In September 2025, the UK Home Office reportedly served Apple with a technical capability notice (TCN) demanding the company build a backdoor into its cloud storage service for UK users. This order follows an earlier reported attempt to compel Apple to weaken its encrypted Advanced Data Protection (ADP) feature. After significant backlash from U.S. policymakers and other commenters, the UK purportedly dropped its demands. The latest TCN revives them with a narrower scope that applies only to UK users, seemingly to assuage U.S. concerns. However, even this limited backdoor poses the same fundamental threat to encryption and U.S. consumers’ privacy and security. U.S. policymakers should oppose this second TCN and defend strong encryption as essential to Americans’ privacy and security.

Strong encryption underpins the digital ecosystem and provides essential protection for consumers’ privacy and security. Weakening it deprives policymakers, journalists, members of marginalized communities, and others of a vital tool to communicate privately and safely. Installing a backdoor leaves individuals and institutions more vulnerable to cybercrime, data breaches, and espionage, and exposes sensitive personal and governmental communications to exploitation by bad actors. Even users of encryption that is not end-to-end would be affected, as bad actors focus more resources on breaking all kinds of encryption knowing a vulnerability is mandated in end-to-end services. While some law enforcement agencies have argued encryption hinders investigations, backdoors offer no guarantee of meaningful investigative value. In practice, law enforcement can often find relevant information from other sources, including a device’s metadata. Internationally, lawful access frameworks, such as the Clarifying Lawful Overseas Use of Data (CLOUD) Act, already enable data requests without requiring providers to decrypt, build backdoors, or compromise global cybersecurity standards.

ACT | The App Association joined a coalition of technology policy organizations to oppose technical capability notices after the Washington Post reported in early 2025 that the Home Office had served one to Apple. We applied to intervene in a legal challenge brought by Privacy International against the UK’s use of TCNs and submitted evidence detailing how a TCN would harm small businesses in the United Kingdom, including real-world impact stories from our members.

Members of Congress and the Trump Administration similarly opposed the UK’s demands that Apple weaken its encrypted systems out of concern for Americans’ privacy and security. Shortly after news of the TCN broke, Senator Ron Wyden (D-OR) and Rep. Andy Biggs (R-AZ) wrote to U.S. Director of National Intelligence Tulsi Gabbard, urging her to reassess cybersecurity and intelligence-sharing ties between the United States and United Kingdom. Notably, they warned that because Apple uses the same encryption software worldwide, a backdoor built for the UK market would inevitably compromise American users’ privacy as well. In separate letters, Rep. Jim Jordan (R-OH) and Rep. Biggs called on Attorney General Pamela Bondi to terminate and renegotiate the U.S.-UK CLOUD Act agreement, arguing that the UK’s demands undermine the agreement’s intent and Americans’ privacy protections, while Rep. Jordan and Rep. Brian Mast (R-FL) urged UK Home Secretary Yvette Cooper to reconsider the use of TCNs and allow Apple to brief U.S. officials on the order. This collective pushback culminated in DNI Gabbard announcing that the UK had dropped its demand that Apple build a backdoor into Americans’ protected data.

The UK Home Office issued this latest order directing Apple to build a backdoor into its encrypted cloud services for British users despite the backlash against the earlier, broader order. The narrower scope appears intended to ease U.S. policymakers’ concerns about risks to American consumers’ privacy and security. However, even with this adjustment, the TCN continues to endanger encryption worldwide. Because encryption operates across integrated, borderless systems, weakening it for users anywhere inevitably undermines the security of users everywhere. Moreover, with the details of the TCN still undisclosed, it remains unclear whether the order applies to users physically in the United Kingdom, British citizens abroad, or both. In either case, would communications stored in ADP-protected iCloud services between UK persons and U.S. citizens be subject to a TCN? If not, by what process would the Home Office ensure U.S. persons remain protected from surveillance? Given these technical and jurisdictional ambiguities, it is unrealistic to assume the TCN’s impact will remain confined to the UK or that Americans’ data will remain insulated from its fallout.

Given encryption’s importance to consumers, businesses, and national security, policymakers should not only avoid weakening it, but they should also champion its adoption and use. To that end, U.S. officials should take several concrete steps:

  • First, policymakers should expand investment in encryption research and development to ensure that emerging technologies do not expose systems to new vulnerabilities. Researchers and industry experts must have the resources to stay ahead of malicious actors.
  • Second, policymakers should avoid mandating vulnerabilities or lawful access backdoors in encrypted systems. For example, Chinese hacking group Salt Typhoon likely infiltrated U.S. telecommunications networks through a backdoor required under the Communications Assistance for Law Enforcement Act (CALEA), demonstrating how such mandates can unintentionally endanger national security and consumer privacy. Weakening encryption for lawful access will not necessarily yield valuable information but will certainly increase the risks posed to consumers’ privacy and security.
  • Finally, the United States should articulate encryption as critical infrastructure for democracy, cybersecurity, and economic competitiveness in international agreements. In support of this, the Department of Justice should review whether the UK’s use of TCNs—particularly if interpreted to apply extraterritorially—is consistent with the CLOUD Act’s requirement that partner governments afford robust protections for privacy and civil liberties. At minimum, U.S. negotiators should turn to Article 12.3 of the U.S.-UK agreement under the CLOUD Act, allowing either party to “conclude that the Agreement may not be invoked with respect to an identified category of Legal Process.” Invoking Article 12.3 would ensure that an order issued under the TCN may not be expedited under CLOUD Act processes and would instead be subject to the far more onerous mutual legal assistance treaty (MLAT). If necessary, however, the United States should also consider suspending, terminating, or renegotiating the U.S.-UK CLOUD Act Agreement to ensure it reflects a genuine shared commitment to encryption, privacy, and security.

Strong encryption is essential to protecting consumer privacy, safeguarding national security, and preserving the integrity of the digital ecosystem. The United Kingdom should withdraw its latest TCN and commit to upholding, rather than undermining, strong encryption and privacy. If it does not, the United States should consider the available options to exclude orders issued under TCNs from its CLOUD Act agreement with the UK—and consider renegotiating the agreement altogether if these mechanisms fail—in order to safeguard U.S. citizens’ access to strong encryption.