Members of a U.S. House subcommittee have a bipartisan view on the need to address potential negative impacts of a proposed order from the U.K. government for Apple to create a back door to encrypted user data in its cloud database.
The House Committee on the Judiciary's Subcommittee on Crime and Federal Government Surveillance held a 5 June hearing to promote further review of the U.K.-U.S. Clarifying Lawful Overseas Use of Data Act — otherwise known as the CLOUD Act. The hearing delved into the U.K.'s invocation of its Investigatory Powers Act to force backdoor access to Apple cloud data for law enforcement purposes, and how that access could impact the safety of U.S. data.
Consensus among federal lawmakers on data privacy matters is not a simple task. However, House subcommittee Republicans and Democrats agreed the U.K. order is potentially problematic for U.S. data and could pave the way for other pervasive standards.
Subcommittee Chair Andy Biggs, R-Ariz., indicated the U.K.'s requirement "sets a dangerous precedent and if not stopped now could lead to future orders by other countries." Ranking Member Jamie Raskin, D-Md., added, "Forcing companies to circumvent their own encrypted services in the name of security is the beginning of a dangerous slippery slope."
Biggs went as far as proposing the U.S. invoke a 30-day termination clause on the sharing agreement and renegotiate terms in a way that halts potential unfettered U.K. backdoor access.
How the CLOUD Act fits in
The U.K.-U.S. CLOUD Act was enacted by Congress in 2018 and took force August 2022. It allows U.S. companies to hand over user data in response to legal requests from foreign jurisdictions subject to conditions around adequate security standards as well as necessity and proportionality.
Biggs suggested the proposed order to Apple or any other U.S.-based cloud database could allow the U.K. to invoke the CLOUD Act to openly access U.S. consumer data through a back door. He said the U.K. is "taking advantage of its authority" with such a move while "attacking data security and privacy."
"Efforts to weaken, or even breaking, encryption makes us all less secure," Biggs added. "The U.S.-U.K. relationship must be built on trust. If the U.K. is trying to undermine this foundation of cybersecurity, it is breaching that trust. If companies are forced to build back doors, that simultaneously opens a back door to privacy rights and it's impossible to limit a back door to just the good guys."
Raskin insisted he supports the premise of the CLOUD Act and the agreement itself is not the problem at hand. But he said back doors "are only worthwhile to the U.K. because of the data made available through the agreement."
The case for upholding encryption
Tufts University Professor of Cyber Security and Policy Susan Landau testified to the subcommittee on a perceived anti-encryption pattern the U.K. is developing.
In addition to the backdoor order to Apple, Landau pointed to the absence of the U.K. on December 2024 joint guidance from the so-called "Five Eyes" alliance on securing digital communications infrastructure. The guide, supported by Australia, Canada, New Zealand and the U.S., implored network engineers and defenders make encryption foundational and use it "to the maximum extent possible."
"By refusing to sign, the U.K. is a real outlier," Landau said. "Apple's advanced encryption protects people's data. It's an important and needed technology. I urge you to ensure the U.K.'s efforts to improve its own investigatory capabilities do not come at its expense."
Echoing Biggs' opposition to potential unintended access to encryption back doors, Raskin said a single exemption could lead to a flood of potential espionage, consumer fraud and ransomware. He added the "deluge of ways governments spy on their citizens" will only be exacerbated if privacy and security slip by the wayside.
"Some argue privacy is passe. ... Cookies monitor which sites we click on. Our devices already track every step we take. And data brokers take anonymized data and reidentify in portfolios available to the highest bidder." Raskin said. "But I disagree with the idea privacy is no longer valuable or meaningful to the American citizenry. ... Americans' security from government intrusion has never been more urgent or important."
Joe Duball is the news editor for the IAPP.
