Too right, it was far more problematic than they ever made out.
> The UK government's demand came through a "technical capability notice" under the Investigatory Powers Act (IPA), requiring Apple to create a backdoor that would allow British security officials to access encrypted user data globally. The order would have compromised Apple's Advanced Data Protection feature, which provides end-to-end encryption for iCloud data including Photos, Notes, Messages backups, and device backups.
One scenario would be somebody in an airport and security officials are searching your device under the Counter Terrorism Act (where you don't even have the right to legal advice, or the right to remain silent). You maybe a British person, but you could also be a foreign person moving through the airport. There's no time limit on when you may be searched, so all people who ever travelled through British territory could be searched by officials.
Let that sink in for a moment. We're talking about the largest back door I've ever heard of.
What concerns me more is that Apple is the only company audibly making a stand. I have an Android device beside me that regularly asks me to back my device up to the cloud (and make it difficult to opt out), you think Google didn't already sign up to this? You think Microsoft didn't?
Then think for a moment that most 2FA directly goes via a large tech company or to your mobile. We're just outright handing over the keys to all of our accounts. Your accounts have never been less protected. The battle is being lost for privacy and security.
> you think Google didn't already sign up to this?
My understanding is that Android's Google Drive backup has had an E2E encryption option for many years (they blogged about it at https://security.googleblog.com/2018/10/google-and-android-h...), and that the key is only stored locally in the Titan Security Module.
If they are complying with the IPA, wouldn't that mean that they must build a mechanism into Android to exfiltrate the key? And wouldn't this breach be discoverable by security research, which tends to be much simpler on Android than it is on iOS?
> What concerns me more is that Apple is the only company audibly making a stand.
But still Apple operates in China and Google does not. This is weird to me. Google left China when the government wanted all keys to the citizens data. Apple is making a stand when it's visible and does not threaten their business too much.
Apple is not really in the business of protecting your data, they are just good at marketing and keeping their image.
> Google left China when the government wanted all keys to the citizens data.
Google left China after China started hacking into Google's servers.
> In January, Google said it would no longer cooperate with government censors after hackers based in China stole some of the company’s source code and even broke into the Gmail accounts of Chinese human rights advocates.
They were working to reenter the China market on China's terms many years later, when Google employees leaked the effort to the press. Google eventually backed down.
China feels like an important difference here though. Google leaving China doesn't protect Chinese citizen's data any more than Apple turning off ADP in the UK does. As far as I know, Apple isn't pretending that the data of Chinese users is encrypted from their government, and the way they're complying with the Chinese laws shouldn't impact the security of users outside of China.
Apple pulling ADP from UK users is similar - the UK has passed an ill-considered law that Apple doesn't think it can win a court case over, so they're complying in a way that minimally effects the security of people outside the UK. If, as someone outside the UK, I travel to the UK with ADP turned on, my understanding is it won't disable itself.
Would you have been more satisfied if Apple just pulled out of the UK entirely? Bricked every iPhone ever purchased there? Google doesn't seem to have made any stand for security ever - them pulling out of China feels more to do with it meaning they wouldn't have had access to Chinese users' data, which is what they really want.
It’s different. Apple follows Chinese law to operate their services in China, just like Microsoft.
With Google, their services are way broader. Operating a hunk of their search business with a third party Chinese firm just isn’t viable for their services, which are way more complex.
The government, with anti trust laws, could easily force this issue. On the other hand, they really love how few places they have to go with FISA warrants to just take anyones data. This is the long tail of the American security state. So it's really ironic that China takes most of the blame.
Perhaps Apple has a greater leverage in China due to its outsized manufacturing presence. And it's likely they already dont offer ADP to Chinese citizens.
Eh Google had pretty good reasons to not operate in China (not seeing them in this thread, don't recall the details precisely enough to relate here)
Apple is deeply embedded in China (manufacturing) and benefits from a decent (but shrinking) userbase in the country. China isn't asking for the keys to all iphone user data, just data stored in China.
> Doesn't the US have access to all the data of non US citizens whose data is stored in the US without any oversight?
Totally agree. Having this discussion so US centred just makes us miss the forest for the trees. Apart from data owned by US citizens, my impression is that data stored in the US is fair game for three letter agencies, and I really doubt most companies would spend more than five minutes agreeing with law enforcement if asked for full access to their database on non-US nationals.
Also, remember that WhatsApp is the go-to app for communication in most of the world outside the US. And although it's end-to-end encrypted, it's always nudging you to back up your data to Google or Apple storage. I can't think of a better target for US intelligence to get a glimpse of conversations about their targets in real time, without needing to hack each individual phone. If WhatsApp were a Chinese app, this conversation about E2E and backup restrictions would have happened a long time ago. It's the same on how TikTok algorithm suddenly had a strong influence on steering public opinion and instead of fixing the game we banned the player.
Android data isn't encrypted at rest (or at least not in a way Google doesn't have the key). If the uk gov has a warrant, they can ask Google to provide your Google Drive content. The whole point of this issue is Apple specifically designed ADP so they couldn't do that.
i think people focus on whether backups are encrypted too much. it really doesn't matter when the government has remote access equivalent to your live phone when it's in an unencrypted state, which they almost certainly do.
> Doesn't the US have access to all the data of non US citizens whose data is stored in the US without any oversight?
Er, no...? I'm not sure where you get that idea. Access requires a warrant, and companies are not compelled to build systems which enable them to decrypt all data covered by the warrant.
See, for example, the Las Vegas shooter case, where Apple refused to create an iOS build that would bypass iCloud security.
Also, I wondered if by complying with British law that they may somehow be breaking laws of another country?
Hypothetically, if Apple just provide a back door to the data they have on US Senators for instance, then providing that information may be considered treason by the US.
That's a totally made up example, and I have no idea, but it seems like it's possibly an issue.
Which is all about the issues around data sovereignty I suppose!
Treason is a very heavy charge and as far as I know it applies more to individuals. Can a company be prosecuted for treason? I guess it depends on the country and I don't know US law well (never even visited there)
But I'm sure local laws conflict heavily between countries yes. I'm often wondering how multinationals manage to navigate this maze. This is why we have such a big legal department I guess :) And the company I work for is a pretty honest one, I've never seen any skullduggery going on with eg privacy or media manipulation. In fact employees are urged to report such things and I have to do a course on responsible behaviour yearly. Probably a result of being purely B2B. But anyway I digress, just wanted to say that getting away with stuff does not seem to be the reason for us having a big legal dept.
But just look at the laws of e.g. the EU and Iran. Pretty diametrically opposed on many topics. There's no way to satisfy them both.
I think what helps to make this happen is that most countries don't try to push their laws outside of their jurisdiction. Which the UK is trying to do here.
> One scenario would be somebody in an airport and security officials are searching your device
No Heathrow connection necessary. “The law has extraterritorial powers, meaning UK law enforcement would have been able to access the encrypted iCloud data of Apple customers anywhere in the world, including in the US” [1].
I don't really understand your comment to be honest. Section 3 of the Regulation of Regulatory Powers Act 2000 allows for compelled key disclosure (disclosure of the information sought instead of the key is also possible). Schedule 7 of the Counter-Terrorism Act allows 9 hour detention, questioning and device search at the border. With these powers it isn't necessary to get access to iCloud backups, as you can get the device and/or the data.
I don't think the e2e icloud backup is problematic under existing legislation / before the TCN. While you can't disclose the key because it lives in the secure enclave, you can disclose the information that is requested because you can log into your apple account and retrieve it. IANAL, but I believe this to be sufficient (and refusing would mean jail).
The Investigatory Powers Act allows for technical capability notices, and the TCN in this case says (as far as we know) "allow us a method to be able to get the contents of any iCloud backup that is protected by E2EE for any user worldwide". This means that there is no need to ask the target to disclose information and if implemented as asked, also means that any user worldwide could be a target of the order, even if they'd never been to the UK.
I imagine they want the ability to look at someone's iCloud backups without notifying the owner that they are doing so or they want to do it when the owner is unwilling or unable to provide keys.
For the latter, there are a lot of cases where jail isn't much a threat (e.g. the person is dead or not in the country).
You have no laws when traveling through immigration. Thats true in US too. There was an article (trying to look for it could be arstechnica verge I dont remember where) once where a US citizen journalist was detained at the border for hours while traveling into the US and questioned. You can be in the immigration for hours or even decades until you give out what they demand which can involve your unlocked phone and password. There are no laws protecting you.
> Apple is the only company audibly making a stand
Apples stand is false, they take with one hand and give with the other. There have been many times that Apple have been caught giving user data to governments at their request, lied about it, then later on admitted it once it had leaked from another source.
This whole 'we will never make a backdoor' is a complete whitewash marketing stunt, why do they need to make a backdoor when they are providing any and all metadata to any government on request.
> There have been many times that Apple have been caught giving user data to governments at their request, lied about it, then later on admitted it once it had leaked from another source.
In other words, Apple complies with legal government orders, as they are required to. The government can compel them with a warrant to hand over data that they have, and can prohibit them from talking about it. That's the whole reason for the push towards end-to-end encryption and for not collecting any data Apple doesn't need to operate the products. This also ties into things like photo landmark identification, where Apple designed it such that they don't get any information about the requests and so they don't have any information that they could be compelled to hand to the government.
Irrespective of political leanings, a lot of British people are saying this. They stand for it because they have to. It's a government that was voted in by a large margin only six months ago. Disquiet, if that's the word, is pretty much universal and I am not sure we've been quite in this position before. Keir Starmer's decline in approval ratings 'marks the most substantial post-election fall for any British prime minister in recent history'.
> What concerns me more is that Apple is the only company audibly making a stand.
Dropping the functionality for a particular market hardly equals to making a stand. Sure they haven't added a backdoor that would give all user's data access to UK icloud user's data so in the end UK residents didn't win anything.
And who knows if they simply have an agreement with US gov to have a backdoor only available to them and not the other govs.
"technical capability notice" under the Investigatory Powers Act (IPA)
Sounds a lot like the godawful "assistance and access" laws that were rushed through in Australia a couple of years ago, right down to the name of the secret instrument sent to the entity who gets forced into to building the intercept capability.
Now that Apple has caved once, I expect to see other providers strongarmed in the same way, as well as the same move tried in other countries.
For photos, it's probably best to use an open-source (also self-hostable) service like Ente. For files it's best to self-host Nextcloud or similar. And rely on other people's computers as little as possible. Sadly, operating systems are very complex and mostly composed of proprietary blobs nowadays so there is still a risk of it leaking data but people can still do at least something.
But if you don't trust Apple, how to you get the key into the Secure Enclave to begin with? Doesn't Apple control the software on your device that provides the interface into the Secure Enclave from outside of it?
> One scenario would be somebody in an airport and security officials are searching your device under the Counter Terrorism Act
No, it's much broader than that. The UK is asking for a backdoor to your data and backups in the cloud, not on your device. Why bother with searching physical devices when they can just issue a secret subpoena to any account they want?
It's actually pretty amazing that Apple made ADP possible for the general public. This is the culmination of a major breakthrough in privacy architecture about ten years ago.
Traditionally you had to make a choice between end-to-end encryption and data recoverability. If you went with E2EE, it's only useful if you use a strong password, but if you forget it then Apple can't help you recover your account (no password reset possible). So that was totally unsuitable for precious memories like photos for the average user.
Apple's first attempt to make this feasible was a recovery key that you print out and stuff in a drawer somewhere. But you might lose this. The trusted contact feature is also not totally reliable either, because chances are it's your spouse and they might also lose their device at that same time as you (for example in a house fire).
So while recovery keys and trusted contacts help, the solution that really made the breakthrough for ADP was iCloud Keychain Backup. This thing is low-key so cool and kind of rips up the previous assumptions about E2EE.
iCloud Keychain Backup makes it possible to recover your data with a simple, weak 6 digit passcode that you are virtually guaranteed never to forget, yet you are also protected from brute force attacks on the server. It is specifically designed to work on "adversarial clouds" that are being actively attacked. This is... sort of not supposed to be possible in the traditional thinking. But they added something called hardware security modules to limit the number of guesses an attacker can make before it wipes your key.
And crucially it ensures you don't forget this passcode because it's your device passcode which the OS keeps in sync with the backup key. This is part of the reason your iPhone asks you to enter your passcode now and then even though your biometrics work just fine.
It is a true secret that only you know and can keep in your brain even when your house burns down and nobody (hopefully) can derive from something they can research about you. This didn't really exist for the general populace until smartphones came along. And that ultimately was the breakthrough that allowed for changing the conventional wisdom on E2EE.
iCloud Keychain Backup came out about a decade ago and it has taken this long to gradually test the feasibility of going 100% E2EE without significantly risking customer data loss. The UK is kind of panicking but when people see how well ADP protects their most personal data from breaches, I think they will demand it. It just wasn't practical before.
> No, it's much broader than that. The UK is asking for a backdoor to your data and backups in the cloud, not on your device. Why bother with searching physical devices when they can just issue a secret subpoena to any account they want?
My point was that there was already a clear chain in place that would give them access to the data of foreign nationals. It's not just a "UK problem", but actually the ramifications are further reaching.
Another thing to consider is that these cookie alerts on sites were for EU countries only, but ended up everywhere. If Apple were to comply, this cloud backdoor could end up in other countries too, with the keys sitting there ready for collection.
To make things more complex still, they would need to support dual/multi nationality. It probably ends up looking like a dual key E2E system where there is a unique key for the end-user and then a third party. Key revocation would likely be difficult, so it would likely be the cloud provided decrypting and re-encrypting the files per request, throwing E2E out the window entirely.
Your smartphone cannot be considered a private device. You as the owner don’t have sufficient control over its operating system and applications to ever make that claim.
In theory you have the likes of the PinePhone where you can run a full Linux kernel [1]. You could then use something like Waydroid to run Android apps [2].
I think the biggest concern is that many of the important apps are anti-emulation, for example banking apps and authentication apps.
It's amusing to think of Apple as a "monopoly" (if anything they have a monopsony on TSMC production) but let's just replace that with "giant" for purposes of discussion.
Tech giants typically devolve local operations to small companies to avoid liability - think petroleum suppliers not owning gas stations (because those typically end up as superfund sites). Not sure if this analogy this works for Google Android and all the manufacturers that deploy it for their smartphones too.
So corporations have been doing this forever, trying to find legal loopholes where they can have their cake and eat it too.
> There's no time limit on when you may be searched, so all people who ever travelled through British territory could be searched by officials.
> Let that sink in for a moment. We're talking about the largest back door I've ever heard of.
Codename 'Krasnov' is the largest backdoor I have ever heard of. And, we only need to look at his behavior.
These E2EE from USA can be tainted in so many ways, and FAMAG sits on so much data, that codename 'Krasnov' can abuse such to target whoever he wants in West. Because everyone you know is or has been in ecosystem of Apple, Google, or Microsoft.
Whataboutism! Fair. From my PoV, as European, the UK government is (still) one of the good guys who will protect Europe from adversaries such as those who pwn codename 'Krasnov'. Such protection may come with a huge price.
The real prescient threat in that movie was the predictive AI algorithm that tracked individual behaviors and identified potential threats to the regime. In the movie they had a big airship with guns that would kill them on sight, but a more realistic threat is the AI deciding to feed them individualized propaganda to curtail their behavior. This is the villain's plot in Metal Gear Solid 2, which is another great story.
> Your persona, experiences, triumphs, and defeats are nothing but byproducts. The real objective was ensuring that we could generate and manipulate them.
It's really brilliant to use a video game to deliver the message of the effectiveness of propaganda. 'Game design' as a concept is just about manipulation and hijacking dopamine responses. I don't think another medium can as effectively demonstrate how systems can manipulate people's behavior.
Life is imitating too many dystopian books, movies, etc these days. I think we need to put an end to all creative works before the timeline becomes irrecoverably destroyed.
It's always hilarious to see how far people here are ready to go to twist some bad Apple news into something which might be considered good.
I mean seriously. Apple making a stand? What stand? They are ripping security out of their customers hands. Customers which are already dependent on the company's decision in their locked in environment.
There is absolutely nothing good about it, and you dragging Android into it and making it look like it's even worse is suspicious. You can have full control over your Android device. Something impossible on an Apple phone. You can make your Android device safer than your iPhone.
The government forced them to pull the feature. Would you rather they left a toggle-switch that doesn't actually do anything? Or are you thinking they should just pull out of the EU altogether?
What I fund 'amusing' is the swap between Left vs Right.
'Back in the day' it was the "Right" that wanted have total access/total control over everything. So people turned a bit "left". Now the "Left" government is seeking totalitarian-style control ('because paedophiles/drugs/etc.).
As a reminder, both Right and Left extremes went from 'liberal/conservatives' to "we don't need elections ever again - trust me!".
I saw this happening in the US, in Saudi (e.g. Blackberry 'keys'). Now I see it in the UK. So I interpret this in two ways:
1) The "Left is the new Right" (or "Right is the new Left")
2) Left and Right are irrelevant terms when it comes down to "we need to exert control over people/knowledge/data/information/etc. And the 'guise' of Left/Right is just on the fiscal policies. So UK has been playing around with 'snooper charter' but at 'that' time Apple's encryption was not on the table.
Apple (I don't blame them - very much - just a little) does what a company does. Makes money. And they prefer to sell-out the data of their clients and keep their money, than lose that money.
So... yeah.. if your data is in someone else's server, that happens.
If you go too far right or left, both types of authoritarianism are difficult to distinguish. I think this just makes the case that every election you need to be a swing voter, make sure your politicians still overlap with your ideals.
Apple today appear to be on the 'correct side of history', but even then you need to be swing consumer.
> What concerns me more is that Apple is the only company audibly making a stand.
They are not making a stand. They roll over without a peep. And this is concerning users' privacy which they say is the core of the company.
Compare it to fighting every government tooth and nail over every single little thing concerning the "we don't know if it's profitable and we don't keep meeting records" AppStore
"Not making a stand" would be leaving everything as is, and handing your encryption keys over to the government. By loudly disabling ADP and saying this feature is illegal in the UK (they really should have said "illegal" instead of "unavailable" so people would know it was the government), they are at least making half a stand. By leaving it enabled in other regions and for visitors from other regions to the UK, they're making three quarters of a stand.
What are you talking about? This is literally them doing the opposite, and there are multiple other public instances of them making a stand, not to mention in the design of their systems.
Fundamentally, I think the issue is more about technical literacy amongst the political establishment who consistently rely on the fallacy that having nothing to hide means you have nothing to fear. Especially in the UK which operates as a paternalistic state and enjoys authoritarian support across all parties.
On the authoritarianism: these laws are always worded in such a way that they can be applied or targeted vaguely, basically to work around other legislation. They will stop thinking of the children as soon as the law is put into play, and it's hardly likely that pedo rings or rape gangs will be top of the list of priorities.
On the technical literacy: the government has the mistaken belief that their back door will know the difference between the good guys (presumably them) and the bad guys, and the bad guys will be locked out. However, the only real protection is security by obscurity: it's illegal to reveal that this backdoor exists or was even requested. Any bad guy can make a reasonable assumption that a multinational tech company offering cloud services has been compromised, so this just paints another target on their backs.
I've said it before, but I guarantee that the monkey's paw has been infinitely curling with this, and it's a dream come true for any black or grey hat hacker who wants to try and compromise the government through a backdoor like this.
It's not literacy. They don't care. They need control, and if establishing control means increased risks for you, it's not something they see as a negative factor. It's your problem, not theirs.
The government put in restrictions against using certain powers in the Investigatory Powers Act to spy on members of parliament (unless the Prime Minister says so, section 26), so I think they're just oblivious to the risk model of "when hackers are involved, the computer isn't capable of knowing the order wasn't legal".
They don't even need control. They want control. Why? Either they're idiots who think they need control or they are tyrants who know they'll need control later on when they start doing seriously tyrannical things.
I used to think it was illiteracy, but when you hear politicians talk about this you realise more often than not they're not completely naive and can speak to the concerns people have, but fundamentally their calculation here is that privacy doesn't really matter that much and when your argument for not breaking encryption based around the right to privacy you're not going to convince them to care.
You see a similar thing in the UK (and Europe generally) with freedom of speech. Politicians here understand why freedom of speech is important and why people some oppose blasphemy laws, but that doesn't mean you can just burn a bible in the UK without being arrested for a hate crime because fundamentally our politicians (and most people in the UK) believe freedom from offence is more important than freedom of speech.
When values are misaligned (safety > privacy) you can't win arguments by simply appealing to the importance of privacy or freedom of speech. UK values are very authoritarian these days.
"Especially in the UK which operates as a paternalistic state and enjoys authoritarian support across all parties."
What is a "paternalistic state". I studied Latin so obviously I understand pater == father but what is a father-like state?
What on earth is: "authoritarian support across all parties".
The UK has one Parliament, four Executives (England, Northern Ireland, Scotland, Wales) and a Monarch (he's actually quite a few Monarchs).
Anyway, I do agree with you that destroying routine encryption is a bloody daft idea. It's a bit sad that Apple sold it as an extra add on. It does not cost much to run openssl - its proper open source.
In medicine, a paternalistic attitude towards the patient from a point of authority (like a father)
The doctor acts as if he knows more and knows what is better. The patient has his own preferences and priorities, but they don't necessarily match with what the doctor does.
I suppose a paternalistic state functions to satisfy the needs of the people, and to define those needs. The people get what the state says is best for them.
Paternalism, unless I'm mistaken, is a belief among those in power that they what's best for you, better than you do, and will exercise power on your behalf in that manner. Just like your parents do when you're a child.
Government knows what’s best for the people (colloquially we call it the nanny state).
All our main political parties have an authoritarian slant so these policies have rarely received long-lasting opposition. Literally every government in office for the past 30-odd years has presented legislation like this.
Are you trying to disagree with them by pretending that they're speaking rubbish? As a Brit, their comment made complete sense to me.
By the way, there is no 'England' executive; it's the government of the United Kingdom, which handles all matters not devolved, in England and the rest of the UK.
> that having nothing to hide means you have nothing to fear
hopefully the US turning from leader of the free world to Russia's tool will give them the kick they need to realise that just because you trust the government now doesn't mean you trust the next government or the one after it.
You probably don't want to look up which US President tried to force Apple to insert an encryption back door into iPhones back in 2015.
However, Google did only start moving to protect location data from subpoenas after people started to worry that location data could be used as a legal weapon against women who went to an abortion clinic, so your larger point stands.
What the politicians want is partial security: something they can crack but criminals can't. That is achievable in physical security, but not in cybersecurity.
I have a feeling the politicians already know partial cybersecurity isn't an option, and don't care. Certainly, the intelligence community advising them absolutely does know. We don't even have to be conspiratorial about it: their jobs are easier in the world where secrets are illegal than in the world where hackers actually get stopped.
> That is achievable in physical security, but not in cybersecurity
This isn't accurate though, and leads us down the path of trying to prevent these bad laws from a technical perspective when we should be fighting the principle of the bad law not just decrying it for being "unworkable".
It is possible to construct encryption schemes with a "backdoor key" while still being provably secure against anyone else.
This creates precisely the "partial security" you describe: Criminals can't crack the encryption, but the government can use their backdoor-key.
But like those who argue online age-consent schemes can't work, it doesn't help to argue against the technical aspects of such bad laws. The law, particularly UK law, doesn't care for what's technically possible. The bad laws can sit on the books regardless of the technical feasibility of enforcement. Eventually technology can catch up, or the law can simply be applied on a best endeavours / selective enforcement approach.
> the government has the mistaken belief that their back door will know the difference between the good guys (presumably them) and the bad guys
This is a very good point, and in the recent months we have been witnessing that people in government, or aiming to become the government, are definitely not the good guys. So, even if what they are asking would be limited to just governments (which it wouldn't), they can't claim they are the good guys anymore.
Just to be clear: Wallace is not a head of state, or even an MP any more. At one point, he was Secretary of State for Defence, a Cabinet position, however he resigned this in 2023.
This doesn’t justify his position (it’s stupid) but he doesn’t speak for the current government.
And that's why it is so important to nip this "pedo" / "think of the children" crap right in the bud.
Obviously pedos on the interwebs are bad, but hey as long as it's just anime they're whacking off to I don't care too much. But the real abuse, that's done by - especially in the UK - rich and famous people like Jimmy Savile. And you're not gonna catch these pedos with banning encryption, that's a fucking smokescreen if I ever saw one, you're gonna catch them with police legwork and by actually teaching young children about their bodies!
"it's hardly likely that pedo rings or rape gangs will be top of the list of priorities".... is this not one of the most disturbing, disgusting, psychologically troubling and damning ideas ever to be put to words/brought to awareness? . Right up there "let's meticulously plan out this horrific, atrocious, dehumanizing act and meditate upon the consequences, and then choose the most brutal and villainous option". Dear Lord....
People are extremely opposed to pedos, so they're a primary rationalization for oppressive technology. But then you have two problems.
First, pedos know everybody hates them, so they take measures normal people wouldn't in order to avoid detection, and then backdooring the tech used by everybody else doesn't work against them because they'll use something else. But it does impair the security of normal people.
Second, there aren't actually that many pedos and the easy to catch ones get caught regardless and the hard to catch ones get away with it regardless, which leaves the intersection of "easy enough to catch but wouldn't have been caught without this" as a set plausibly containing zero suspects. Not that they won't use it against the ones who would have been caught anyway and then declare victory, but it's the sort of thing that's pretty useless against the ones it's claimed to exist in order to catch, and therefore not something it can be used effectively in order to do.
Whereas industrial espionage or LOVEINT or draining grandma's retirement account or manipulating ordinary people who don't realize they should be taking countermeasures -- the abuses of the system -- those are the things it's effective at bringing about, because ordinary people don't expect themselves to be targets.
> is this not one of the most disturbing, disgusting, psychologically troubling and damning ideas ever to be put to words/brought to awareness? .
Hmm? Hell has depths. Your yard might be a little too short to measure them? In that case, just think about this: rape is probably most common in prisons, where you will send innocents the moment this dragnet thing glitches.
> technical literacy amongst the political establishment who consistently rely on the fallacy that having nothing to hide means you have nothing to fear.
That's an awfully generous assessment on your part. Kindly explain just what "technical literacy" has to do with the formulation you note. From here it reads like you are misdirecting and clouding the -intent- by the powerful here.
Also does ERIC SCHMIDT an accomplished geek (who is an official member of MIC since (during?) his departure from Sun Microsystems) suffers from "technical literacy" issues:
I feel like the comment was clear, technical illiteracy leads politicians to believe that they'll be the only ones with access to this backdoor, which isn't true.
Let me offer a possible example that might be more in line with the HN commenting guideline about interpreting people's comments as charitably as reasonably possible:
My password manager vault isn't exactly something to hide in the political sense, but it's definitely something I would fear is exposed to heightened risk of compromise if there were a backdoor, even one for government surveillance purposes. And it's a reasonable concern that I think a lot of people aren't taking seriously enough due, in part, to a lack of technical literacy. Both in terms of not realizing how it materially impacts everyday people regardless of whether they're up to no good, and in terms of not realizing just how juicy a target this would be for agents up to and including state-level adversaries.
As for Eric Schmidt, he's something of a peculiar case. I don't doubt his technical literacy, but the dude is still the head of one of the world's largest surveillance capitalist enterprises, and, as the saying goes, "It is difficult to get a man to understand something when his salary depends on his not understanding it."
If you see a red car driving down the street do you not call it red because there are many other red cars? They're adding color (pun intended) to their description of the general bias of the UK government. What you're doing is called Whataboutism - the argument that others are doing something similar or as bad in different contexts. It doesn't make what the UK is doing any less bad for citizens (and non-citizens) privacy or data sovereignty.
Many people might not be aware of it, but Apple publishes a breakdown of the number of government requests for data that it receives, broken down by country.
Much of this is likely related to the implementation and automation of the US-UK data access agreement pursuant to the CLOUD Act, which has streamlined this type of request by UK law enforcement and national security agencies.
The problem is AFAIK this act is a lot different and Apple or any party that gets this order is completely forbidden to talk about it. So these kind of requests would not show up in this transparency requests. It is IMHO fair to assume Apple will UK this backdoor given they chose to disable Advanced Data Encryption and public would have no insight to amount and reasons to the backdoor usage. It is really troubling.
I don't share your findings, EVERY six-month period between January 2014 - June 2017 shows bigger requests than any six-month period in the last 5 years.
Sad to see the home of the magna carta slowly spiraling down into fascism and 1984. The government should be required to have a specific warrant to get at your personal data.
>Online privacy expert Caro Robson said she believed it was "unprecedented" for a company "simply to withdraw a product rather than cooperate with a government.
That is such a self serving comment. If Apple provides UK a backdoor, it weakens all users globally. With this they are following the local law and the country deserves what the rulers of the country want. These experts are a bit much. In the next paragraph they say something ominous.
>"It would be a very, very worrying precedent if other communications operators felt they simply could withdraw products and not be held accountable by governments," she told the BBC.
I wonder what the impact of Apple withdrawing from China will be. I know we are talking about UK, but this made me think.
Not only their sales will reduce, but hey Chinese manufacturing cuts down. By how much? Will it be impactful? I would think so but wonder if it is quantifiable.
I often notice journalistic pieces interview people and then use maybe 30 seconds' worth of material from a 20-minute interview. The "expert" could have condemned it in any number of ways until the topic of applying data protection laws came up and she said that companies need to be held accountable (could be about GDPR, could be about snooping laws) which the journalist then quoted, not out of malice but because everyone already condemns it and this is the most interesting statement of the interview
Anyway, so while I don't think we should condemn people based on such a single quoted sentence... I took a look at her website and the latest video reveals at 00:38 that she worked for the UK crime agency, which does sound like the one of the greatest possible conflicts of interest for someone called upon for privacy matters rather than crime fighting. Watching the rest of that interview, she approaches it fairly objectively but (my interpretation of) her point of view seems to be on the side of "even with this backdoor, a warrant needs issuing every time they use it and so there's adequate safeguards and the UK crime fighters and national security people should just get access to anything they can get a warrant for"
This is actually an increasing concern, that large multinational companies are so powerful that they don't have to obey governments any more, and can instead blackmail them by withdrawing products. Pornhub has done this in US states. Meta has threatened to do it in various countries. There has always been pushback to regulation from powerful companies, but punishing countries by withdrawing products seems to be used as a tactic more often recently. There are other tools of power companies use as well, like deciding where to create jobs and build facilities. Musk has used that, moving from California to Texas. Defence and oil companies use these tactics also.
I disagree but respect your opinion. Companies have the right to free speech. In the tussle between regulators and companies, companies are disadvantaged. If we can force companies to do the regulators bidding and not allow them to use free speech to act in their best interests, we would have global tyranny. The regulators and companies both acting towards their own goals with freedom allows us to have a world with balance.
I believe in this however I think we are testing limits of this approach with scenarios like the one with encryption. Ideally privacy needs E2E encryption. But concerns on misuse of such technology that governments raise are also not without merit. I wonder if this tussle between regulators and companies can end in any way in which privacy is not compromised. Mathematically it doesn't seem that there is a way to be safe and private.
>"It would be a very, very worrying precedent if other communications operators felt they simply could withdraw products and not be held accountable by governments,"
This would actually be a very very very very VERY GOOD precedent if you ask me.
Facebook pulled something similar when Canada passed the Online News Act and instead of extorting facebook to pay the media companies for providing a service to them (completely backasswards way to do things), they just pulled news out of Canada. I despise Meta as a company, but I had to give them credit for not just letting the government shake them down.
Good riddance. Governments need to be reminded from time to time that they are, in fact, not Gods. We can and should, just take our ball and go play in a different park or just go home rather than obey insane unjust laws.
Note that this doesn’t satisfy the government’s original request, which was for worldwide backdoor access into E2E-encrypted cloud accounts.
But I have a more pertinent question: how can you “pull” E2E encryption without data loss? What happens to those that had this enabled?
Edit:
Part of my concern is that you have to keep in mind Apple's defense against backdooring E2E is the (US) doctrine that work cannot be compelled. Any solution Apple develops that enables "disable E2E for this account" makes it harder for them to claim that implementing that would be compelling work (or speech, if you prefer) if that capability already exists.
That’s exactly the plan. Anyone with this enabled in the UK will need to manually disable it or they’ll get locked out of their iCloud account after a deadline.
The hardware will not allow this, at least not without modifications. The encryption keys are not exportable from the Secure Enclave, not even to Apple's own servers.
> how can you “pull” E2E encryption without data loss
You can’t. The article says if you don’t disable it (which you have to do yourself, they can’t do it for you, because it’s E2E), your iCloud account will be canceled.
We are told the encryption keys reside only on your device. But Apple control “your” device so they can just issue an update that causes your device to decrypt data and upload it.
Apple has already fought US government demands that they push an update that would allow the US governmrnt to break encryption on a user's device.
> In 2015 and 2016, Apple Inc. received and objected to or challenged at least 11 orders issued by United States district courts under the All Writs Act of 1789. Most of these seek to compel Apple "to use its existing capabilities to extract data like contacts, photos and calls from locked iPhones running on operating systems iOS 7 and older" in order to assist in criminal investigations and prosecutions. A few requests, however, involve phones with more extensive security protections, which Apple has no current ability to break. These orders would compel Apple to write new software that would let the government bypass these devices' security and unlock the phones.
Apple is in a really tough position. I don't know if there's any way they could fulfil the original request without it effectively becoming a backdoor. Disabling E2E for the UK market is just kicking the can down the road.
Even simply developing a tool to coerce users out of E2E without their explicit consent to comply with local laws could be abused in the future to obtain E2E messages with a warrant on different countries.
> Any solution Apple develops that enables "disable E2E for this account" makes it harder for them to claim that implementing that would be compelling work (or speech, if you prefer)
I think it’s really speech [0], which is why it’s important to user privacy and security that Apple widely advertises their entire product line and business as valuing privacy. That way, it’s a higher bar for a court to cross, on balance, when weighing whether to compel speech/code (& signing) to break E2EE.
After all, if the CEO says privacy is unimportant [1], maybe compelling a code update to break E2EE is no big deal? (“The court is just asking you, Google, to say/code what you already believe”).
Whereas if the company says they value privacy, then does the opposite without so much as a fight and then the stock price drops, maybe that’d be securities fraud? [2]. And so maybe that’d be harder to compel.
>> Apple's defense against backdooring E2E is the (US) doctrine that [government can’t] be compelling work (or speech, if you prefer)
It’s really not "work” but speech. That’s why telecoms can be compelled to wiretap. But code is speech [2], signing that code is also speech, and speech is constitutionally protected (US).
The tension is between the All Writs Act (requiring “third parties’ assistance to execute a prior order of the court”) and the First Amendment. [1]
So Apple may be compelled to produce the iCloud drives the data is stored on. But they can’t be made to write and sign code to run locally in your iPhone to decrypt that E2EE data (even though obviously they technologically could).
> how can you “pull” E2E encryption without data loss? What happens to those that had this enabled?
They'll keep your data hostage and disable your iCloud account. Clever, huh? So they are not deleting it, just disabling your account. "If you don't like it, make your own hardware and cloud storage company" kind of a thing.
Think about it.. You don't even have to be an Apple user to be affected by this issue. If someone backs up their conversations with you to apple cloud, your exchange is now fair game. You get no say in it either.
Setting a retention time out is playing with fire. If the police get ahold of the other party's device, and present an exhibit which they say contains the true conversation, you could be worse off than if you retained the conversation. The fact that you have since deleted it could be incriminating.
In some jurisdiction, yes, legally, such evidence might not be probative, but you might still convicted because of it.
Very similar to sites like LinkedIn, which ask you to share your personal info & contact list.
I don't want to share my contact details, but the second someone I know decides to opt in, I lose all rights to my own data as they've shared it on my behalf.
Maybe they have other info, such as birthday, home address, other emails or phone #s, etc. stored for me, which is all fair game, as well.
Security hinges on trust. The only real privacy tool is PGP which uses a web of trust model. But it only works if people own their own computers and storage devices. What they've done is got everyone to rent their computers and storage instead. There's no security model that works for the users here.
> Online privacy expert Caro Robson said she believed it was "unprecedented" for a company "simply to withdraw a product rather than cooperate with a government".
> "It would be a very, very worrying precedent if other communications operators felt they simply could withdraw products and not be held accountable by governments," she told the BBC.
Attributing this shockingly pro-UK-spy-agencies quote to an "online privacy expert" without pointing out she consults for the UN, EU and international military agencies is typical BBC pro-government spin. In fact, Caro, it would be "very, very worrying" if communications operators didn't withdraw a product rather than be forced to make it deceptive and defective by design.
Free speech already under threat and now y'all are giving up the right of private communication too? For anyone cheering this on, do you honestly think this will only affect the "bad people", and you'll never have your own neck under the government's boot? Even if you trust the government today, what happens when your neighbors elect a government you disagree with ideologically?
Instead of the word cheering we could use letting.
Bad people flourish over the inaction of good people.
(but yes, there are always several who protect and argue for things risking their own and everyone's livelihood, exposing themselves to shady elements, along singled out and elevated thin aspects, cannot understood why)
Readit News
> The UK government's demand came through a "technical capability notice" under the Investigatory Powers Act (IPA), requiring Apple to create a backdoor that would allow British security officials to access encrypted user data globally. The order would have compromised Apple's Advanced Data Protection feature, which provides end-to-end encryption for iCloud data including Photos, Notes, Messages backups, and device backups.
One scenario would be somebody in an airport and security officials are searching your device under the Counter Terrorism Act (where you don't even have the right to legal advice, or the right to remain silent). You maybe a British person, but you could also be a foreign person moving through the airport. There's no time limit on when you may be searched, so all people who ever travelled through British territory could be searched by officials.
Let that sink in for a moment. We're talking about the largest back door I've ever heard of.
What concerns me more is that Apple is the only company audibly making a stand. I have an Android device beside me that regularly asks me to back my device up to the cloud (and make it difficult to opt out), you think Google didn't already sign up to this? You think Microsoft didn't?
Then think for a moment that most 2FA directly goes via a large tech company or to your mobile. We're just outright handing over the keys to all of our accounts. Your accounts have never been less protected. The battle is being lost for privacy and security.
My understanding is that Android's Google Drive backup has had an E2E encryption option for many years (they blogged about it at https://security.googleblog.com/2018/10/google-and-android-h...), and that the key is only stored locally in the Titan Security Module.
If they are complying with the IPA, wouldn't that mean that they must build a mechanism into Android to exfiltrate the key? And wouldn't this breach be discoverable by security research, which tends to be much simpler on Android than it is on iOS?
[1] https://qz.com/1145669/googles-true-origin-partly-lies-in-ci...
Deleted Comment
But still Apple operates in China and Google does not. This is weird to me. Google left China when the government wanted all keys to the citizens data. Apple is making a stand when it's visible and does not threaten their business too much.
Apple is not really in the business of protecting your data, they are just good at marketing and keeping their image.
Google left China after China started hacking into Google's servers.
> In January, Google said it would no longer cooperate with government censors after hackers based in China stole some of the company’s source code and even broke into the Gmail accounts of Chinese human rights advocates.
https://www.nytimes.com/2010/03/23/technology/23google.html
They were working to reenter the China market on China's terms many years later, when Google employees leaked the effort to the press. Google eventually backed down.
Apple pulling ADP from UK users is similar - the UK has passed an ill-considered law that Apple doesn't think it can win a court case over, so they're complying in a way that minimally effects the security of people outside the UK. If, as someone outside the UK, I travel to the UK with ADP turned on, my understanding is it won't disable itself.
Would you have been more satisfied if Apple just pulled out of the UK entirely? Bricked every iPhone ever purchased there? Google doesn't seem to have made any stand for security ever - them pulling out of China feels more to do with it meaning they wouldn't have had access to Chinese users' data, which is what they really want.
They adapt to the local rules of each region, much like they’re doing here in the UK.
With Google, their services are way broader. Operating a hunk of their search business with a third party Chinese firm just isn’t viable for their services, which are way more complex.
I want to backup my data with a managed service.
I do NOT want these to be the same company.
The government, with anti trust laws, could easily force this issue. On the other hand, they really love how few places they have to go with FISA warrants to just take anyones data. This is the long tail of the American security state. So it's really ironic that China takes most of the blame.
Apple is deeply embedded in China (manufacturing) and benefits from a decent (but shrinking) userbase in the country. China isn't asking for the keys to all iphone user data, just data stored in China.
But is that backup encrypted? If it's not, all they need is <whatever piece of paper a british security official needs, if any> to access your data.
This is about having access to backups that are theoretically encrypted with a key Apple doesn't have?
> We're talking about the largest back door I've ever heard of.
Doesn't the US have access to all the data of non US citizens whose data is stored in the US without any oversight?
Totally agree. Having this discussion so US centred just makes us miss the forest for the trees. Apart from data owned by US citizens, my impression is that data stored in the US is fair game for three letter agencies, and I really doubt most companies would spend more than five minutes agreeing with law enforcement if asked for full access to their database on non-US nationals.
Also, remember that WhatsApp is the go-to app for communication in most of the world outside the US. And although it's end-to-end encrypted, it's always nudging you to back up your data to Google or Apple storage. I can't think of a better target for US intelligence to get a glimpse of conversations about their targets in real time, without needing to hack each individual phone. If WhatsApp were a Chinese app, this conversation about E2E and backup restrictions would have happened a long time ago. It's the same on how TikTok algorithm suddenly had a strong influence on steering public opinion and instead of fixing the game we banned the player.
They don't even care where it's stored...
See: CLOUD Act [1]
[1] https://en.wikipedia.org/wiki/CLOUD_Act
Based on them mentioning the difficulty of opting out, I presume OOP does not use Google's cloud backup.
Deleted Comment
Er, no...? I'm not sure where you get that idea. Access requires a warrant, and companies are not compelled to build systems which enable them to decrypt all data covered by the warrant.
See, for example, the Las Vegas shooter case, where Apple refused to create an iOS build that would bypass iCloud security.
Hypothetically, if Apple just provide a back door to the data they have on US Senators for instance, then providing that information may be considered treason by the US.
That's a totally made up example, and I have no idea, but it seems like it's possibly an issue.
Which is all about the issues around data sovereignty I suppose!
Treason is the only crime defined in the constitution, and it is quite a high bar.
But I'm sure local laws conflict heavily between countries yes. I'm often wondering how multinationals manage to navigate this maze. This is why we have such a big legal department I guess :) And the company I work for is a pretty honest one, I've never seen any skullduggery going on with eg privacy or media manipulation. In fact employees are urged to report such things and I have to do a course on responsible behaviour yearly. Probably a result of being purely B2B. But anyway I digress, just wanted to say that getting away with stuff does not seem to be the reason for us having a big legal dept.
But just look at the laws of e.g. the EU and Iran. Pretty diametrically opposed on many topics. There's no way to satisfy them both.
I think what helps to make this happen is that most countries don't try to push their laws outside of their jurisdiction. Which the UK is trying to do here.
A lot is posted about LEO's lying in the US, this seems worse.
No Heathrow connection necessary. “The law has extraterritorial powers, meaning UK law enforcement would have been able to access the encrypted iCloud data of Apple customers anywhere in the world, including in the US” [1].
[1] https://www.ft.com/content/bc20274f-f352-457c-8f86-32c6d4df8...
https://en.wikipedia.org/wiki/CLOUD_Act
Lots of Americans in this thread seem to be talking down to other countries laws while being completely unaware of their own
Meta also said they would make a stand if a similar request comes for WhatsApp. I'm not going to hold my breath though.
WA is end-to-end encrypted.
I don't think the e2e icloud backup is problematic under existing legislation / before the TCN. While you can't disclose the key because it lives in the secure enclave, you can disclose the information that is requested because you can log into your apple account and retrieve it. IANAL, but I believe this to be sufficient (and refusing would mean jail).
The Investigatory Powers Act allows for technical capability notices, and the TCN in this case says (as far as we know) "allow us a method to be able to get the contents of any iCloud backup that is protected by E2EE for any user worldwide". This means that there is no need to ask the target to disclose information and if implemented as asked, also means that any user worldwide could be a target of the order, even if they'd never been to the UK.
Relevant info:
- https://wiki.openrightsgroup.org/wiki/Regulation_of_Investig...
For the latter, there are a lot of cases where jail isn't much a threat (e.g. the person is dead or not in the country).
Apples stand is false, they take with one hand and give with the other. There have been many times that Apple have been caught giving user data to governments at their request, lied about it, then later on admitted it once it had leaked from another source.
This whole 'we will never make a backdoor' is a complete whitewash marketing stunt, why do they need to make a backdoor when they are providing any and all metadata to any government on request.
https://www.macrumors.com/2023/12/06/apple-governments-surve...
In other words, Apple complies with legal government orders, as they are required to. The government can compel them with a warrant to hand over data that they have, and can prohibit them from talking about it. That's the whole reason for the push towards end-to-end encryption and for not collecting any data Apple doesn't need to operate the products. This also ties into things like photo landmark identification, where Apple designed it such that they don't get any information about the requests and so they don't have any information that they could be compelled to hand to the government.
And yes, it's still pwnable this way, and happens regularly.
Everything in the cloud is not yours anymore, and you should always treat it like that.
https://politicalpulse.net/uk-polls/keir-starmer-approval-ra...
Dropping the functionality for a particular market hardly equals to making a stand. Sure they haven't added a backdoor that would give all user's data access to UK icloud user's data so in the end UK residents didn't win anything.
And who knows if they simply have an agreement with US gov to have a backdoor only available to them and not the other govs.
Sounds a lot like the godawful "assistance and access" laws that were rushed through in Australia a couple of years ago, right down to the name of the secret instrument sent to the entity who gets forced into to building the intercept capability.
Now that Apple has caved once, I expect to see other providers strongarmed in the same way, as well as the same move tried in other countries.
No, it's much broader than that. The UK is asking for a backdoor to your data and backups in the cloud, not on your device. Why bother with searching physical devices when they can just issue a secret subpoena to any account they want?
It's actually pretty amazing that Apple made ADP possible for the general public. This is the culmination of a major breakthrough in privacy architecture about ten years ago.
Traditionally you had to make a choice between end-to-end encryption and data recoverability. If you went with E2EE, it's only useful if you use a strong password, but if you forget it then Apple can't help you recover your account (no password reset possible). So that was totally unsuitable for precious memories like photos for the average user.
Apple's first attempt to make this feasible was a recovery key that you print out and stuff in a drawer somewhere. But you might lose this. The trusted contact feature is also not totally reliable either, because chances are it's your spouse and they might also lose their device at that same time as you (for example in a house fire).
So while recovery keys and trusted contacts help, the solution that really made the breakthrough for ADP was iCloud Keychain Backup. This thing is low-key so cool and kind of rips up the previous assumptions about E2EE.
iCloud Keychain Backup makes it possible to recover your data with a simple, weak 6 digit passcode that you are virtually guaranteed never to forget, yet you are also protected from brute force attacks on the server. It is specifically designed to work on "adversarial clouds" that are being actively attacked. This is... sort of not supposed to be possible in the traditional thinking. But they added something called hardware security modules to limit the number of guesses an attacker can make before it wipes your key.
And crucially it ensures you don't forget this passcode because it's your device passcode which the OS keeps in sync with the backup key. This is part of the reason your iPhone asks you to enter your passcode now and then even though your biometrics work just fine.
It is a true secret that only you know and can keep in your brain even when your house burns down and nobody (hopefully) can derive from something they can research about you. This didn't really exist for the general populace until smartphones came along. And that ultimately was the breakthrough that allowed for changing the conventional wisdom on E2EE.
iCloud Keychain Backup came out about a decade ago and it has taken this long to gradually test the feasibility of going 100% E2EE without significantly risking customer data loss. The UK is kind of panicking but when people see how well ADP protects their most personal data from breaches, I think they will demand it. It just wasn't practical before.
My point was that there was already a clear chain in place that would give them access to the data of foreign nationals. It's not just a "UK problem", but actually the ramifications are further reaching.
Another thing to consider is that these cookie alerts on sites were for EU countries only, but ended up everywhere. If Apple were to comply, this cloud backdoor could end up in other countries too, with the keys sitting there ready for collection.
To make things more complex still, they would need to support dual/multi nationality. It probably ends up looking like a dual key E2E system where there is a unique key for the end-user and then a third party. Key revocation would likely be difficult, so it would likely be the cloud provided decrypting and re-encrypting the files per request, throwing E2E out the window entirely.
I think the biggest concern is that many of the important apps are anti-emulation, for example banking apps and authentication apps.
[1] https://pine64.org/devices/pinephone_pro/
[2] https://waydro.id/
Deleted Comment
1) tech monopoly strong enough to stand up to G7 nation state demands
2) tech monopoly strong enough to remove itself from G7 nation state jurisdiction?
edit: s/monopoly/empire, apologies
Tech giants typically devolve local operations to small companies to avoid liability - think petroleum suppliers not owning gas stations (because those typically end up as superfund sites). Not sure if this analogy this works for Google Android and all the manufacturers that deploy it for their smartphones too.
So corporations have been doing this forever, trying to find legal loopholes where they can have their cake and eat it too.
> Let that sink in for a moment. We're talking about the largest back door I've ever heard of.
Codename 'Krasnov' is the largest backdoor I have ever heard of. And, we only need to look at his behavior.
These E2EE from USA can be tainted in so many ways, and FAMAG sits on so much data, that codename 'Krasnov' can abuse such to target whoever he wants in West. Because everyone you know is or has been in ecosystem of Apple, Google, or Microsoft.
Whataboutism! Fair. From my PoV, as European, the UK government is (still) one of the good guys who will protect Europe from adversaries such as those who pwn codename 'Krasnov'. Such protection may come with a huge price.
Meh, I don't know. I can still decide to not go the UK and be fine. I think the CLOUD Act is much worse because it's independent from where I am.
This got me thinking about MGS2 again and rewatching the colonel's dialogue at the end of the game: https://www.youtube.com/watch?v=eKl6WjfDqYA
> Your persona, experiences, triumphs, and defeats are nothing but byproducts. The real objective was ensuring that we could generate and manipulate them.
It's really brilliant to use a video game to deliver the message of the effectiveness of propaganda. 'Game design' as a concept is just about manipulation and hijacking dopamine responses. I don't think another medium can as effectively demonstrate how systems can manipulate people's behavior.
I mean seriously. Apple making a stand? What stand? They are ripping security out of their customers hands. Customers which are already dependent on the company's decision in their locked in environment.
There is absolutely nothing good about it, and you dragging Android into it and making it look like it's even worse is suspicious. You can have full control over your Android device. Something impossible on an Apple phone. You can make your Android device safer than your iPhone.
'Back in the day' it was the "Right" that wanted have total access/total control over everything. So people turned a bit "left". Now the "Left" government is seeking totalitarian-style control ('because paedophiles/drugs/etc.).
As a reminder, both Right and Left extremes went from 'liberal/conservatives' to "we don't need elections ever again - trust me!".
I saw this happening in the US, in Saudi (e.g. Blackberry 'keys'). Now I see it in the UK. So I interpret this in two ways: 1) The "Left is the new Right" (or "Right is the new Left") 2) Left and Right are irrelevant terms when it comes down to "we need to exert control over people/knowledge/data/information/etc. And the 'guise' of Left/Right is just on the fiscal policies. So UK has been playing around with 'snooper charter' but at 'that' time Apple's encryption was not on the table.
Apple (I don't blame them - very much - just a little) does what a company does. Makes money. And they prefer to sell-out the data of their clients and keep their money, than lose that money.
So... yeah.. if your data is in someone else's server, that happens.
It was the Clinton administration that pushed for the Clipper chip.
Are you talking about a 'day' before that time?
Apple today appear to be on the 'correct side of history', but even then you need to be swing consumer.
Do you know of the clipper chip? https://en.wikipedia.org/wiki/Clipper_chip
From what I recall, we were only spared from it by someone hacking it before it was deployed.
They are not making a stand. They roll over without a peep. And this is concerning users' privacy which they say is the core of the company.
Compare it to fighting every government tooth and nail over every single little thing concerning the "we don't know if it's profitable and we don't keep meeting records" AppStore
What are you talking about? This is literally them doing the opposite, and there are multiple other public instances of them making a stand, not to mention in the design of their systems.
Truly curious how you see this that way.
On the authoritarianism: these laws are always worded in such a way that they can be applied or targeted vaguely, basically to work around other legislation. They will stop thinking of the children as soon as the law is put into play, and it's hardly likely that pedo rings or rape gangs will be top of the list of priorities.
On the technical literacy: the government has the mistaken belief that their back door will know the difference between the good guys (presumably them) and the bad guys, and the bad guys will be locked out. However, the only real protection is security by obscurity: it's illegal to reveal that this backdoor exists or was even requested. Any bad guy can make a reasonable assumption that a multinational tech company offering cloud services has been compromised, so this just paints another target on their backs.
I've said it before, but I guarantee that the monkey's paw has been infinitely curling with this, and it's a dream come true for any black or grey hat hacker who wants to try and compromise the government through a backdoor like this.
https://www.legislation.gov.uk/ukpga/2016/25/section/26
I used to think it was illiteracy, but when you hear politicians talk about this you realise more often than not they're not completely naive and can speak to the concerns people have, but fundamentally their calculation here is that privacy doesn't really matter that much and when your argument for not breaking encryption based around the right to privacy you're not going to convince them to care.
You see a similar thing in the UK (and Europe generally) with freedom of speech. Politicians here understand why freedom of speech is important and why people some oppose blasphemy laws, but that doesn't mean you can just burn a bible in the UK without being arrested for a hate crime because fundamentally our politicians (and most people in the UK) believe freedom from offence is more important than freedom of speech.
When values are misaligned (safety > privacy) you can't win arguments by simply appealing to the importance of privacy or freedom of speech. UK values are very authoritarian these days.
What is a "paternalistic state". I studied Latin so obviously I understand pater == father but what is a father-like state?
What on earth is: "authoritarian support across all parties".
The UK has one Parliament, four Executives (England, Northern Ireland, Scotland, Wales) and a Monarch (he's actually quite a few Monarchs).
Anyway, I do agree with you that destroying routine encryption is a bloody daft idea. It's a bit sad that Apple sold it as an extra add on. It does not cost much to run openssl - its proper open source.
I suppose a paternalistic state functions to satisfy the needs of the people, and to define those needs. The people get what the state says is best for them.
All our main political parties have an authoritarian slant so these policies have rarely received long-lasting opposition. Literally every government in office for the past 30-odd years has presented legislation like this.
By the way, there is no 'England' executive; it's the government of the United Kingdom, which handles all matters not devolved, in England and the rest of the UK.
hopefully the US turning from leader of the free world to Russia's tool will give them the kick they need to realise that just because you trust the government now doesn't mean you trust the next government or the one after it.
However, Google did only start moving to protect location data from subpoenas after people started to worry that location data could be used as a legal weapon against women who went to an abortion clinic, so your larger point stands.
So much humour in one short phrase.
Do you really believe your propaganda or is it just absentmindedly parroting pro permanent war talking points?
I have a feeling the politicians already know partial cybersecurity isn't an option, and don't care. Certainly, the intelligence community advising them absolutely does know. We don't even have to be conspiratorial about it: their jobs are easier in the world where secrets are illegal than in the world where hackers actually get stopped.
Not with physical security either, I'm afraid.
This isn't accurate though, and leads us down the path of trying to prevent these bad laws from a technical perspective when we should be fighting the principle of the bad law not just decrying it for being "unworkable".
It is possible to construct encryption schemes with a "backdoor key" while still being provably secure against anyone else.
This creates precisely the "partial security" you describe: Criminals can't crack the encryption, but the government can use their backdoor-key.
But like those who argue online age-consent schemes can't work, it doesn't help to argue against the technical aspects of such bad laws. The law, particularly UK law, doesn't care for what's technically possible. The bad laws can sit on the books regardless of the technical feasibility of enforcement. Eventually technology can catch up, or the law can simply be applied on a best endeavours / selective enforcement approach.
This is a very good point, and in the recent months we have been witnessing that people in government, or aiming to become the government, are definitely not the good guys. So, even if what they are asking would be limited to just governments (which it wouldn't), they can't claim they are the good guys anymore.
https://x.com/BenWallace70/status/1892972120818299199
This doesn’t justify his position (it’s stupid) but he doesn’t speak for the current government.
Obviously pedos on the interwebs are bad, but hey as long as it's just anime they're whacking off to I don't care too much. But the real abuse, that's done by - especially in the UK - rich and famous people like Jimmy Savile. And you're not gonna catch these pedos with banning encryption, that's a fucking smokescreen if I ever saw one, you're gonna catch them with police legwork and by actually teaching young children about their bodies!
What on earth are you talking about?
Charles III is head of state, and before that, Liz II. The monarch absolutely does not get involved in politics.
Dead Comment
First, pedos know everybody hates them, so they take measures normal people wouldn't in order to avoid detection, and then backdooring the tech used by everybody else doesn't work against them because they'll use something else. But it does impair the security of normal people.
Second, there aren't actually that many pedos and the easy to catch ones get caught regardless and the hard to catch ones get away with it regardless, which leaves the intersection of "easy enough to catch but wouldn't have been caught without this" as a set plausibly containing zero suspects. Not that they won't use it against the ones who would have been caught anyway and then declare victory, but it's the sort of thing that's pretty useless against the ones it's claimed to exist in order to catch, and therefore not something it can be used effectively in order to do.
Whereas industrial espionage or LOVEINT or draining grandma's retirement account or manipulating ordinary people who don't realize they should be taking countermeasures -- the abuses of the system -- those are the things it's effective at bringing about, because ordinary people don't expect themselves to be targets.
Hmm? Hell has depths. Your yard might be a little too short to measure them? In that case, just think about this: rape is probably most common in prisons, where you will send innocents the moment this dragnet thing glitches.
That's an awfully generous assessment on your part. Kindly explain just what "technical literacy" has to do with the formulation you note. From here it reads like you are misdirecting and clouding the -intent- by the powerful here.
Also does ERIC SCHMIDT an accomplished geek (who is an official member of MIC since (during?) his departure from Sun Microsystems) suffers from "technical literacy" issues:
https://news.ycombinator.com/item?id=983717
Thank you in advance for clarifying your thought process here. Tech illiteracy -> what you got to hide there buddy?
My password manager vault isn't exactly something to hide in the political sense, but it's definitely something I would fear is exposed to heightened risk of compromise if there were a backdoor, even one for government surveillance purposes. And it's a reasonable concern that I think a lot of people aren't taking seriously enough due, in part, to a lack of technical literacy. Both in terms of not realizing how it materially impacts everyday people regardless of whether they're up to no good, and in terms of not realizing just how juicy a target this would be for agents up to and including state-level adversaries.
As for Eric Schmidt, he's something of a peculiar case. I don't doubt his technical literacy, but the dude is still the head of one of the world's largest surveillance capitalist enterprises, and, as the saying goes, "It is difficult to get a man to understand something when his salary depends on his not understanding it."
This seemed strange to point out. It’s not really any more or less “paternalistic” than most western nations including the US.
The number of UK requests has ballooned in recent years: https://www.apple.com/legal/transparency/gb.html#:~:text=77%...
Much of this is likely related to the implementation and automation of the US-UK data access agreement pursuant to the CLOUD Act, which has streamlined this type of request by UK law enforcement and national security agencies.
https://www.apple.com/legal/transparency/de.html#:~:text=77%...
And they didn't just withdraw a product, they withdraw their entire business.
Not only their sales will reduce, but hey Chinese manufacturing cuts down. By how much? Will it be impactful? I would think so but wonder if it is quantifiable.
Anyway, so while I don't think we should condemn people based on such a single quoted sentence... I took a look at her website and the latest video reveals at 00:38 that she worked for the UK crime agency, which does sound like the one of the greatest possible conflicts of interest for someone called upon for privacy matters rather than crime fighting. Watching the rest of that interview, she approaches it fairly objectively but (my interpretation of) her point of view seems to be on the side of "even with this backdoor, a warrant needs issuing every time they use it and so there's adequate safeguards and the UK crime fighters and national security people should just get access to anything they can get a warrant for"
I believe in this however I think we are testing limits of this approach with scenarios like the one with encryption. Ideally privacy needs E2E encryption. But concerns on misuse of such technology that governments raise are also not without merit. I wonder if this tussle between regulators and companies can end in any way in which privacy is not compromised. Mathematically it doesn't seem that there is a way to be safe and private.
Ironic to refer to her as a "privacy expert" given her open hostility to privacy.
This would actually be a very very very very VERY GOOD precedent if you ask me.
Facebook pulled something similar when Canada passed the Online News Act and instead of extorting facebook to pay the media companies for providing a service to them (completely backasswards way to do things), they just pulled news out of Canada. I despise Meta as a company, but I had to give them credit for not just letting the government shake them down.
Good riddance. Governments need to be reminded from time to time that they are, in fact, not Gods. We can and should, just take our ball and go play in a different park or just go home rather than obey insane unjust laws.
They re-emerged as "security feature" "add vulns to security features to make it an insecurity feature"
But I have a more pertinent question: how can you “pull” E2E encryption without data loss? What happens to those that had this enabled?
Edit:
Part of my concern is that you have to keep in mind Apple's defense against backdooring E2E is the (US) doctrine that work cannot be compelled. Any solution Apple develops that enables "disable E2E for this account" makes it harder for them to claim that implementing that would be compelling work (or speech, if you prefer) if that capability already exists.
Apple could just lock you out of iCloud until you do this.
You can’t. The article says if you don’t disable it (which you have to do yourself, they can’t do it for you, because it’s E2E), your iCloud account will be canceled.
> In 2015 and 2016, Apple Inc. received and objected to or challenged at least 11 orders issued by United States district courts under the All Writs Act of 1789. Most of these seek to compel Apple "to use its existing capabilities to extract data like contacts, photos and calls from locked iPhones running on operating systems iOS 7 and older" in order to assist in criminal investigations and prosecutions. A few requests, however, involve phones with more extensive security protections, which Apple has no current ability to break. These orders would compel Apple to write new software that would let the government bypass these devices' security and unlock the phones.
https://www.wikipedia.org/wiki/Apple%E2%80%93FBI_encryption_...
"It was naïve of the UK government to think they could tell a US technology company what to do globally"
Even simply developing a tool to coerce users out of E2E without their explicit consent to comply with local laws could be abused in the future to obtain E2E messages with a warrant on different countries.
A very difficult position to be in.
You mean Apple is in a unique position to make a statement. No more Apple products in the UK. Mic drop. Exit stage left.
I think it’s really speech [0], which is why it’s important to user privacy and security that Apple widely advertises their entire product line and business as valuing privacy. That way, it’s a higher bar for a court to cross, on balance, when weighing whether to compel speech/code (& signing) to break E2EE.
After all, if the CEO says privacy is unimportant [1], maybe compelling a code update to break E2EE is no big deal? (“The court is just asking you, Google, to say/code what you already believe”).
Whereas if the company says they value privacy, then does the opposite without so much as a fight and then the stock price drops, maybe that’d be securities fraud? [2]. And so maybe that’d be harder to compel.
[0]: https://news.ycombinator.com/item?id=43134235
[1]: https://www.eff.org/deeplinks/2009/12/google-ceo-eric-schmid...
[2]: https://www.bloomberg.com/opinion/articles/2019-06-26/everyt...
Is this actually a thing? Telecoms in the US are compelled to provide wiretap facilities to the US and state and local governments.
It’s really not "work” but speech. That’s why telecoms can be compelled to wiretap. But code is speech [2], signing that code is also speech, and speech is constitutionally protected (US).
The tension is between the All Writs Act (requiring “third parties’ assistance to execute a prior order of the court”) and the First Amendment. [1]
So Apple may be compelled to produce the iCloud drives the data is stored on. But they can’t be made to write and sign code to run locally in your iPhone to decrypt that E2EE data (even though obviously they technologically could).
[1]: https://www.eff.org/deeplinks/2015/10/judge-doj-not-all-writ...
[2]: https://www.eff.org/deeplinks/2015/04/remembering-case-estab...
They'll keep your data hostage and disable your iCloud account. Clever, huh? So they are not deleting it, just disabling your account. "If you don't like it, make your own hardware and cloud storage company" kind of a thing.
Well exactly. The UK just showed the whole thing is a joke and that Apple can do this worldwide.
We all lose.
In some jurisdiction, yes, legally, such evidence might not be probative, but you might still convicted because of it.
Really, apps should encrypt their own storage with keys that aren't stored in the backups. That's how you get security/privacy back.
I don't want to share my contact details, but the second someone I know decides to opt in, I lose all rights to my own data as they've shared it on my behalf.
Maybe they have other info, such as birthday, home address, other emails or phone #s, etc. stored for me, which is all fair game, as well.
> "It would be a very, very worrying precedent if other communications operators felt they simply could withdraw products and not be held accountable by governments," she told the BBC.
Attributing this shockingly pro-UK-spy-agencies quote to an "online privacy expert" without pointing out she consults for the UN, EU and international military agencies is typical BBC pro-government spin. In fact, Caro, it would be "very, very worrying" if communications operators didn't withdraw a product rather than be forced to make it deceptive and defective by design.
Bad people flourish over the inaction of good people.
(but yes, there are always several who protect and argue for things risking their own and everyone's livelihood, exposing themselves to shady elements, along singled out and elevated thin aspects, cannot understood why)
Dead Comment
Dead Comment