Big Tech Versus Encryption Backdoors: WhatsApp Is the First Tech Giant to Formally Back Apple in Its Legal Contest Against the U.K. Government

WhatsApp has reportedly applied to submit evidence to the Investigatory Powers Tribunal (IPT), which is hearing Apple’s case against the U.K. Home Office that details its concerns regarding the security risks and dangerous precedent that the United Kingdom’s orders regarding encryption backdoors could introduce. The initial order being contested by Apple came from the U.K. Home Office in late 2024 in the form of a secret Technical Capability Note (TCN), issued under the Investigatory Powers Act (IPA), demanding that Apple introduce encryption backdoors into the Apple Advanced Data Protection (ADP) service. Apple withdrew its ADP service from the United Kingdom in response and confirmed its decision to legally challenge the U.K. government’s demands in March. While government access to private data via an encryption backdoor has been a hotly contested issue over the last number of years, the outcome of this latest legal battle is expected to have monumental repercussions for encryption service providers worldwide.

As the IPT is hearing both Apple’s appeal against the Home Office as well as the cases of two human rights campaign groups, Privacy International and Liberty, WhatsApp’s decision to submit evidence to the IPT firmly aligns the Meta-owned behemoth with these parties’ opposition to the U.K. government’s backdoor demands. As the first big tech giant to legally endorse these cases, WhatsApp’s decision to become formally embroiled within the proceedings brings with it a certain weight, raising the stakes for the upcoming hearings and escalating the prominence of what was already a high-profile case in the public arena. Bringing further media and public attention to the IPT cases is particularly significant given the closed nature of the judicial hearings hitherto. A judicial ruling in April denied the government’s petition to keep even the “bare details” of the case shrouded in secrecy; however, any hearings, thus far, have been closed off from media and public scrutiny. Given the IPT’s discretionary power to hold hearings either in public or in private, mounting public interest and pressure, further catalyzed by WhatsApp’s recent application to submit evidence, may prompt the IPT to incorporate an increased “public element” within the Apple versus the U.K. government contest, alongside limiting any potential reporting restrictions.

WhatsApp’s legal involvement in the hearing also has diplomatic consequences that extend beyond the United Kingdom’s territorial confines. Back in February, officials of the U.S. administration threatened to expel the United Kingdom from the U.K.-U.S. Five Eyes intelligence sharing agreement, while on June 5, U.S. politicians petitioned Congress to reform the U.S. Cloud Act to prevent the United Kingdom from ordering U.S. vendors to install encryption backdoors into their services. Meta-owned WhatsApp is an American company and thus its formal backing of Apple against the United Kingdom is likely to stoke tensions between the two nations, potentially cutting the United Kingdom out of key intelligence sharing deals and severing key U.K. intelligence sources.

Given the current clandestine nature of ongoing legal proceedings, the timeline for updates is indeterminate. However, it remains clear that Apple, Privacy International, and Liberty’s cases against the United Kingdom will have far-reaching consequences regardless.  

If the Home Office’s TCN is upheld, this could:

• Create a Technical Backdoor That Exposes the ADP Service to Malicious Interference: The ADP backdoor will weaken End-to-End (E2E), creating a hole that malicious actors and other state governments could exploit to conduct cyberattacks and state espionage activities, impacting individual and state security.
• Set a Legal Precedent That Is Preferential Toward the Government: With legal backing, reliance on politically contentious measures, like TCNs, are likely to become more rampant. In the United Kingdom, the ruling will form a legally binding precedent, making the road much more difficult for vendors challenging future TCNs.
• Encourage Increasingly Aggressive Approaches to Encryption Backdoors Across the European Union (EU): While the IPT’s ruling does not form a legally binding precedent in other countries, it is likely to serve as encouragement to other nations of what they can get away with when it comes to encryption services. This is particularly likely in Europe where officials have already tried to undermine E2E (e.g., French “ghost participants,” the EU's Chat Control for scanning encrypted messages.)
• Position the United Kingdom as an Outlier Among Its Peers: In December 2024, the other four parties to the Five Eyes agreement (the United States, Australia, Canada, and New Zealand) promoted the use of E2E where possible following the Salt Typhoon breach. Thus, the success of the TCN and any subsequent reliance on an encryption backdoor within the United Kingdom will serve to further isolate it from the policies of its allies, damaging those relationships.
• Risk Evidence Admissibility Challenges in Future Cases: Evidence securing via encryption backdoors in future criminal cases may face admissibility challenges, as in the Venetic case.
• Drive Encryption Service Providers Out of the United Kingdom: WhatsApp already threatened to leave the U.K. market in 2023 if it is forced to weaken E2E, and a successful TCN could encourage other vendors to take that approach, reducing the number of security vendors within the U.K. ecosystem, and weakening its standing as a leader in security technology and innovation.
• Trigger the Possibility of a Challenge Against the United Kingdom in the European Court of Human Rights (ECtHR): Human rights campaigners have submitted that the use of encryption backdoors is a disproportionate incursion on individuals’ privacy rights, exposing civilians to unauthorized government surveillance. The right to privacy is not absolute and can be limited under specific conditions. Terrorist threats and national security are generally considered a reasonable basis for qualifying a citizen's right to privacy. Yet, legal frameworks attempting to restrict this right must balance the interests of the individual and community, as well as be both necessary and proportionate in their scope. The U.K. government’s attempt to create encryption backdoors in ADP demanded a “blanket capability,” which is inherently wide-encompassing and without limitations based on the location of the device and its owner, indicating its potentially disproportionate nature. While cases like Podchasov v. Russia have ruled on the continuous storage of communications data acquired via a backdoor, without clear legal precedent from the ECtHR or other judicial bodies on the legality of encryption backdoors themselves, the fate of E2E at Strasbourg remains ambiguous.

If the Home Office’s TCN is denied, this could:

• Promote Other Routes into Accessing Encrypted Communications: With TCNs deemed an unsatisfactory route, the United Kingdom and other nations are likely to continue to explore other ways of undermining E2E. In the United Kingdom, an Equipment Interference order may be used instead of a TCN, effectively acting as a warrant to hack encryption services. Other options include “ghost protocols,” suggested by the U.K. and French governments as a means to monitor live chats as a “ghost” participant.
• Encourage Increased Allyship Between Vendors Against Governmental Demands Regarding Backdoors: Relatively speaking, Apple’s ADP service seems to be low-hanging fruit, particularly given its nature as an optional service, rather than the default setting within Apple products. However, colossal encryption messaging services, like WhatsApp, Telegram, and Signal, represent much higher-value targets for Nation States’ security agendas. This has prompted accusations that Apple’s APD service is being weaponized as a “stalking horse” to gauge industry and public reactions to governmental interference in private communications before turning to these more controversial targets. Thus, WhatsApp’s formal involvement is ever more important, and in the case of a TCN denial, it could encourage increased allyship between encryption and other general technology services when it comes to challenging similar government orders.

Regardless of its outcome, Apple versus the U.K. government indicates the need for stronger safeguards for E2E, including considering new innovations that integrate safeguards against governmental abuse if and where backdoors are used and cryptographic enforcements that render prospective “master keys” usable only where certain procedural conditions are met. Privacy-preserving techniques like Fully Homomorphic Encryption also show potential in this space. There are opportunities here for vendors; however, as displayed by WhatsApp’s latest move, the path ahead will continue to be strife with contention and controversy.