U.K. officials have ordered Apple Inc. to implement a backdoor in its iCloud file storage service, the Washington Post reported today.

The backdoor would enable the government to access Apple users’ encrypted files. If implemented, it would affect consumers in not only the U.K. but also all the other markets where iCloud is available. 

Under a 2016 piece of legislation called the Investigatory Powers Act, U.K. law enforcement agencies can order companies to help them collect evidence. Such orders are known as technical capability notices. It’s reportedly illegal for companies to disclose that they’ve received a technical capability notice.

Apple reportedly received a notice from the U.K. Home Office last month. The order is said to focus on Advanced Data Protection, or ADP, an encryption system that the company rolled out for iCloud in 202. ADP protects users’ backups and about dozen other types of files using end-to-end encryption.

By default, iCloud secures data using a feature that Apple calls standard data protection. The capability scrambles files with encryption keys stored in the company’s backend infrastructure. This means that it would be relatively simple for Apple to decrypt the data. 

When users enable ADP, iCloud switches to end-to-end encryption. The technology scrambles files using an encryption key that is stored on the user’s device rather than in Apple data centers. This means the iPhone maker has no way of decrypting the data. 

According to cybersecurity experts cited by the BBC, adding a backdoor to ADP would weaken its cybersecurity. That could make it easier for bad actors to compromise Apple users’ data. In the event a backdoor is implemented, it’s believed the iPhone maker wouldn’t be allowed to notify customers about the change. 

According to the Post, Apple can appeal the U.K. government’s technical capability notice to a secret panel. The panel would consider factors such as the cost of implementing the backdoor before issuing its decision. Additionally, a judge would have to weigh whether the technical capability notice “was in proportion to the government’s needs”.

Companies have to comply with technical capability notices while going through the appeal process. It’s believed Apple would rather make ADP unavailable in the U.K. than add a backdoor. Last year, the iPhone maker raised that possibility in a document submitted to the U.K. parliament ahead of a change to the Investigatory Powers Act. 

According to the Post, U.K. officials could in theory also ask other tech giants to implement a backdoor.

Google LLC rolled out a backup feature with end-to-end encryption to Android in 2018. A spokesperson for the search giant declined to state whether a government has asked it to add a backdoor but implied it hasn’t implemented one. Meta Platforms Inc., which provides end-to-end encryption for WhatsApp users, pointed to a transparency statement on its website in which it pledges not to implement backdoors. 

Photo: Pixabay