Director of National Intelligence Tulsi Gabbard suggests UK broke agreement in secretly asking Apple to build iCloud backdoor

According to a letter seen by 9to5Mac, the Trump Administration is investigating whether the UK may have broken a bilateral agreement when secretly demanding that Apple build a global backdoor into iCloud.

Trump’s Director of National Intelligence Tulsi Gabbard wrote in a letter responding to Senator Ron Wyden of Oregon and Representative Andy Biggs of Arizona that she was not made aware of the UK’s secret demand by her UK counterparts. However, she suggested, the UK government may have broken a bilateral privacy and surveillance agreement in making the demand.

For background, media reports claim that the British government made an undisclosed demand that Apple create a security backdoor that would allow authorities to access all encrypted customer data, not just local data on a specific iPhone. Per reporting, Apple could not reveal that such a security backdoor into iCloud was created.

Rather than quietly comply and risk customer data security globally, Apple announced that it removed the ability to create end-to-end encryption backups to iCloud for UK customers.

In her letter, Gabbard stated that such a security backdoor into iCloud would “be a clear and egregious violation of Americans’ privacy and civil liberties, despite the FBI basically calling for the same access at times.

I am aware of the press reporting that the UK Home Secretary served Apple with a secret order directing the company to create a “back door” capability in its iCloud encryption to facilitate UK government access to any Apple iCloud users’ uploaded data anywhere in the world. I share your grave concern about the serious implications of the United Kingdom, or any foreign country, requiring Apple or any company to create a “backdoor” that would allow access to Americans personal encrypted data. This would be a clear and egregious violation of Americans’ privacy and civil liberties, and open up a serious vulnerability for cyber exploitation by adversarial actors.

Gabbard goes on to say that a cross-agency effort is underway to understand the UK’s demand and what such a request of an American company could mean in terms of risks.

I have requested my counterparts at CIA, DIA, DHS, FBI and NSA to provide insights regarding the publicly reported actions, and will subsequently engage with UK government officials. The UK’s Investigatory Powers Act of 2016, also known as the Snoopers’ Charter, which I understand would be at issue, allows the UK to issue a “gag order,” which would prevent Apple or any company from voicing their concerns with myself, or the public. I have directed a senior Intelligence Community officer to work with ODNI’s Office of Civil Liberties, Privacy, and Transparency and ODNI’s Office of Partner Engagement, to outline the potential implications of the United Kingdom compelling an American company to create a “back door” that would allow the UK government to retrieve private user content.

The Director of National Intelligence specifically cites the CLOUD Act agreement between the US and UK, which the UK’s demands may have violated.

My lawyers are working to provide a legal opinion on the implications of the reported UK demands against Apple on the bilateral Cloud Act agreement. Upon initial review of the U.S. and U.K. bilateral CLOUD Act Agreement, the United Kingdom may not issue demands for data of U.S. citizens, nationals, or lawful permanent residents (“U.S. persons”), nor is it authorized to demand the data of persons located inside the United States. The same is true for the United States – it may not use the CLOUD Act agreement to demand data of any person located in the United Kingdom.

Any information sharing between a government—any government—and private companies must be done in a manner that respects and protects the U.S. law and the Constitutional rights of U.S. citizens. I look forward to ensuring the UK government has taken necessary actions to protect the privacy of American citizens, consistent with the CLOUD Act and other applicable laws, irrespective of any press reporting. My lawyers are working to provide a legal opinion on the implications of the reported UK demands against Apple on the bilateral Cloud Act agreement. 

So what happens next? The real signal of consequence is whether Advanced Data Protection returns to iPhone customers in the UK. Otherwise, this privacy spat may continue to only play out in press reports. You can read Tulsi Gabbard’s letter in full here.

What’s notable for now, however, is that the DNI is basically arguing Apple’s position against creating security backdoors for iPhone software in general: a backdoor for any purpose puts all customer data at risk of exposure.

It’s not impossible to imagine a scenario where Apple may very well need to put to the DNI’s thinking when arguing against backdoors at the request of another government agency.