US spy chief directs legal review of UK’s Apple backdoor demand

Director of National Intelligence Tulsi Gabbard said this week that she asked her attorneys to craft a legal opinion regarding a January United Kingdom demand that Apple build a backdoor into its advanced iCloud encryption offering.

That order mandates UK law enforcement operatives be granted worldwide, unfettered access to users’ protected cloud data. Apple customers residing in the United States would be cast into that dragnet. The Washington Post first reported the secret order earlier this month.

“I have directed a senior Intelligence Community officer to work with ODNI’s Office of Civil Liberties, Privacy, and Transparency and ODNI’s Office of Partner Engagement, to outline the potential implications of the United Kingdom compelling an American company to create a ‘back door’ that would allow the UK government to retrieve private user content,” Gabbard wrote in a response to a previous Capitol Hill inquiry that urged the nation’s spy chief to rethink U.S. intelligence-sharing relations with the UK.

“This would be a clear and egregious violation of Americans’ privacy and civil liberties, and open up a serious vulnerability for cyber exploitation by adversarial actors,” she also said.

This month, Sen. Ron Wyden, D-Ore., a privacy hawk, released a discussion draft of a measure which seeks to reform the Clarifying Lawful Overseas Use of Data — or CLOUD — Act. The 2018 law was designed to adapt to the advent of cloud computing technologies, after the FBI said it had issues with legal access requests for information stored in U.S. communications firms’ overseas servers.

The CLOUD Act, as is, directs relevant American companies to adhere to warrants for data, even if that data is stored on foreign soil. The law also authorizes the creation of bilateral data-sharing agreements between the U.S. and allies. 

In her missive, Gabbard wrote that “the United Kingdom may not issue demands for data of U.S. citizens, nationals, or lawful permanent residents (‘U.S. persons’), nor is it authorized to demand the data of persons located inside the United States. The same is true for the United States — it may not use the CLOUD Act agreement to demand data of any person located in the United Kingdom.”

Under the UK’s 2016 Investigatory Powers Act — known colloquially as the Snooper’s Charter — Apple received the order to provide cloud data without any judicial review. High-ranking Biden administration officials had been monitoring the dispute since the UK initially hinted at requiring access, a move that Apple opposed, the Post previously reported.

The consumer electronics giant’s Advanced Data Protection feature, released in 2022, lets users lock their iCloud data, blocking even Apple from accessing it. The capability is available in several countries and throws a wrench into law enforcement efforts to easily obtain that data via standard warrants. 

In adherence to the directive, that ADP service is no longer available in the United Kingdom, the company said last week. Apple may pursue legal action against the backdoor order, but it must still yield to its requirements while any case is ongoing.

“As we have said many times before, we have never built a backdoor or master key to any of our products or services and we never will,” the company said.

The UK has been a longtime U.S. ally, and both nations have benefited greatly from decades of intelligence-sharing agreements that involve counterterrorism operations, cyber threat intelligence, signals intelligence collaboration and law enforcement coordination on transnational crime.

The Biden administration’s Justice Department downplayed concerns about the UK's demand for the encryption backdoor when it assured Congress in November 2024 that there were no major legal disputes with Britain over data-sharing agreements, the Post reported Wednesday.

Critics argue that the government-mandated backdoor would not only weaken security for U.S. citizens, but could also set a dangerous precedent for law enforcement and intelligence agencies worldwide.

“Unlike the DOJ, which knew about the impending order to Apple to build a backdoor to its encrypted cloud back-ups and hid the fact from Congress, the DNI has done the right thing by taking this stance,” said Greg Nojeim, senior counsel and head of the Center for Democracy & Technology’s Security and Surveillance Project. “Building a backdoor to encrypted content undermines security for all of us.”