Apple’s Encrypted iCloud meets the UK Technical Capability Notices
Or, ohmygod the UK authorities are requiring Apple to enable a backdoor into encrypted iCloud Accounts!… reportedly
This is going to be a quick and dirty blog post because I have a mountain of essays to grade in the next 4 days, so forgive any errors or typos. This is the fastest I’ve ever written and published anything. But I can’t help but write about the biggest news story maybe ever to drop in my very niche research area without raising a few points/questions about it in a longer form than some Bluesky posts.
The Washington Post is reporting that UK authorities have served Apple with a ‘technical capability notice’ which requires Apple to create a back door allowing UK authorities access to encrypted Apple iCloud accounts.
The beginning of the Post’s article reads:
“Security officials in the United Kingdom have demanded that Apple create a back door allowing them to retrieve all the content any Apple user worldwide has uploaded to the cloud, people familiar with the matter told The Washington Post.
The British government’s undisclosed order, issued last month, requires blanket capability to view fully encrypted material, not merely assistance in cracking a specific account, and has no known precedent in major democracies. Its application would mark a significant defeat for tech companies in their decades-long battle to avoid being wielded as government tools against their users, the people said, speaking under the condition of anonymity to discuss legally and politically sensitive issues.
Rather than break the security promises it made to its users everywhere, Apple is likely to stop offering encrypted storage in the U.K., the people said. Yet that concession would not fulfill the U.K. demand for backdoor access to the service in other countries, including the United States.
The office of the Home Secretary has served Apple with a document called a technical capability notice, ordering it to provide access under the sweeping U.K. Investigatory Powers Act of 2016, which authorizes law enforcement to compel assistance from companies when needed to collect evidence, the people said.”
What is a technical capability notice?
Alright first, you may be wondering what a technical capability notice (TCN) is. Here I am going to crib from a book chapter I wrote on this very issue (which several people at the time told me was obscure and unlikely to ever be relevant…*ahem*):
“The Investigatory Powers Act 2016 (IPA) provides that the Secretary of State may serve a TCN on a telecommunications operator when such a notice is ‘necessary for securing that the operator has the capability to provide any assistance which the operator may be required to provide in relation to any relevant authorisation’ (IPA, section 253). In other words, the UK authorities will require a telecommunications operator to implement the capability necessary to comply with future demands for data under the law.”
So first things first. The TCN would require Apple to implement the backdoor (aka remove end-to-end encryption) to enable access to the encrypted iCloud accounts. That’s it. Or that’s all that it should be anyway. The reporting is vague on this point (see quote above that the TCN “requires blanket capability to view fully encrypted material”). Contrary to my initial reaction on Bluesky, I think this vagueness is because of the intended audience of the Post article, rather than the TCN exceeding its scope.
Why can I assert this? Well, because the TCN can only be used to enable access. This is very clear in the IPA (s 253). For the UK authorities to actually obtain any of the content of the iCloud accounts, they need to use a separate authorisation. Under s 253, a TCN can only be used with one of the following authorisations (with rough descriptions of each):
· A targeted interception warrant: this warrant allows authorities to obtain content data from an identified target, likely to be a single account or just a few related accounts for a specific criminal investigation. This is likely what the TCN is meant to enable (I’ll explain more below).
· A communications data authorisation: communications data is data about an account and is unlikely, I would think, to be encrypted. Apple will retain information on who holds the accounts even though the content of the account is encrypted.
· An equipment interference warrant: this warrant allows authorities to gain access to a device, which mostly would not apply if going after iCloud accounts which are not always on a device, but rather as the name suggests ‘in the cloud’. (Also the Post would likely have said if the TCN was for a way into iPhones rather than iCloud accounts)
· A bulk interception warrant: this warrant authorizes intelligence agencies to intercept ‘overseas-related communications’ – meaning communications sent and received by people outside the UK. While I have serious doubts that this is what the TCN is meant to enable, I cannot rule it out. It would seem possible given the Post’s reporting that the UK wants access to all iCloud accounts. But I suspect that is not what is going on, for reasons I will explain below.
TCNs and end-to-end encryption
Now, can a TCN be used to require removal of end-to-end encryption? This is a somewhat contested issue, as I wrote in my book chapter and recently covered by Paul Scott and Michéal Ó Flynn in this article (which is open access, and also very good, and I had planned to write up a review of it for this blog when I had time. Didn’t expect a big Apple v UK TCN/encryption story to drop in the meantime… best laid plans and all). Basically the answer is “yes”. And for now, we will stick with that because (1) the UK government certainly thinks it is, and (2) there is more to discuss about this that I think is interesting.
Assuming that TCNs can be used by UK authorities to require removal of end-to-end encryption, Apple would have a strong argument that this is disproportionate under Article 8 of the European Convention on Human Rights (to which the UK is a party). I wrote about the relevant, new(ish) case out of the European Court of Human Rights on end-to-end encryption, Podchasov v Russia, here. I will let that mostly speak for itself except to reiterate the point that the ECtHR found a Russian law’s requirement for a backdoor into an end-to-end encrypted messaging app to be a violation of the Article 8 right to privacy because it disproportionately affected all users. It is hard to see how that would not also be the case here. At the time I wrote this note, I was focusing on new provisions under the UK Online Safety Act and the potential EU ‘chat control’ proposal, but I think the analysis applies equally to TCNs used to require removal or weakening of end-to-end encryption.
Extraterritorial scope
TCNs can be served extraterritorially, as has been done here on an American company. Section 253(8) IPA states: “a technical capability notice may be given to persons outside the United Kingdom (and may require things to be done, or not to be done, outside the United Kingdom)”. Further (and borrowing from my chapter again):
“The Code of Practice further elaborates that the Secretary of State should consider ‘any requirements or restrictions under the law of [a foreign] country that may arise when the operator complies’ with the notice. This implies, at least, that if there were a foreign blocking statute in effect, the TCN may not be issued or enforced.”
But there is no blocking statute in effect anymore for UK demands for data, due to the UK-US Data Access Agreement (DAA) under the US CLOUD Act. That agreement allows the UK to send interception orders to US companies directly without the cooperation of US authorities. Previously, the US Electronic Communications Privacy Act would have blocked Apple from disclosing content data (for more info on this change). What I argued in my book chapter is that because the US CLOUD Act is “neutral” on encryption[1], it de facto allows the UK authorities to send TCNs to US companies. (To clarify, there never has been a blocking provision for TCNs, but there would have been little point in serving a TCN when the accommodating authorisations would have been blocked by ECPA.) My book chapter explores this in much more detail (apologies that it is not freely available—if you need it and cannot access a library, get in touch).
But crucially, the UK-US DAA does not allow the UK to have open season on the world’s data, which seems to be suggested by the subtext of the Washington Post article. The UK cannot seek the data of US persons under the Agreement, and if it seeks the data of a third-country national, it must inform that country. My best guess is that the global scope of the TCN is due to the nature of the iCloud system being global in scope. (But again, this is just a guess given a short news article!)
Finally, let’s discuss what type of authorisation the TCN is meant to enable and how this affects the extraterritorial scope.
My best guess is that the TCN is meant to enable a targeted interception warrant. This warrant under sections 41 and 43 can require a person outside the UK to provide assistance in the form of conduct outside the UK to give effect to the warrant. As with TCNs, Apple could object if there was a blocking statute in the third country and the UK authorities would have to ‘take that into account’ (which is vague and does not necessarily preclude the application of the warrant) (IPA s 43).
What if the TCN is meant to enable bulk interception warrants? This is not an area that I know as much about because bulk warrants are limited to the intelligence agencies and my research has heretofore been limited to criminal investigations / law enforcement authorities. I don’t have time to do the research at the moment, but I just do not see this being the intended authorisation. Up until now, the case law has not really involved telecommunications operators assisting in bulk intercept. When I think of bulk intercept, I think of tapping cables a la Tempora. That said, if you know of any sources or articles on point, please let me know. Bulk intercept warrants would only apply to communications of persons outside of the UK, and therefore might explain the global scope of the TCN (although I think the likelier explanation is the one I set out above).
I think I may have set out more questions than answers, as is the case with very brief media reports on secret orders! It will be interesting to see what happens next (if we get to see it at all). This has been a very quick sketch of thoughts on the legality of what is going on, not necessarily on the security implications or normative desirability of using TCNs to remove encryption. As you may have guessed from previous writings, I find it very problematic and likely a violation of fundamental rights. But that’s another post for another day.
PS. Even though it scares me, I’ve enabled comments now because most of this post is just questions that I want answers to! If you read this and the comments have been disabled, someone was not being polite; feel free to send me an email with thoughts instead.
[1] The CLOUD Act stated that agreements under the Act “shall not create any obligation that providers be capable of decrypting data or limitation that prevents providers from decrypting data”. 18 USC § 2523(b)(3).
A further thought: s254 requires the judicial commissioner to review the TCN for necessity and proportionality. You might reach one sort of decision if the TCN is targeted against individuals under some sort of suspicion. But it would be interesting to review the thought processes if the TCN is directed at all Apple users of their cloud storage service.
The main route for questioning IPA decisions is the Investigatory Powers Tribunal.
Thanks for the posting:
s 253 IPA Technical Capability Notices as well as s 252 National Security Notices are subject to the "double lock" authorisation protocol - laid down in s 254. The authorisers are judicial commissioners at IPCO:
In deciding whether to approve a decision to give a relevant notice, a Judicial Commissioner must review the Secretary of State's conclusions as to the following matters—
(a) whether the notice is necessary as mentioned in section 252(1)(a) or (as the case may be) section 253(1)(a), and
(b) whether the conduct that would be required by the notice is proportionate to what is sought to be achieved by that conduct.
In doing so, the Judicial Commissioner must—
(a) apply the same principles as would be applied by a court on an application for judicial review, and
(b) consider the matters referred to in subsection (2) with a sufficient degree of care as to ensure that the Judicial Commissioner complies with the duties imposed by section 2 (general duties in relation to privacy).
IPCO has the benefit of a Technical Advisory Board - TAB; its members and some of its work are referenced in the IPCO Annual reports, available at https://www.ipco.org.uk/publications/annual-reports/.
Inevitably their actual work is shrouded in secrecy but it's a reasonable question to ask about the competence of the commissioners and the TAB to undertake all that is asked of them. None of them, as far as I know, are in the least bit stupid but there is an issue of the extent of their knowledge.
My guess is that the Apple TCN issue will only be partially dealt with by the courts.
But we must recognise that pure "invasion of privacy" arguments only have cut-through with a minority of the population, who are likely to be impressed with the usual child protection/terrorism/serious organised crime blandishments (which, to be fair do have some merit). Additionally one must refer to the commercial and economic effects, and the problems for professionals such as doctors and lawyers who have obligations of data protection.