UK government demands access to Apple users’ encrypted data


The UK government has demanded to be able to access encrypted data stored by Apple users worldwide in its cloud service.

Currently only the Apple account holder can access data stored in this way – the tech giant itself cannot view it.

The demand has been served by the Home Office under the Investigatory Powers Act (IPA), which compels firms to provide information to law enforcement agencies.

Apple declined to comment, but says on its website that it views privacy as a “fundamental human right”.

Under the law, the demand cannot be made public.

The news was first reported by the Washington Post quoting sources familiar with the matter, and the BBC has spoken to similar contacts.

The Home Office said: “We do not comment on operational matters, including for example confirming or denying the existence of any such notices.”

Privacy International called it an “unprecedented attack” on the private data of individuals.

“This is a fight the UK should not have picked,” said the charity’s legal director Caroline Wilson Palow.

“This overreach sets a hugely damaging precedent and will embolden abusive regimes the world over.”

The demand applies to all content stored using what Apple calls “Advanced Data Protection” (ADP).

This uses something called end-to-end encryption, where only the account holder can access the data stored – even Apple itself cannot see it.

It is an opt-in service, and not all users choose to activate it.

This is because, while it makes your data more secure, it comes with a downside – it encrypts your data so heavily that it cannot be recovered if you lose access to your account.

It is unknown how many people choose to use ADP.

It’s also important to note that the government notice does not mean the authorities are suddenly going to start combing through everybody’s data.

It is believed that the government would want to access this data if there were a risk to national security – in other words, it would be targeting an individual, rather than using it for mass surveillance.

Authorities would still have to follow a legal process, have a good reason and request permission for a specific account in order to access data – just as they do now with unencrypted data.

Apple has previously said it would pull encryption services like ADP from the UK market rather than comply with such government demands – telling Parliament it would “never build a back door” in its products.

Cyber security experts agree that once such an entry point is in place, it is only a matter of time before bad actors also discover it.

And withdrawing the product from the UK might not be enough to ensure compliance – the Investigatory Powers Act applies worldwide to any tech firm with a UK market, even if they are not based in Britain.

Still, no Western government has yet been successful in attempts to force big tech firms like Apple to break their encryption.

The US government has previously asked for this, but Apple has pointedly refused.

In 2016, Apple resisted a court order to write software which would allow US officials to access the iPhone of a gunman – though this was resolved after the FBI were able to successfully access the device.

That same year, the US dropped a similar case after it was able to gain access by discovering the person’s passcode.

Similar cases have followed, including in 2020, when Apple refused to unlock iPhones of a man who carried out a mass shooting at a US air base.

The FBI later said it had been able to “gain access” to the phones.

The tech giant can appeal against the government’s demand but cannot delay implementing the ruling during the process even if it is eventually overturned, according to the legislation.

The government argues that encryption enables criminals to hide more easily, and the FBI in the US has also been critical of the ADP tool.

Professor Alan Woodward, cyber security expert from Surrey University, said he was “stunned” by the news, and privacy campaigners Big Brother Watch described the reports as “troubling”.

“This misguided attempt at tackling crime and terrorism will not make the UK safer, but it will erode the fundamental rights and civil liberties of the entire population,” the group said in a statement.

UK children’s charity the NSPCC has previously described encryption as being on the front line of child abuse because it enables abusers to share hidden content.

But Apple says that privacy for its customers is at the heart of all its products and services.

In 2024 the company contested proposed changes to the Investigatory Powers Act, calling them an “unprecedented overreach” by the government.

The changes also included giving the government the power to veto new security measures before they were implemented. They were passed into law.

“The main issue that comes from such powers being exercised is that it’s unlikely to result in the outcome they want,” said Lisa Forte, cyber security expert from Red Goat.

“Criminals and terrorists will just pivot to other platforms and techniques to avoid incrimination. So it’s the average, law-abiding citizen who suffers by losing their privacy.”


