Apple taking British government to court over encryption backdoor

Appeals to Investigatory Powers Tribunal

Image:

Tribunal will have to weigh privacy against protections

The privacy row between the Home Office and Apple is escalating. The next step is tribunal.

Apple has reportedly lodged a ‘first of its kind’ appeal to the Investigatory Powers Tribunal (IPT), an independent judicial body which oversees legal complaints made against public authorities or intelligence agencies in the UK if they commit a potentially unlawful action.

The dispute began at the end of January when the Home Office ordered Apple, via a Technical Capability Notice (TCN) under the Investigatory Powers Act 2016 to create a backdoor into its encrypted cloud data, arguing that criminals were using this encryption to hide their illegal activity.

Last month, Apple responded by pulling its Advanced Data Protection (ADP) feature altogether in the UK, effectively killing end-to-end encryption for data backed up in iCloud. A spokesperson for Apple said:

“We have never built a backdoor or master key to any of our products or services and we never will.”

The Home Office has refused to either confirm or deny the existence of the notice to multiple media outlets despite its existence being widely reported, and the terms of the Investigatory Powers Act 2016 Apple cannot make any details public.

At the same time, the government appears to have quietly removed encryption advice from the National Cyber Security Centre (NCSC) website. Until recently, the NCSC recommended that high-risk individuals such as legal professionals, politicians and journalists use encrypted services to protect their communications and sensitive data. The relevant page named Apple’s ADP as one of the suggested tools.

However, security expert Alec Muffet spotted that the URL hosting the NCSC document now redirects to a different page that doesn’t mention encryption at all. Instead, it recommends that at-risk individuals use Lockdown Mode on Apple devices, along with other basic protections like prompt application if security updates and protecting physical access to devices.

The case is likely to reach the IPT in just a few weeks, and the first point of debate is going to be about whether the case can be argued openly or privately for reasons of national security.

It is also likely to be a test case for the Home Office’s wider war on encryption, with WhatsApp. Signal and Proton Mail all potential targets. The outcome will determine the extent of government powers under the Investigatory Powers Act 2016 to use these TCNs to give criminal investigators the power to order the decryption of encrypted data.

The government has argued that end-to-end encryption is being used to perpetuate child sexual exploitation and terror attacks. That is very likely true, but providers of encryption have counter argued that back doors, once opened can be used by anyone.

The problem is that they are both right. What this case will determine is not just the extent of governmental and law enforcement power but how the public feel about it.

The government does seem to be keen to allay fears that the state can access anyone’s data and messages on a whim. Last week, Security minister Dan Jarvis, in response to a question on the use of TCNs said that requests to access user data under the Act could only be made on an "exceptional basis, and only when it is necessary and proportionate to do so."

If the government succeeds in presenting this case as Big Tech protecting criminals sexually exploiting children, the chances are that public opinion will come down on the side of law enforcers, and that people will be happy to trade their right to privacy if it also stops criminals enjoying the same protection.