Federal Trade Commission writes letter to technology companies warning them against censoring or weakening data security of Americans at request of foreign powers. Meanwhile the UK government says it will not seek back doors for programs
August 22, 2025
The demand by some governments to have a back door to end-to-end encryption is hugely controversial. The National Security Agency in the United States had Yahoo install a backdoor for the NSA’s use in 2014/5, although Yahoo says it challenged the NSA about this. In 2015 it built custom software to search clients’ incoming emails. Since 2013 the NSA has been keen to get around or through encrypted messaging. In February this year the UK ordered Apple to let it have access to users’ encrypted accounts. In 2015/2016 Apple was embroiled in a dispute with the FBI. The FBI wanted Apple to unlock phones whose data was cryptographically protected. Apple refused and objected to at least 11 orders issued by the US District Courts.
The issue is that the US government is concerned that overseas governments are attempting to weaken the level of encryption and data security. This directive, for want of a better word, poses real challenges for companies operating in other jurisdictions, like Australia. But the US policy has had an impact, with the UK agreeing to drop its plan for an encryption backdoor mandate for Apple.
The chairman of the Federal Trade Commission (“FTC”) has written letters to the largest and best-known cloud computing, data security, social media, computer and other technology companies warning them not to censor themselves or weaken the data security of Americans if asked by foreign governments. The rationale is set out in its media release titled FTC Chairman Ferguson Warns Companies Against Censoring or Weakening the Data Security of Americans at the Behest of Foreign Powers.
The media release provides:
Federal Trade Commission Chairman Andrew N. Ferguson sent letters today to more than a dozen prominent technology companies reminding them of their obligations to protect the privacy and data security of American consumers despite pressure from foreign governments to weaken such protections. He also warned them that censoring Americans at the behest of foreign powers might violate the law.
The letters were sent to companies that provide cloud computing, data security, social media, messaging apps and other services and include: Akamai, Alphabet, Amazon, Apple, Cloudflare, Discord, GoDaddy, Meta, Microsoft, Signal, Snap, Slack and X.
The letters noted that companies might feel pressured to censor and weaken data security protections for Americans in response to the laws, demands, or expected demands of foreign powers. These laws include the European Union’s Digital Services Act and the United Kingdom’s Online Safety Act, which incentivize tech companies to censor worldwide speech, and the UK’s Investigatory Powers Act, which can require companies to weaken their encryption measures to enable UK law enforcement to access data stored by users.
“I am concerned that these actions by foreign powers to impose censorship and weaken end-to-end encryption will erode Americans’ freedoms and subject them to myriad harms, such as surveillance by foreign governments and an increased risk of identity theft and fraud,” Chairman Ferguson wrote.
The letter noted that as companies consider how to comply with foreign laws and demands, they are still required to comply with the FTC Act’s prohibition against unfair and deceptive practices in the marketplace. For example, if a company promises consumers that it encrypts or secures online communications but then adopts weaker security in response to demands from a foreign government, such an action could be considered a deceptive practice under the FTC Act, the letter noted.
The FTC has brought dozens of cases over the past two decades against companies that have failed to keep their promises to consumers to deploy reasonable safeguards to protect consumer data.
The model letter sent to the companies provides, without footnotes:
Americans rightly hold dear the First Amendment and its guarantee of freedom of speech. We understand that America’s greatness and prosperity stems in no small part from its zealous commitment to the free exchange of ideas. We know, as sixteen-year-old Benjamin Franklin knew when he wrote in The New-England Courant, using the persona of a middle-aged widow named Silence Dogood, that “[w]ithout freedom of thought, there can be no such thing as wisdom; and no such thing as public liberty, without freedom of speech….” In the 21st century, the public squares in which citizens gather to exchange ideas and engage in lively debate now include online platforms. Because online platforms have become so critical to public discourse, pervasive online censorship in recent years has outraged the American people. Not only have Americans been censored and expelled from platforms for uttering opinions and beliefs that were not shared by a small Silicon Valley elite, the previous administration actively worked to encourage such censorship.
President Trump has put a swift end to the weaponization of the federal government against Americans and their freedoms, but foreign governments present emerging and ongoing threats to the free exchange of ideas. Companies might be censoring Americans in response to the laws, demands, or expected demands of foreign powers. And the anti-encryption policies of foreign governments might be causing companies to weaken data security measures and other technological means for Americans to vindicate their right to anonymous and private speech. Specifically, there have been numerous recent attempts by foreign governments to pressure your company to censor content or degrade security for users of your services. Examples of these efforts include the European Union’s Digital Services Act (DSA), which “incentiviz[es] tech companies to censor speech, including speech outside of Europe”; the United Kingdom’s Online Safety Act, which requires online platforms to “protect” their users from harm by detecting and removing “illegal content;” and reported demands from the UK’s government under its Investigatory Powers Act that companies weaken their encryption measures to enable UK law enforcement to access data stored by users.
I am concerned that these actions by foreign powers to impose censorship and weaken end-to-end encryption will erode Americans’ freedoms and subject them to myriad harms, such as surveillance by foreign governments and an increased risk of identity theft and fraud. I am also concerned that companies such as your own might attempt to simplify compliance with the laws, demands, or expected demands of foreign governments by censoring Americans or subjecting them to increased foreign surveillance even when the foreign government’s requests do not technically require that. Indeed, foreign governments seeking to limit free expression or weaken data security in the United States might count on the fact that companies have an incentive to simplify their operations and legal compliance measures by applying uniform policies across jurisdictions.
As you grapple with how your company will comply with these misguided international regulatory requirements, I write to remind you that your company has independent obligations to American consumers under Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive acts or practices in or affecting commerce. As the nation’s consumer protection agency, the FTC has taken action for over two decades against companies that fail to keep their data security or privacy promises to consumers. The Commission has steadfastly maintained that companies that collect, use, share, or transmit consumers’ personal data must employ reasonable security measures, including encryption of sensitive information, to protect such information from unauthorized access, use, or disclosure.
Companies that promise that their service is secure or encrypted, but fail to use end-to-end encryption where appropriate, might deceive consumers who reasonably expect that level of confidentiality. Further, certain circumstances may require reasonable security measures such as end-to-end encryption, and the failure to implement such measures might constitute an unfair practice.
Weakening encryption or other security measures to comply with the laws, demands, or expected demands of a foreign government may also violate Section 5. If a company promises consumers that it encrypts or otherwise keeps secure online communications but adopts weaker security due to the actions of a foreign government, such conduct may deceive consumers who rightfully expect effective security, not the increased susceptibility to breach or intercept desired by a foreign power. Consumers may be further deceived if companies fail to prominently disclose that weaker security measures were adopted due to the actions of a foreign government, information that might be material to a consumer’s decision to use a service. It might also be an unfair practice to weaken the security of Americans’ communications to placate foreign powers that do not have Americans’ best interests at heart and that might seek to surveil or otherwise hurt Americans.
Censoring Americans to comply with a foreign power’s laws, demands, or expected demands can also violate Section 5. American consumers do not reasonably expect to be censored to appease a foreign power and may be deceived by such actions. And as with weakened security measures, consumers might be further deceived if companies do not prominently disclose that censorious policies were adopted due to the actions of a foreign government, as consumers might not want to use a service that exposes them to censorship by foreign powers. Further, it might be an unfair practice to subject American consumers to censorship by a foreign power by applying foreign legal requirements, demands, or expected demands to consumers outside of that foreign jurisdiction.
Protecting the privacy and security of Americans’ personal data and safeguarding their liberty by combatting illegal censorship are priorities for the Trump-Vance FTC. Part and parcel of the Commission’s efforts is engagement with stakeholders on these important issues. I invite you to reach out by Thursday, August 28th to schedule a time to meet with my office to discuss security measures, including encryption of sensitive information, to protect such information from unauthorized access, use, or disclosure.
The story about the UK agreeing to drop the encryption backdoor mandate provides:
Britain has dropped its demand for the iPhone maker Apple to provide a “backdoor” that would have enabled access to the protected encrypted data of American citizens, United States director of national intelligence Tulsi Gabbard said.
Gabbard issued the statement on X, saying she had worked for months with Britain, along with President Donald Trump and Vice President JD Vance, to arrive at a deal.
British Prime Minister Keir Starmer was in Washington on Monday along with other European leaders to meet Trump and discuss Russia’s war in Ukraine.
A spokesperson for the British government said that while they would not comment on any agreement, Britain had long worked with the US to tackle security threats while seeking to protect the privacy of citizens in both countries.
“We will always take all actions necessary at the domestic level to keep UK citizens safe,” the spokesperson added.
Apple did not immediately respond to requests for comment on Gabbard’s statement.
US lawmakers said in May that the UK’s order to Apple to create a backdoor to its encrypted user data could be exploited by cybercriminals and authoritarian governments.
Apple, which has said it would never build such access into its encrypted services or devices, had challenged the order at the UK’s Investigatory Powers Tribunal (IPT).
The iPhone maker withdrew its Advanced Data Protection feature for British users in February following the UK order.
Users of Apple’s iPhones, Macs and other devices can enable the feature to ensure that only they – and not even Apple – can unlock data stored on its cloud.
US officials said earlier this year they were examining whether Britain broke a bilateral agreement by demanding that Apple build a backdoor allowing the British government to access backups of data in the company’s encrypted cloud storage systems.
In a letter dated February 25 to US lawmakers, Gabbard said the US was examining whether the UK government had violated the CLOUD Act, which bars it from issuing demands for the data of US citizens and vice versa.
Cybersecurity experts told Reuters that if Apple chose to build a backdoor for a government, that backdoor would eventually be found and exploited by hackers.
Apple has sparred with regulators over encryption as far back as 2016 when the US government tried to compel it to build a tool to unlock the iPhone of a suspected extremist.