Senator Ron Wyden has written to the US director of national intelligence, Tulsi Gabbard, urging her to provide Congress and the American public with a “frank assessment” of the security risks posed by UK surveillance to the US.
The letter, which follows disclosures that the UK Home Office issued a secret notice to Apple to gain access to its users’ encrypted data, raises new concerns that the UK’s Investigatory Powers Act (IPA) may allow it much wider access to data on US citizens than previously reported.
Android phones may have ‘backdoors’
In a letter to Gabbard yesterday, Wyden claimed the Home Office may also have issued a secret order against Google to introduce “backdoors” to the encrypted backup service used by billions of Android phone users worldwide. Following the publication of Wyden’s letter, Google said it had received no such order from the UK.
The letter also raises questions about Home Office powers to issue orders to secretly under the Investigatory Powers Act force US companies to store data belonging to US citizens in the UK, “where it could be then seized by the UK government”.
Wyden’s intervention comes as president Donald Trump, who has criticised the Home Office’s order against Apple as something China would be expected to do, met with prime minister Keir Starmer at Trump’s Turnberry Golf Club in South Ayrshire.
Wyden and Republican congressman Andy Biggs first wrote to Gabbard in February 2025, after a leak in The Washington Post revealed that home secretary Yvette Cooper had issued an order, known as a technical capability notice (TCN), against Apple, requiring it to introduce backdoor access to users’ data stored on its Advanced Data Protection (ADP) encrypted storage service.
Gabbard told the lawmakers that she shared their “grave concern” about the UK ordering US companies to create backdoors that would allow access to the encrypted data of US citizens. Such a move would “be a clear and egregious violation of American citizens’ privacy and civil liberties” and would create cyber vulnerabilities that could be exploited by hostile actors, she added.
Wyden stated in the letter that companies that receive orders under the UK’s IPA are legally prohibited from disclosing their existence, making it impossible to confirm which US technology companies have received such orders from the UK, “much less the extent to which they may be complying with them”.
Apple’s ADP service is disabled by default, making it likely that only a “very small” proportion of Apple’s customers “benefiting from this important cyber security defence” would be affected by a Home Office order.
However, Wyden raised the prospect – since denied by Google – that the Home Office has also issued an order requiring Google to provide backdoor access to encrypted backups made by billions of Android smartphone users that are protected by end-to-end encryption by default.
“When my office asked Google about backdoor demands from the UK, the company did not answer the question, only stating that if it had received a technical capabilities notice, it would be prohibited from disclosing that fact,” Wyden wrote.
This is in contrast to Meta, which offered Wyden an “unequivocal denial” when asked the same question on 17 March 2025, stating: “We have not received an order to backdoor our encrypted services, like that reported about Apple.”
Home Office hacking powers could impact US
Wyden has raised further concerns that the threat to US data posed by UK surveillance laws is not limited to demanding that US companies weaken their encryption with backdoors.
The British Embassy in Washington has not denied claims that the UK could use the IPA to force US companies to store newly created US customer data in the UK. “Such UK-located data could then be seized by the UK government,” he added.
Wyden has also raised concerns that the UK can use the “equipment interference” (hacking) provisions in the IPA to demand that companies “infect their customers with spyware to hack Americans” – a capability which the British Embassy in Washington has, again, not denied.
“The cyber security of Americans’ communications and digital lives must be defended against foreign threats,” Wyden told Gabbard. “The national security implications are serious, not least because the communications of US government officials could be subject to both weakened encryption and storage in the UK,” he said.
Commenting on Wyden’s letter, Jim Killock, executive director of the Open Rights Group, which is campaigning against UK’s moves against encryption, said the Home Office’s orders impact the security of people worldwide.
“Google’s refusal to answer senator Wyden is extremely worrying for Android users who rely on encryption for their privacy and security,” he added.
Update 21:00 29 July 2025:
Following publication of this story, Google told The Washington Post that the British government has never asked it for special access to users’ private messages and data.
A spokesperson told The Washington Post: “We have never built any mechanism or ‘backdoor’ to circumvent end-to-end encryption in our product,” adding: “If we say a product is end-to-end encrypted, it is.”
