Apple pulls data protection tool instead of caving to UK demand for a backdoor

I don't understand how turning off end to end encryption is a better solution. Now the UK can get the data they wanted (along with a lot of other folks), plus it's a signal to other countries they can just pressure Apple to turn off encryption in their countries too.
I suspect because Apple didn't want to waste money on performatively trying to create the impossible, i.e. an encryption scheme that's only able to be decrypted by the user or the "good guys" (agents of the state). Our security services seem to spend an inordinate amount of time poring through every section of public life, hoovering up large amounts of tax money, and preventing precisely fuck all(*) of note, although they do spend significant expense on domestic left-wing protest and enabling the police to pre-emptively detain people before such a protest. The entire thing needs reform, including the police, as there's too much deference to the landed class and not enough to the security of the country, not that this will happen in my lifetime.

* - who knows, because the trials or even attempts at prosecution are never made public. Full disclosure is obviously a pipe dream as it would compromise sources and staff alike, but "based on information from our security services" doesn't seem like an excess of damaging information.
 
Upvote
35 (36 / -1)

Moodyz

Ars Scholae Palatinae
1,190
Seems like a great time for someone knowledgeable about the subject to write a how-to article about personal on-prem NASes and rolling your own encrypted backup. Seems like some Brits could make use of such instructions.

That’s beyond the means (knowledge and budget) of the majority of people.
Cryptomator is probably the easiest solution for most users, I reckon.
 
Upvote
12 (12 / 0)

multimediavt

Ars Scholae Palatinae
1,259
According to Apple, complying with the UK law could have enabled not just government officials but also bad actors to gain access to encrypted data.
Uh, it's not just Apple saying this. It's every computer security person on the planet, and those that implement end-to-end encryption for data security. That would be every bank, as well.

It's a blatantly overreaching "law" the UK have on their hands. Hopefully Britons will wise up and strike it down.
 
Upvote
76 (76 / 0)
Maybe I am missing something but doesn't this give the UK exactly what it asked for, namely unencrypted access?

It doesn't seem good to me.
It’s what you used to have before Apple enabled end-to-end encryption. The UK government wanted people to believe they had end-to-end encryption but be lied to. So now you know the truth.
 
Upvote
52 (53 / -1)

multimediavt

Ars Scholae Palatinae
1,259
I presume the UK government will still complain that the law is not followed because of the "what about all the other users" part. So the real question will be, would Apple decide to abandon the whole UK market if (or perhaps when) this happens?
I'll bet the odds at Lloyd's are in favor of the pullout and not the capitulation ratio.
 
Upvote
5 (5 / 0)

plectrum

Ars Scholae Palatinae
679
Subscriptor
It basically comes from none of our MPs understanding how encryption works, and that it's not possible to backdoor maths for the purposes of "national security". We need more technically minded people in politics, although that's hardly likely to happen.
Don't worry, Kemi Badenoch (opposition Conservative party leader) "is an engineer" (she studied Computer Systems Engineering and worked in IT for a few years). Last heard wittering something about pronouns, clearly applying engineering to the great matters of state...
 
Upvote
31 (33 / -2)

iquanyin

Ars Tribunus Militum
2,073
Labour under Keir Starmer has been a thorough disappointment. After the shit-show of the former Conservative government(s), there were hopes that Starmer would right the ship. Instead he has cozied up to Trump like no other in Europe except Orban, suspended MPs opposing the two child benefit cap (which will increase child poverty), hypocritically accepted gifts from party donors (including expensive clothes for his wife), etc. The demand to disable encryption is the opposite of what I'd expect from a former human rights lawyer.
I recall reading about him when he first won. It was pretty clear (to me) that he wasn’t the hero Britain needed. I wondered: how did it happen that this specific guy won? Labour needed a win for Conservatives to avoid being tarred and feathered (imo) and I’m sure they knew it. My guesses aren’t happy ones.
 
Upvote
-13 (1 / -14)
The question becomes, does this apply to everyone who enters the UK? And how many visitors will not turn up because of this?

Do certain (foreign/international) businesses have it on mandatorily for their work phones and decide they'll simply pull the plug on doing business here?

I have similar questions. What determines a UK user? The phone service/ number? Point of sale?

It can't be geographic location, can it? If so, what length of time determines it?

I'd guess the phone service provider.
 
Upvote
14 (14 / 0)

famousringo

Ars Scholae Palatinae
1,140
Subscriptor
Up until now, I felt reasonably secure in not using ADP. The risk of losing all access to my data seemed greater than the risk of my account being targeted by a state actor or extremely sophisticated criminal.

Now that the Fourth Reich is in power, the risk assessment has changed, and I turned it on earlier this week.
 
Upvote
42 (43 / -1)

Coriolanus

Ars Tribunus Angusticlavius
8,473
Subscriptor++
Ok, I’ll bite. What did you want them to do instead?
Fight the law until they've exhausted every other avenue.

Here's a quote from the previous article on this from Ars:

"Rather than break the security promises it made to its users everywhere, Apple is likely to stop offering encrypted storage in the UK," The Washington Post paraphrased its sources as saying. "Yet that concession would not fulfill the UK demand for backdoor access to the service in other countries, including the United States."

The kicker is that this doesn't satisfy what the UK is demanding (which is extra-territorial access). So they are still on the hook and need to go through the appeal process anyway. They just turned off e2e encryption in the UK ahead of time.
 
Upvote
-15 (13 / -28)

Moodyz

Ars Scholae Palatinae
1,190
Don't worry, Kemi Badenoch (opposition Conservative party leader) "is an engineer" (she studied Computer Systems Engineering and worked in IT for a few years). Last heard wittering something about pronouns, clearly applying engineering to the great matters of state...

You guys should’ve voted Ed Davey into power. He at least does funny dances on TikTok and has a colourful bus.
 
Upvote
9 (10 / -1)

lasertekk

Ars Scholae Palatinae
1,462
How very Swiss of Apple*.

Government: We need this information on your customer.
Apple: Go screw yourselves.

*My example and attitude based on the experiences of a distant family member, Credit Suisse and curious eyeballs over literal pocket change to cover expenses in Europe for his yearly month long trip visiting relatives.
 
Upvote
0 (4 / -4)
iCloud is still end-to-end encrypted, it's just a question of where the "end" is. Without ADP, iCloud data is encrypted but Apple has the key. This is useful for people who aren't good at managing their own keys and want Apple to restore their data when they lose the keys. When you enable ADP, you're telling Apple you want to manage your own keys and you don't want them to keep a copy.
That's not what E2EE means, you can't just argue 'oh well it's E2E if we redefine the end'. iCloud without ADP isn't E2EE (with exceptions for health and keychain), as Apple will happily tell you.

https://support.apple.com/en-gb/102651

End-to-end encrypted data can only be decrypted on your trusted devices where you’ve signed in to your Apple Account. No one else can access your end-to-end encrypted data – not even Apple – and this data remains secure even in the case of a data breach in the cloud. If you lose access to your account, only you can recover this data, using your device passcode or password, recovery contact, or recovery key.

 
Upvote
42 (42 / 0)

DJ Farkus

Ars Scholae Palatinae
863
Seems like a great time for someone knowledgeable about the subject to write a how-to article about personal on-prem NASes and rolling your own encrypted backup. Seems like some Brits could make use of such instructions.
While I agree with the sentiment, said persons had better be extremely knowledgeable and competent, because roll-your-own security and encryption is rarely reliably secure (if ever)
 
Upvote
20 (21 / -1)

bigmushroom

Ars Scholae Palatinae
689
Agree that installing a ‘backdoor’ would be inviting disaster. I’m sure that this fact has been explained to the Powers That Be in the UK over and over again. One can only hope that governmental authorities elsewhere understand this better.
Apple is not at all consistent on this issue. While iMessage is E2E encrypted in China, iCloud data isn't because the data has to be stored in Chinese data centers with encryption keys accessible to the government.

The only reason for Apple to turn off iCloud encryption in the UK is because they anticipate an outcry and a change in the UK law while in China they know that it would be futile to fight the government. If China would require encryption keys for iMessage then surely Apple would comply given the size of that market.
 
Upvote
22 (24 / -2)
I have similar questions. What determines a UK user? The phone service/ number? Point of sale?

It can't be geographic location, can it? If so, what length of time determines it?

I'd guess the phone service provider.
Most likely the same sort of thing that determines EU user for DMA purposes - it's a bunch of stuff related to physical location but also iTunes account billing.

https://theapplewiki.com/wiki/Eligibility
 
Upvote
12 (12 / 0)
Apple is not at all consistent on this issue. While iMessage is E2E encrypted in China, iCloud data isn't because the data has to be stored in Chinese data centers with encryption keys accessible to the government.

The only reason for Apple to turn off iCloud encryption in the UK is because they anticipate an outcry and a change in the UK law while in China they know that it would be futile to fight the government. If China would require encryption keys for iMessage then surely Apple would comply given the size of that market.
At least so far iMessage is E2EE in the UK too, so long as you turn off iCloud backups entirely.
 
Upvote
0 (1 / -1)
Apple may be much better than the vast majority of other tech companies when it comes to privacy, but let's not forget that this is the same company that scanned your iCloud photos in the name of finding CSAM. As usual, using "think of the children" to justify erosion of rights.
No they didn't - your device would be the one doing the scanning. They were clearly attempting to come up with a solution that would discourage exactly this sort of heavy handed bullshit from governments by disarming their 'think of the children' arguments before they could make them.
 
Upvote
43 (47 / -4)

Squuiid

Wise, Aged Ars Veteran
129
Subscriptor
Unbelievable stupidity from the UK government.

Hard to imagine a more convincing way to demonstrate your incompetence than this.
Well said. It shows an utter lack of understanding by those making this decision. This is totally misguided and now impacts all UK citizens. Depressing.
 
Upvote
19 (19 / 0)

justin150

Ars Tribunus Militum
1,695
Because we do not know what the detail of the UK Government's demand was, we have no idea whether Apple turning off ADP will satisfy that demand. Based on the law, there is a possibility that it does not because the UK could, in theory, be demanding access to all accounts not just of UK citizens but anyone who has communicated with a UK citizen or holds photos of a UK citizen - not exactly the entire world but a very large subset.

I suspect that whatever the actual Government demand was, switching off of ADP will satisfy the Government at least for the next few months - they will be back asking for more in due course. This will only end when Apple threatens to walk from the UK market completely.

I have no doubt that those who want to hide their information from UK Government snooping will shortly find appropriate software solutions that take over the auto back up to iCloud functions and insert their own encryption - some of them may even be reasonably effective.
 
Upvote
22 (22 / 0)

daverayment

Smack-Fu Master, in training
22
Labour under Keir Starmer has been a thorough disappointment. After the shit-show of the former Conservative government(s), there were hopes that Starmer would right the ship. Instead he has cozied up to Trump like no other in Europe except Orban, suspended MPs opposing the two child benefit cap (which will increase child poverty), hypocritically accepted gifts from party donors (including expensive clothes for his wife), etc. The demand to disable encryption is the opposite of what I'd expect from a former human rights lawyer.

As another poster pointed out, the act is from 2016. This isn't a new Labour law. It's seen - wrongly - as an attempt to better tackle crimes such as incitement to terrorism, child pornography and others. They're sickening crimes, but this will just force perpetrators to other services.

As for the child benefit and various other decisions since Labour came into power, the government has been severely limited in what they can do when it comes to budget because of 14 years of Tory rule. Most services are cut to the bone after the Conservatives' austerity programme following their 2010 victory. It's not an ideological opposition - there are simply things which cannot be done yet.

As for 'cosying up to' the Orange-Faced Idiot, welcome to politics, where sometimes you have to say one thing and think another. The USA is the UK's largest export market, counting for 17-20% of exports (goods and services). That's worth $200 bn per year (2022 ONS figures) to our economy. What would you do?
 
Upvote
37 (43 / -6)

BrangdonJ

Ars Praefectus
4,632
Subscriptor
In fairness, the same nonsense has come from all the main parties about installing backdoors in things. They are all equally clueless on this stuff. This is just the first time that it's got this far.
One of the reasons I vote Lib Dem is that they are against that sort of thing. Both at the time, and now. In general, if Labour and Conservatives agree on a policy, and the Lib Dems are against it, the Lib Dems better reflect my position. Other examples include the Iraq war, the ID database, and Brexit.
 
Upvote
28 (29 / -1)