In February 2025, it was reported that the United Kingdom (UK) Office of the Home Secretary served Apple with a technical capability notice (TCN), a secret legal order demanding that the company build a backdoor that enables access to content Apple users have uploaded to the cloud. The UK issued the notice under the UK Investigatory Powers Act of 2016, which enables its law enforcement and intelligence agencies to obtain consumers’ data from technology companies in the course of an investigation. However, requiring Apple to provide such a backdoor would significantly compromise end-to-end encryption for Apple users in the UK and around the world, placing their privacy and security at risk. Notably, the UK Home Secretary appears to view the breadth of the order as neither bounded by national borders, nor limited to communications or other content pertaining to UK persons. Obliged to respond quickly under the probable terms of such a TCN, Apple has already taken the dramatic step of disabling its Advanced Data Protection (ADP) feature for customers in the UK. Reading the TCN as limited to the Home Secretary’s geographic jurisdiction, a decision to discontinue ADP for customers in the UK is the logical response, in order to preserve ADP protections without the mandatory vulnerability for the rest of the world. Given the dangers backdoors pose to consumers, U.S. policymakers should unequivocally reject an interpretation that the TCN applies globally and defend American interests and privacy against unwarranted intrusions.
As demonstrated by the ongoing Salt Typhoon hack against the United States, mandating a vulnerability to facilitate surveillance efforts can significantly undermine both consumer privacy and security. In 1994, Congress enacted the Communications Assistance for Law Enforcement Act (CALEA), which requires telecommunications carriers and manufacturers to build capabilities to comply with legal requests for information into their equipment, facilities, and services. While this law essentially enabled law enforcement to access consumers’ communications data through legal requests, we know that it also created vulnerabilities that have been exploited by bad actors. For example, in late 2024, the Wall Street Journal reported that Salt Typhoon, a hacking group affiliated with the Chinese government, infiltrated U.S. telecommunications networks by exploiting weaknesses in the system, including these backdoors originally designed for lawful surveillance requests. Weakening encryption by putting these backdoors in place inadvertently created a point of entry for cybercriminals and compromised U.S. consumers’ privacy and security.
By undermining encryption, policymakers deny people from all walks of life—including journalists, members of marginalized communities, activists, and political dissidents—a needed means to communicate, manage finances, and share sensitive health data privately and securely, while creating systemic vulnerabilities that threaten individual, national, and global security. Without strong encryption, consumers are far more exposed to criminal activities, data breaches, and other incidents facilitated by weakened cybersecurity standards. Its loss also raises significant national security concerns for governments. If the UK can access any iPhone’s content, those access mechanisms could potentially expose sensitive communications from U.S. officials and business leaders. For example, Salt Typhoon targeted the phones of President Trump, Vice President J.D. Vance, and other policymakers and their staff. Any bad actors who exploit backdoors in encryption algorithms created as a result of the UK’s technical capability notice could likely access similar content from world leaders. On a global scale, oppressive regimes may use the examples set by the United States and United Kingdom to similarly weaken encryption in their own countries, endangering their citizens, as well as activists and dissidents, who use encrypted tools to communicate freely.
Though some argue that encryption enables criminal activity, this is a deeply flawed and disproportionate rationale. In reality, weakening encryption will not prevent sophisticated bad actors from communicating securely nor expedite law enforcement investigations. Even if policymakers weaken encryption on commonly used devices, bad actors can take advantage of open source encryption tools or other software to communicate without government awareness. Content with investigative value can be accessed elsewhere without threatening encryption.
This is where the recently enacted Clarifying Lawful Overseas Use of Data (CLOUD) Act comes into play. Developed to address legal conflicts between the United States and other jurisdictions in cross-border investigations involving digital evidence, the CLOUD Act authorizes the Attorney General, along with the Secretary of State, to enter into executive agreements to clear the way for such investigations. The cross-border digital investigation scenario arises somewhat commonly, since important evidence is often stored in copy in remote servers and data centers, instead of solely on individuals’ devices and computers, and investigated individuals don’t always volunteer their own devices. The relevant background statutory provisions in U.S. federal law generally completely block U.S.-based cloud service providers’ compliance with orders from foreign governments. Other nations have various versions of these “blocking statutes,” but the United States’ statute gets the most airtime since the most often-used cloud providers globally tend to be based in America.
With this backdrop of inherent conflict, governments seeking data from American cloud providers (and American investigators seeking information stored overseas) are typically compelled to use the Mutual Legal Assistance Treaty (MLAT) process. Notoriously difficult, MLAT requests often take several months to receive an answer, and the CLOUD Act sought to solve both the legal conflicts and MLAT problem by enabling agreements between the United States and countries with similar human rights protections. It just so happens that the UK is the only government with which the United States has forged a CLOUD Act agreement. So the question naturally arises here, how does this global capability square with the original purposes and bilateral nature of the CLOUD Act? Congress set forth clear requirements for any CLOUD Act partner government: “the domestic law of the foreign government, including the implementation of that law, affords robust substantive and procedural protections for privacy and civil liberties in light of the data collection and activities of the foreign government that will be subject to the agreement.” Thus, the CLOUD Act seeks to empower governments with similar due process approaches to enter into fast-track investigation arrangements based on specific protections that apply within their jurisdictions. Policymakers should closely watch the UK’s response to Apple’s remedy to see if it has a competing interpretation of the TCN to apply globally rather than only to the UK. They should carefully consider whether such an interpretation and its potential to enable blanket surveillance of U.S. persons squares with the original, bilateral purpose of the CLOUD Act.
The UK’s technical capability notice represents more than an attempt to access Apple users’ cloud data; it sets a dangerous precedent that threatens to undermine end-to-end encryption and global security. The Salt Typhoon cyberattack demonstrated how backdoors intended for law enforcement and intelligence agencies can instead become entry points for bad actors, compromising both consumer privacy and national security. Rather than acquiescing to foreign demands that weaken encryption standards, U.S. policymakers should defend strong encryption as a cornerstone of privacy and security.