House lawmakers are pointing to reports from earlier this year that the United Kingdom secretly ordered Apple to build a backdoor into encrypted iCloud backups as proof that the U.S. should reevaluate its cybersecurity and intelligence-sharing relationship with the UK.
Congress passed the Clarifying Lawful Overseas Use of Data — or CLOUD — Act in 2018 to allow U.S. law enforcement officials to obtain data from American companies stored on their overseas servers. The law directs U.S. firms to adhere to warrants for data, even if that data is stored on foreign soil, and also authorizes the creation of bilateral data-sharing agreements between the U.S. and allies. The CLOUD Act data access agreement between the U.S. and UK went into effect in October 2022.
The Washington Post reported in February, however, that the UK issued a secret order to Apple requesting that the tech giant provide UK law enforcement and intelligence personnel with the “blanket capability” to access customers’ encrypted files worldwide, meaning Apple customers residing in the U.S. would be swept into that dragnet.
Under the UK’s 2016 Investigatory Powers Act — known colloquially as the Snooper’s Charter — Apple received the order to provide cloud data without any judicial review.
During a House Judiciary Crime and Federal Government Surveillance Subcommittee hearing on Thursday, lawmakers expressed bipartisan support for strengthening cybersecurity and privacy provisions in CLOUD Act agreements so that Americans’ data remains secure.
Rep. Andy Biggs, R-Ariz., who chairs the panel, said the UK’s order “sets a dangerous precedent.”
“Efforts to weaken or even break encryption makes us all less secure,” Biggs said, adding that “if companies are forced to build backdoors to encryption that simultaneously opens a backdoor to privacy rights, or an invasion of privacy rights, it is impossible to limit a backdoor to just the good guys.”
He noted that the Salt Typhoon hacking group was, in part, able to breach several U.S. telecom firms’ “lawful intercept” systems that house law enforcement wiretap requests.
“I continue to urge our government, including the Justice Department, to evaluate whether the CLOUD Act and our agreement with the United Kingdom are working as intended,” Biggs said. “If they are not, we should renegotiate the agreement to ensure that our rights are protected.”
The UK’s demand of Apple has led to bipartisan scrutiny of the CLOUD Act and a broader evaluation of the nation’s data-sharing agreement with London.
Director of National Intelligence Tulsi Gabbard said in February that she directed her office’s legal personnel to conduct a review of the UK’s request for Apple to create a backdoor in its system, saying it would be “a clear and egregious violation of Americans’ privacy and civil liberties, and open up a serious vulnerability for cyber exploitation by adversarial actors.”
Gabbard’s requested review came after Biggs and Sen. Ron Wyden, D-Ore., sent her a letter earlier that month asking her to evaluate U.S. intelligence-sharing relations with the UK following the press report.
Biggs and Wyden — along with Sen. Alex Padilla, D-Calif., and Reps. Warren Davidson, R-Ohio, and Zoe Lofgren, D-Calif. — also sent a letter to the UK’s Investigatory Powers Tribunal in March demanding transparency around its request of Apple.
Wyden similarly released draft legislation in February that would modify the CLOUD Act’s requirements so that U.S. providers do not need to weaken their security standards to meet requests from foreign governments.
Gregory Nojeim, senior counsel and director of the Center for Democracy and Technology’s Security and Surveillance Project, noted during the hearing that the UK has issued more than 20,000 requests under the CLOUD Act, compared to 63 requests issued by the U.S. during the same period.
“CLOUD Act agreements are supposed to preserve the privacy of Americans and of other people in the United States,” Nojeim said, but he added that “if Apple had fully complied [with the UK’s request], it would have compromised the communication security of its users in the U.S. and worldwide.”
Maryland Rep. Jamie Raskin, the top Democrat on the House Judiciary Committee, said government-mandated backdoors into encrypted systems would allow cyber criminals “to target Americans for espionage, consumer fraud and ransomware.”
Although Raskin said the CLOUD Act agreement between the U.S. and UK has been mutually beneficial, he added that “I also believe that forcing companies to circumvent their own encrypted services in the name of security is the beginning of a dangerous slippery slope.”
Nextgov/FCW Cybersecurity Reporter David DiMolfetta contributed to this report.