In the Age of State-Sponsored Cybercrime, Encryption Is More Important Than Ever

Encryption is one of the most effective defenses protecting our digital lives. Yet governments around the world, including the United Kingdom and United States, continue to demand back door access to encrypted tools in the name of public safety, despite mounting evidence that these very back doors could be accessed by bad actors as well.

In January 2025, relying on broad powers conferred by the Investigatory Powers Act, the UK Home Secretary ordered Apple to provide UK law enforcement with the blanket capability to access users’ encrypted iCloud data, even where Apple does not hold a copy of the encryption key.

The information at issue was secured using Apple’s Advanced Data Protection (ADP) offering, through which a user’s “trusted devices retain sole access to the encryption keys for the majority of their iCloud data, thereby protecting it using end-to-end encryption.” As a result, nobody else can access it, including Apple.

In line with its past approach to similar orders, Apple appealed the law enforcement demand, which, in addition to requiring Apple to create a means to access encrypted information, would prohibit Apple from informing users about the weakened product security.

Apple took the further step of pulling ADP from the UK market, publicly reaffirming its commitment never to build a “back door” into its encrypted products. The move adds a subtle wrinkle to the dispute: it implies Apple’s position that the government’s geographic jurisdiction in issuing the technical capability notice (TCN) ends at the UK’s borders, while the Home Office’s position appears to be that the TCN should apply globally.

This request is only the most recent instance of law enforcement efforts to weaken encryption for the sake of apprehending criminals, and the United Kingdom is not the only government that has lamented the difficulties posed by giving consumers access to sophisticated tools to shield their data, photos, and messages from view.

For decades, other law enforcement agencies, including the U.S. Federal Bureau of Investigation (FBI), have objected to unbreakable encryption, arguing that it prevents them from gathering crucial evidence against the most reprehensible criminals, including terrorists and those who access and distribute child pornography.

Similarly, the EU and a number of its member states are currently considering several proposals that arguably would force companies either to provide back doors or eliminate encryption altogether.

Yet recent experience suggests that this is the wrong approach in a world where cybercriminals increasingly seek access to individuals’ most sensitive data. With the proliferation of advanced persistent threats, including those affiliated with or sponsored by foreign governments, weakening protections inevitably provides another attack vector, despite assurances from law enforcement that back doors would be used exclusively for lawful purposes.

Since the late 1960s, Title III of the Omnibus Crime Control and Safe Streets Act has authorized US law enforcement to obtain a warrant to tap suspects’ oral and wire communications. To tap wireline phones of the era, law enforcement needed only to install a physical device at the local phone exchange. However, by the 1990s, companies began migrating to digital switching technology, which—along with cellular phones—could not be tapped in this way. 

Congress responded by passing the Communications Assistance to Law Enforcement Act (CALEA), which required telecommunications companies to build wiretapping capabilities for law enforcement into new networks and retrofit existing, older networks accordingly. CALEA has since been updated to require the same for cellular networks and certain networks using Voice over Internet Protocol technology.

CALEA, like the UK Investigatory Powers Act, has been controversial since its inception, with experts arguing that it required providers to architect a security vulnerability directly into their network infrastructure, weakening security overall and providing a potentially accessible means for bad actors to breach innocent users’ communications data.

Fast forward to October 2024, when it was revealed that several major US telecommunications companies—including AT&T, Verizon, and T-Mobile—were the victims of a serious cyberattack, perpetrated by Salt Typhoon, a sophisticated cyber espionage group closely affiliated with the Chinese government.

Experts believe the attack started as early as 2022. By the time it was uncovered, Salt Typhoon had infiltrated U.S. networks so thoroughly that it could access private call records and communications—a breach Sen. Mark Warner and FCC Chairman Brendan Carr dubbed the worst such attack in American history. The vulnerable data included “information that was subject to U.S. law enforcement requests pursuant to court orders.”

That is, Salt Typhoon may have leveraged the very capabilities required by CALEA, exploiting the weaknesses it created to steal sensitive information from unsuspecting consumers. The back door, intended for law enforcement, was instead likely exploited by the hacking group, which quietly infiltrated critical communications infrastructure to conduct espionage on American citizens.

In a world in which we cannot keep bad actors out of our most sensitive information, whether held by government or industry, we should be reinforcing our digital defenses—not deliberately weakening them. Encryption is a necessity for journalists, dissidents, victims of domestic abuse, business owners, and ordinary citizens alike, and we certainly don’t want to eliminate the protection it affords us all. Once a back door exists, it’s not a matter of if it will be infiltrated, but when. If we weaken encryption in the name of security, we risk losing both. 

###

Stanley Crosley and Christopher Rosina are partners in Crosley Law Offices. Mr. Crosley is a privacy fellow at the Innovators Network.