Apple begins legal battle to resist ‘egregious’ iCloud backdoor demand

Macworld

Apple has begun legal action to resist a secret demand by the U.K. government for access to iPhone users’ data. Citing “people familiar with the matter,” the Financial Times reports that the company has made an appeal to the Investigatory Powers Tribunal, seeking (likely on grounds of U.S. national security) to have the order quashed.

The tribunal is connected to but independent from the British Home Office and investigates complaints about intelligence services, law enforcement agencies, and public authorities. It will consider whether the demand, which was based on the 2016 Investigatory Powers Act, was lawful. This will be the first time a court has tested the government’s powers to break encryption under the act, so it could have far-reaching consequences.

In January the office of the Home Secretary issued a technical capability notice (TCN) instructing Apple to “create a back door allowing them to retrieve all the content any Apple user worldwide has uploaded to the cloud,” according to a report last month by the Washington Post. This report was based on whistleblower tips, as it would be illegal for Apple even to acknowledge that it had received a TCN.

While the British government also hasn’t admitted that the TCN exists, security minister Dan Jarvis commented obliquely that “privacy is only impacted on an exceptional basis, in relation to the most serious crimes and only when it is necessary and proportionate to do so.” Yet the powers sought are wide-ranging and potentially dangerous. Any data stored in the cloud by Apple users would need to be accessible not only by the company itself but by the U.K. government… and very likely by outside agencies and criminals in the event of a leak.

Apple currently has access to some cloud-based user data and has supplied that data in the past when required to do so by a legitimate order from law enforcement. But under the reported terms of the TCN, the U.K. government seeks access to a greater range of encrypted data, even if a user has activated the Advanced Data Protection feature that provides an extra layer of encryption for backups and other data.

Apple’s first response was to disable ADP on iPhones in the U.K., at least for new users. There was no mention of the TCN in the announcement of this move, of course, but Apple took the opportunity to comment that, “as we have said many times before, we have never built a back door or master key to any of our products or services and we never will.”

This is all a big privacy concern for the U.K. and one that will almost certainly apply to users worldwide. In our coverage, my colleague Jason Cross described the order as “comically authoritarian” and warned that it “would instantly compromise the security of over two billion Apple users.” U.S. intelligence chief Tulsi Gabbard, who said she had not been informed in advance about the TCN, described it as an “egregious violation” of citizens’ right to privacy. President Donald Trump is unhappy as well, calling the order “something you only hear from China.”

How all this plays out remains to be seen, but the new legal challenge is one possible way Apple could avoid the requirements of the TCN. The case, the FT says, could be heard by the tribunal this month, although it is unknown whether the process or decision will be publicly disclosed.