
[Corrected] Out of 6,000 non-IPA requests, Apple provided UK with iCloud data only four times since 2020

Editor’s Note: An earlier version of this story misunderstood that the requests cited in Apple’s transparency data were made under a different legal framework to those most typically made by authorities in the United Kingdom. Because of this, it would be difficult to draw a connection between the data and the reported attempts by the British government to force Apple to provide it with encrypted iCloud accounts. The story below has been updated to reflect an accurate understanding of the transparency data.

Apple has provided the content of its users’ iCloud accounts in response to legal requests made by British authorities less than 0.06% of the time since 2020. Crucially, this does not include requests made under the Investigatory Powers Act (IPA), Britain’s principal legal framework for accessing material held by technology companies.

Between January 2020 and the end of June 2023 Apple received more than 6,000 legal requests from British authorities under non-IPA laws seeking customer data related to specific Apple accounts. In only four of those cases did Apple provide any content, rather than metadata about those accounts.

According to the company's transparency data, it received between 0 and 499 requests relating to iCloud accounts under IPA warrants in the first half of 2023. Apple said it is required by law to report these requests in bands of 500, and that “under the US-UK Data Access Agreement … Apple is limited in its ability to disclose what information or data may be sought through these requests.”

Contrary to the initial version of this story, the lack of detail in those figures means they cannot be said to speak to the motivation behind the British government’s reported attempt to serve the company with a secret legal order that would force Apple to be technically capable of providing iCloud content upon receipt of a valid warrant.

The British government previously told a parliamentary committee that “significant operational benefits” had been derived from the US-UK Data Access Agreement.

In a ministerial statement in 2023, a government official said Britain had made “more than 10,000 requests” to U.S. companies since the agreement came into force, adding: “All of these requests have provided UK Law Enforcement and Intelligence Agencies with critical data to tackle the most serious crimes facing UK citizens including terrorism; child sexual exploitation; drug trafficking; and organised crime.”

Apple’s transparency reports suggest the company provides iCloud content data in other jurisdictions including the United States and Brazil. Over the same 2020-2023 period Apple was able to share content data in the U.S. in 22,306 cases in response to more than 51,811 requests — or more than 43% of the time. For most other countries there is a low level of response to requests for content data, as companies based in the U.S. are unable to share this material directly with foreign governments.

Department of Justice press releases and indictments show that this content data is used to prosecute terrorist offenders, January 6th insurrectionists, both foreign and domestic spies, drug traffickers, and sexual predators who target children.

Backdoor?

The British government’s legal demand, revealed by The Washington Post, is known as a Technical Capability Notice (TCN). It is not illegal to report on the existence of a TCN; however, the individual target of a notice is instructed not to disclose it and seemingly can face criminal proceedings if they do so, although there is some doubt about this interpretation of the law.

According to The Washington Post’s report, the TCN was issued after Apple introduced optional end-to-end encryption (E2EE) for iCloud users in December 2022, despite complaints from law enforcement agencies in both the UK and U.S. that such an action would undermine efforts to tackle serious crime.

The Washington Post describes the demand as creating a “back door allowing [British authorities] to retrieve all the content any Apple user worldwide has uploaded to the cloud,” although the British government does not describe TCNs the same way. The specifics of the TCN itself are not available.

In an essay on the topic published in Lawfare in 2018 — written by two of the most senior technical specialists at GCHQ, the UK’s cyber and signals intelligence agency — British officials argued for a “more informed debate” about the requirements for law enforcement and national security agencies to access encrypted material stored on the largest technology companies’ servers.

The essay draws a distinction between a lawful access regime and the other mechanisms governments might adopt to get hold of encrypted material — “just hack the target’s device and get what you want” — and warns the hacking approach “is completely at odds with the demands for governments to disclose all vulnerabilities they find to protect the population.”

Despite assertions in the article that the British government “strongly supports commodity encryption” — with the director of GCHQ publicly stating the agency has “no intention of undermining the security of the commodity services that billions of people depend upon” — critics of the government’s approach argue that it remains accurate to describe lawful access as a “back door.”

Robin Wilton, a senior director at the Internet Society Foundation, said there was “no safe way for Apple to break end-to-end encryption on its cloud services without weakening the privacy and security of all its users.” 

“Opening a backdoor for the UK government also opens a backdoor for cyber criminals intent on accessing our private information,” said Wilton.

In places, the Lawfare article suggests the TCN regime itself may be flawed by operating secretly. “Transparency is essential,” write the officials, noting “the details of any exceptional access solution may well become public and subject to expert scrutiny, which it should not fail.” 

“Given the unique and ubiquitous nature of these services and devices, we would not expect criminals to simply move if it becomes known that an exceptional access solution exists,” they wrote.

The idea of transparency had appeared to be one that the British government took on board with the Online Safety Act, which included an explicit provision allowing for British authorities to publicly require services providing end-to-end encrypted messaging to use “accredited technology” to identify particular kinds of content, particularly terrorism content and child sexual abuse material.

Apple did not respond to a request for comment. A spokesperson for the British government said: “We do not comment on operational matters, including for example confirming or denying the existence of any such notices.”

Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.