Apple appeals UK’s secret demand for backdoor access to encrypted user data

juzer

Smack-Fu Master, in training
37
It also feels that the UK request and the people involved were on such a level that Apple just had to go public with it.
As in, in enterprise (technical) companies you would be in disbelief how clueless some people in positions of power are, so I wonder how discussions around this backdoor were going.
Probably people requesting this from the UK have no clue what they are talking about and they are really asking for a primitive "we should get all the access whenever we want".
Not to say there are many "safe" options of having a backdoor on a device, but asking for a global option for all devices is really over the top.
 
Upvote
2 (4 / -2)

msadesign

Ars Praetorian
497
Subscriptor
do these politicians ever think these things through?
Oh, sure they do. That's where the trouble starts, with a self-assigned assessment of what's right, what goes too far, etc. And rightly so: clearly there are many fringe-decisions that are tricky as hell and that require deep consideration. Certainly, FISA courts are needed, for instance; they need to make decisions based on a very fine line.

Problematic, though, are decisions made not on the facts but on underlying a priori political sense. Most often as in the case here, there's often a really fine line or distinction to be drawn, a decision that should reflect the broadly held sensibilities of citizens.

Tricky indeed.
 
Upvote
-3 (1 / -4)

msadesign

Ars Praetorian
497
Subscriptor
My only question about this debacle is, if this was leaked and therefore gave Apple the opening to publicly acknowledge this request and make hay of their refusal to partake in this, what other companies already complied in secret?
You, over in the corner? Is your hand up or not? Yes? No? The guy in the striped shirt?

https://tinyurl.com/3933dhhr
 
Upvote
-17 (1 / -18)
Technically you still have encryption without ADP, it's just that Apple retain the key and thus could be forced to legally, via court action, decrypt something whereas with ADP Apple can't do anything to help.
I would say without ADP, you don't truly have encryption. You just have a smaller set of people that your data is obvious to. It's a fancy obfuscation that most people won't be able to see through.

I've always been dubious about these companies that preach about advanced encryption for customers' benefit, in reality I've always believed that from a company's perspective it is more to do with being able to say there is nothing we can do about controlling what is sent.
And that's a good thing, given governments of the world.
 
Upvote
-3 (5 / -8)

Chuckstar

Ars Legatus Legionis
34,848
Another issue here: how can the government publicly punish an individual or corporation for refusing a secret order? At some point, it has to become public or the justice system is totally corrupted. Same goes for the US FISA orders, although those usually have a sunset clause.
A FISA order is an order to a third-party. If the third-party refused, you could adjudicate how to punish them while the only secret that would be necessary to keep would be the identity of the person being spied upon, not the fact an order exists related to “someone”. Obviously, if the question were the specifics of whether there was enough probable cause, that might be a problem to adjudicate while keeping that identity secret, but for broader questions such as whether the government even has the power to make such an order, that could be adjudicated entirely publicly.
 
Upvote
4 (4 / 0)

ldrn

Ars Centurion
270
Subscriptor
Technically you still have encryption without ADP, it's just that Apple retain the key and thus could be forced to legally, via court action, decrypt something whereas with ADP Apple can't do anything to help. I've always been dubious about these companies that preach about advanced encryption for customers' benefit, [...]
Technically, you can just lie on the Internet.

Gasp, who would do such a thing? Perhaps the same kind of person who writes that it's technically encryption even if everyone has the key.
 
Upvote
-17 (1 / -18)

EarendilStar

Wise, Aged Ars Veteran
157
The US Government wouldn't need to "follow." The UK is a Five Eyes nation; any signals intelligence (and way more, but technically "just" sigint) they have access to, the US has access to. And what they're asking for is a backdoor into all Apple users' data worldwide.

Except that the US and Britain have an agreement not to spy on each other's citizens. The analysis I’ve read says this likely violates that agreement. A targeted warrant issued in public for accused criminal acts? Sure, not spying. A private back door to all data that includes a gag order on Apple such that they can’t even tell their customers? That’s spying.

The USA already has basically the same thing, through those national security letters that target organizations are legally obligated to lie about.
Except those have to be specific. They can not (legally, as far as we know) ask for all the keys to all the data, such that they can access the data at will and go fishing.

The government knows exactly what they are doing.

Phase 1. Create law requiring backdoor access.
Phase 2. Instead of giving a backdoor, the company stops encryption.
Phase 3. Now the data is no longer encrypted and the government have their backdoor, which is now a front door, that is wide open for them to take advantage of.

Apple didn't give them a backdoor (which they are correct in doing). Unfortunately, in removing the encryption, they have basically handed the keys over to anything in the iCloud. Damned if they do and damned if they don't.

Sort of. iCloud has three forms of encryption:
1. Encrypted end to end, but the user allows Apple to retain one of those ends for reasons of data recovery and web access. This is how governments, using a warrant, can ask Apple for specific data on specific people.
2. Encrypted end to end, but only the user has the ends. A warrant does nothing, because Apple doesn’t store it. This is what the UK wants broken. If broken, they could access all data from the comfort of their government office chair.
3. Don’t use iCloud at all. Even if a backdoor were implemented on every device, the government would still need to physically acquire your phone.

The important context is Apple being gagged such that they can’t tell their customers what’s up. Apple would be selling a product that is technically a lie, giving a false sense of security to their customers. So, Apple has eliminated the product. Now their users know what their REAL options are, which is #1 and #3.
 
Upvote
22 (23 / -1)

nxg

Smack-Fu Master, in training
63
Subscriptor
It's not exactly an internal affair if it affects all iPhone users worldwide, including politicians of other sovereign nations who use iPhones.
For the sake of precision, it's not quite this.

The order was (as I understand it) concerned with creating a back door only to UK citizens’ data (as if that were feasible), and Apple's response was to withdraw the ADP service from ‘Users in the UK’ (for some definition of the term which will be largely meaningless in security terms).

Thus the entirely predictable result will be that the Home Office gets no access to anyone's data that it didn't have before, but common-or-garden UK users will be deprived of ready access to an easy to use (and therefore rather secure) privacy service. And it's all happening in public (horrors!). I think you'd have to be a very optimistic Home Secretary to see that as a net win.
 
Upvote
-16 (4 / -20)

McTurkey

Ars Tribunus Militum
1,788
Subscriptor
Sigh, I guess a new generation of leaders need to be educated: if you create a backdoor for government, it will be used by criminals. Any encryption with a backdoor is no encryption. Encryption is math, and math doesn't care about your political stance.
Use by criminals is less relevant than use by every single other government. That's what should concern these intelligence agencies and legislators, because they know damn well that their own people are going to be using these encrypted communications tools for sensitive purposes--directly or indirectly--whether or not they're legally authorized to do so.
 
Upvote
12 (12 / 0)

Korios

Ars Scholae Palatinae
1,274
The government knows exactly what they are doing.

Phase 1. Create law requiring backdoor access.
Phase 2. Instead of giving a backdoor, the company stops encryption.
Phase 3. Now the data is no longer encrypted and the government have their backdoor, which is now a front door, that is wide open for them to take advantage of.

Apple didn't give them a backdoor (which they are correct in doing). Unfortunately, in removing the encryption, they have basically handed the keys over to anything in the iCloud. Damned if they do and damned if they don't.
Apple did not "remove encryption" in the UK. They disabled ADP, i.e. end-to-end encryption; that's the kind of encryption even Apple cannot decrypt because they do not hold the keys.

By disabling ADP/E2EE they had UK Apple users fall back to conventional TLS encryption. That is less safe, prone to MITM snooping, and the NSA/GCHQ might be able to break it. Whether they can or not Apple does hold the TLS keys, so if served with a legal warrant for individual UK users they can provide data access to the UK authorities.

So they partly obeyed the letter of the law, refusing to provide "blanket capability" for UK users (I mean legally/openly; if the GCHQ can trivially break TLS without a warrant anyway, I doubt whatever they find would be admissible in most courts - well, unless the case is shrouded in National Security BS secrecy...), still requiring warrants for individual UK users, and of course they did not even entertain to provide... global warrantless access to all Apple users.

Any country can claim "global jurisdiction" with a new law, but that does not mean they can enforce global jurisdiction, since that law conflicts with the rest-of-the-world jurisdiction.
 
Upvote
13 (13 / 0)

ssamani

Ars Praetorian
438
Subscriptor
Sigh, I guess a new generation of leaders need to be educated: if you create a backdoor for government, it will be used by criminals. Any encryption with a backdoor is no encryption. Encryption is math, and math doesn't care about your political stance.
But also if you create a backdoor for the government, it will be misused by the government.

We have a previous Regulation of Investigatory Power Act, in theory to target terrorists post 9/11, used by local councils to see if parents were lying about living in the catchment area for schools.

https://www.bbc.co.uk/news/uk-england-dorset-10839104

We have a law that permits indefinite detention. Essentially to lock someone up indefinitely without an appropriate criminal sentencing. Even the minister who introduced the act thinks the law should be repealed.

https://www.independent.co.uk/voice...prison-sentences-united-nations-b2694636.html
 
Upvote
11 (11 / 0)
Apple can just leave the relatively tiny UK market (Apple sales in the UK are like $1.5B, compared to over $100B in the EU as a whole). One can argue that forgoing UK sales over user privacy will only increase their sales in the rest of the world.

The UK needs Apple a lot more than Apple needs the UK.
The population of the UK is about 67 million vs EU’s 450 million, or about 15% of EU’s population.

Surely you meant sales of 15 billion, if EU sales are about 100 billion.

But yes, UK is not a massive market for Apple, only about 5% or so of their annual revenue. Leaving UK would not be a catastrophe for Apple.
 
Upvote
4 (6 / -2)

Embattle

Ars Scholae Palatinae
1,454
Apple can just leave the relatively tiny UK market (Apple sales in the UK are like $1.5B, compared to over $100B in the EU as a whole). One can argue that forgoing UK sales over user privacy will only increase their sales in the rest of the world.

The UK needs Apple a lot more than Apple needs the UK.

They aren't going to do that, not that I care if they did anyway :p
 
Upvote
-3 (0 / -3)

andygates

Ars Praefectus
5,278
Subscriptor
Apple would prefer to convince the UK off of this course. If the UK insists, I wouldn't rule out Apple leaving the market.

If it wasn't super-secret squirrel stuff, we might have seen an open discussion (much as we see with tech/privacy wonks) of "we want keys" "we can't do that" "plz explain" "here's all the bad actors who'd get it on day one"; it's certainly the kind of thing that bounced back these laws in the past.

Feels a bit like a Committee shot themselves in the foot by saying "the wonks say it can't be done, put it in law anyway and let the next bunch have a go".
 
Upvote
3 (3 / 0)
Apple can just leave the relatively tiny UK market (Apple sales in the UK are like $1.5B, compared to over $100B in the EU as a whole). One can argue that forgoing UK sales over user privacy will only increase their sales in the rest of the world.

The UK needs Apple a lot more than Apple needs the UK.
I think your numbers are wrong. Very wrong.

Anyway, why should Apple give up profit when every other cloud provider is less safe by silently providing a backdoor?
 
Upvote
-5 (1 / -6)

Cloudgazer

Ars Legatus Legionis
18,163
Apple can just leave the relatively tiny UK market (Apple sales in the UK are like $1.5B, compared to over $100B in the EU as a whole). One can argue that forgoing UK sales over user privacy will only increase their sales in the rest of the world.

The UK needs Apple a lot more than Apple needs the UK.

Apple's revenues for 'Europe' are $60BN a year not $100BN and that's not the EU. In fact Europe includes European countries, as well as India, the Middle East and Africa.

https://www.sec.gov/Archives/edgar/data/320193/000032019318000145/a10-k20189292018.htm

The '$1.5BN' number you quote for the UK is even worse. Even if we just take Apple UK their revenues are about $4.5BN.

https://find-and-update.company-information.service.gov.uk/company/01591116/filing-history

And that's far from all of Apple's revenues in the UK since anything sold by any other retailer will not show up there.

The UK is a much bigger market for Apple than probably any other European country due to the combination of our size and how popular iPhones are here. Pulling out of the UK completely would hurt.
 
Upvote
-6 (1 / -7)
Another issue here: how can the government publicly punish an individual or corporation for refusing a secret order? At some point, it has to become public or the justice system is totally corrupted. Same goes for the US FISA orders, although those usually have a sunset clause.
Former Qwest CEO claims it happened to him.

But my real question is Google.

Does this mean it's fully compromised?

What about the CLOUD act? Don't they have access via that method?
 
Upvote
2 (2 / 0)
If Apple caves in to this kind of demand, then the US Government will quickly follow.
A backdoor for one purpose will quickly evolve into something much worse for all of us.

Imagine "High Minded Citizens' or Governments" creating software to constantly go through user data, all with the intent of weeding out "TBD" subversive content.

If the UK has access, the US does.

FVEY
 
Upvote
2 (2 / 0)
A backdoor for one is a backdoor for all.

Your neighbor will eventually have this tech, because no government on earth and no organization on earth could keep such a secret.

All backdoors for one, and one backdoor for all.
Apple made the terms clear when the US was asking - if one government compels them to open a backdoor, then every government gets the backdoor.
Yup. I assume Apple has pointed out that if the backdoor that the UK government demanded access to existed, Beijing or Moscow could pass a similar law and demand access to that same backdoor. Using that backdoor they could get information about UK politicians and/or business leaders who use Apple products or interact with people who do. Even if they don't care about the privacy of the people they represent, I'm sure they have enough skeletons in their collective closets to care about their own privacy.
 
Upvote
7 (7 / 0)