Update (June 13, 2026): This story has moved on since publication. Under US pressure the UK withdrew its original worldwide order, then issued a new one aimed at British residents, and the secret-order regime is now being argued in open court. For where the fight stands now, read "The UK Dropped Its Apple Encryption Order, Then Issued Another."

TL;DR: The UK government secretly ordered Apple to build a backdoor into iCloud encryption using a "Technical Capability Notice" under the Investigatory Powers Act. Apple sued in the Investigatory Powers Tribunal. The tribunal dismissed Apple's appeal after the government revised its order to target UK users only. Rather than build backdoors, Apple withdrew its Advanced Data Protection (ADP) encryption from UK users entirely, meaning UK residents now have less privacy than users elsewhere. Privacy International and Liberty are continuing legal challenges into 2026, but for now, the UK government won.

What Happened

Under Section 253 of the UK's Investigatory Powers Act 2016, the government can issue "Technical Capability Notices" (TCNs) to technology companies. These secret orders require companies to build surveillance capabilities into their products.[1]

In 2024-2025, the UK Home Office issued a TCN to Apple requiring the company to:

  • Modify or remove encryption protections on iCloud data
  • Provide a mechanism for government access to encrypted content
  • Do so in secret: TCNs cannot be disclosed publicly

This is the definition of a backdoor: a deliberate vulnerability built into a product at government demand.

Apple's Response

Apple filed a legal complaint with the UK's Investigatory Powers Tribunal (IPT), a secret court that handles surveillance disputes.[2]

Apple's position has been consistent: they don't build backdoors. Any vulnerability that allows government access can also be exploited by hackers, criminals, and hostile foreign governments. Security is binary: you either have it or you don't.

But Apple's legal challenge failed. The IPT dismissed the appeal after the Home Office issued a revised order targeting UK users specifically rather than seeking worldwide access.[3]

Rather than compromise their encryption architecture globally, Apple took the only remaining option: they withdrew Advanced Data Protection from UK users entirely.[4]

What Advanced Data Protection Does

Apple's Advanced Data Protection (ADP) provides end-to-end encryption for most iCloud data:

  • iCloud Backup: including messages, photos, and app data
  • iCloud Drive: files stored in iCloud
  • Photos: your entire photo library
  • Notes: personal notes and documents
  • Reminders, Safari, Wallet, and more

With ADP enabled, only you can decrypt this data. Not Apple. Not anyone who gains access to Apple's servers. Not governments with warrants.

Without ADP, Apple can access this data, which means governments can too, with appropriate legal process (or, as we've seen, pressure).

UK users can no longer enable ADP. Their iCloud data is less protected than that of users in other countries.

The Problem with Secret Courts

The entire TCN process happens in secret:[5]

  • TCNs themselves are classified: Apple couldn't publicly confirm receiving one
  • The IPT proceedings were closed to the public
  • The revised government order was not disclosed
  • We only know about this because advocacy groups pieced together public filings

When surveillance disputes are resolved in secret courts, the public has no way to evaluate whether the outcome was reasonable. We're told to trust institutions we can't observe.

The Fight Continues

Although Apple's specific appeal was dismissed, civil liberties organizations are continuing legal challenges:[5][6]

  • Privacy International: Has a case against the Home Secretary's secret surveillance orders, scheduled to be heard in 2026
  • Liberty: Challenging the legality of TCNs and the secrecy surrounding them
  • Both organizations: Arguing that secret orders to undermine encryption violate human rights

These cases won't restore ADP to UK users. But they could establish legal precedent limiting future TCN abuse.

The Investigatory Powers Act Gets Worse

The 2024 amendments to the Investigatory Powers Act added troubling new powers:[7]

  • Notification requirements: Companies must notify the government of planned changes to products or services that could impede surveillance access
  • Pre-approval power: The government can effectively veto product security improvements
  • Extraterritorial scope: Applies to services used by UK residents, regardless of where the company is based

This means tech companies must ask permission before improving security. Future encryption features could be blocked before implementation.

Global Implications

The UK's approach sets a dangerous precedent:

Model for Authoritarians

If the UK can force backdoors, why not Russia, China, or Saudi Arabia? The same legal template applies.

Race to the Bottom

Once any country successfully demands backdoors, others will follow. Companies face impossible choices.

Security for None

Backdoors aren't selective. A vulnerability built for UK intelligence can be exploited by any sophisticated attacker.

Withdrawal Pattern

Rather than compromise security, companies may simply withdraw services from demanding jurisdictions, leaving users less protected.

What UK Users Can Do

Local Encryption

Store sensitive data locally with full-disk encryption rather than iCloud. What's not uploaded can't be accessed.

Third-Party Encryption

Use additional encryption tools (Cryptomator, Boxcryptor) on files before uploading to iCloud.

Alternative Services

Consider privacy-focused cloud providers based in jurisdictions with stronger protections (Switzerland, Iceland).

Support Legal Challenges

Organizations like Privacy International and Liberty are fighting this in court. They need resources and visibility.

The Bottom Line

The UK government ordered Apple to compromise encryption. Apple refused to build backdoors, but lost the legal fight. The only option left was withdrawal: UK users lost access to Advanced Data Protection entirely.

This is what "anti-encryption" policy looks like in practice: not backdoors (which Apple wouldn't build), but reduced security for an entire country's users.

The Investigatory Powers Act gives the UK government secret powers to demand surveillance capabilities. The Investigatory Powers Tribunal resolves disputes in closed proceedings. The public has no visibility into the process.

If you're a UK resident, your iCloud data is now less protected than that of users elsewhere. And the legal framework that made this possible is getting stronger, not weaker.

Privacy International's case continues into 2026. But for now, the surveillance state won this round.

References

  1. The Guardian - Apple UK Encryption Backdoor Order
  2. The Register - Apple Files UK IPT Challenge
  3. Computer Weekly - Apple IPT Appeal Dismissed
  4. EFF - Apple Withdraws ADP from UK
  5. Privacy International - UK Secret Surveillance Orders
  6. Liberty - Technical Capability Notice Challenge
  7. DLA Piper - Investigatory Powers Amendment Act 2024