other countries do this?
Other countries have similar laws for the interception of communications, including EU states, the US, Canada, Australia, Russia and China.
What do international courts say?
States that are signatories to the Council of Europe’s European Convention on Human Rights can be challenged in the European Court of Human Rights over their interception laws. This has happened a number of times, with the Court usually granting states a “wide margin of appreciation” when it comes to national security.
Notable exceptions include the recent case of Podchasov v Russia in February 2024, which concerned access to Telegram’s encrypted messaging services by the Russian FSB. The Court ruled that Russia’s legal framework mandating access to encrypted messages (section 10.1(4.1) of the Information Act and Order no. 432 of 19 July 2016) was not proportionate, noting that alternative ways of accessing data may be available and ordering blanket decryption could risk the security of all users’ data.
In an earlier judgment, the Court ruled against the UK in Big Brother Watch and Others v. the United Kingdom (2021) when it found that bulk interception of communications under the previous UK legal regime lacked proper procedural safeguards. The case was brought following the Edward Snowden revelations, and involved intelligence-sharing between the UK and US.
However, the judgment did not prohibit bulk interception completely, instead focusing on the need for procedural safeguards. The UK would argue that the increased checks under the Investigatory Powers Act, including the “double lock,” provide these safeguards.
What does the US think of this?
The reaction of the US is still unknown. Apple is believed to have resisted the notice, as it has with past requests to access encrypted data, though it has not issued a statement. In his first term, President Trump was supportive of the use of encryption-breaking technology for the purposes of combating organised crime and terrorism, but whether he will take the same position in his second term remains to be seen.
Continuing the Conversation: #RISK Digital Global
The dialogue surrounding global risk and emerging technologies continues at #RISK Digital Global on March 5th. This event provides a unique platform to explore critical issues from a worldwide perspective, featuring expert speakers and interactive sessions.
Among the featured speakers is Caro Robson, a renowned AI Ethicist and Privacy Pro, who recently provided expert commentary on BBC News regarding a significant UK data privacy case involving Apple and government access to encrypted data.
Caro Robson will be contributing her expertise to two key sessions at #RISK Digital Global. First, she will participate in “Data Sovereignty and Cross-Border Challenges in 2025: Preparing for a Fragmented World” (10:30 am - 11:00 am GMT), offering crucial insights into navigating the increasingly complex landscape of data localization laws and international data transfers.
Later in the day, Caro will join the discussion on “China, Deepseek, and the AI Race: Balancing Innovation and Risk” (3:00 pm - 3:30 pm GMT), exploring the geopolitical and technological implications of China’s rapid advancements in AI.
These sessions offer a valuable opportunity to gain a deeper understanding of these pressing global issues and their impact on risk management strategies.