The Washington Post alleged that the British government had served a technical capability notice against Apple in December 2024 to provide backdoor global access into encrypted Apple iCloud services. The BBC’s subsequent report appears to support the Post’s allegations. And begs philosophical question about what it means when the government has a copy of your ‘digital twin’?
What is a technical capability notice
A technical capability notice is a legal document. It is issued by the UK government that compels a telecoms provider or technology company that compels them to maintain the technical ability to assist with surveillance activities like interception of communications, equipment interference, or data acquisition. When applied to telecoms companies and internet service providers, it is usually UK only in scope. What is interesting about the technical capability notice allegedly served against Apple is extra-territorial in nature. The recipient of a technical capability notice, isn’t allowed to disclose that they’ve been served with the notice, let alone the scope of the ask.
Apple outlined a number of concerns to the UK parliament in March 2024:
- Breaks systems
- Lack of accountability in the secrecy
- Extra-territoriality
Tl;DR – what the UK wants with technical capability notices is disproportionate.
Short history of privacy
The expectation of privacy in the UK is a relatively recent one. You can see British spy operations going back to at leas the 16th century with Sir Francis Walsingham. Walsingham had a network that read couriered mail and cracked codes in Elizabethan England.
By Victorian times, you had Special Branch attached to the Metropolitan Police and related units across the British Empire. The Boer War saw Britain found permanent military intelligence units that was the forerunner of the current security services.
By world war one the security services as we now know them were formed. They were responsible to intercept mail, telegraph, radio transmissions and telephone conversations where needed.
Technology lept forward after World War 2.
ECHELON
ECHELON was a cold war era global signals intelligence network ran by Australia, Canada, New Zealand, the UK and the US. It originated in the late 1960s to monitor the military and diplomatic communications of the Soviet Union and its Eastern Bloc allies during the Cold War, the ECHELON project became formally established in 1971.
ECHELON was partly inspired by earlier US projects. Project SHAMROCK had started in 1940 and ran through to the 1970s photographing telegram communications in the US, or transiting through the US. Project MINARET tracked the electronic communications of listed American citizens who travelled abroad. They were helped in this process by British signals intelligence agency GCHQ.
In 2000, the European Commission filed a final report on ECHELON claimed that:
- The US-led electronic intelligence-gathering network existed
- It was used to provide US companies with a competitive advantage vis-à-vis their European peers; rather like US defence contractors have alleged to undergone by Chinese hackers
Capenhurst microwave tower
During the cold war, one of the main ways that Irish international data and voice calls were transmitted was via a microwave land bridge across England and on to the continent.
Dublin Dame Court to Holyhead, Llandudno and on to Heaton Park. Just next to the straight line path between Llandudno and Heaton Park was a 150 foot tower in Capenhurst on the Wirral. This siphoned off a copy of all Irish data into the British intelligence system.
Post-Echelon
After 9/11, there were widespread concerns about the US PATRIOT Act that obligated US internet platforms to provide their data to US government, wherever that data was hosted. After Echelon was exposed, it took Edward Snowden to reveal PRISM that showed how the NSA was hoovering up data from popular internet services such as Yahoo! and Google.
RAMPART-A was a similar operation taking data directly from the world’s major fibre-optic cables.
US programme BULLRUN and UK programme Edgehill were programmes designed to crack encrypted communications.
So privacy is a relatively new concept that relies the inability to process all the data taken in.
Going after the encrypted iCloud services hits different. We are all cyborgs now, smartphones are our machine augmentation and are seldom out of reach. Peering into the cloud ‘twin’ of our device is like peering into our heads. Giving indications of hopes, weaknesses and intent. Which can then be taken and interpreted in many different ways.
What would be the positive reasons to do a technical capability notice?
Crime
Increasing technological sophistication has gone hand in hand with the rise of organised crime groups and new criminal business models such as ‘Klad’. Organised crime is also transnational in nature.
But criminals have already had access to dedicated criminal messaging networks, a couple of which were detailed in Joseph Cox’ Dark Wire . They use the dark web, Telegram and Facebook Marketplace as outlets for their sales.
According to Statista less than six percent of crimes committed resulted in a charge or summons in 2023. That compares to just under 16 percent in 2015.
Is going after Apple really going to result in an increased conviction rate, or could the resources be better used elsewhere?
Public disorder
Both the 2011 and 2024 riots caught the government off-guard. Back in 2011, there was concern that the perpetrators were organising over secure BlackBerry messaging. The reality that the bulk of it was being done over social media. It was a similar case with the 2024 public disturbances as well.
So gaining access to iCloud data wouldn’t be that much help. Given the effort to filter through it, given that the signals and evidence were out there in public for everyone to see.
The big challenge for the police was marshalling sufficient resources and the online narrative that took on a momentum of its own.
Paedophiles
One of the politicians strongest cards to justify invasion of privacy is to protect against nonces, paedos and whatever other label you use to describe the distribution of child sexual abuse images. It’s a powerful, emotive subject that hits like a gut punch. The UK government has been trying to explore ways of understanding the size of abuse in the UK.
Most child abuse happens in the home, or by close family members. Child pornography rings are more complex with content being made around the world, repeatedly circulated for years though various media. A significant amount of the content is produced by minors themselves – such as selfies.
The government has a raft of recommendations to implement from the The Independent Inquiry into Child Sexual Abuse. These changes are more urgently needed like getting the police to pay attention to vulnerable working-class children when they come forward.
Terrorism
The UK government puts a lot of work into preventing and combating terrorism. What terrorism is has evolved over time. Historically, cells would mount terrorist attacks.
Eventually, the expectation of the protagonist surviving the attack changed with the advent of suicide tactics. Between 1945 and 1980, these were virtually unheard of. The pioneers seem to have been Hezbollah against UN peacekeepers in Lebanon.
This went on to influence 9/11 and the London bombings. The 9/11 commission found that the security services didn’t suffer from a lack of information, but challenges in processing and acting on the information.
More recently many attacks have been single actors, rather than a larger conspiracy. Much of the signs available was in their online spiral into radicalisation, whether its right-wingers looking to follow the example of The Turner Diaries, or those that look towards groups like ISIS.
Axel Rudakubana’s actions in Southport doesn’t currently fit into the UK government’s definition of terrorism because of his lack of ideology.
I am less sure what the case would be for being able to access every Apple’s cloud twin of their iPhone. The challenge seems to be in the volume of data and meta data to sift through, rather than a lack of data.
Pre-Crime
Mining data on enough smartphones over time may show up patterns that might indicate an intent to do a crime. Essentially the promise of predictive crime solving promised in the Tom Cruise dystopian speculative future film Minority Report.
Currently the UK legal system tends to focus on people having committed a crime, the closest we have to pre-crime was more intelligence led operations during The Troubles that were investigated by the yet to be published Stalker/Sampson Inquiry.
There are so many technical, philosophical and ethical issues with this concept – starting with what it means for free will.
What are the negative reasons for doing a technical capability notice?
There are tensions between the UK government’s stated opinion on encrypted services and the desire to access the data, outlined in Written testimony of Chloe Squires, Director National Security, Home Office.
The UK Government supports strong encryption and understands its importance for a free, open and secure internet and as part of creating a strong digital economy. We believe encryption is a necessary part of protecting our citizens’ data online and billions of people use it every day for a range of services including banking, commerce and communications. We do not want to compromise the wider safety or security of digital products and services for law abiding users or impose solutions on technology companies that may not work within their complex systems.
Extra-territorial reach
Concerns about the US PATRIOT Act and PRISM saw US technology companies lose commercial and government clients across Europe. Microsoft and Alphabet were impacted by losing business from the likes of defence contractor BAE Systems and the Swedish government.
The UK would likely experience a similar effect. Given that the UK is looking to biotechnology and technology as key sectors to drive economic growth, this is likely to have negative impact on:
- British businesses looking to sell technology services abroad (DarkTrace, Detica and countless fintech businesses).
- Britain’s attractiveness to inbound investments be it software development, regional headquarter functions or infrastructure such as data centres. Having no exposure to the UK market may be more attractive to companies handling sensitive data.
- You have seen a similar patten roll out in Hong Kong as more companies have moved regional headquarters to Singapore instead.
The scope of the technical capability notice, as it is perceived, damages UK arguments around freedom-of-speech. State surveillance is considered to have a chilling effect in civilian discussions and has been criticized in the past, yet the iCloud backdoor access could be considered to do the exactly same thing as the British government opposes in countries like China, Hong Kong and Iran.
Leverage
The UK government has a challenge in terms of the leverage that it can bring to bear on foreign technology multinationals. While the country has a sizeable market and talented workforce, it’s a small part of these companies global revenues and capabilities.
They can dial down services in the UK, or they can withdraw completely from the UK marketplace taking their jobs and infrastructure investment with them. Apple supports 550,000 jobs through direct employment, its supply chain, and the iOS app economy. In 2024, Apple claimed that it had invested over £18 billion over the previous five years.
Precedent
Once it is rumoured that Apple has given into one country’s demands. The equivalent of technical capability notices are likely to be employed by governments around the world. Apple would find it hard not to provide similar access to other 5is countries, China, India and the Gulf states.
Even if they weren’t provided with access, it’s a lot easier to break in when you know that a backdoor already exists. A classic example of this in a different area is the shock-and-awe felt when DeepSeek demonstrated a more efficient version of a ChatGPT-like LLM. The team had a good understanding of what was possible and started from there.
This would leave people vulnerable from around the world to authoritarian regimes. The UK is currently home to thousands of political emigres from Hong Kong who are already under pressure from the organs of the Chinese state.
From a domestic point-of-view while the UK security services are likely to be extremely professional, their political masters can be of a more variable quality. An authoritarian populist leader could put backdoors allowed by a technical capability notice to good use.
Criminal access
The hackers used by intelligence services, especially those attributed to China and Russia have a reputation for double-dipping. Using it for their intelligence masters and then also looking to make a personal profit by nefarious means. Databases of iCloud data would be very tempting to exploit for criminal gain, or sell on to other criminals allowing them to mine bank accounts, credit cards, conduct retail fraud.
It could even be used against a country’s civilians and their economy as a form of hybrid warfare that would be hard to attribute.
In the past intelligence agencies were limited in terms of processing the sea of data that they obtained. But technology moves on, allowing more and more data to be sifted and processed.
What can you do?
You’ve got nothing to hide, so why worry? With the best will in the world, you do have things to hide, if not from the UK government then from foreign state actors and criminals – who are often the same people:
- Your bank account and other financial related logins
- Personal details
- Messages that could be taken out of context
- I am presuming that you don’t have your children’s photos on your social media where they can be easily mined and fuel online bullying. Your children’s photos on your phone could be deep faked by paedophiles or scammers.
- Voice memos that can be used to train a voice scammer’s AI to be good enough
- Client and proprietary information
- Digital vehicle key
- Access to academic credentials
- Access to government services
So, what should you do?
Here’s some starting suggestions:
- Get rid of your kids photos off your phone. Get a digital camera, have prints made to put in your wallet, use an electronic picture frame that can take an SD card of images and doesn’t connect to the web or use a cloud service.
- Set up multi-factor authentication on passwords if you can. It won’t protect you against a government, but it will make life a bit more difficult for criminals who may move on to hacking someone else’s account instead.
- Use the Apple password app to generate passwords, but keep the record off them offline in a notebook. If you are writing them down, have two copies and use legible handwriting.
- You could delete ‘important’ contacts from your address book and use an old school filofax or Rolodex frame for them instead. You’re not likely to be able to do this with all your contacts, it wouldn’t be practical. If you are writing them down, have two copies and use legible handwriting.
- Have a code word with loved ones. Given that a dump of your iCloud service may include enough training data for a good voice AI, having a code word to use with your loved ones could prevent them from getting scammed. I put this in place ages ago as there is enough video out there on the internet of me in a public speaking scenario to train a passable voice generative AI tool.
- Use Signal for messaging with family and commercially sensitive conversations.
- My friend and former Mac journalist Ian Betteridge recommended using an alternative service like Swiss-based Proton Cloud. He points out that they are out of the legal jurisdiction of both the US and UK. However, one has to consider history – Crypto AG was a Swiss-based cryptography company actually owned by the CIA. It gave the intelligence agency access to secure communications of 120 countries including India, Pakistan and the Holy See. Numerous intelligence services including the Swiss benefited from the intelligence gained. So consider carefully what you save to the cloud.
- if you are not resident in the UK, consider using ‘burn devices’ with separate cloud services. When I worked abroad, we had to do client visits in an authoritarian country. I took a different cellphone and laptop to protect commercially sensitive information. When I returned these were both hard reset by the IT guy and were ready for future visits. Both devices only used a subset of my data and didn’t connect to my normal cloud services, reducing the risk of infiltration and contamination. The mindset of wanting to access cloud services around the world may be just the thin end of the wedge. Countries generally don’t put down industrial and political espionage as justifications for their intelligence services powers.
What can criminals do?
Criminals already have experience procuring dedicated secure messaging services.
While both dark web services and messaging platforms have been shut down, there is an opportunity to move the infrastructure into geographies that are less accessible to western law enforcement: China, Hong Kong, Macau or Russia for instance. A technical capability notice is of no use. The security services have two options to catch criminals out:
- Obtain end devices on the criminal:
- While they are unlocked and put them in a faraday cage to prevent the device from being wiped remotely.
- Have an informant give you access to their device.
- Crack the platform:
- Through hacking
- Setting the platform up as a sting in the first place.
If the two criminals are known to each other a second option is to go old school using a one-time pad. This might be both having the same edition of a book with each letter or word advancing through the book .
So if you used the word ‘cat’ as the fourth word on line 3 of page 2 in a book you might get something like 4.3.2, which will mean nothing if you don’t have the same book and if the person who wrote the message or their correspondent don’t use 4.3.2 to signify cat again. Instead they would move onwards through the book to find the next ‘cat’ word. A sleuthing cryptographer may be able to guess your method of encryption by the increasing numbers, but unless they know the book your feline secret is secure from their efforts.
Above is two pages from an old one-time pad issued by the NSA called DIANA.
The point is, those criminals that really want to evade security service understanding their business can do. Many criminals in the UK are more likely to rely on a certain amount of basic tactics (gloves, concealing their face, threatening witnesses) and the low crime clearance rate in the UK.
Instead of a technical capability notice, these criminals are usually caught by things like meta analysis (who is calling who, who is messaging who, who is transferring money etc.), investigative police work including stings, surveillance and informers.
Why?
Which begs the questions:
- Why Apple and why did they choose to serve it in December 2024?
- What trade-offs have the UK government factored in considering the potiential impact on its economic growth agenda and political ramifications?
- The who-and-why of the leak itself? Finally, the timing of the leak was interesting, in the early days of the Trump administration.
I don’t know how I feel about the alleged technical capability notice and have more questions than answers.
More information
European Commission Final Report on Echelon and coverage that appeared at the time of the report’s release: EU releases Echelon spying report • The Register
Patriot Act und Cloud Computing | iX – German technology press on the risks posed by the Patriot Act
US surveillance revelations deepen European fears | Reuters – PRISM negatively impacted US technology companies
NSA’s Prism surveillance program: how it works and what it can do | guardian.co.uk
The strange similarities in Google, Facebook, and Apple’s PRISM denials | VentureBeat
Computer Network Exploitation vs. Computer Network Attack | Schneier on Security
EXPLANATORY MEMORANDUM TO THE INVESTIGATORY POWERS (TECHNICAL CAPABILITY) REGULATIONS 2018