Apple Removes Advanced Data Protection Tool from UK

The Government says that if data is inaccessible to both the organisation hosting it and law enforcement agencies, the technology could be used to store and disseminate unlawful content and could allow that content to be used for criminal activity.

There have been ongoing concerns about big tech companies not preventing their systems and services from facilitating criminal activity and unlawful content.  Their stance has often been to distance themselves from liability for how their users use their services.  With Apple not being able to access data held on its own systems, it provides a useful means of absolving itself of any responsibility for content these systems hold, and removes any possibility that it could monitor user data for inappropriate content.

Obtaining data, especially from mobile devices, has been instrumental in addressing crime and combating terrorism, and law enforcement agencies are eager to retain this valuable tool.

A report was issued by the Information Commissioner’s Office (ICO) in June 2020, which detailed the results of its investigation into the extraction of data from mobile devices by law enforcement agencies.  The regulator had long felt that law enforcement practice at the time tended to extract all data from a device, and that this practice was unlawful because it was not necessary and proportionate to extract all data when the investigators only needed some of it.  The ICO investigation covered compliance with data protection legislation, but also compliance with the Police and Criminal Evidence Act 1984 and the Criminal Justice and Police Act 2001.  It concluded that the prevailing practices might result in an erosion of public confidence and of the willing cooperation of the public in securing the observance of laws.  The report was useful because it set out all the issues in one place for the first time.

‍

‍

The College of Policing ran a consultation from December 2020 to January 2021, and, in May 2021, subsequently issued updated guidance to police forces on obtaining data from digital devices in what is known as an Authorised Professional Practice (APP).  This attempted to balance the right of privacy against the right of individuals to a fair trial.  It also ensured that police practice complies with Part 3 of the Data Protection Act 2018, which covers the processing of personal data for law enforcement purposes.

In August 2022, the Government published a factsheet on the extraction of information under the Police, Crime Sentencing and Courts Act, 2022.  This sets out the police powers that limit requests for data to those which are necessary and proportionate.  Police must also state what data is needed, why it is needed and how it will be used.  Consequently, the legislation and guidance that applies to law enforcement authorities in the UK means requests for user information from providers like Apple cannot be used for blanket surveillance, but must instead be targeted, necessary and proportionate.

Apple has previously said it would never build its systems to allow access via a ‘back door’, even to government or law enforcement authorities.  There are additional concerns that an access route could be used by those with criminal intent to unlawfully gain access to user data, and that it might also pose a security risk to whistleblowers and journalists.

Apple and privacy pressure groups have said that the Government’s move undermines the fundamental human right of privacy.

Big Brother Watch said: ‘We urge the UK government to immediately rescind this draconian order and cease attempts to employ mass surveillance in lieu of the targeted powers already at their disposal’.

TCNs under Section 253 of the Investigatory Powers Act have been on the statute book since late 2016 and sparking intense debate even before becoming law. This controversy has been simmering for quite some time. However, Apple only introduced ADP in 2023, so this is the first time it has received such a Notice from the UK government.  As stated, both sides are severely limited in what they can say about the specific TCN that prompted Apple’s decision.  

Similar legislation exists in other countries including within the EU, such as France, Germany and Italy, so this debate could take place (involving Apple or other providers of E2E encryption services) elsewhere before long.

Equally, Apple is not the only E2E encryption provider in the UK that is subject to the Investigatory Powers Act. Another tech company, Signal, has recently said that if its own encryption offering were threatened with compromise by the UK government it would go further than Apple and not just remove a feature from the UK market, but leave it altogether (or ‘100% walk’, as Signal put it).   And what of possibly the most well-known and widely-used E2E message encryption service of them all, Meta’s WhatsApp?  Popular with UK politicians of all varieties, including (in)famously Boris Johnson and Michael Gove, who knows what controversy might erupt if WhatsApp/Meta were to be served with a TCN?

The balance of argument between privacy, freedom of speech and law enforcement continues.

Apple can appeal against the Government's TCN but, according to the legislation, cannot delay implementing the ruling during the process, even if it is eventually overturned.  Although the results of the appeal process are not made public, this is likely to not be the final chapter of the story.