The Day Apple Made an Announcement That Had Nothing to Do With a New Product

On the Technical Capability Notice the UK Home Office served Apple in January 2025, what the Investigatory Powers Act actually empowers a government to demand, what iCloud data is and is not encrypted without Advanced Data Protection, and what the surveillance architecture behind this story reveals about the trajectory of democratic governance in Europe.

On the morning of February 21, 2025, Apple published a statement that contained no product announcement, no design reveal, no pricing detail, and no release date. Instead, the company announced that it was withdrawing its Advanced Data Protection feature from the United Kingdom, effective immediately for new users, with existing users given a transition period to disable a service they had voluntarily enabled precisely because they valued the security it provided. The statement was careful, tightly worded, and notably short. Apple said it was “gravely disappointed” that it could not offer its highest level of cloud data security to UK users. It did not explain why it could not. It did not name the legal mechanism that had forced the decision. It could not, under British law, because the order in question had arrived with a statutory gag.

What had happened, as reported by the Washington Post on February 7, 2025, and subsequently confirmed by multiple credible sources, was this: the UK Home Office had served Apple with a Technical Capability Notice under Section 253 of the Investigatory Powers Act 2016, demanding that Apple maintain the capability to provide the British government with access to iCloud data protected by end-to-end encryption, not only for UK users, but for Apple users worldwide (Privacy International, 2025, “PI Apple TCN Challenge”). The demand was, in the assessment of Liberty, Privacy International, and a coalition of digital rights organizations that subsequently challenged it before the Investigatory Powers Tribunal, one of the most extreme measures available under British surveillance law, and potentially the first time a major democracy had openly ordered a technology company to deliberately weaken an end-to-end encrypted service (Liberty, 2025, “UK Government’s Secret Apple Data Access Order Challenged”).

I want to spend some time on the precise mechanics of what was demanded, what it means technically, and what it reveals about the direction of surveillance governance in Europe, because the public conversation around this event has been shaped by two kinds of misunderstanding that pull in opposite directions. The first misunderstanding, promoted largely by government spokespersons and uncritically reproduced in mainstream coverage, is that this is a narrow, targeted law enforcement tool with appropriate safeguards, entirely unremarkable among comparable democracies. The second misunderstanding, which appears in privacy circles and in the original version of my own article on this subject, is that this event meant that every byte stored by every Apple user instantly became visible to British intelligence officers. Neither of these accounts is accurate, and precision matters here, because imprecision serves different interests depending on its direction.

What Advanced Data Protection Actually Is, and What Its Removal Actually Means

To understand what was demanded and what was conceded, you need to understand how iCloud actually handles encryption, which is not how most Apple users believe it works and not how most technology journalists describe it.

Apple’s standard iCloud configuration, which it calls Standard Data Protection, encrypts data in transit and stores it on Apple’s servers in an encrypted format. However, under Standard Data Protection, the encryption keys for most categories of data are held by Apple, not exclusively by the user’s devices. This means Apple can decrypt and provide that data in response to a lawful order from a court or government authority. Under this standard configuration, your iCloud backup, which contains a near-complete image of your device including your SMS messages, your photos, your app data, your call history, your location data, and your notes, is technically accessible to Apple and therefore technically accessible to any government with the legal standing to compel Apple (Apple Support, 2025, “iCloud Data Security Overview”). The same applies to iCloud Drive, to your photos library, to your reminders, and to a range of other categories.

Advanced Data Protection, introduced in 2022 and available in the UK until February 2025, changed this architecture fundamentally. When a user enabled ADP, the encryption keys for the majority of their iCloud data were deleted from Apple’s data centers permanently and irrevocably, and those keys were retained only on the user’s own trusted devices (Apple Support, 2022, “Advanced Data Protection for iCloud”). Apple explains this with precision in its security documentation: the deletion of keys from its Hardware Security Modules is “immediate, permanent, and irrevocable,” meaning Apple cannot reverse the process even under legal compulsion because it no longer possesses what it would be required to surrender. ADP extended end-to-end encryption to 25 data categories, up from 15 under Standard Data Protection, and the additional categories it covered included iCloud Backup (the complete device image), Photos, Notes, iCloud Drive, Reminders, and Safari bookmarks.

It is important to be equally precise about what ADP’s removal does not affect. Several categories of iCloud data are end-to-end encrypted by default, regardless of ADP status, and this encryption is not touched by the UK’s demand. These include the data in the iCloud Keychain, which stores passwords and passkeys, iCloud Health data, payment information, iMessage when iCloud Backup is disabled, and several other sensitive categories. A user who loses ADP protection does not lose encryption on their passwords or their health records. What they lose is the assurance that their backup, their photos, their files, their notes, and their messages as they exist in the backup cannot be accessed by Apple and therefore cannot be compelled from Apple by a government with a warrant.

The scope of what that backup contains, and what its accessibility means, is something I can speak to from direct experience. In the course of forensic examinations conducted over many years, I have worked with iCloud backup data extracted through legal processes, and the completeness of what a standard iCloud backup contains is something that consistently surprises those who encounter it for the first time. The backup is not a selective archive of files you consciously chose to preserve. It is a comprehensive, automated snapshot of your digital existence, updated nightly while your device charges, capturing text messages, message attachments, call logs, contacts with their associated notes and relationship context, calendar entries, browser history, application data including the data of third-party apps, location history as embedded in photos and app logs, and voice memos. It is, as a forensic document, among the richest single sources of behavioral evidence available from a consumer device.

The Extraterritorial Ambition of the UK’s Demand

The aspect of the UK’s TCN that received insufficient attention in initial coverage, and that carries the most significant implications for users outside the United Kingdom, is the initial demand’s geographical scope. The first Technical Capability Notice, issued in January 2025, did not request access to the data of UK-registered Apple accounts. It demanded blanket capability to access ADP-protected iCloud data from any Apple user anywhere in the world (Kouvakas, I., 2025, “You Can’t Have Your Apple and Eat It Too”, UK Constitutional Law Association; Legal letter to UK Home Secretary, US House Judiciary Committee, May 7, 2025). This is not an administrative detail. It represents a British government claim to jurisdictional reach over the encrypted personal data of citizens in Germany, in France, in the United States, in Japan, and in every other country where Apple users had opted into end-to-end encryption, without the knowledge or consent of those users or those governments.

Privacy International and Liberty noted in their legal submissions that such a demand, if complied with, would have created a condition in which the UK government possessed a technical capability to access encrypted data that would be illegal to access under the data protection laws of EU member states, potentially threatening the UK’s data adequacy status under the General Data Protection Regulation and the European Convention on Human Rights (Liberty, 2025; Kouvakas, 2025). Apple, in a submission to the UK Parliament in 2024, had already stated its position clearly: “There is no reason why the UK government should have the authority to decide for citizens of the world whether they can avail themselves of the proven security benefits that flow from end-to-end encryption” (as cited in Usercentrics, 2025, “UK Government Demands Access to Apple Users’ Encrypted Data”).

Apple appealed to the Investigatory Powers Tribunal, which is the specialist UK court established to handle surveillance-related legal challenges. The Home Office demanded total secrecy over the case, which the Tribunal rejected on April 7, 2025, allowing at minimum the bare outline of the proceedings to become public. By October 2025, TechCrunch reported the existence of a second TCN, apparently limiting the demand to UK users only, at which point Apple withdrew its legal challenge against the first order, with the apparent interpretation that the revised scope was more defensible (TechCrunch, October 1, 2025, “UK Government Tries Again to Access Encrypted Apple Customer Data”). Whether the second TCN represents a genuine retreat or a tactical concession pending future demands is a question that the IPA’s gagging provisions make impossible to answer with certainty. The separate legal challenges brought by Privacy International, Liberty, and the Internet Society continue before the Tribunal as of mid-2025.

What the Investigatory Powers Act Actually Is

The Investigatory Powers Act 2016, nicknamed the “Snoopers’ Charter” by its critics when it was debated in Parliament, is one of the most expansive surveillance authorization frameworks in the Western world. It grants UK intelligence agencies and law enforcement bodies extensive powers to conduct bulk interception of communications, bulk collection of communications metadata, targeted interception of individual communications, equipment interference (the legal term for what most people would call hacking), and, relevant here, the issuance of Technical Capability Notices requiring telecommunications operators and internet service providers to maintain the technical ability to comply with interception warrants.

The Act was amended substantially in 2024 by the Investigatory Powers (Amendment) Act, which expanded several powers and introduced new requirements including the obligation for telecommunications providers to give advance notice to the Home Office before implementing security changes to their products, a provision that, if applied to cryptographic features, would effectively give the government a veto over the security architecture of products used by people worldwide if those products happen to be developed by a company with UK operations (Internet Society, 2025, “A UK Government Order Threatens the Privacy and Security of All Internet Users”).

The TCN mechanism specifically allows the Secretary of State to require a company to “take, or refrain from taking, any action” specified in the notice, provided the obligation is “reasonably practicable.” It prohibits the recipient from disclosing that they have received such a notice. It carries no requirement for prior judicial authorization, only internal government review. And it is subject to a form of oversight that, as the Apple case demonstrated, can be conducted in secret even before the targeted company is permitted to disclose the existence of the proceedings.

From the Forensic Practice: What Investigators Actually Find

I have testified as a court-appointed expert on digital evidence for 30 years, which means I have been on both sides of the question of what investigators find when they obtain access to cloud-stored data, and I want to be direct about what that experience teaches about the stakes of this debate.

The value of a complete iCloud backup, from an investigative standpoint, is not primarily in any single category of data it contains. It is in the temporal depth and the behavioral correlation that the totality of the backup enables. A backup is not a file. It is a narrative. It records not only what you said in a message, but when you said it, where your device was when you said it (via embedded GPS coordinates in photos taken before or after), what applications you had open around the same time (via app state data), and what your behavioral pattern of device use looked like in the hours and days surrounding the communication. Investigators who know how to read backup data are not reading documents, they are reconstructing a timeline of a person’s life with a granularity that no previous investigative tool could achieve.

The forensic tools that make this reconstruction possible, and that are used by investigative authorities across Europe and North America, are sophisticated, fast, and continuously updated. Cellebrite and MSAB produce extraction platforms that ingest iCloud backup data and present the results in structured, searchable formats that allow an analyst to move through months of a person’s communications, location data, and behavioral patterns within hours. These platforms are not exotic or restricted; they are standard equipment in police forensic laboratories across Germany, Austria, Switzerland, the UK, the Netherlands, and most other European investigative jurisdictions.

The Palantir question is relevant here because it concerns what happens to data after it has been extracted. Palantir Technologies, the data analytics company founded in 2003 and originally funded in part by the CIA’s venture arm In-Q-Tel, holds over £670 million in UK public contracts across the National Health Service, the Ministry of Defence, multiple police forces, the Home Office, the Cabinet Office, and as of early 2026, the Financial Conduct Authority (Slow AI, 2026, “NHS, Defence, Police, and Now Your Financial Data”). The NHS Federated Data Platform contract, worth £330 million over 7 years and awarded to a Palantir consortium in November 2023, processes data from NHS trusts across England. The Ministry of Defence awarded Palantir a £240 million contract in December 2025 for “data analytics capabilities supporting critical strategic, tactical and live operational decision making across classifications” (The Lowdown, 2026, “Palantir, the Controversy, the Contracts and the Campaign”). The British Medical Association voted in June 2025 to oppose the NHS Federated Data Platform rollout. Amnesty International has urged termination of the NHS contract by 2027. Over 47,000 patients and health workers have formally objected. None of this has altered the trajectory of the contracts.

The relevant forensic observation is this: a government that possesses both the legal authority to compel access to encrypted cloud backups and the analytical infrastructure to process that access at scale has created something qualitatively different from a targeted investigative capability. It has created a mass surveillance architecture in which the gap between what is legally authorized on a case-by-case basis and what is technically possible in aggregate is a matter of administrative restraint rather than technical constraint. Administrative restraint, as any student of institutional behavior understands, is not a fixed constant.

The Biometrics Trap: Why Your Face Is Not a Password

The original version of this article recommended disabling biometric authentication, which is the right recommendation, but the legal reasoning behind it is more nuanced than the article suggested, and precision here matters because the legal landscape is actively shifting.

The core issue is the distinction between something you know and something you are. In American constitutional jurisprudence, the Fifth Amendment’s protection against compelled self-incrimination has long been interpreted to protect the contents of your mind, including a password or passphrase that exists only in your memory, while not protecting physical characteristics that can be directly observed or measured, including your fingerprints and your face. The key question for biometric device authentication is which category biometrics falls into when used not for identification but for device access: is compelling you to place your finger on a sensor the same as compelling you to write down a combination, or is it more like taking your fingerprint at booking?

Federal circuit courts in the United States have now reached conflicting answers. The Ninth Circuit, in United States v. Payne, decided in 2024, held that compelled fingerprint unlock of a device is a non-testimonial physical act not protected by the Fifth Amendment, placing it in the same category as a blood draw (U.S. v. Payne, 99 F.4th 495, 9th Cir. 2024). The D.C. Circuit, in United States v. Brown, decided in January 2025, reached the opposite conclusion, finding that compelling a suspect to use their fingerprint to unlock a device is testimonial because it discloses the person’s association with the device’s contents, and therefore does violate the Fifth Amendment (U.S. v. Brown, 125 F.4th 1186, D.C. Cir. 2025). The Supreme Court has not yet resolved the split.

In European jurisdictions, including Germany and the UK, the legal frameworks are different but the practical tension is analogous. The UK’s Regulation of Investigatory Powers Act, and related provisions, creates mechanisms through which decryption assistance can be compelled; the question of whether biometric device unlock is covered by these mechanisms and what protections apply is similarly unresolved and similarly contested in academic and legal circles. What is clear, across all jurisdictions I am aware of, is that a passphrase that exists only in your memory occupies a stronger position of legal protection than a biometric characteristic that can be physically imposed without your cognitive cooperation. An officer can hold your finger to a sensor while you sleep. An officer cannot hold your memory open.

The practical recommendation is therefore not merely a privacy preference but a legal strategy: a strong alphanumeric passphrase protects your device contents behind a legal barrier that biometrics does not provide. The inconvenience of typing a complex passphrase every time you unlock your device is a direct measure of the protection it offers. Convenience and security are in structural tension here, and that tension cannot be resolved in favor of both simultaneously.

What Effective Personal Data Security Actually Requires

I want to address the practical question of what individuals can do, with the same precision I have applied to the factual background, because the gap between what is recommended in most privacy guides and what is actually effective under adversarial conditions is wider than most people realize.

The first and most consequential change available to an iCloud user who cares about the confidentiality of their backup data, and who is not a UK resident, is to enable Advanced Data Protection if they have not already done so. ADP remains available outside the United Kingdom, and it moves iCloud backup, Photos, Notes, and iCloud Drive files from the category of data Apple can provide under a lawful order into the category of data that is encrypted with keys Apple does not possess. For UK residents, this option is no longer available for new enabling, and existing ADP users who disabled the feature have lost the protection. For UK users who cannot enable ADP, the practical alternative is to disable iCloud Backup entirely and maintain encrypted local backups using a tool such as VeraCrypt on a drive that remains physically in your possession.

IP Beacon: my.0at.de  |  What Your Browser Confesses Before You Finish Typing

The email question is frequently addressed with the recommendation to switch to ProtonMail or another end-to-end encrypted provider, and this recommendation is sound as far as it goes. ProtonMail’s architecture means that mail stored on its servers is encrypted with keys it does not hold, and it cannot provide plaintext content in response to a government order directed at ProtonMail. However, end-to-end encrypted email is substantially more complicated than its marketing suggests, because end-to-end encryption only protects emails exchanged between parties who both use compatible encryption, which in practice means both parties use ProtonMail or a compatible service. An encrypted email sent from ProtonMail to a Gmail address is not end-to-end encrypted on its way to Gmail; it becomes readable at the Gmail server. The practical implication is that switching to ProtonMail provides meaningful protection primarily for communications with other privacy-conscious correspondents using comparable tools.

For device security, the combination of full-disk encryption with a strong passphrase, disabled biometric unlock, and regular local encrypted backups provides a substantially stronger posture than any cloud-dependent configuration. Open Keychain on Android, the built-in full-disk encryption on iOS with biometrics disabled, BitLocker or FileVault on macOS and Windows with a strong passphrase, and VeraCrypt for external drives represent tools with documented security properties that have been independently audited and that do not depend on the goodwill of any company toward its users. A hardware authentication token such as a YubiKey or NitroKey adds a second factor that is not susceptible to phishing, and protects accounts even if a password is compromised.

None of these measures are absolute, and I want to be direct about that. A device that is running and unlocked when seized provides substantially weaker protection than one that is powered off and encrypted at rest. A passphrase that has been disclosed under legal compulsion or coercion provides no protection. Physical security of encrypted storage is essential because encryption protects data in a storage medium that remains under your control; it does not protect data that has already been extracted or that can be extracted from a running device with appropriate forensic tools. The goal of personal digital security is not to be impenetrable, which is not achievable, but to ensure that the cost of accessing your data, in terms of legal process, time, technical capability, and judicial oversight, is proportionate to the seriousness of the investigation and not routinely available as a matter of convenience.

The Surveillance Architecture That the Apple Case Reveals

The Apple iCloud case matters beyond its immediate facts because it makes visible an architecture that normally operates below the threshold of public awareness. That architecture has several components, and understanding them together is necessary for assessing what is actually at stake.

The first component is a legislative framework, embodied in the Investigatory Powers Act, that authorizes extremely broad surveillance powers, allows secret demands on technology companies with no prior judicial authorization, and enforces silence through gagging provisions that apply even when the company subject to the demand believes it to be unlawful. The second component is an infrastructure of analytical capability, embodied in Palantir’s contracts across UK state institutions, that can process the data those powers can compel at a scale and speed that previous investigative tools could not approach. The third component is a judicial oversight mechanism, the Investigatory Powers Tribunal, that meets in secret, whose full judgments are not made public, and that has so far been unable to prevent or reverse the most contested demands made under the Act.

Together, these 3 components describe a system in which the principal constraint on surveillance is not law, because the law actively enables the surveillance, and not technology, because the technology is advancing to make surveillance easier, but political will and the willingness of private companies to incur the reputational and legal costs of resistance. Apple’s decision to remove ADP from the UK rather than create a backdoor was an exercise of that private resistance. It preserved the security of users outside the UK at the cost of losing the ability to offer enhanced security within the UK. Whether Apple will continue to take that position if similar demands are made by larger markets, or by the US government under the CLOUD Act’s framework for compelling US companies to provide data regardless of where it is stored, is a question the current record does not allow us to answer with confidence.

The UK adequacy decision under the GDPR, which permits data transfers between the European Union and the United Kingdom to flow without additional legal mechanisms, was due for renewal in 2025 and is under pressure from precisely this dynamic. Legal scholars have argued that the UK’s TCN regime is incompatible with the European Convention on Human Rights in its current form, and that continued data transfer adequacy decisions in the presence of this regime would be legally vulnerable to challenge before European courts (Kouvakas, 2025, citing ECHR Article 8 and relevant CJEU jurisprudence). The outcome of the ongoing proceedings before the Investigatory Powers Tribunal involving Privacy International, Liberty, and the Internet Society may ultimately determine whether this argument succeeds.

A Note on the Language of National Security

The argument made in every jurisdiction where expanded surveillance powers have been sought is the same argument: this capability is necessary to protect citizens from terrorism, serious organized crime, and online harm. The argument is structurally irrefutable within its own terms because it relies on evidence that is, by definition, secret, and because the harms it invokes are real and serious. It is also structurally asymmetrical in a way that deserves explicit naming: the expansion of surveillance capability is permanent, because legislative authorizations and technical infrastructures once created are not routinely dismantled, while the threat environment that justifies each expansion is presented as perpetually current, requiring perpetual capability, generating a ratchet mechanism that runs in only 1 direction.

The forensic record of what happens to expanded surveillance capabilities over time suggests that the population most affected is not the one initially named as the justification. Mass surveillance infrastructure, once established, is applied to the full range of state priorities, which includes organized crime and terrorism but also includes tax enforcement, immigration enforcement, industrial disputes, political activism, and journalism. The UK’s own history with the Regulation of Investigatory Powers Act, the predecessor to the Investigatory Powers Act, included documented cases in which local councils used surveillance powers to investigate dog owners defying local bylaws and parents suspected of falsifying school catchment area information. These are not catastrophic abuses; they are routine institutional behavior when the cost of using a capability is low and the political restraint on using it is weak.

Closing

Apple’s Advanced Data Protection removal from the UK was not, as it was characterized in some commentary, a moment when privacy ended. It was a moment when the gap between what the law permits and what privacy requires became publicly visible in a way that a statutory gagging provision had previously prevented. The data that Apple can now provide to the UK government under a lawful order for UK users without ADP is data Apple has always been able to provide, because it is protected only by keys Apple holds. What was lost when ADP was removed was the option to close that gap through a technical architecture that placed the keys exclusively in the user’s hands.

Whether that option is restored, and under what conditions, will depend partly on the outcome of the legal proceedings before the Investigatory Powers Tribunal and partly on whether the political cost of the UK’s surveillance posture eventually becomes high enough to produce legislative change. The legal challenges brought by Privacy International, Liberty, and the Internet Society represent the best available institutional mechanism for forcing that question. They deserve support and attention.

In the meantime, the encryption tools that protect your data at rest and in transit exist, are free or inexpensive, have been audited, and require no government approval to use. The passphrase that lives only in your memory cannot be compelled from Apple, from a TCN, or from a Palantir analytics platform. The encrypted local backup that lives on a drive under your physical control cannot be extracted by a cloud access order. These protections are imperfect, require effort, and are not available to every user in every situation. They are, nonetheless, what remains available, and the gap between what remains available and what is being made inaccessible to UK users is precisely the territory that the Technical Capability Notice was designed to shrink.

Governments that work hard to shrink that territory are not, in the main, doing so because of criminals and terrorists, who are sophisticated enough to adapt their tools faster than any legislative cycle. They are doing so because the capability is useful for the full range of state functions, and because the population of ordinary users whose data becomes accessible in the process is very large and very unorganized.

The question this poses is the oldest question in the political philosophy of democratic government, which is who watches the watchers, and the answer the IPA provides, in the form of secret tribunals and statutory gags, is not one that any account of democratic accountability can comfortably accept.

References

• Apple Support. (2022). Advanced Data Protection for iCloud. Apple Inc. https://support.apple.com/guide/security/advanced-data-protection-for-icloud-sec973254c5f/web
• Apple Support. (2025). iCloud data security overview. Apple Inc. https://support.apple.com/en-us/102651
• Computer Weekly. (2025, October 13). Court dismisses Apple’s appeal against Home Office backdoor. https://www.computerweekly.com/news/366632561/Apple-and-Home-Office-agree-to-drop-legal-claim-over-encryption-backdoor
• Internet Society. (2025, July). A UK Government order threatens the privacy and security of all internet users. https://www.internetsociety.org/blog/2025/07/a-uk-government-order-threatens-the-privacy-and-security-of-all-internet-users/
• Kouvakas, I. (2025, March 13). You can’t have your Apple and eat it too: Decryption orders and the perilous future of UK data adequacy. UK Constitutional Law Association Blog. https://ukconstitutionallaw.org/2025/03/13/ioannis-kouvakas-you-cant-have-your-apple-and-eat-it-too-decryption-orders-and-the-perilous-future-of-u-k-data-adequacy/
• Liberty. (2025, March). UK Government’s secret Apple data access order challenged by Liberty and Privacy International. https://www.libertyhumanrights.org.uk/issue/uk-governments-secret-apple-data-access-order-challenged-by-liberty-and-privacy-international/
• Medact. (2026, March). Briefing: Concerns Regarding Palantir Technologies and NHS Data Systems. https://www.medact.org/2026/resources/briefings/briefing-palantir-fdp/
• Privacy International. (2025). PI Apple TCN Challenge. https://privacyinternational.org/legal-action/pi-apple-tcn-challenge
• Privacy Guides. (2025, February 28). The UK Government forced Apple to remove Advanced Data Protection: What does this mean for you? https://www.privacyguides.org/articles/2025/02/28/uk-forced-apple-to-remove-adp/
• Slow AI. (2026, March 26). NHS, Defence, Police, and now your financial data: Palantir’s expanding UK presence. https://theslowai.substack.com/p/palantir-uk-government-data
• TechCrunch. (2025, October 1). UK government tries again to access encrypted Apple customer data: Report. https://techcrunch.com/2025/10/01/uk-government-tries-again-to-access-encrypted-apple-customer-data-report/
• The Lowdown. (2026, April). Palantir, the controversy, the contracts and the campaign against the FDP. https://lowdownnhs.info/topics/accountablility/palantir-the-controversy-the-contracts-and-the-campaign/
• United Kingdom. (2016). Investigatory Powers Act 2016 (c. 25). Parliament of the United Kingdom. https://www.legislation.gov.uk/ukpga/2016/25/contents
• United Kingdom. (2024). Investigatory Powers (Amendment) Act 2024. Parliament of the United Kingdom.
• United States Court of Appeals, D.C. Circuit. (2025). United States v. Brown, 125 F.4th 1186.
• United States Court of Appeals, Ninth Circuit. (2024). United States v. Payne, 99 F.4th 495.
• Usercentrics. (2025, April). UK government demands access to Apple users’ encrypted data. https://usercentrics.com/knowledge-hub/uk-government-demands-access-to-apple-users-encrypted-data/
• US House Judiciary Committee. (2025, May 7). Letter to the Rt. Hon. Yvette Cooper MP, Home Secretary, regarding UK Investigatory Powers Act and Apple TCN. https://judiciary.house.gov/sites/evo-subsites/republicans-judiciary.house.gov/files/evo-media-document/2025-05-07-jdj-bm-to-cooper-re-cloud-act_0.pdf