Urge to Protect Americans’ Digital Speech, Secure Encryption, and Data
Dear Secretary Rubio, Attorney General Bondi, Acting Secretary Pelter, and Director Kratsios,
We write to urge you to take immediate action to protect Americans’ digital speech and data from the United Kingdom’s Home Office efforts to break secure encryption. Every American has “the right to be free from state inquiry into the contents of his library.” Acting under the UK Investigatory Powers Act of 2016, the UK’s Home Office has sent “technical capability notices” to Apple reportedly demanding access to “all the content any Apple user worldwide has uploaded to the cloud”— including tens of millions of Americans. This demand has “no known precedent in major democracies.” It compels Apple to decrypt, and allow the UK access to, user data currently protected by end-to-end encryption (E2EE), the best available technology for protecting stored messages, documents, and other material. The Home Office’s notices require immediate compliance even pending an appeal through a process that is—like the notices—secret by law.
While Congress should enact a law prohibiting American tech companies from providing encryption backdoors to any country, barring swift congressional action, the federal government should use all leverage at its disposal to convince the UK Home Office to change course. In particular, the United States could threaten to terminate the UK-US Cloud Act agreement of 2019 if the UK does not withdraw its demands to Apple. This agreement has been of considerably greater value to the UK than to the US and it is already past its original five-year term and is ripe for reconsideration anyway.
The UK’s demand puts users at risk. To comply, Apple must either build a backdoor into its end-to-end encrypted cloud service (which could, and would, then be accessed by malicious actors) or cease offering E2EE cloud services altogether. Either way, it appears that Apple would have to make such changes not only for users within the UK but worldwide. Apple is right: no single government should “have the authority to decide for citizens of the world whether they can avail themselves of the proven security benefits that flow from end-to-end encryption.”
Of course, the UK is not constrained by our Constitution but, by demanding access to encrypted cloud storage for users worldwide, the UK is nonetheless vitiating Americans’ Fourth Amendment rights to be secure in our “papers and effects” and First Amendment rights “to receive information and ideas.” This right means nothing unless Americans’ private information is secure. Government snooping chills speech—it discourages those who, “motivated by fear of economic of official retaliation, by concern about social ostracism, or merely by a desire to preserve as much of [their] privacy as possible,” must keep their thoughts and communication secure from prying eyes. “The door barring federal and state intrusion into” Americans’ privacy of information “cannot be left ajar; it must be kept tightly closed[.]” Breaking end-to-end encryption for one cause will lead ineluctably to “encroachment upon more important interests.” Our present moment perfectly illustrates the point: through its Salt Typhoon hacking operation, the Chinese Communist Party is throwing this right to security of information into doubt. Salt Typhoon has compromised at least nine telecom firms—apparently by accessing our governments’ own backdoors into telecom networks. If the UK government’s action is left to stand, without a swift and effective American response, the result will be the creation of more backdoors for the CCP and other adversarial nations to exploit.
The UK’s decision to go after Apple, in particular, seems designed to send a message. Apple is renowned for its cybersecurity and data protection. If the UK can force Apple to expose its users’ stored data, it can force any cloud storage provider to do so. If the UK is not made to back down now, this will only be the beginning. If the UK has its way, when the next Salt Typhoon comes along, Americans will have no end-to-end encrypted services in which to seek shelter from government surveillance. In a borderless world, our Fourth and First Amendment rights will be meaningless.
Ultimately, the UK’s demands are unlikely to withstand judicial review even under the weaker protection of European fundamental rights law, as the attached letter explains. But you cannot wait for the European Court of Human Rights to act. The UK’s notice was already served in January and requires immediate compliance even during an appeal, which Apple has likely already undertaken but which is secret by law. We urge you to act swiftly to protect Americans, and Internet users everywhere, from having their stored communications exposed to access by malicious governments and non-state actors.
Civil Society Organizations
TechFreedom
Advocacy for Principled Action In Government American Consumer Institute
Competitive Enterprise Institute
Freedom of the Press Foundation
New America’s Open Technology Institute R Street Institute
The Future of Free Speech
Academics & Computer Scientists
Neil Chilson
Head of AI Policy
Abundance Institute
Brian L. Frye
Spears-Gilbert Professor of Law
University of Kentucky College of Law
Jess Miers
Visiting Assistant Professor of Law
University of Akron School of Law
Riana Pfefferkorn
Policy Fellow
Stanford HAI