House Judiciary Subcommittee probes UK order to Apple, witnesses urge CLOUD Act changes

WASHINGTON — The House Judiciary Subcommittee on (name not specified in transcript) held a hearing on the CLOUD Act and foreign influence on U.S. data security where witnesses described a reported U.K. order to Apple as a direct threat to global encryption and recommended prompt U.S. action and statutory changes.

The hearing featured testimony from Professor Susan Landau (Tufts University), Carolyn Wilson Palo (legal director and general counsel, Privacy International), Richard Salgado (Salgado Strategies), and Greg Nojeim (Center for Democracy & Technology). Panelists described press reports that the U.K. had issued a secret technical capability notice requiring Apple to alter its “Advanced Data Protection” iCloud feature so U.K. authorities could obtain content otherwise protected by end-to-end encryption.

Why it matters: Witnesses said a legally compelled weakening of encryption on a widely used product would not only expose U.K. users but would create a global vulnerability because the change would affect all users of that product worldwide, including Americans. They argued that such an outcome would undermine cybersecurity, hurt the competitiveness of U.S. technology companies, and risk misuse by hostile states or criminal actors.

“Apple’s Advanced Data Protection secures users’ files by treating them as end-to-end encrypted messages sent from the user to themselves,” Professor Susan Landau testified. “Since only the user has the encryption key, the files cannot be decrypted while stored in iCloud.”

Panelists explained the regulatory mechanics at issue. The CLOUD Act (2018) allows the Justice Department to enter executive agreements with foreign governments enabling those governments to issue orders to U.S. providers for data stored abroad under specified safeguards. Separately, the U.K.’s Investigatory Powers Act 2016 contains a technical capability notice (TCN) regime that, according to witnesses, permits the U.K. to compel companies to alter products or services in ways that can be secret and extraterritorial. Carolyn Wilson Palo said the TCNs are “ill defined, secret, and extraterritorial.”

Greg Nojeim told the subcommittee that, under the Cloud Act framework, the U.K. “has availed itself of this opportunity in spades, issuing over 20,000 demands under the Cloud Act. In contrast, the U.S. has issued 63.” He warned that companies that receive such secret orders are typically legally gagged from notifying customers or U.S. oversight bodies.

Witnesses urged specific U.S. responses. Suggestions included: the Justice Department invoking the CLOUD Act’s 30‑day termination provision and threatening to terminate the U.S.–U.K. executive agreement unless the U.K. publicly withdraws the reported order to Apple; amending the CLOUD Act to make cybersecurity and protections for encryption explicit qualifying criteria for partner countries; and allowing or requiring providers to notify the U.S. government when they receive conflicting foreign orders.

Richard Salgado summarized the policy stance: “The harm is magnified when such mandates are imposed in closed secret proceedings with outcomes concealed.” Salgado added that narrowly targeted statutory changes could declare network security a national interest and bar partner countries from imposing technical surveillance or anti‑security obligations on U.S. companies as a condition of an agreement.

On bipartisan reforms, witnesses also highlighted section 702 of the Foreign Intelligence Surveillance Act and related surveillance-search practices. Several panelists endorsed requiring a warrant to search databases that incidentally contain Americans’ communications, echoing broader calls for transparency and judicial oversight. As one panelist put it, warrant requirements and better reporting would be “constitutionally mandated” and good policy.

Members of the subcommittee asked whether the CLOUD Act and existing executive agreements sufficiently protect Americans’ communications; witnesses answered that the statute provides a useful framework but needs changes to prevent extraterritorial orders that weaken encryption and to improve transparency and reporting.

The session closed with several witnesses urging immediate diplomatic and legal pressure on the U.K. and with recommendations for congressional amendments to the CLOUD Act to add explicit protections for encryption, require partner countries to prohibit orders that force technical weakening of security, and improve DOJ reporting and provider notification channels. The hearing record will include the witnesses’ full written statements, which the subcommittee entered into the record.