Investigatory Powers (Amendment) Bill [HL]

Written evidence submitted by Apple to the Investigatory Powers Public Bill Committee (IPAB10)

Introduction

1. Apple Inc. and Apple Distribution International Limited (collectively 'Apple') appreciate the opportunity to submit written evidence on the Investigatory Powers Act (Amendment) Bill ('Bill').

2. As a developer of hardware, software and services used by people across the globe, Apple has an understanding of the Investigatory Powers Act 2016 ('IPA'), and how it interplays with industry.

Executive Summary

3. Apple is committed to enhancing the privacy, security and safety of our users all around the world. Our work to protect users has never been more important, as the myriad threats they face in the modern digital world continue to grow in complexity and frequency each and every day. Simultaneously, users continue to increase both the amount and sensitivity of the data they store on their devices and in the cloud. They rely on their devices and technology services to securely store and process information such as their health data, the location of their family members, their intimate messages and their financial data. Our users entrust us with keeping this data safe, secure and private.

4. Our commitment to our users and their trust in us is why we object to the reforms proposed by the UK government ('UKG'). We believe these reforms could undermine our ability to offer users the most advanced data protections available, not only in the UK, but for all Apple users around the world. The breadth of these reforms is unprecedented, and the potential impact on the security of technology users across the world cannot be understated.

5. The Investigatory Powers Act 2016 ('IPA'), in its current form, grants the UKG unprecedented and sweeping surveillance powers. For example, the IPA allows the UKG to issue secret orders to attempt to force providers to break encryption by inserting backdoors into their software products. At the time of passage, we objected to the powers proposed in the IPA, including its purported extraterritorial application. [1] Apple similarly objects to the proposed reforms in the Bill, which significantly widen the powers and exacerbate the flaws inherent in the IPA.

6. The IPA’s existing powers are already extremely broad and pose a significant risk to the global availability of vitally important security technologies. Under the current law, the UKG can issue a 'Technical Capability Notice' that seeks to obligate a provider to remove an 'electronic protection' to allow access to data that is otherwise unavailable due to encryption. In addition, the Secretary of State ('SoS') has been granted the further authority to prohibit the provider from disclosing any information about such a requirement to its users or the public without the SoS's express permission. Moreover, the IPA purports to apply extraterritorially, permitting the UKG to assert that it may impose secret requirements on providers located in other countries and that apply to their users globally. Together, these provisions could be used to force a company like Apple, that would never build a backdoor into its products, to publicly withdraw critical security features from the UK market, depriving UK users of these protections.

7. The proposed reforms in the current version of the Bill seek to further expand the SoS’s authority and erode protections originally included in the IPA. The new powers that the Bill would create for the UKG - expanded authority to regulate foreign companies and the ability to pre-screen and block innovative security technologies - would dramatically disrupt the global market for security technologies, putting users in the UK and around the world at greater risk.

8. In addition to impacting the safety of billions of users around the world who rely on security technologies developed by Apple and other companies, the Bill in its current form would undermine fundamental human rights. In fact, just this year, the European Court of Human Rights held that requiring a company to provide a means to decrypt all encrypted communications on its platform violated the right to privacy in Article 8 of the European Convention on Human Rights. As that Court explained, "technical solutions for securing and protecting the privacy of electronic communications, including measures for encryption, contribute to ensuring the enjoyment of other fundamental rights, such as freedom of expression." [2] In contrast, requiring decryption would weaken encryption "for all users," "make it technically possible to perform routine, general and indiscriminate surveillance of personal electronic communications" and "seriously compromise the security of all users’ electronic communications." [3] The decision is unequivocal: encryption facilitates and protects the exercise of fundamental rights. Yet the Bill would allow the UKG to weaken encryption for all users globally.

9. We believe the following provisions, in particular, are highly problematic:

· Pre-notification requirement (Clause 21): The Bill proposes new powers that would allow the SoS to require technology providers to pre-brief the UKG of any changes to their offerings that could impact the UKG’s ability to access user data. That would suppress innovation, stifle commerce and - when combined with purported extraterritorial application - make the UKG the de facto global arbiter of what level of data security and encryption are permissible.

· Extraterritoriality (Clause 19): The Bill proposes that the extraterritorial scope of the IPA should apply to providers in any country, even if they have no UK user base at all, so long as they provide a telecommunication system which is used by another person who provides a service to UK users. Under this proposal, a non-UK provider could be forced to undermine the security of all its users, simply because another company using its systems had a small number of UK users.

· Requirement to maintain the status quo during the review process (Clause 18): At present, the SoS must navigate important oversight mechanisms before they can block the offering of a new product or service they believe will impact the UKG’s ability to access private user data. The Bill proposes new powers which would allow the SoS to block, in secret, the release of a product or service even before the legality of a Technical Capability Notice can be reviewed by independent oversight bodies. The effect of this amendment will be to, extraordinarily, hand the SoS the power to block new products or services prior to their legality being ascertained. This result upends the balance of authority and independent oversight Parliament struck in the IPA.

10. Cumulatively, these changes amount to an expansion of the IPA that would impinge on the prerogative of other governments, and the rights of their citizens, to determine for themselves the balance of data security and government access within their own jurisdictions. Indeed, at the same time that Parliament is considering the present Bill, the German Government is taking the polar opposite and very much to be welcomed approach by mandating that communications providers offer an end-to-end encrypted communications option for users. [4]

11. The dangers in the Bill’s approach are obvious. It would be improper for the UKG to seek to act as the world’s regulator of security technology, and its doing so would create serious conflicts of foreign law - including the European Union’s General Data Protection Regulation and the United States’ CLOUD Act. In addition, a requirement to notify the SoS of emerging security technologies would dissuade any technology company that falls within the broad scope of the UK’s assertion of authority from investing significant time, energy and resources into developing new security technologies when the SoS may summarily and secretly veto the use of those technologies. It is deeply troubling that the SoS is poised to receive a power to issue what are effectively secret extrajudicial injunctions against emerging security technologies without any apparent recourse by the service provider or for citizens of other countries or their governments.

12. Apple has long been committed to user privacy and security, developing and improving upon features to protect user data with innovations that give people greater control and insight into how their data is used and more powerful tools to protect that data. Apple actively seeks to protect its users by designing security into the core of its platforms and using industry-leading security technologies to protect user data.

13. Apple continuously enhances its security features because the threats to user information are relentless, pervasive, and constantly evolving. Customers expect Apple to protect their personal data from bad actors who seek to access, steal and use that data without a user’s permission. Our efforts to stay ahead of those threats have only become more important as millions of gigabytes of personal data are stored in the cloud. As illustrated by a recent summary of data breach research, [5] the need to enhance users’ security is especially urgent today, as the total number of data breaches has more than tripled between 2013 and 2021, exposing 1.1 billion personal records across the globe in 2021 alone.

14. One of the most important security features available to protect personal information both in transit and in storage in the cloud is end-to-end encryption. That encryption technology ensures that only users - and not the companies who provide cloud services - can access a user’s personal data and communications. This technology provides an essential layer of additional security because it ensures that a malicious actor cannot obtain access to a user’s data even if the actor is able to breach a cloud service provider’s data centres. Thus, it is critical to shielding everyday citizens from unlawful surveillance, identity theft, fraud and data breaches, and it serves as an invaluable protection for journalists, human rights activists and diplomats who may be targeted by malicious actors. The critical value of encryption - and end-to-end encryption in particular - is a key reason for the technology community’s broad consensus in support of this technology.

15. In December 2022, Apple introduced a new, optional data security feature called Advanced Data Protection for iCloud ('ADP'), which allows a user to extend end-to-end encryption to additional categories of their personal data, including Photos, Notes and iCloud backups. Security researchers and technical experts across the globe applauded ADP as an invaluable protection for users’ private information in an environment of increasing threats to data security. [6] Apple’s use of end-to-end encryption for iCloud is one way among many that Apple protects its users’ personal information.

16. As explained in further detail below, Apple strongly objects to the proposals to provide the SoS with the power to force pre-notification and block emerging security technologies and to expand the IPA’s extraterritorial reach.

I. Pre-notification Requirement (Notification Notices) (Clause 21)

17. There is no proper basis for the SoS to have the authority under the IPA to require technology companies to provide advance notification of technological security innovations. [1] The proposed amendment would permit the SoS to block the introduction of new security technologies in the name of ensuring the UKG’s access to individuals’ personal data for law-enforcement and national-security purposes. Such power, coupled with the proposed expansion of the IPA’s extraterritorial reach, would stifle the development of security technologies, including end-to-end encryption, leaving millions of users vulnerable.

18. In its response to the public consultation on the notices regimes, the Home Office asserted that the pre-notification requirement "is not intended as an approval mechanism," and that "[t]here will be no method within the notification requirement itself for the Secretary of State to intervene in any way with the decision the operator has chosen." [2] But that mistakes form for function. Once a company is compelled to provide notice of a new security technology to the SoS, the SoS can immediately seek a Technical Capability Notice to block the technology.

19. In effect, through this Bill, the UKG seeks a power that no other country has claimed - to prohibit a company from releasing a security feature unless the UKG receives advance notice. The result, inevitably, is that a company must choose whether to subject itself to the preferences of the SoS or deprive users around the world of critical security features. While the benefits of pre-notification to the Home Office are obvious, the dangers to human rights activists, journalists and at-risk populations across the globe are even clearer.

20. We are extremely concerned that the SoS could claim the authority to use the pre-notification requirement, in combination with the proposed expansion of the IPA’s extraterritorial scope and the proposed requirement to maintain the status quo during the review process, to thwart the development of security-enhancing technologies such as end-to-end encryption. For companies like Apple that prioritise protecting their users’ data, the pre-notification and extraterritoriality proposals would result in an impossible choice between complying with a SoS mandate to secretly install vulnerabilities into new security technologies (which Apple would never do), or to forgo development of those technologies altogether as threats to users’ data security continue to grow.

II. Extraterritoriality (Clause 19)

21. The proposal to expand the IPA’s extraterritoriality should be rejected. [3] The SoS should not have a basis for claiming authority to act as the global regulator for a global multinational technology company merely because its services are sold on UK soil or a corporate affiliate of such a company provides telecommunications services in the UK.

22. In its current formulation, the IPA provides that the SoS may issue a notice to a non-UK company that provides telecommunications services in both the United Kingdom and in other jurisdictions. The Investigatory Powers (Technical Capability) Regulations 2018 do not purport to limit the effect of a notice served on a non-UK company to UK persons, meaning that the SoS could attempt to assert the extreme position that its notice powers extend to all users globally of a non-UK technology company, as long as a small number of UK users use the service. If the IPA were amended to allow the SoS to ignore the differences between a legal entity doing business in the United Kingdom and one providing services worldwide, it would effectively empower the SoS to act as the global regulator for every technology company with a single affiliate (whether located in the United Kingdom or not) that provides telecommunications services in the United Kingdom.

23. There is no reason why the UKG should have the authority to decide for citizens of the world whether they can avail themselves of the proven security benefits that flow from end-to-end encryption. The balance between those interests is the topic of active debate in many countries and one on which a wide variety of constituents - governments, industry, civil society groups, privacy advocates and security experts - have strong equities and deeply held views. Different countries will reach different answers to the competing policy questions that end-to-end encryption poses - and those answers should emerge through democratic processes, not through the unilateral decisions of one country’s law enforcement agency made in secret. Moreover, any attempt by the SoS to use its extraterritorial powers to compel technology companies to weaken encryption technology will only strengthen the hands of malicious actors who seek to steal and exploit personal data for nefarious purposes.

24. Using the notice regime in this way conflicts with the European Convention on Human Rights, as illustrated by a recent decision by the European Court of Human Rights. In that decision, the Court reviewed a law that required companies to provide information necessary to decrypt encrypted electronic messages - an obligation that the SoS could impose under this Bill. The Court concluded that an obligation to decrypt certain end-to-end encrypted communications "risks amounting to a requirement that providers of such services weaken the encryption mechanism for all users," [4] and that it violated the right to privacy under Article 8 of the Convention. Yet a notice compelling a company to weaken its encryption technology would create the same danger to all users that the Court identified and would similarly result in the violation of fundamental rights.

25. The use of the IPA’s notice regime to undermine encryption technology around the world would also create serious conflicts with foreign law. For example, Article 32 of the European Union’s General Data Protection Regulation ('GDPR') imposes a positive obligation on companies to implement technical and organisational measures to protect the privacy of their users’ personal data. Recital 83 of the GDPR highlights that encryption is one means by which a company can meet its Article 32 obligations. Seeking to secretly force companies to install backdoors in end-to-end encrypted technologies in order to comply with UK law for persons not subject to any lawful process would violate that obligation.

26. In addition, a notice requiring a US company like Apple to maintain the ability to decrypt data for any of its users worldwide would violate the US CLOUD Act and the implementing UK-US Data Access Agreement. The CLOUD Act forbids the use of data access agreements to mandate the decryption of user data. [5] The implementing UK-US Data Access Agreement also prohibits the UK from seeking US persons’ personal information. [6] But if the SoS could compel Apple and other US technology companies to maintain the ability to decrypt user data currently protected by end-to-end encryption, it would effectively circumvent the UK-US Data Access Agreement by including a decryption mandate, in violation of the CLOUD Act.

27. Expanding the extraterritoriality of the IPA’s notice regime is even more troubling in light of the IPA’s requirement that the recipient of a notice not disclose the notice’s existence. By requiring non-UK technology companies to maintain the ability to produce unencrypted data for all of their users worldwide - without notifying their users of that ability - the IPA would include a worldwide gag order. That is deeply problematic, especially considering that the legal systems of most civilized nations regard free speech as a fundamental human right.

III. Requirement to Maintain Status Quo During the Review Process (Clause 18)

28. Finally, Apple objects to the proposal to impose a general requirement to maintain the status quo throughout a notice review process. [7]

29. Currently, the IPA provides for a consultation and review process to ensure that telecommunications operators receive at least some minimal process before an IPA notice can become binding. Those protections are especially important in light of the serious obligations that an IPA notice can impose. The statutory requirement that the SoS engage in a consultation period with the relevant operator before a notice is issued ensures that the operator understands the requirements and effects of the proposed notice. The consultation also offers an opportunity for the operator to provide an explanation of the technology and any other relevant information to the SoS, who is statutorily obligated to take that information into account when determining the technical feasibility of the requirements in the IPA notice. [8]

30. The review process mandated by the IPA is a necessary prerequisite to ensure that the obligations imposed by a notice are fair and lawful under UK law. If the recipient of a notice seeks review, the Technical Advisory Board ('TAB') and a Judicial Commissioner must take into account any evidence and representation from the targeted operator and the SoS, and they must issue conclusions that the SoS, in turn, is then required to consider. Those determinations by the TAB (as to the technical requirements and financial consequences of the notice) and Judicial Commissioner (as to the proportionality of the notice) aid the SoS in deciding whether the notice meets the statutory requirements of the IPA. This procedure is a necessary undertaking before any operator can be compelled to comply with an IPA notice.

31. The proposed obligation that operators maintain the status quo during the review period would effectively nullify the carefully drafted and thoughtfully negotiated procedural protections contained in the text of the IPA. Under the proposal, the SoS could issue a notice attempting to mandate that an operator block adoption of a new technology, even if the TAB later determines that the "technical requirements and the financial consequences" of the notice make maintenance of the status quo infeasible, [9] and even if the Judicial Commissioner concludes that blocking adoption of the new technology is not "proportionate." [10] The resulting regime would thus give initial notices the same effect as final notices that have undergone the IPA’s full review process. A notice issued only with the views of the SoS should not be expected to strike the balance required in the IPA between privacy, cybersecurity and valid national security objectives.

32. This modified process would stifle attempts to innovate encryption technology and would prevent companies from responding quickly to growing data security threats. Empowering the SoS to effectively issue an unreviewable, extrajudicial injunction to prohibit the release of a new technology would force companies to withhold end-to-end encryption features or other new technologies from users, even in light of constantly evolving threats to their users’ data security. Malicious actors would have a significant advantage in threatening user data.

Conclusion

33. The Bill’s proposals to expand the IPA’s extraterritorial reach and to grant the SoS the power to mandate pre-notification and block emerging security technologies constitute a serious and very real threat to data security and information privacy. To ensure that individuals have the tools to respond to the ever-increasing threats to information security, these proposals should be rejected.

March 2024


[1] See Written Evidence of Apple Inc. and Apple Distribution International on Investigatory Powers Bill (Dec. 21, 2015), http://data.parliament.uk/writtenevidence/committeeevidence.svc/evidencedocument/draft-investigatory-powers-bill-committee/draft-investigatory-powers-bill/written/26341.html.

[2] Podchasov v. Russia, no. 33696/19, § 76, ECHR 2024.

[3] Ibid., § 77.

[4] https://cdn.netzpolitik.org/wp-upload/2024/02/2024-02-07_BMDV_RefE_TTDSAendG.pdf.

[5] https://www.apple.com/newsroom/pdfs/The-Rising-Threat-to-Consumer-Data-in-the-Cloud.pdf.

[6] See, e.g., https://www.eff.org/deeplinks/2023/05/how-enable-advanced-data-protection-ios-and-why-you-should; https://securityboulevard.com/2022/12/how-and-why-to-take-full-advantage-of-apples-new-advanced-data-protection-feature/.

[1] Clause 21 would add a new provision to the IPA, stating that: "The Secretary of State may give a relevant operator a notice in writing under this section requiring the operator to notify the Secretary of State of any proposals of the operator to make any relevant changes specified in the notice." It would then define "relevant change" and describe procedures for issuing, varying and revoking this new type of notice.

[2] https://www.gov.uk/government/consultations/revised-investigatory-powers-act-notices-regimes-consultation/outcome/government-response-to-the-home-office-consultation-on-revised-notices-regimes.

[3] Clause 19 would amend the definition of a "telecommunications operator" in IPA s. 261(10) to include a person that "controls or provides a telecommunication system which - (i) is not (wholly or partly) in, or controlled from, the United Kingdom, and (ii) is used by another person to offer or provide a telecommunications service to persons in the United Kingdom." A Technical Capability Notice may be issued only to a "telecommunications operator," a "postal operator," or a person proposing to become a telecommunications operator or postal operator. See IPA s. 253(3).

[4] Podchasov v. Russia, no. 33696/19, § 79, ECHR 2024.

[5] See 18 U.S.C. § 2523(b)(3).

[6] See Agreement between the Government of the United States of America and the Government of the United Kingdom of Great Britain and Northern Ireland on Access to Electronic Data for the Purpose of Countering Serious Crime (Oct. 3, 2019), Arts. 1.4, 1.6, 1.12, 6.1; see also 18 U.S.C. § 2523(b)(4)(A).

[7] Clause 18(5) would amend IPA s. 257, which governs the review process for National Security Notices and Technical Capability Notices, so that when a person refers the notice for further review, "the person must not make any relevant changes to telecommunications or postal services, or telecommunication systems, to which obligations imposed by the notice . . . relate." It would also define a "relevant change" to mean "a change that, if implemented, would have a negative effect on the capability of the person to provide any assistance which the person may be required to provide in relation to any warrant, authorisation or notice issued or given under this Act."

[8] See Ch. 8 of Interception of Communications Code of Practice.

[9] IPA s. 257(6).

[10] IPA s. 257(7).

Prepared 7th March 2024