The United Kingdom has dropped its push to require that tech giant Apple provide the country’s security officials with backdoor access to users’ encrypted iCloud backups, Director of National Intelligence Tulsi Gabbard said on Monday.
The Washington Post reported in January that the UK issued a secret order to Apple that directed the company to provide its law enforcement and intelligence personnel with the “blanket capability” to access customers’ encrypted files worldwide. The order would have affected Apple users across the world, including those in the U.S.
Under the UK’s 2016 Investigatory Powers Act — known colloquially as the Snooper’s Charter — Apple received the order to provide cloud data without any judicial review.
In an X post, Gabbard said that U.S. officials — including President Donald Trump and Vice President JD Vance — have been working with their UK counterparts over the past few months “to ensure Americans’ private data remains private and our Constitutional rights and civil liberties are protected.”
She added that, “as a result, the UK has agreed to drop its mandate for Apple to provide a ‘back door’ that would have enabled access to the protected encrypted data of American citizens and encroached on our civil liberties.”
News of the UK order earlier this year received bipartisan pushback from some lawmakers and calls for the U.S. to reevaluate its cybersecurity and intelligence-sharing relationship with London.
The Clarifying Lawful Overseas Use of Data — or CLOUD — Act, which was enacted in 2018, provides U.S. law enforcement officials with the ability to obtain data from American companies that is stored on their overseas servers. The law also authorized the creation of bilateral data-sharing agreements between the U.S. and allies. The access agreement between the U.S. and UK went into effect in October 2022.
In a Feb. 13 letter to Gabbard, Sen. Ron Wyden, D-Ore., and Rep. Andy Biggs, R-Ariz., asked if the Trump administration was made aware of the UK’s order and its understanding of, in part, “the bilateral CLOUD Act agreement with regard to an exception to gag orders for notice to the U.S. government.”
In a reply later that month to the lawmakers’ missive, Gabbard said she had directed her attorneys to outline the implications of the UK’s order to Apple but added that the move “would be a clear and egregious violation of Americans’ privacy and civil liberties, and open up a serious vulnerability for cyber exploitation by adversarial actors.”
In response to a request for comment from Nextgov/FCW, an ODNI spokesperson pointed to an X post from the agency that praised the UK’s recent decision and cited Gabbard’s response to Wyden’s and Biggs’ letter.
Biggs and Wyden — along with Sen. Alex Padilla, D-Calif., and Reps. Warren Davidson, R-Ohio, and Zoe Lofgren, D-Calif. — also sent a letter in March to the UK’s Investigatory Powers Tribunal that called for the judicial body to “remove the cloak of secrecy related to notices given to American technology companies by the United Kingdom.”
Wyden similarly released draft legislation in February to modify the CLOUD Act’s requirements so that U.S. providers do not have to weaken their security standards to meet requests from foreign governments.
“I sounded the alarm that the UK’s outrageous demands that Apple weaken encryption would put the security and privacy of all Americans at risk,” Wyden said in a statement to Nextgov/FCW. “If it’s true the UK has folded, that’s a win for everyone who values secure communications. However, the details of any agreement are extremely important, especially when it comes to other legal avenues the UK could use to obtain Americans’ data, such as by delivering spyware or requiring US user data to be stored in the UK.”
Apple did not respond to a request for comment, although the tech giant moved earlier this year to remove its high-level Advanced Data Protection tool from the UK market. The company was also in the midst of legal action to overturn the order when the UK dropped its backdoor encryption push.
The UK Home Office told media outlets that it “does not comment on operational matters.”
Some organizations, like the nonprofit Center for Democracy and Technology, welcomed the news but also called for further changes when it comes to data-sharing agreements.
“The Administration should be more transparent about any deal it cut with the UK, and Congress should amend the CLOUD Act to prevent other countries from issuing similar orders to U.S. service providers,” Greg Nojeim, senior counsel and director of CDT’s security and surveillance project, said in a statement.
Nextgov/FCW Cybersecurity Reporter David DiMolfetta contributed to this report.
Read the full article here