Our challenge against UK's secret TCN powers

On 13 March 2025, we filed a complaint against the UK government challenging their use of dangerous, disproportionate and intrusive surveillance powers to undermine the privacy and security of people all over the world. Here, we answer some key questions about the case and the recent events that led to this development.

Note: This post was last updated on 13 March 2025.

What’s the fuss about?

A month ago, it was reported that the UK government demanded Apple Inc – maker of the iPhone, iPads, Macs and home computing devices – provide access to encrypted data in Apple’s cloud storage service, iCloud. This purported order threatens the privacy and security of users all over the world as it allegedly is global in scope. Apple responded by withdrawing its Advanced Data Protection (ADP) for UK users. Then Apple reportedly took the UK Government to the Investigatory Powers Tribunal (IPT), a body tasked with reviewing certain surveillance measures.

On 13 March 2025, Privacy International, alongside Liberty and two individuals, filed their own case with the IPT, challenging the purported Technical Capability Notice (TCN) served on Apple.

What are ‘Technical Capability Notices’?

Technical Capability Notices - TCNs – are secret orders that could compel any company in any jurisdiction, so long as they have sufficient connection to the UK, to make changes to their service to facilitate the UK's use of its investigatory powers. These changes could reduce the service's security, including by removing electronic protection (such as encryption).

TCNs are part of the Investigatory Powers Act 2016 (IPA). TCNs (and other similar notices) are not made public, and recipients of them are not allowed to release information about them. As such, the only information available about the purported Apple TCN is that which has been leaked to the press.

TCNs have been the focus of our attention for a while - ironic, given everything regarding TCNs is secretive, and disclosing the details of a TCN by its recipient is illegal. TCNs represent a dangerous, disproportionate and intrusive surveillance power.

What is end-to-end encryption (E2EE) and why is so important for our privacy and security?

E2EE is a form of encryption that is even more protective of privacy than regular encryption. It ensures that only the “ends” of the communication, such as the person who sends an encrypted message and the intended recipient(s), can decrypt and read the message. When it comes to services like iCloud, it relates to who “holds” the encryption key, be that Apple or the customer. When only the customer holds the key, Apple cannot decrypt the data stored in iCloud.

As more of people’s lives are lived in the digital realm, communication security tools, such as E2EE, are increasingly important to the protection of human rights, including the right to privacy. E2EE gives us access to safe and private spaces for personal development where we can stored our information and communicate without interference. It protects us from criminals. It protects us from unnecessary and disproportionate surveillance. And it gives us control over access to our sensitive data.

How does this relate to Apple?

On 7 February 2025, the Washington Post reported that the UK Government had issued Apple with an order to maintain the capability to provide access to any data stored on its iCloud system by Apple users anywhere in the world. Notably, that would include data stored using Apple’s Advanced Data Protection (ADP) – find more on ADP below.

On 24 February 2025, Apple announced that they would withdraw the availability of ADP for new users in the UK (those already using ADP were given “a period of time to disable the feature themselves to keep using their iCloud account”). ADP remained available to users everywhere else in the world. Apple previously stated that they would sooner withdraw services from the UK market than comply with orders to reduce their security and privacy for their users.

Soon thereafter, the Financial Times reported that Apple would be seeking to challenge the notice, suggesting the withdrawal of ADP services from the UK may not have been sufficient to satisfy it. One reason why that withdrawal may not have been sufficient is that the order reportedly seeks the ability to access data stored by users based anywhere in the world. The scope of this intrusion into people’s private lives and consequent undermining of data security is unprecedented.

What is Apple ADP?

Apple’s Advanced Data Protection (ADP) uses E2EE to provide stronger protection to user data stored on iCloud. Data stored using ADP cannot be accessed by Apple because decrypting it requires a key that is stored only on the user’s trusted devices. Some types of data on Apple’s services (eg. passwords and health data) are already protected by E2EE by default, but users have to opt-in to ADP to have it applied to all data they store on iCloud.

What does the TCN to Apple say?

We don’t know for sure because the text of it is secret. The UK Government have not responded to requests to publish it (including by Members of the UK Parliament), and Apple are legally prevented from doing so. Nevertheless, our understanding, based on what has been publicly reported so far, is that the UK Government is requiring Apple to, at least, be able to provide access to encrypted data stored on iCloud and from users inside and outside the UK.

Seriously? Can they do that? What is the problem with TCNs?

In 2016, the UK passed the Investigatory Powers Act (IPA), one of the most intrusive surveillance laws in the world. The IPA allows spy agencies, like the MI5 and MI6, to carry out mass surveillance. It also introduces the TCNs described above.

Extreme surveillance powers -including TCNs- need to be subject to very strict safeguards. International laws like the European Convention on Human Rights (ECHR) prohibit the UK from messing with our rights to privacy and freedom of expression, unless the government has legitimate reasons to do so and any measures they adopt for that purpose satisfy fundamental principles like legality, necessity and proportionality.

This is likely not the case here. TCNs that demand companies indiscriminately undermine the security and data of billions of people (not just those in the UK but everyone in the entire world) can never be necessary or proportionate. Russia attempted to do this when it imposed similar decryption orders upon Telegram. Last year, the European Court of Human Rights, the international body which hears ECHR complaints against governments, found that the Russian measures were so disproportionate that they impaired the very essence of the right to privacy.

So why have Apple turned off ADP and only in the UK?

As recently as 2024 Apple made clear to the UK Parliament that it would “never build a backdoor into its products” and that TCNs could have the result of forcing companies like Apple “to publicly withdraw critical security features from the UK market, depriving UK users of these protections.” That seems to be exactly what’s happened now. A reasonable presumption could be that Apple doesn't want to undermine the effectiveness of ADP and so its only option is to stop offering it in the UK.

We haven’t seen the substance of the TCN, but, assuming it exists, Apple may have hoped that switching off ADP for UK users would be enough to get the UK to back down on the TCN. Turns out that may not have been enough though, as Apple has now reportedly gone to the IPT to challenge the notice. The purported IPT challenge may be because the notice reportedly sought global access to ADP, not just access in the UK. If that is true, the UK Government seem to think that they should be able to dictate what Apple do anywhere in the world. Just in case they want to snoop on the data of anyone, anywhere, anytime.

How does this affect me?

• If you are an iCloud user in the UK and you want to turn on the ADP feature: Bad news! Apple says they will no longer offer ADP for new users.
• If you are an iCloud user in the UK and you already had the ADP feature turned on before February 19, Apple will likely ask you to disable it soon or risk losing access to your iCloud account.
• If you are an iCloud user outside the UK: You can keep using the ADP feature or turn it on, if you hadn’t done so already. Apple have expressed no intention to remove ADP for non-UK based customers.
• If you are a human rights defender, activist, journalist or member of a vulnerable group that relies on the ADP feature to protect themselves from oppressive regimes: Apple continues to claim that they will never build a backdoor into their systems.

But the threat is bigger!

While the UK Government seems to have come for Apple today, tomorrow it may be any other big tech companies, such as Google and Microsoft, and the day after it could be Signal, your VPN Provider, Proton and others. This kind of sweeping measure has a chilling effect on the eco-system. Developers worry that the data they send to iCloud isn’t secure, potentially pushing data to less safe locations. And do keep in mind, just because you aren’t an iCloud user doesn’t mean that what is shared with you is not on iCloud.

What action did we take?

Privacy International, alongside Liberty and two individuals, have made two applications to the IPT. Our first application concerns Apple’s upcoming hearing challenging the TCN at the IPT. We have invited the tribunal to make this hearing public, in the interests of open justice. Our second application is a substantive complaint against the UK Government’s issuing of the TCN, as a disproportionate and unlawful use of the powers under the IPA.

What are the key issues arising from the ongoing procedures?

Under the IPA, the recipients of a TCN are prohibited from disclosing its details or existence without the permission of the Secretary of State. This can lead to a situation where the privacy and security measures (like ADP) of digital services providers are compromised without the users of those services being aware.

This issue is further exacerbated as the IPT, a tribunal which was established to keep such powers in check, may conduct its scrutiny in secret, restricting the public’s ability to raise legal objections. We believe that when surveillance powers are exercised with widespread and potentially damaging consequences, there is a strong public interest in the exercise of these powers and the judicial body’s decision-making around them being public.

Finally, the manner in which the UK Government has purportedly exercised this TCN is a key concern. Targeting a major tech company and seeking to undermine privacy and security measures in a way that potentially affects millions of users is a disproportionate use of the surveillance powers granted under the IPA, and a violation of the human rights of those affected.

What do you mean the hearings are secret?

Since 2003, the IPT has operated on the basis that its hearings should be open to the public where possible. That makes sense for a democratic society that respects the principle of open justice. However, the Tribunal has retained the power to decide to hold hearings in secret. While it might sometimes be reasonable for certain parts of hearings to be held behind closed doors (for example to protect someone’s identity or if matters of national security are being discussed), that can hardly apply to the entirety of these proceedings! The details have already been reported on around the world. The Government’s position on ongoing secrecy isn’t yet known; but the current arrangements are likely to have come about at its request. If that is right, it appears the Government is trying to turn back time.

What comes next?

The lack of transparency on something that impacts the safety, security and privacy of users not just in the UK but potentially worldwide is alarming. We need to act now to challenge such disproportionate secretive powers. We are requesting that if our complaint is taken forward, it be done with full transparency in an open court. 
Beyond the intricacies of the Apple situation, we hope our complaint shines a light on a secretive and dangerous surveillance measure that shouldn’t exist in a democratic society.

We are now awaiting the decisions of the IPT in relation to Apple’s hearing and our own submissions. We will continue to challenge the UK Government’s exercise of this power and invite you to voice your concerns if you feel the same.

Nice. How can I help?

To keep up to date on the case and all our work, you can sign up to our mailing list - don’t worry, you can choose the topics you are most interested in… and we take proper care of your data!

As we are a charity with limited funds, any support you can give us through a donation would be most appreciated. For context, the last time we went to the IPT, it took us 8 years of work. We want to see these cases reach the finish line, and we need funding to achieve that.

To reiterate however, to really ensure that we don’t sleepwalk into a world of ubiquitous state and corporate surveillance, it is essential that people put pressure on governments and corporations - so if there’s one thing you can do, it’s make your voice heard!