Apple pulls data protection tool after UK government security row

My understanding is that Android's Google Drive backup has had an E2E encryption option for many years (they blogged about it at https://security.googleblog.com/2018/10/google-and-android-h...), and that the key is only stored locally in the Titan Security Module.

If they are complying with the IPA, wouldn't that mean that they must build a mechanism into Android to exfiltrate the key? And wouldn't this breach be discoverable by security research, which tends to be much simpler on Android than it is on iOS?

But still Apple operates in China and Google does not. This is weird to me. Google left China when the government wanted all keys to the citizens data. Apple is making a stand when it's visible and does not threaten their business too much.

Apple is not really in the business of protecting your data, they are just good at marketing and keeping their image.

Hypothetically, if Apple just provide a back door to the data they have on US Senators for instance, then providing that information may be considered treason by the US.

That's a totally made up example, and I have no idea, but it seems like it's possibly an issue.

Which is all about the issues around data sovereignty I suppose!

But is that backup encrypted? If it's not, all they need is <whatever piece of paper a british security official needs, if any> to access your data.

This is about having access to backups that are theoretically encrypted with a key Apple doesn't have?

> We're talking about the largest back door I've ever heard of.

Doesn't the US have access to all the data of non US citizens whose data is stored in the US without any oversight?

No Heathrow connection necessary. “The law has extraterritorial powers, meaning UK law enforcement would have been able to access the encrypted iCloud data of Apple customers anywhere in the world, including in the US” [1].

[1] https://www.ft.com/content/bc20274f-f352-457c-8f86-32c6d4df8...

Meta also said they would make a stand if a similar request comes for WhatsApp. I'm not going to hold my breath though.

I don't think the e2e icloud backup is problematic under existing legislation / before the TCN. While you can't disclose the key because it lives in the secure enclave, you can disclose the information that is requested because you can log into your apple account and retrieve it. IANAL, but I believe this to be sufficient (and refusing would mean jail).

The Investigatory Powers Act allows for technical capability notices, and the TCN in this case says (as far as we know) "allow us a method to be able to get the contents of any iCloud backup that is protected by E2EE for any user worldwide". This means that there is no need to ask the target to disclose information and if implemented as asked, also means that any user worldwide could be a target of the order, even if they'd never been to the UK.

Relevant info:

- https://wiki.openrightsgroup.org/wiki/Regulation_of_Investig...

Apples stand is false, they take with one hand and give with the other. There have been many times that Apple have been caught giving user data to governments at their request, lied about it, then later on admitted it once it had leaked from another source.

This whole 'we will never make a backdoor' is a complete whitewash marketing stunt, why do they need to make a backdoor when they are providing any and all metadata to any government on request.

https://www.macrumors.com/2023/12/06/apple-governments-surve...

1) tech monopoly strong enough to stand up to G7 nation state demands

2) tech monopoly strong enough to remove itself from G7 nation state jurisdiction?

edit: s/monopoly/empire, apologies

I mean seriously. Apple making a stand? What stand? They are ripping security out of their customers hands. Customers which are already dependent on the company's decision in their locked in environment.

There is absolutely nothing good about it, and you dragging Android into it and making it look like it's even worse is suspicious. You can have full control over your Android device. Something impossible on an Apple phone. You can make your Android device safer than your iPhone.

They are not making a stand. They roll over without a peep. And this is concerning users' privacy which they say is the core of the company.

Compare it to fighting every government tooth and nail over every single little thing concerning the "we don't know if it's profitable and we don't keep meeting records" AppStore

What is a "paternalistic state". I studied Latin so obviously I understand pater == father but what is a father-like state?

What on earth is: "authoritarian support across all parties".

The UK has one Parliament, four Executives (England, Northern Ireland, Scotland, Wales) and a Monarch (he's actually quite a few Monarchs).

Anyway, I do agree with you that destroying routine encryption is a bloody daft idea. It's a bit sad that Apple sold it as an extra add on. It does not cost much to run openssl - its proper open source.

I have a feeling the politicians already know partial cybersecurity isn't an option, and don't care. Certainly, the intelligence community advising them absolutely does know. We don't even have to be conspiratorial about it: their jobs are easier in the world where secrets are illegal than in the world where hackers actually get stopped.

hopefully the US turning from leader of the free world to Russia's tool will give them the kick they need to realise that just because you trust the government now doesn't mean you trust the next government or the one after it.

https://x.com/BenWallace70/status/1892972120818299199

That's an awfully generous assessment on your part. Kindly explain just what "technical literacy" has to do with the formulation you note. From here it reads like you are misdirecting and clouding the -intent- by the powerful here.

Also does ERIC SCHMIDT an accomplished geek (who is an official member of MIC since (during?) his departure from Sun Microsystems) suffers from "technical literacy" issues:

https://news.ycombinator.com/item?id=983717

Thank you in advance for clarifying your thought process here. Tech illiteracy -> what you got to hide there buddy?

This seemed strange to point out. It’s not really any more or less “paternalistic” than most western nations including the US.

https://www.apple.com/legal/transparency/de.html#:~:text=77%...

And they didn't just withdraw a product, they withdraw their entire business.

This would actually be a very very very very VERY GOOD precedent if you ask me.

Facebook pulled something similar when Canada passed the Online News Act and instead of extorting facebook to pay the media companies for providing a service to them (completely backasswards way to do things), they just pulled news out of Canada. I despise Meta as a company, but I had to give them credit for not just letting the government shake them down.

Good riddance. Governments need to be reminded from time to time that they are, in fact, not Gods. We can and should, just take our ball and go play in a different park or just go home rather than obey insane unjust laws.

Ironic to refer to her as a "privacy expert" given her open hostility to privacy.

Apple could just lock you out of iCloud until you do this.

You can’t. The article says if you don’t disable it (which you have to do yourself, they can’t do it for you, because it’s E2E), your iCloud account will be canceled.

Even simply developing a tool to coerce users out of E2E without their explicit consent to comply with local laws could be abused in the future to obtain E2E messages with a warrant on different countries.

A very difficult position to be in.

Is this actually a thing? Telecoms in the US are compelled to provide wiretap facilities to the US and state and local governments.

They'll keep your data hostage and disable your iCloud account. Clever, huh? So they are not deleting it, just disabling your account. "If you don't like it, make your own hardware and cloud storage company" kind of a thing.

Well exactly. The UK just showed the whole thing is a joke and that Apple can do this worldwide.

Why were people not mad then? Do you think people would be angrier now, if HTTPS were suddenly outlawed?

Among other valid answers, removing rights and privileges generally makes people angrier than not having those rights or privileges in the first place.

It's certainly better than the opposite, where citizens and residents are scared of their government, which wields the power to deprive them of their freedom, possessions, and life.

They are not scared of people, but of working, doing their job, especially when it is difficult (catching criminals). They expect the job to be done for them by others, on the expense of everyone, while they collecting all the praise.

On sympathetic to Vance I did not really found a presentable reaction, would not find on any other accidentally agreeable sentence leaving his mouth (very low chance btw.). Talking a lot about all kind of things sooner or later will hit something acceptable, which will not yield an unacceptable and destructive to society figure sympathetic.

You also should be aware of practices and conducts the various US security services practice (and probably all governemnts out there), if not from news or law but at least from the movies. When we come to the topic of who is afraid of their own.

As a very privacy-oriented European I don't need American alt-right populists to concern troll about surveillance and privacy in Europe.

Amusing when you consider the National Cyber Security Centre (NCSC, a part of GCHQ), along with the Information Commissioners Office, both publish guidance recommending, and describing how to use, encryption to protect personal and sensitive data.

Our government is almost schizophrenic in its attitude to encryption.

So, perhaps this is a bit of a dangerous precedent, but it was the least-bad option.

Apple's only consolation prize is that its limited to UK users for now. But it seems inevitable that ADP will gradually be made illegal all around the world.

Hopefully they will.

In the UK, there's no right to bear arms, so people are pretty helpless against their oppressing government.

The UK has made it clear that Counter Terrorism legislation has no limits in UK law even if that means compromising all systems and leaving them vulnerable to state actor attacks.

MPs will continue to use encrypted messaging systems that disappear messages during any inquiries of course.

You can also manually transfer photos to the computer. Or you can enable a different app (Google Photos or Dropbox for example) to store copies of every picture you take, and then turn off iCloud Photos.

Note that neither Google nor Dropbox are E2E encrypted either though.

These companies have to comply with so many laws and want cozy relationships with governments, so they play both sides. It likely does things differently, but if the keys are not secure, then its not secured

On iPhone or iPad

    Open the Settings app.

    Tap your name, then tap iCloud.

    Scroll down, tap Advanced Data Protection, then tap Turn on Advanced Data Protection.

    Follow the onscreen instructions to review your recovery methods and enable Advanced Data Protection.

    Choose Apple menu  > System Settings.

    Click your name, then click iCloud.

    Click Advanced Data Protection, then click Turn On.

    Follow the onscreen instructions to review your recovery methods and enable Advanced Data Protection.

This depends on whether you see "citizens" as individuals or as a group. In other words it's possible that to improve the security (and thus protect) the majority, the rights of individual citizens need to be eroded.

For example, to protect vulnerable citizens from crime (the cliche of child porn is useful here, but it extends to most-all crime) it's useful for prosecutors to be able to collect evidence against guilty parties. This means that the erosion of some privacy of those parties.

Thus the govt balances "group security" with "individual privacy". It has always been so. So to return to your original hypothesis;

>> Lowering the data protection of it's citizens in comparison to the rest of the world. ... and also, making it easier to detect and prosecute criminals, and thus protect the citizens from physical harm.

Now, of course, whenever it comes to balancing one thing against another, there's no easy way to make everyone happy. We all want perfect privacy, coupled with perfect security. Some will say that they'll take more privacy, less security - others will take more security and less privacy. Where you stand on this issue of course depends on which side you lean.

More fundamentally though there's a trust issue. Citizens (currently) do not trust governments. They assume that these tools can be used to harm more than just criminals. (They're not wrong.) If you don't trust the govt to act in good faith then naturally you choose privacy over security.

Microsoft wants to have a word with you regarding their Windows operating system that's installed on their device that you're renting.

I wasn't sure which way they'd go.

Apple lost here.

So to me, backdoor encryption seems like it defeats the whole point of ADP, no? But if not - even if there is some tiny marginal benefit - cryptography is extremely expensive to get right. It's doubtful that it makes financial sense to Apple to develop a new encryption workflow for a single country for very slight security benefits.

And it still wouldn't be complying with the UK's demands anyways. The UK demanded access to accounts worldwide. If Apple is going to be non-compliant, then they might as well be non-compliant the easy way.

In both cases it's encrypted in transit and at rest.

"The table below provides more detail on how iCloud protects your data when using standard data protection or Advanced Data Protection."

https://support.apple.com/en-us/102651

I believe the UK already has "you must unlock anything we ask" as part of the RIP/2000[0].

[0] https://en.wikipedia.org/wiki/Regulation_of_Investigatory_Po...

Other apps like Nextcloud, can only backup documents (those not in apps) and pictures, because there's an API for this.

iTunes backup is an option, but it's not automatic and convenient.

Just back up your phone to your computer via iTunes (Windows) or the built in facility on Macs