Apple has provided the content of its users’ iCloud accounts in response to legal requests made by British authorities less than 0.06% of the time since 2020.

Between January 2020 and the end of June 2023 Apple received more than 6,000 legal requests from British authorities seeking customer data related to specific Apple accounts. In only four of those cases did Apple provide any content. More recent data is unavailable.

The figures, published in Apple’s own biannual transparency reports, suggest a potential motivation behind the British government’s reported attempt to serve the company with a special and secret legal order that would force Apple to be technically capable of providing iCloud content upon receipt of a valid warrant.

Read more: UK reportedly demands secret ‘back door’ to Apple users’ iCloud accounts

The company’s reports suggest Apple maintains this capability in other jurisdictions, however. Over the same period in the U.S., Apple provided content data in 22,306 cases in response to more than 51,811 requests — or more than 43% of the time.

Department of Justice press releases and indictments show that this content data is used to prosecute terrorist offenders, January 6th insurrectionists, both foreign and domestic spies, drug traffickers, and sexual predators who target children.

Legal differences could also explain the discrepancy between the British and U.S. figures, as requests for content data are subject to more stringent legal checks in the UK than requests for metadata — meaning the requesting authorities could rely more regularly on one type of request than another. Apple’s transparency report does not indicate what type of data was initially requested.

Backdoor?

The British government’s legal demand, revealed by The Washington Post, is known as a Technical Capability Notice (TCN).  It is not illegal to report on the existence of a TCN, however the individual target of a notice is instructed not to disclose it and can face criminal proceedings if they do so.

According to the report, it was issued after Apple introduced optional end-to-end encryption (E2EE) for iCloud users in December 2022, despite complaints from law enforcement agencies in both the UK and U.S.that such an action would undermine efforts to tackle serious crime.

The Washington Post’s report describes the demand as creating a “back door allowing [British authorities] to retrieve all the content any Apple user worldwide has uploaded to the cloud,” although the British government does not describe TCNs the same way. The specifics of the TCN itself are not available.

In an essay on the topic published in Lawfare in 2018 — written by two of the most senior technical specialists at GCHQ, the UK’s cyber and signals intelligence agency — the officials argued for a “more informed debate” about the requirements for law enforcement and national security agencies to access encrypted material stored on the largest technology companies’ servers.

The essay draws a distinction between a lawful access regime and the other mechanisms governments might adopt to get hold of encrypted material — “just hack the target’s device and get what you want” — and warns the hacking approach “is completely at odds with the demands for governments to disclose all vulnerabilities they find to protect the population.”

Despite assertions in the article that the British government “strongly supports commodity encryption” — with the director of GCHQ publicly stating the agency has “no intention of undermining the security of the commodity services that billions of people depend upon” — critics of the government’s approach argue that it remains accurate to describe lawful access as a “back door.”

Robin Wilton, a senior director at the Internet Society Foundation, said there was “no safe way for Apple to break end-to-end encryption on its cloud services without weakening the privacy and security of all its users.” 

“Opening a backdoor for the UK government also opens a backdoor for cyber criminals intent on accessing our private information,” said Wilton.

In places, the Lawfare article suggests the TCN regime itself may be flawed by operating secretly. “Transparency is essential,” write the officials, noting “the details of any exceptional access solution may well become public and subject to expert scrutiny, which it should not fail.” 

“Given the unique and ubiquitous nature of these services and devices, we would not expect criminals to simply move if it becomes known that an exceptional access solution exists,” they wrote.

The idea of transparency had appeared to be one that the British government took onboard with the Online Safety Act, which included an explicit provision allowing for British authorities to publicly require services providing end-to-end encrypted messaging to use “accredited technology” to identify particular kinds of content, particularly terrorism content and child sexual abuse material.

Neither Apple nor the British government immediately responded to a request for comment.