FBI Warns iPhone, Android Users—We Want ‘Lawful Access’ To All Your Encrypted Data

By Zak Doffman, Contributor. Zak Doffman writes about security, surveillance and privacy. Feb 24, 2025

The furor after Apple removed full iCloud security for U.K. users may feel a long way from American users this weekend. But it’s not — far from it. What has just shocked the U.K. is exactly what the FBI told me it also wants in the U.S. “Lawful access” to any encrypted user data. The bureau’s quiet warning was confirmed just a few weeks ago.

The U.K. news cannot be seen in isolation and follows years of battling between big tech and governments over warranted, legal access to encrypted messages and content to fuel investigations into serious crimes such as terrorism and child abuse.

As I reported in 2020, “it is looking ever more likely that proponents of end-to-end security, the likes of Facebook and Apple, will lose their campaign to maintain user security as a priority.” It has taken five years, but here we now are.

The last few weeks may have seemed to signal a unique fork in the road between the U.S. and its primary Five Eyes ally, the U.K. But it isn’t. In December, the FBI and CISA warned Americans to stop sending texts and use encrypted platforms instead. And now the U.K. has forced open iCloud by threatening to mandate a backdoor. But the devil’s in the detail — and we’re fast approaching a dangerous pivot.

While CISA — America’s cyber defense agency — appears to advocate for fully secure messaging platforms, such as Signal, the FBI’s view appears to be different. When December’s encryption warnings hit in the wake of Salt Typhoon, the bureau told me while it wants to see encrypted messaging, it wants that encryption to be “responsible.”

What that means in practice, the FBI said, is that while “law enforcement supports strong, responsibly managed encryption, this encryption should be designed to protect people’s privacy and also managed so U.S. tech companies can provide readable content in response to a lawful court order.” That’s what has just happened in the U.K. Apple’s iCloud remains encrypted, but Apple holds the keys and can facilitate “readable content in response to a lawful court order.”

There are three primary providers of end-to-end encrypted messaging in the U.S. and U.K.: Apple, Google and Meta. The U.K. has just pushed Apple to compromise iMessage. And it is more than likely that “secret” discussions are also ongoing with the other two. It makes no sense to single out Apple, as that would simply push bad actors to other platforms, which will happen anyway, as is obvious to any security professional.

In doing this, the U.K. has changed the art of the possible, bringing new optionality to security agencies across the world. And it has done this against the backdrop of that U.S. push for responsible encryption and Europe’s push for “chat control.” The U.K. has suddenly given America’s security agencies a precedent to do the same.

“The FBI and our partners often can’t obtain digital evidence, which makes it even harder for us to stop the bad guys,” warned former director Christopher Wray, in comments the bureau directed me towards. “The reality is we have an entirely unfettered space that’s completely beyond fully lawful access — a place where child predators, terrorists, and spies can conceal their communications and operate with impunity — and we’ve got to find a way to deal with that problem.”

The U.K. has just found that way. It was first, but unless a public backlash sees Apple’s move reversed, it will not be last. In December, the FBI’s “responsible encryption” caveat was lost in the noise of Salt Typhoon, but it shouldn’t be lost now. The tech world can act shocked and dispirited at the U.K. news, but it has been coming for years. While the legalities are different in the U.S., the targeted outcome would be the same.

Ironically, because the U.S. and U.K. share intelligence information, some American lawmakers have petitioned the Trump administration to threaten the U.K. with sanctions unless it backtracks on the Apple encryption mandate. But that’s a political view, not a security view. It’s more likely this will go the other way now. As EFF has warned, the U.K. news is an “emergency warning for us all,” and that’s exactly right.

“The public should not have to choose between safe data and safe communities, we should be able to have both — and we can have both,” Wray said. “Collecting the stuff — the evidence — is getting harder, because so much of that evidence now lives in the digital realm. Terrorists, hackers, child predators, and more are taking advantage of end-to-end encryption to conceal their communications and illegal activities from us.”

The FBI’s formal position is that it is “a strong advocate for the wide and consistent use of responsibly managed encryption — encryption that providers can decrypt and provide to law enforcement when served with a legal order.”

The challenge is that while the bureau says it “does not want encryption to be weakened or compromised so that it can be defeated by malicious actors,” it does want “providers who manage encrypted data to be able to decrypt that data and provide it to law enforcement only in response to U.S. legal process.”

That’s exactly the argument the U.K. has just run.

Somewhat cynically, the media backlash that Apple’s move has triggered is likely to have an impact, and right now it seems more likely we will see a reversal of some sort of Apple’s move, rather than more of the same. The UK government is now exposed as the only western democracy compromising the security of tens of millions of its citizens.

Per The Daily Telegraph, “the [UK] Home Office has increasingly found itself at odds with Apple, which has made privacy and security major parts of its marketing. In 2023, the company suggested that it would prefer to shut down services such as iMessage and FaceTime in Britain than weaken their protections. It later accused the Government of seeking powers to ‘secretly veto’ security features.”

But now this quiet battle is front page news around the world. The UK either needs to dig in and ignore the negative response to Apple’s forced move, or enable a compromise in the background that recognizes the interests of the many.

As The Telegraph points out, the U.S. will likely be the deciding factor in what happens next. “The Trump administration is yet to comment. But [Tim] Cook, who met the president on Thursday, will be urging him to intervene,” and perhaps more interestingly, “Elon Musk, a close adviser to Trump, criticised the UK on Friday, claiming in a post on X that the same thing would have happened in America if last November’s presidential election had ended differently.”

Former UK cybersecurity chief Ciaran Martin thinks the same. “If there’s no momentum in the U.S. political elite and US society to take on big tech over encryption, which there isn’t right now, it seems highly unlikely in the current climate that they’re going to stand for another country, however friendly, doing it.”

Meanwhile the security industry continues to rally en masse against the change.

“Apple’s decision,” an ExpressVPN spokesperson told me, “is deeply concerning. By removing end-to-end encryption from iCloud, Apple is stripping away its UK customers’ privacy protections. This will have serious consequences for Brits — making their personal data more vulnerable to cyberattacks, data breaches, and identity theft.”

It seems inconceivable the UK will force all encrypted platforms to remove that security wrap, absent which the current move becomes pointless. The reality is that the end-to-end encryption ship has sailed. It has become ubiquitous. New measures need to be found that will rely on metadata — already provided — instead of content.

Given the FBI’s stated position, what the Trump administration does in response to the UK is critical. Conceivably, the U.S. could use this as an opportunity to revisit its own encryption debate. That was certainly on the cards under a Trump administration pre Salt Typhoon. But the furor triggered by Apple now makes that unlikely. However the original secret/not secret news leaked, it has changed the dynamic completely.

  • sugar_in_your_tea@sh.itjust.works
    3 upvotes · edited · 6 hours ago

    Cool, bring a warrant and we’ll talk.

    I probably still won’t give you the data, but I’ll be polite about it. But hey, you never know, I might feel charitable.

    You can take my phone, but good luck breaking in.

  • jet@hackertalks.com
    English · 124 upvotes · 1 day ago

    Lawful access is exactly how salt typhoon hackers got into the US wire tapping system to spy on phone calls.

    A backdoor is a door!

  • mox@lemmy.sdf.org
    59 upvotes · edited · 1 day ago

    “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

    • Maeve@kbin.earth
      7 upvotes · 1 day ago

      Yeah. Unless they changed the law, electronic devices don’t count as papers. Maybe they did, idk

      • flueterflam@lemmy.world
        21 upvotes · 1 day ago

        Papers probably was the wrong one to bold.

        Effects (i.e. personal effects) is likely better and the first definition I found is “Items of personal property that one carries on one’s person, including identification, jewelry, and clothing.”.

        I’d argue a phone falls under this definition.

        • mox@lemmy.sdf.org
          10 upvotes · edited · 1 day ago

          The issue is bigger than just smartphones, and I would like to think the meaning of “papers” is about one’s stored information rather than pressed wood pulp. (Let’s remember how language was used in the 1700s.) But okay, I’ll bold both.

          • sugar_in_your_tea@sh.itjust.works
            1 upvote · 6 hours ago

            The difference is that they can get a warrant for my phone, but not the information on my phone. So I can’t be forced to unlock it for them. Likewise, if I have physical documents encoded with a cypher, they can’t force me to decode it for them.

            That’s why “papers” doesn’t mean “information,” you can’t get a warrant for information, only to search for information.

  • Scrubbles@poptalk.scrubbles.tech
    English · 30 upvotes · 1 day ago

    > The FBI and our partners often can’t obtain digital evidence, which makes it even harder for us to stop the bad guys

    Oh, those nefarious bad guys. The security, it’s always to protect us, even though the vast amount of data is gathered on American citizens. God forbid I just don’t want them seeing everything, why do they have to know when I’m making plans to see my mom, or that I want to keep my baby videos private? How does that give us security?

    • PineRune@lemmy.world
      30 upvotes · 1 day ago

      It’s not about security. It’s about turning otherwise innocent data into incriminating evidence that can be used against anybody at any time.

      • DragonTypeWyvern
        14 upvotes · 1 day ago

        Commander Vimes didn’t like the phrase “The innocent have nothing to fear,” believing the innocent had everything to fear, mostly from the guilty but in the longer term even more from those who say things like “The innocent have nothing to fear.” – Snuff

  • Maeve@kbin.earth
    32 upvotes · 1 day ago

    Google just hands it over, often without a warrant. AT&T too. Idk about others.

    • satans_methpipe@lemmy.world
      11 upvotes · 1 day ago

      AT&T facilities have been cloning and warehousing voice traffic for decades. Google agrees to settle out of court for root access.

      • Maeve@kbin.earth
        2 upvotes · 18 hours ago

        Yes, they began, afaik, under G.W. Bush. I believe that’s when the courts ruled that papers don’t include electronic devices, but I could be off on timing. I haven’t heard anything differently. We’ve been complacent.

  • Onomatopoeia@lemmy.cafe
    English · 20 upvotes · 1 downvote · 1 day ago

    > It makes no sense to single out Apple, as that would simply push bad actors to other platforms, which will happen anyway, as is obvious to any security professional.

    Except it does, or why else would they do it?

    Android doesn’t really have an equivalent to iCloud direct from Google. It doesn’t have iMessage (which is technically encrypted, though with issues).

    Android doesn’t have a full backup system like iOS. It doesn’t automatically sync to a cloud like iOS, etc, etc.

    It’s just not the same. Grab any Android phone, and the mix of messengers for sms alone is vastly different. Not to mention all the other messengers.

    It’s a lot easier to gather a lot of info from a lot of people by first attacking iOS. It’s kind of the opposite of virus/malware.

    • IAmLamp@fedia.io
      1 upvote · 2 downvotes · 20 hours ago

      Well, actually, I can probably make my own way up. Hag! Evil old woman, considered frightful or ugly, 12 down.

  • TommySoda@lemmy.world
    11 upvotes · 1 day ago

    And the people in charge that partake in all of those things you’re trying to stop will be caught too, right? If you get our encrypted data then everyone gets yours. None of this bullshit about “security.” Either all of it is available or none of it is. As the argument always goes, “if you don’t have anything to hide, why are you worried?”

    • xzot746@sh.itjust.works
      6 upvotes · 1 day ago

      Privacy for them, not for you. Learn your place.

      Just kidding bunch of fucking parasites, won’t help shit, similar to gun laws in Canada our fearless idiot thinks that toughening up laws on law abiding citizens will help with the way criminals behave. This is the same, the government is going to turn on its citizens, doesn’t matter what government they’re all the same. They want to spy on you and restrict your rights based on the illegal shit they’re doing.

      Paul Harvey had a good story on how the people string up the politicians and let them rot until the birds ate them. Seems like it might be a good way to send a message.

      It you’re 💯% right it has about as much to do with security as these fucks think books are about protecting kids. It’s a lie to get the sheep to get on their side because no one wants people assaulting kids (unless you’re one of the sick fucks that Epstein was hanging with, cough cough you orange fucker) and no one wants criminals to get away with shit (again unless you’re one of those fucks that are in the gov employment).

      What a sad fucking timeline we’re living in, but only we can make the change.

  • shininghero@pawb.social
    13 upvotes · 3 downvotes · 1 day ago

    Lol, nope. Warrant first, along with the judge’s affidavit that is supposed to come with it.

    Don’t have those? Well, that sounds like a big bowl of “not my problem”.