Order attempts to force Apple to provide security authorities access to encrypted user data

Move would put anyone critical of the authorities at increased risk

‘Governments should be encouraging companies to provide greater protections of our data and our rights, not seeking back doors that will leave people around the world at risk’ - Joshua Franco

‘If these reports are true, this is an alarming overreach by the UK authorities seeking to access private data’ - Zach Campbell

The UK government’s order to Apple to allow security authorities access to encrypted cloud data severely harms the privacy rights of users in the UK and worldwide, Amnesty International and Human Rights Watch said today. 

The secret order, reported in The Washington Post last week, was issued in January by the Home Office. It concerns Advanced Data Protection, an iPhone function that uses end-to-end encryption on data stored in the cloud, ensuring that only the user of the account can access the data stored and attempts to force Apple to provide security authorities access to it, including device backups that can include contact lists, as well as location and messaging history, for any Apple user worldwide.

The order is disproportionate by design, as it would weaken data protections for all users, not just those suspected of a crime or under investigation. Compliance would harm privacy rights of users worldwide. 

News reports said that the Government ordered Apple to build a back door into its products under the Investigatory Powers Act, a 2016 surveillance law that includes provisions allowing the Government to order companies to remove “electronic protection” of user data. The law also prohibits the recipients of these orders, in this case Apple, from acknowledging or commenting on them and reportedly "requires blanket capability to view fully encrypted material” for Apple users worldwide, including users with no apparent connection to the UK. 

Privacy vital to protecting people’s rights

Encryption is a crucial enabler of human rights online and offline. Human rights defenders, journalists, and everyone else rely on the security and privacy of their devices to protect them not only from unlawful government spying, but also from cybercrime and other attacks from non-state actors. Weakening encryption, or mandating back doors, leaves all users more vulnerable.

Governments should support strong encryption, and companies should build it into their products and services by default. 

In recent years there have been a stream of revelations about government spying relying on surveillance tools eg spyware and digital forensic tools but also taking advantage of overly permissive legal regimes that allow states to access huge troves of personal data from private companies. 

State surveillance threatens the work of human rights defenders and journalists, puts marginalised groups including women and LGBT activists at particular risk, and creates a society-wide chilling effect, undermining the rights of everyone to express themselves and protest peacefully.

These tools exploit weaknesses in device encryption and security, and their use is enabled by an under-regulated trade in spyware and other surveillance tools at a global scale, and by the unwillingness of states to regulate their own surveillance practices, too often leaning on “national security” as a blanket excuse  for unfettered snooping. 

Efforts to protect people’s data

In part due to such revelations, some companies, including Apple, have added new security features to help protect users, including those who may be at particular risk. These include Lockdown Mode, a feature that provides extra protection from spyware and targeted hacking to mobile devices, as well as Advanced Data Protection, the subject of the UK government’s reported order.  

The UK is a party to several international and regional treaties enshrining the right to privacy and data protection rights. The vital role of encryption as an enabler of privacy and human rights has been widely recognised including by UN bodies, the UN High Commissioner for Human Rights and human rights experts.

The UN General Assembly and the Human Rights Council, in several resolutions, have called on governments to refrain from interfering with encryption technologies. UN resolutions also encourage technology companies to secure and protect the confidentiality of digital communications and transactions, including measures for encryption, pseudonymisation and anonymity. 

Both Amnesty and Human Rights Watch have been critical of the Investigatory Powers Act since its inception. In written evidence to the Joint Committee on the Draft Investigatory Powers Bill in 2016, Human Rights Watch recommended that the UK should refrain from undermining encryption and digital security. It specifically said that the legislation should be amended to ensure that authorities are prohibited from imposing obligations on internet service providers to weaken security measures or design their systems to incorporate measures for exceptional access into encryption by UK authorities. 

Joshua Franco, Amnesty Tech’s senior research adviser, said:

“Governments have more and more powerful legal and technical tools at their disposal, and research shows that they are using them to target people for protesting, speaking out, or even just because of what they represent.

“Strong encryption is one of the few protections we have against such attacks, and states should be encouraging companies to provide greater protections of our data and our rights, not seeking back doors that will leave people around the world at risk.” 

Zach Campbell, Human Rights Watch’s senior surveillance researcher, said:

“If these reports are true, this is an alarming overreach by the UK authorities seeking to access the private data of not only people in the UK, but anyone worldwide with an Apple account.

“People rely on secure and confidential communications to exercise their rights. Access to device backups is access to your entire phone, and strong encryption to prevent this access should be the norm by default.”