Cloud control

The UK government’s latest move against encryption is a brazen overreach that imperils digital privacy and security. In January, it secretly ordered Apple to build a backdoor granting authorities access to all iCloud content. This directive, issued under the 2016 Investigatory Powers Act — popularly known as the Snooper’s Charter — was first revealed in a bombshell Washington Post report. Unlike previous orders targeting specific accounts, this sweeping mandate demands blanket capability to view encrypted material and has no comparable precedent in any major democracy.

On February 21, Apple responded by withdrawing its highest level of cloud data security — Advanced Data Protection (ADP) for iCloud — from UK users, refusing to compromise its encryption model. This marked the first time Apple had taken such action in any market.

The consequences for UK citizens are dire. Without ADP, their data is far more vulnerable to cyberattacks, mass surveillance, and unauthorised access. More broadly, the UK government’s stance reflects an escalating pattern of authoritarian overreach, emblematic of its growing disregard for fundamental rights and freedoms.

Some, like former Defence Secretary Ben Wallace, have dismissed the backlash to Apple’s decision as “alarmist nonsense.” In a post on X, Wallace argued that governments have long had the ability to access certain data and that a backdoor for a democratically elected government with judicial oversight wouldn’t put ordinary citizens at risk.

However, Wallace’s comments betray a fundamental misunderstanding of how ADP and similar end-to-end encryption systems work. In such systems, only the user holds the key. Apple cannot comply with a judicial order to unlock encrypted content any more than it can repeal gravity. A backdoor wouldn’t be a magic tool reserved for “good guys” in government; it would break end-to-end encryption, creating an open door for everyone.

Even the US government, historically hostile to end-to-end encryption, has begun to accept its necessity

Encryption is, at its core, mathematics. It relies on operations that are easy to perform but incredibly difficult to reverse. A common example is multiplying two large prime numbers. While multiplication is straightforward, factoring the result — unless one already knows the original numbers — is exponentially harder. Encryption implements this mathematical principle: the easy operation encrypts the data, but the only way to decrypt it is with the private key, which is held by the user alone.

History shows that security flaws in computer code, once introduced, are inevitably exploited. A 2015 paper by renowned security experts demonstrated that replacing end-to-end encryption with a system enabling a “master key” or exceptional access would create a single point of failure and several systemic vulnerabilities, weakening security for everyone. The 2017 WannaCry ransomware attack — a global crisis disrupting hospitals, businesses, and governments — was triggered by an exploit originally developed by the NSA, demonstrating how government backdoors can be weaponised by bad actors. In 2021, Apple wisely abandoned plans for on-device scanning for child sexual abuse imagery after 14 leading computer scientists published a damning critique, warning it would pose serious security risks with little law enforcement benefit.

The landmark 1996 US case Bernstein v. Department of Justice recognised computer code as speech, ruling that export control laws on encryption violated First Amendment rights. Judge Marilyn Hall Patel wrote:

This court can find no meaningful difference between computer language, particularly high-level languages as defined above, and German or French … Like music and mathematical equations, computer language is just that, language, and it communicates information either to a computer or to those who can read it.

This ruling underscores a fundamental reality: encryption, as a form of speech, cannot be effectively banned. Its mathematical foundations are widely known and easily implemented, ensuring alternative solutions will always exist.

Even the US government, historically hostile to end-to-end encryption, has begun to accept its necessity. Following a wave of cyberattacks on telecommunications companies, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued reports in December 2024 urging the public to use end-to-end encryption to protect against digital threats.

The UK government’s attempt to weaken encryption, by contrast, appears especially misguided. As more of our most private and sensitive data — from financial records to personal messages — is stored in the cloud, strong encryption is essential to keeping it secure. Weakening these protections will leave citizens more vulnerable to hacking, data breaches, blackmail, identity theft, financial fraud, phishing scams, and other forms of cybercrime. It will also provide hostile states with a powerful tool for espionage and destabilisation. But beyond these tangible threats, undermining encryption erodes privacy itself — the ability to have unrecorded, unmonitored thoughts — which is fundamental to self-determination, human dignity, and democracy. Weakening privacy rights for some ultimately threatens freedom for all. 

As whistleblower Edward Snowden wrote in Permanent Record:

Because a citizenry’s freedoms are interdependent, to surrender your own privacy is really to surrender everyone’s … Ultimately, saying that you don’t care about privacy because you have nothing to hide is no different from saying you don’t care about freedom of speech because you have nothing to say.

Ironically, the UK’s policy will not even achieve its intended goal of aiding law enforcement. Tech-savvy users — as well as those engaged in activities the government wants to monitor — will simply migrate to alternative platforms with strong encryption. Secure storage solutions like SpiderOak and Tresorit, communication tools like Signal, and open-source alternatives will continue to provide end-to-end encryption beyond the UK government’s reach. 

Meanwhile, ordinary users, less aware of these alternatives, will bear the brunt of weakened online security. The result is a policy that is both ineffective and harmful, leaving citizens more exposed while failing to curb illicit activities.

What we are witnessing is not a measured approach to public safety but a reckless and outdated response from a government that does not understand the digital age. It sets a dangerous precedent, paving the way for broader crackdowns on encryption worldwide. Rather than undermining the foundations of digital security, governments should pursue smarter, rights-respecting approaches to law enforcement. Weakening privacy does not protect people — it puts everyone at greater risk.