Core access: an analysis of the UK government’s demand to Apple 

What is the demand?

On 7 February 2025, it was reported that the UK government had demanded that Apple allow access to encrypted user data worldwide. Under current security policies, only the account holder can access the stored data in Apple’s cloud services, meaning the technology organisation itself cannot view it. The demand was reportedly served by the UK’s Home Office under the Investigatory Powers Act (IPA) of 2016, which can be used to compel organisations to provide information they hold to law enforcement. Though Apple declined to comment on the demand, it states on its website that “privacy is a fundamental human right” and describes it as “one of our core values”. As such, this demand likely goes against the organisation’s policies and implementation of security features on its devices. According to the Washington Post, the UK government’s demand requires blanket access rather than assistance to access a specific account. Whilst governments routinely request that technology companies provide user data, often to aid criminal investigations, this demand sets a new precedent in the cyber and technological landscape. The Home Office has stated that it “do[es] not comment on operational matters, including for example confirming or denying the existence of any such notices”.

The demand would apply to all content which is stored under Apple’s Advanced Data Protection (ADP), which uses end-to-end encryption where only the account holder can access the stored data. It is an opt-in service, meaning that not all users choose to activate ADP. This is because the data is encrypted so heavily that it cannot be recovered if users lose access to their accounts. As such, data is inherently more secure when using this option. This tool is separate to protections for blue messages sent using iMessage, Health app data, FaceTime, and passwords stored in the iCloud Keychain, which are end-to-end encrypted by default. It is believed that the UK government wants the option to access this data in incidents involving risks to national security.

However, rather than comply with the demand, Apple has instead removed the option for ADP in the UK. Consequently, UK-based Apple users are met with an error message when attempting to turn the feature on. Similarly, existing users will have to disable the feature themselves in the near future as Apple cannot disable ADP automatically. The UK government has argued that encryption allows criminals to hide their malicious activity more easily, though the demand has garnered widespread criticism. Under UK law, the Home Office’s notice to Apple cannot be made public. Whilst the number of Apple users who have ADP enabled in the UK cannot be verified, the demand has led to a widespread reduction of protection for these types of devices.

This report will explore the impact of the demand against the existing regulatory landscape and examine how it affects UK-based Apple users.

The regulatory landscape

Cyber Security and Resilience Bill

The Investigatory Powers Act of 2016 combines various existing powers to intercept and obtain communications. It is of note that Apple has previously criticised the UK government for updates it applied to this act in 2024. Specifically, this update made it lawful for the government to force technology companies based both in the UK and internationally to inform it of any planned improvements to encryption or other enhanced security or privacy measures. It also permits the government to halt these changes pending a review. This law was key in allowing the government to create its demand against Apple, though it is notable that it hinders the application of security updates to devices. As such, this demonstrates that the UK government has consistently enacted powers which allow it to bypass the often urgent need to address vulnerabilities or security measures from technology organisations.

This trend in behaviour creates tension with the forthcoming Cyber Security and Resilience Bill, which aims to improve the UK’s cyber defences and protect essential public services. Announced in July 2024, the bill recognises that the UK’s digital economy is increasingly under attack from threat actors who target critical infrastructure and public services. It highlights that UK law has not kept up to date with the changing landscape, thus setting out to address vulnerabilities and deliver growth. The bill sets out to expand the remit of existing regulations, put regulators in a stronger position, and increase reporting requirements to gain a clearer understanding of cyber threats in the UK. The bill may allow potential cost recovery mechanisms to be provided to regulators such that vulnerabilities can be proactively investigated. However, as the government has effectively asked Apple to give it a backdoor into the encryption process, this centralises the ability to gain access to UK-based user data. Because of this, a threat actor could theoretically compromise any access the UK government may gain, though this may be difficult to conduct. It is now more likely that threat actors will look to compromise the reduced levels of protection UK Apple users have, particularly as this bill is yet to be presented in parliament. If the government were to gain this backdoor, then attackers would have a centralised access point to exfiltrate UK users’ data. However, as the request has not been complied with, the disabling of ADP means that the option for the highest level of privacy is being prevented. Consequently, the demand goes against the remit of this bill and would actively allow for exploitation to occur.

Through this bill, the UK government will likely request that organisations adhere to and invest in stricter cybersecurity standards. This will likely mean that organisations will need to consider who they work and interact with in supply chains. However, this requirement appears too broad when considering the demand to Apple. Specifically, the split for iOS devices versus Android devices in the UK market is reportedly 52.28%. Because of the market majority, this means that Apple devices which are used in both personal and work environments could be impacted. As such, if the UK government were able to gain access, then a wider range of sensitive data could become compromised. The consequence of this is that the UK government is essentially superseding the protection of everyday users to satisfy its own intelligence needs. This appears to go against the aims of the bill to provide resilience against cyber threats when passed into law. Given the scope of Apple’s operations not only in the UK but also worldwide, this puts a larger pool of user data at risk due to decreased privacy protections.

The UK government has previously tried to tackle global organisations’ use of encryption through the 2023 end-to-end encryption and child safety bill. Though Apple is not mentioned, the bill uses the example of social media organisation Meta and its implementation of end-to-end encryption to state that existing controls to protect vulnerable groups are overridden. The bill specifically covers child safety and states that end-to-end encryption potentially poses a significant risk of enabling abuse. Similar to Apple, Meta is a global operation which has its headquarters in the United States. This is further evidence that the UK government has long sought to control the use of encryption via the operations of global organisations. It also highlights that the UK government inherently believes that encryption helps bad actors to conduct malicious activities across the digital landscape.

EU’s NIS2 directive

Whilst the UK looks to implement its Cyber Security and Resilience Bill, the EU is set to implement its NIS2 directive. This directive establishes a unified legal framework which upholds cybersecurity in 18 critical sectors across the EU. It also means that member states must define their national cybersecurity strategies and collaborate with the EU for cross-border enforcement. Risk management and reporting requirements will be introduced to ensure that entities from different sectors cooperate in information sharing and supervision. It mandates that each member state adopts a national cybersecurity strategy which includes policies for supply-chain security, vulnerability management, and cybersecurity awareness. Additionally, member states must also establish and regularly update a list of operators of essential services. The directive mostly applies to medium and large-sized businesses in sectors including infrastructure, banking and finance, food, and healthcare.

As can be seen by the description of the UK’s Cyber Security and Resilience Bill, the two are similar in terms of the goals set out. There is an emphasis on promoting cybersecurity strategies and ensuring the resilience of key sectors and services. However, when comparing the bill and the directive, the timing is interesting to note. Specifically, it emphasises how the UK government could be attempting to scapegoat its demand to Apple. Whilst the demand has received a large level of criticism, the UK government can say that it is actually bolstering the protection of users despite ADP being disabled. Subsequently, it can say that it is taking the necessary extra steps to protect its citizens by enacting these demands alongside developing new laws. However, it is likely that the EU directive is set to be more effective in comparison because the government is contradicting its own proposed legislation in favour of unprecedented access to data.

China’s quantum computing

Part of the criticism levied against the UK government is that its demand to Apple threatens the privacy of users both in the UK and worldwide. NGOs such as Amnesty International and Human Rights Watch have criticised the demand, highlighting previous reports of governments using spyware, digital forensic tools, and permissive laws to gain access to significant levels of personal data via private organisations.

Other countries have also been observed using and developing tools which counteract current encryption and privacy methods. For example, in March 2024, China stated that it is planning to develop further into emerging industries such as quantum computing. This refers to quantum computers which use qubits to perform certain kinds of computation tasks more efficiently than a regular computer can. It is based on the rules of quantum mechanics, harnessing effects which exist at the level of photons, electrons, and atoms. China’s development of quantum computing and communications has been described as potentially having the capability to undermine encryption standards and could accelerate data-driven surveillance. This poses a potential risk to cybersecurity standards and data security, with particular concerns related to China’s ability to store encrypted data in the present and use quantum computers in the future to decrypt it. Consequently, this could lead to an increase in state-sponsored attacks with the aim of data theft, particularly against critical sectors where sensitive personal information is held. It is likely that such attacks would be conducted to further the interests of the Chinese government.

Whilst the UK government’s demand does not involve the same complex technology, it does highlight how states can use permissive laws and advanced computers to promote state-sponsored causes. Given that developments in quantum computing mean that traditional encryption methods may come under threat, demands similar to the one against Apple increase the risk posed by this technology. If another nation were to make a similar rejected demand but had access to quantum computing, it would increase the likelihood that organisations like Apple would be targeted. It causes an increased risk of exposure which leaves both organisations and individuals vulnerable to an emerging threat, meaning that further legislation would be needed to protect cybersecurity strategies and user privacy.

Responses to the demand

The UK government’s demand has created tension between the country and the US. Two US politicians, Democrat senator Ron Wyden and Republican Congressman Andy Biggs, have responded negatively to the demand. Both politicians wrote to the US’ National Intelligence Director, Tulsi Gabbard, to state that the UK government’s demand threatens the security and privacy of the US. Within the letter, the politicians said that whilst the UK is a trusted ally of the country, the US must not permit “what is effectively a foreign cyberattack waged through political means”. This demonstrates the risk to US users’ privacy rights and how the demand could escalate to allow US adversaries to conduct espionage using the backdoor. Additionally, Tulsi Gabbard said that she was seeking further information from the FBI and other agencies about the UK government’s demand. Two US lawmakers have also requested that the Department of Justice reviews the UK government’s demand and the implication for US-based Apple users. It is apparent that US politicians see the UK government’s demand as undermining the effectiveness of its information security, laws, and public policies due to organisations based in the country being compelled to weaken encryption.

This will likely remain a prevalent issue within the US government, particularly as Vice President JD Vance has already expressed concern about regulations being imposed on the country’s technology sector from other nations. At the beginning of February 2025, Vance stated that “the Trump administration is troubled by reports that some foreign governments are considering tightening the screws on US tech companies with international footprints”. This came as part of Vance’s speech at the AI summit in Paris, where both the US and UK refused to sign an international AI declaration. Additionally, government advisor Elon Musk used X (formerly Twitter) to express concern with the demand. Figures 1 and 2 below show that Musk has reposted content related to the UK government’s demand. It is of note that Musk reposted UK MP Rupert Lowe’s post on the matter, likely in an attempt to show that UK parliamentary members are not unified in the decision.

Figure 1 – Elon Musk reposts Reform MP Rupert Lowe’s post.
Figure 2 – Elon Musk quotes a post regarding the demand.

The full post which Musk quoted in Figure 2 reads:

BREAKING: The UK Just Ordered Apple to Kill Encryption for 2 Billion People—And They Can’t Even Talk About It.

 A global privacy nightmare is unfolding. The UK government secretly ordered Apple to backdoor encrypted iCloud storage worldwide—but Apple is legally forbidden from revealing this order, or they face criminal charges. 

This affects 2 BILLION USERS.

Musk’s comments reflect an ongoing trend where the senior advisor to Trump has criticised the UK government and specifically the prime minister, Keir Starmer. Subsequently, there is a significant likelihood that Musk and other US politicians will continue to publicly criticise the demand.

It has been reported that during Starmer’s visit to the US in February 2025, President Donald Trump told the prime minister that the UK “can’t do this” in reference to the demand. Trump also likened the demand to something “you hear about with China”, which is likely a reference to China’s documented lack of privacy for its citizens and enforcement of censorship. The president’s comment emphasises how the UK is being positioned next to countries which use stringent surveillance policies to further their own goals. This further links back to the speech given by Vance at the AI summit, meaning that the US could take additional steps to protect its technology sector from foreign interference.

However, both current and former UK politicians have defended the demand. Figure 3 highlights how former Secretary for Defence, Ben Wallace, has stated that the US has its own laws to force platforms to hand over user data. Wallace’s post was community noted on X, which demonstrates that encryption is used to secure data across various sectors including finance and government.

Figure 3 – Ben Wallace’s post.

Despite resigning from office in July 2023, Wallace was part of the Conservative government cabinet which worked towards implementing the end-to-end encryption and child safety bill. As such, his support of this demand likely stems from the fact that its goals align with the aims of this established bill. Additionally, this highlights the ideology of MPs who appear to only raise the negatives which come with encryption. It appears that there is a narrow view of encryption within the UK government, likely because the benefits of using it merge into the background of everyday online activity. 

Concluding remarks

The demand against Apple demonstrates the contrast between government officials who state that encryption makes it harder to track criminals and the stance of technology organisations who emphasise the need for data privacy. Despite ADP only being introduced to UK Apple customers in December 2022, the demand has led to the weakening of online security and privacy for users in the country. Consequently, if the demand were ever to be enacted, threat actors would highly likely exploit the backdoor for malicious purposes. Additionally, if the UK government were ever to gain access, cybercriminals who use Apple devices would likely pivot to using other software and platforms to conduct malicious activity. Ultimately, this means the burden of this decision is placed on citizens who use Apple devices in their everyday lives. This is evidenced by other incidents, such as when the CEO of Telegram, Pavel Durov, was arrested in Paris in relation to criminal activity on the platform. Threat actors discussed moving their malicious activity to other platforms after Telegram stated it would hand over the IP addresses and phone numbers of users who violated its rules to law enforcement.

More widely, compelling private organisations to undermine encryption and security features places specific groups of individuals at risk from both state-sponsored and opportunistic attacks. For example, high-profile individuals such as journalists and politicians could be increasingly targeted if demands such as the one discussed are enacted. It also highlights the issue of user privacy and government surveillance, potentially influencing other nations to create similar demands. Moreover, it could lead to a wider compromise of security. This is because organisations may choose to limit security features in countries which have restrictive laws or demands. Consequently, both the demand and Apple’s disabling of ADP for UK users increase the risk of unauthorised access and diminish the security of the wider operating system. As such, increased opportunities for data misuse will likely be observed.

Moreover, Apple is reportedly taking legal action to overturn the UK government’s demand. The technology company has appealed to the Investigatory Powers Tribunal, which is an independent court that investigates claims against the Security Service. Whilst the tribunal case may be heard in the near future, it may not be made public. This demonstrates that ultimately, the demand is viewed as disproportionate by the technology company. It is likely that this view will be echoed in the wider technology sector, both based in the US and internationally. Depending on the outcome of the case, this could set the precedent as to whether more governments will attempt to compel such access or whether global technology organisations can legally stop foreign nations from interfering with encryption and data privacy processes.
