The UK's iCloud backup order explained
A legal breakdown of access to data by the state in the UK

In early February, the Washington Post reported that UK security officials have "demanded that Apple create a back door allowing them to retrieve all the content any Apple user worldwide has uploaded to the cloud."
Issued in January, the order from the UK government requires the tech company to provide full access to encrypted material rather than access to a specific account. The Washington Post described this demand as unprecedented in major democracies.
The order is aimed at the ability of Apple users to encrypt backups uploaded to iCloud. These backups contain a copy of various data held on a user's device, including copies of messaging data from iMessage.
According to the Washington Post report, Apple is likely to stop offering this service to UK users instead of breaking its security promise to users. However, such a concession "would not fulfill the U.K. demand for backdoor access to the service in other countries, including the United States," according to the Washington Post.
This post provides a breakdown of the legalities of this request.
How is the UK able to order Apple to do this?
The Investigatory Powers Act 2016
The relevant law here is the Investigatory Powers Act 2016 (IPA 2016). This is the principal piece of legislation regulating state surveillance in the UK.
It stipulates rules for the use of various surveillance powers by government agencies like MI5, MI6 and GCHQ. It makes provision for seven different types of powers:
Interception of communications
Retention of communications data
Acquisition of communications data
Equipment interference
Bulk personal datasets
Technical capability notices
National security notices
The IPA 2016 specifies the nature, scope and limits of these powers. Supplementing the Act are codes of practice that provide more detail on the practical application of the powers.
One important feature of the IPA 2016 is what is known as the 'double lock' mechanism. This is a system of review for the approval of warrants, notices and authorisations permitting the use of surveillance powers by government agencies.
Judicial commissioners (JCs), persons who have held high judicial office in the UK, are tasked with carrying out this review process.1 For each warrant, notice or authorisation, they must look at the conduct being permitted and determine whether it is both necessary for and proportionate to the objective being pursued.
Before these warrants, notices or authorisations are reviewed by the JCs, the government agency applying for them must also consider the conduct to be necessary and proportionate. These considerations by the JCs and government agencies make up the double lock mechanism.
Accordingly, the double lock mechanism ensures that the use of surveillance powers by government agencies is compliant with human rights law. This is an important aspect of the IPA 2016 that was missing from previous versions of UK state surveillance law.
Technical capability notices
Under the IPA 2016, a technical capability notice (TCN) is an instruction given by the government to a telecommunications operator to assist with the execution of surveillance powers.
These notices are used to facilitate the surveillance operations of government agencies when using their powers under the IPA 2016.2 This could be in relation to interception warrants, data acquisition authorisations, bulk acquisition warrants or equipment interference warrants.
TCNs can therefore contain a range of obligations that a telecommunications operator must fulfil. These include:3
Providing facilities or services of a specified description
Obligations relating to apparatus owned or operated by an operator
The removal by an operator of electronic protection applied by or on behalf of that operator to any communications or data
Obligations relating to the security of any telecommunications service provided by an operator
Obligations relating to the handling or disclosure of information
The IPA 2016 has a very wide definition of 'telecommunications operators'. It effectively covers a wide range of entities providing communications services, including public networks, online storage providers and messaging applications.4
There are four key rules that government agencies must follow when issuing TCNs:
The obligations contained in a TCN must be necessary for and proportionate to the objective pursued, which is ensuring that the telecommunications operator can provide assistance to the government agency executing its surveillance powers.5
TCNs must be reviewed by a JC for their necessity and proportionality under the double lock mechanism.
TCNs relating to interception and equipment interference warrants cannot be imposed on telecommunications operators that do not provide a service to more than 10,000 users.6
TCNs cannot be issued to telecommunications operators solely providing banking, insurance, investment or other financial services.7
Additionally, the government must also consult the telecommunications operator before serving them with a TCN. In doing so, the following factors must be taken into account:8
The likely benefits of the TCN
The likely number of users (if known) of the service provided by the operator
The technical feasibility of complying with the TCN
The likely cost of complying with the TCN
Any other effect of the TCN
Finally, operators served with a TCN must keep it secret from the public.9 Permission is needed from the government before revealing anything about its existence or contents.
What Apple data does the order target?
Given that TCNs are secret, the UK has not published the one it has issued to Apple. Also, the Home Office has neither confirmed nor denied the existence of the TCN.
But according to the Washington Post, the TCN requires "blanket capability to view fully encrypted material, not merely assistance in cracking a specific account." In particular, the TCN is focused on Apple's Advanced Data Protection (ADP) system for iCloud.
ADP is an optional setting that allows users to encrypt their iCloud data, including backups, photos, notes and other information. Apple states that ADP uses 'end-to-end encryption' (E2EE), meaning that Apple itself does not possess a copy of the cryptographic keys to decrypt the data uploaded to its servers.
However, if users do not turn ADP on, then any data stored in iCloud is subject to Apple's standard security measures. This means that although the data are still protected by encryption, they are not protected by E2EE and Apple will hold a copy of the cryptographic keys that it can use to decrypt the data.
Apple states that by holding a copy of the keys, it can assist users with data recovery. This could be helpful if a user forgets their password or loses their phone and is trying to access the data stored in their iCloud account.
However, as cryptographer Matthew Green points out in his blog post, the downside of this is that Apple holding a copy of the keys does introduce more vulnerabilities relative to E2EE:
Two different types of “bad guys” can walk through the hole created by this vulnerability: one type includes hackers and criminals, including sophisticated state-sponsored cyber-intrusion groups. The other is national governments: typically, law enforcement and national intelligence agencies.
Since Apple’s servers hold the decryption key, the company can be asked (or their servers can be hacked) to provide a complete backup copy of your phone at any moment. Notably, since this all happens on the server side, you’ll never even know it happened. Every night your phone sends up a copy of its contents, and then you just have to hope that nobody else obtains them.
What about data protection law?
Ordinarily, the automated or structured processing of personal data is subject to the UK GDPR.10 However, many of the data protection obligations imposed by this regulation do not apply to processing carried out in the context of national security.
Such an exemption can be found in the Data Protection Act 2018 (DPA 2018). Section 26(1)(a) of the DPA 2018 states that certain provisions of the UK GDPR do not apply if the exemption from such provisions is necessary for the purpose of safeguarding national security.
The exempted provisions in this case include, among others:
The data protection principles (except for lawfulness and therefore also Article 6 on the lawfulness of processing and Article 9 on special categories data)
Data subject rights
Notification of data breaches to the Information Commissioner and data subjects
International data transfers
This exemption could apply to any data controller, even if they are not a government department or other public body. The national security exemption could therefore even apply to a private company like Apple.11
A Minister of the Crown can certify that a national security exemption from certain data protection law provisions is required in relation to certain personal data or processing, where this is necessary for safeguarding national security.12 Under the DPA 2018, a 'Minister of the Crown' means a member of the Cabinet or the Attorney General or the Advocate General for Scotland.13
So in Apple's case, if a national security certificate was issued along with the TCN, it would exempt the company from certain data protection obligations with respect to the iCloud data sought by the UK government.
What about human rights law?
Last year I wrote a post about an important decision from the European Court of Human Rights (ECtHR) which held that data acquisition orders requiring the decryption of communications protected by E2EE are unlawful.14 This was on three main grounds:
Weakening E2EE would make all users of the service implementing E2EE more vulnerable, therefore impacting those who pose no threat or are otherwise of no interest to government agencies.
Creating backdoors opens the possibility for indiscriminate surveillance of personal electronic communications.
Such backdoors could also be exploited by criminal networks for nefarious purposes.
Since the TCN has not been publicly disclosed, and since Apple cannot reveal its existence or contents, we do not know if the data acquisition is in relation to iCloud data protected by E2EE or protected by Apple's standard encryption measures with which the company could decrypt the data. If the latter, then it would not require the weakening of E2EE and would (potentially) escape the criticisms highlighted by the ECtHR.
However, if the order relates to data protected by E2EE, then this would appear to fall foul of the Court's stipulations: orders for the weakening or removal of E2EE constitute an unlawful interference with the right to privacy under Article 8 of the European Convention on Human Rights.
So what can Apple do next?
Apple could fight back.
The IPA 2016 does include a procedure for challenging TCNs. Under this procedure, Apple could challenge the TCN if its obligations are unreasonable.15 It can refer it back to the government for review, requiring JCs and technical experts to consider the pros and cons of the TCN, resulting in its variation, revocation or replacement.
Failing this, Apple could commence judicial review proceedings contending that the TCN contains obligations that are incompatible with the Human Rights Act 1998.16 Under s.7(1)(a) of the Human Rights Act 1998, a person who claims that a public authority has infringed their rights may bring proceedings against that authority in the appropriate court or tribunal. To this effect, the Investigatory Powers Tribunal has jurisdiction to hear cases against the security and intelligence agencies, and certain other public authorities, to determine whether such authorities have complied with the 1998 Act when using their surveillance powers.17
Investigatory Powers Act 2016, ss.261(10), (11) and (13).
Investigatory Powers Act 2016, ss.253(1)(a) and (b).
UK GDPR, Article 2.1.
Aven v Orbis Business Intelligence [2020] EWHC 1812 (QB), para. 108.
Podchasov v Russia, App no. 33696/19 (ECHR, 13 February 2024).
The Human Rights Act 1998 transposes the rights under the European Convention on Human Rights into UK law. See s.1 of the 1998 Act.
See Regulation of Investigatory Powers Act 2000, s.65(2)(a). See also R(A) v B [2009] UKSC 12.



Great article! I'm glad that you added the European Court of Human Rights ruling from last year, as it was an important case for E2EE. I also would like to add that this order is such a big worry because the U.K. is a member of the Five Eyes Alliance. If the U.K. government gets what it wants, I can see how the other members would attempt to do something similar, making their surveillance measures all the more alarming.
It's a bit interesting that the UK issued such a blanket demand, and I wonder how this will impact the adequacy review process.
While I'm glad Apple didn't break E2EE for everyone, it is a shame they ended up putting UK citizens at risk. One can only hope that the UK government will face the consequences for their rights-violating demands.