The United Kingdom government's order to Apple to allow access to encrypted cloud data harms the privacy rights of users in the UK and worldwide, Amnesty International and Human Rights Watch said today.
The UK government order is an attempt to force Apple to provide access to encrypted user data, including device backups that can include contact lists, as well as location and messaging history, for any Apple user worldwide. The secret order, which the Washington Post reported was issued in January 2025 by the Home Office, the interior ministry, concerns Advanced Data Protection, an iPhone option that uses end-to-end encryption on data stored in the cloud, and means Apple has no access to user data stored on its servers. The UK government should drop the order.
"If these reports are true, this is an alarming overreach by the UK authorities seeking to access the private data of not only people in the UK, but anyone worldwide with an Apple account," said Zach Campbell, senior surveillance researcher at Human Rights Watch. "People rely on secure and confidential communications to exercise their rights. Access to device backups is access to your entire phone, and strong encryption to prevent this access should be the norm by default."
News reports said that the UK government ordered Apple to build a back door into its products under the Investigatory Powers Act, a 2016 surveillance law that includes provisions allowing the government to order companies to remove "electronic protection" of user data. The law also prohibits the recipients of these orders, in this case Apple, from acknowledging or commenting on them. The new UK order, according to the Washington Post, "requires blanket capability to view fully encrypted material" for Apple users worldwide, including users with no apparent connection to the UK.
Encryption is a crucial enabler of human rights online and offline. Human rights defenders, journalists, and everyone else rely on the security and privacy of their devices to protect them not only from unlawful government spying, but also from cybercrime and other attacks from non-state actors. Weakening encryption, or mandating back doors, leaves all users more vulnerable. Governments should support strong encryption, and companies should build it into their products and services by default.
In recent years there has been a steady drumbeat of revelations about government spying relying on surveillance tools like spyware and digital forensic tools but also taking advantage of overly permissive legal regimes that allow states to access huge troves of personal data from private companies.
These tools are often used in combination. Human Rights Watch and Amnesty International have both highlighted the steep human rights costs of such surveillance: state surveillance threatens the work of human rights defenders and journalists, puts marginalized groups including women and LGBT activists at particular risk, and creates a society widechilling effect, undermining the rights of everyone to express themselves and protest peacefully. These tools exploit weaknesses in device encryption and security, and their use is enabled by an under-regulated trade in spyware and other surveillance tools at a global scale, and by the unwillingness of states to regulate their own surveillance practices, too often leaning on "national security" as a blanket excuse for unfettered snooping.
In part due to such revelations, some companies, including Apple, have added new security features to help protect users, including those who may be at particular risk. These include Lockdown Mode, a feature that provides extra protection from spyware and targeted hacking to mobile devices, as well as Advanced Data Protection, the subject of the UK government's reported order. Any limits to these features would harm users worldwide and put journalists, human rights defenders, and other critical voices at increased risk.
The United Kingdom is a party to several international and regional treaties enshrining the right to privacy and data protection rights. The vital role of encryption as an enabler of privacy and human rights has been widely recognized including by United Nations bodies, the United Nations High Commissioner for Human Rights and human rights experts. The UN General Assembly and the Human Rights Council in several resolutions, have called upon states to refrain from interfering with encryption technologies. UN resolutions also encourage technology companies to secure and protect the confidentiality of digital communications and transactions, including measures for encryption, pseudonymization and anonymity.
A 2015 report by the United Nations special rapporteur on freedom of expression specifically urged governments to avoid all measures that weaken security for individuals online, such as mandated back doors. Requiring technology companies to build vulnerabilities into secured products unavoidably and disproportionately undermines the security for all users of that product.
The UK government's reported order requiring Apple to provide access to encrypted user data is disproportionate by design, as it would weaken data protections for all users, not just those suspected of a crime or under investigation. Compliance with the order by Apple would harm privacy rights of users worldwide.
Both Amnesty International and Human Rights Watch have been critical of the Investigatory Powers Act since its inception. In written evidence to the Joint Committee on the Draft Investigatory Powers Bill in 2016, Human Rights Watch recommended that the UK should refrain from undermining encryption and digital security. It specifically said that the legislation should be amended to ensure that authorities are prohibited from imposing obligations on internet service providers to weaken security measures or design their systems to incorporate measures for exceptional access into encryption by UK authorities.
"States have more, and more powerful legal and technical tools at their disposal, and research shows that they are using them to target people for protesting, speaking out, or even just because of who they are," said Joshua Franco, senior research adviser at Amnesty Tech. "Strong encryption is one of the few protections we have against such attacks, and states should be encouraging companies to provide greater protections of our data and our rights, not seeking back doors that will leave people around the world at risk."
