[HN Gopher] Apple pulls data protection tool after UK government...
___________________________________________________________________
Apple pulls data protection tool after UK government security row
Author : helsinkiandrew
Score : 1637 points
Date : 2025-02-21 15:05 UTC (1 days ago)
(HTM) web link (www.bbc.com)
(TXT) w3m dump (www.bbc.com)
| InsomniacL wrote:
| malicious compliance.
|
| Providing access when ordered by a court is not as secure so
| we're removing all encryption?
| smidgeon wrote:
| End-to-end-encryption-except-when-the-UK-government-is-
| interested doesn't have the same ring to it, liable to damage
| the brand ....
| nobankai wrote:
| FWIW people always put too much trust in E2EE where they
| didn't control either end. This was a loooong time coming.
| lokar wrote:
| It's not really end to end in that sense. They don't get
| the key, they just store opaque data for you.
|
| The only way apple could get your data is to push code to
| your device to steal the key.
| ferbivore wrote:
| I think their point was that you don't control your
| device. If Apple did push code to your device to steal
| the key, how would you be able to tell?
| dmix wrote:
| People aren't going to use your self-hosted E2E tools on a
| wide scale. We've been down that road. Best to secure the
| systems people already use.
| rxyz wrote:
| the whole point of ADP is that they cannot provide access
| CharlesW wrote:
| Yes, the parent commenter missed the part where Apple
| _cannot_ see the encrypted content when ADP is used.
| zikduruqe wrote:
| But Apple could say, you have 45 days to remove it or we
| will delete it, then you have to resync your data.
| brookst wrote:
| Why would they? What priorities are better served by that
| approach?
| zikduruqe wrote:
| Why would they say to all new users, that they cannot
| have Advanced Data Protection, whereas older customers
| can?
|
| Now you have a certain percentage of users with encrypted
| data, and a certain percentage of users that do not. The
| UK government will not like that. And now Apple has shown
| that it will not take a stand for privacy it might have
| to do it to comply.
| brookst wrote:
| Ah, you missed the part where Apple also said existing
| users will have to turn it off at an unspecified date.
| JKCalhoun wrote:
| No! That's not ... the comfy chair is it?
| InsomniacL wrote:
| I'm not suggesting Apple should be able to see the content,
| I'm saying the Police should be able to, when they have a
| valid court order issued in accordance with the
| legislation.
|
| For example, A 'Personal Recovery Key' could be recorded in
| a police database. To gain access to 'encrypted' data from
| Apple, a court order is needed, once they have the
| encrypted data, they can unencrypt it using the key only
| they hold.
|
| There's lots of ways to skin a cat.
| ferbivore wrote:
| Leaving aside the fact that RIPA was drafted by deranged
| lunatics and deserves zero compliance from anyone, who
| the hell would you trust to run this database?
| cassianoleal wrote:
| > A 'Personal Recovery Key' could be recorded in a police
| database.
|
| That's about as secure as not having ADP at all, or
| worse. If that police database gets compromised, not only
| my data is accessible to the attackers, but I will be
| none the wiser about it.
| InsomniacL wrote:
| An attacker would have to both compromise the police
| database AND Apple to retrieve the data.
|
| The Key could even be split, say 3 ways. Apple holds 1
| piece, the police hold another, and the Courts hold the
| third, all three would be needed to decrypt the data.
|
| This is too far in to the weeds though.
|
| It is not beyond humanities ability to have a system as
| secure as ADP while still providing a mechanism to access
| terrorists phones for example.
| svachalek wrote:
| We have a 5th amendment. You shouldn't have to do all the
| police work for them.
| ziddoap wrote:
| > _Providing access when ordered by a court is not as secure so
| we 're removing all encryption?_
|
| Providing a back door for one government reduces the security
| and privacy of the service worldwide.
|
| This decision keeps the security and privacy for the rest of
| the world. Sucks for the UK that your politicians decided to go
| this route.
| pjc50 wrote:
| "If we can't provide this product legally, we're not going to
| provide it at all" ends up being the only reasonable position
| in situations like this.
|
| At least this way doesn't compromise users in other countries.
| Retr0id wrote:
| As someone currently a citizen of the UK, what are my best
| emigration opportunities?
| nobankai wrote:
| If you abhor surveillance, don't pick a Five-Eyes nation.
| y33t wrote:
| Don't forget the 14-Eyes, which includes most of Western
| Europe.
| princetman wrote:
| Depends on what you're after * Australia * United States *
| Singapore * Dubai * Europe (Belgium/Switzerland/Netherlands)
| pjc50 wrote:
| If you're after freedom, you absolutely do not want Singapore
| or Dubai.
| faku812 wrote:
| Australia is the worst of all
| airhangerf15 wrote:
| The United States has the strongest laws for freedom of
| speech. You can't get arrested and face years of criminal
| legal trials, ending in an PS800 fine for making a joke
| with your dog in America. Police won't show up at your
| house for Facebook posts like they do in Aussiestan.
| American courts probably won't take your infant away from
| you and force a medical procedure on it like in Kiwistan
| just because you wanted to use your own blood donors for
| the operation.
|
| It's been degrading in the US too. Xitter is not at all a
| free speech platform and that technocrat says whatever he
| has to for popularity until he can chip your brain. Cutting
| a few million in wasteful government spending doesn't make
| up for how he loves China and deeply desires their level of
| autocracy.
|
| America's laws have somehow held in-spite of presidents
| that seek to crush it (yes, both of them, both sides.
| They're the same. Stop believing the headlines and read the
| damn articles). Although defamation law has been weaponized
| to neuter some forms of speech and reporting.
|
| There is an internal push by the CIA in America to further
| destabilize it and cause radical elements in the fake-left
| and fake-right to call for more authoritarianism. It's not
| a great nation, but sadly it is the last bastion of true
| liberty .. and it's eroding every day from every side.
|
| In 20 years there might not be anywhere to flee to. Fight
| for your country. They can't put every British person in
| prison if everyone decided to tell the truth.
| blibble wrote:
| this is not a free speech issue, it's about key escrow
|
| and the US invented technical crypto backdoors
|
| https://en.wikipedia.org/wiki/Clipper_chip
| nobankai wrote:
| That said, American leadership is still fine with dragnet
| surveillance and coercing corporations to lie to their
| audience: https://arstechnica.com/tech-
| policy/2023/12/apple-admits-to-...
|
| Being American has it's perks, but privacy isn't one of
| them.
| pjc50 wrote:
| > American courts probably won't take your infant away
| from you and force a medical procedure on it like in
| Kiwistan just because you wanted to use your own blood
| donors for the operation.
|
| Whenever someone writes "just" in a case like this I can
| tell there's a complicated, ugly legal case that's being
| grossly misrepresented, and quite possibly one where no
| responsible journalist is reporting because of child
| privacy issues/laws.
|
| The problem with both British and American surveillance
| state authoritarianism is it's hugely popular with the
| public when used against the ""wrong"" people. You might
| have "free speech" (subject to qualifications such as
| Comstock and their modern day equivalents) but you're
| much, much less likely to be shot and killed by the
| police - or a random stranger - in the UK.
| bananapub wrote:
| Australia is even more everyone-is-a-cop than the UK, and is
| doing this exact same shit for the exact same reason.
| ben_w wrote:
| Of the whole list, if the Investigatory Powers Act is what
| you didn't like, I'd pick Switzerland first, then
| Belgium/Netherlands.
|
| Of course, that assumes you're fluent in the local languages.
| Hoe goed spreekt u Nederlands?
|
| I made a jump to Germany in 2018, and, thanks to learning a
| new language, have had a front-row seat to how flat the real
| Dunning Kruger effect really is:
| https://en.wikipedia.org/wiki/File:Dunning-
| Kruger_Effect2.sv...
|
| Dubai, even as an international hub where you may be able to
| get by with English -- l tDy` wqtk bstkhdm dwlynjw lt`lm llG@
| l`rby@, lqd Hwlt khll lwb wm zlt l '`rf l'bjdy@ -- is much
| more authoritarian than the UK. Similar for Singapore.
|
| If you're monolingual, and privacy is your concern, then the
| US is an improvement over Australia.
|
| But also consider Canada and Ireland.
|
| Ireland isn't in Five Eyes, Canada is, but also Canada is
| slightly further away from the madness of Trump etc. than any
| company still inside the USA.
|
| I'm not even sure what's going to happen with the US federal
| government given that DOGE _cannot_ meet its stated goals
| even by deleting all discretionary-budget federal agencies
| like the NSA, CIA, FBI, all branches of the armed forces,
| etc. but on the other hand the private sector is busy doing a
| huge volume of spying anyway in the name of selling
| adverts... chaos is impossible to predict, and you should
| want to predict things at least a few years out if you 're
| going to the trouble of relocating.
| cge wrote:
| >Ireland isn't in Five Eyes,
|
| That's true, and I suspect Ireland does not do as much
| surveillance as many other countries, but if I recall
| correctly, it does have a passphrase-or-prison law like the
| UK. I also get the sense that in a number of cases, it
| tends to view its laws as suggestions, for example, with
| the autism dossiers scandal [1], and in some sense, gets
| away with it in the way that a small country can. To me, it
| feels like a country where you don't need to worry about
| organized, systemic surveillance abuses, but do need to
| worry about departments or even individual employees who
| decide that they just don't like you.
|
| [1]: https://en.m.wikipedia.org/wiki/Department_of_Health_a
| utism_...
| nickslaughter02 wrote:
| > then Belgium/Netherlands
|
| Belgium's EU presidency was pushing for Chat Control (on-
| device scanning of all your messages). Hungary took over
| and was pushing for the same. Poland took over and is
| proposing changes. Denmark has been in favor of the
| original proposal and is taking over in July 2025.
| readthenotes1 wrote:
| Wasn't this in line with JD Vance's European Eulogy last week,
| that we shouldn't be using 1984 as a playbook?
| i2km wrote:
| 1984 could only ever have been written by an Englishman
| SSLy wrote:
| Dublin?
| donohoe wrote:
| Ireland might be easy option.
|
| UK citizens do not need a visa or residency permit to live and
| work in Ireland due to the Common Travel Area (CTA) agreement
| miroljub wrote:
| If you value personal freedoms, you should go to East Europe.
| The more to the east, the better. Snowden went to Russia.
| ben_w wrote:
| > Snowden went to Russia.
|
| He was stuck in an airport when his passport got cancelled.
| It's not really a free choice if you can't go anywhere else,
| and planes suspected of carrying you get forced to land, even
| if by virtue of being denied airspace access until they run
| out of fuel.
|
| https://en.wikipedia.org/wiki/Evo_Morales_grounding_incident
| bmicraft wrote:
| freedom to _what_? Corruption is high, media is pretty
| restricted under Orban, and it doesn't look all that great
| for freely expressing your identity either. Whether Poland
| will follow their direction or manage to turn around is still
| up in the air.
|
| You're only more "free" there if you have the money to bribe
| officials.
| filoleg wrote:
| Snowden didn't go to Russia because of the government there
| "valuing personal freedoms," he went there bevause it is one
| of the very few major countries that absolutely will not
| cooperate with any extradition requests from western
| countries.
|
| If you are thinking of going to east europe (and especially
| Russia) in search of personal freedoms, I got a bridge to
| sell you (for context, I grew up in Russia). The only
| "freedom" some of those countries might provide is the
| freedom from the long reach of the hands of western
| governments (and even that is a "maybe", as Andrew Tate has
| been discovering recently).
| pelorat wrote:
| Kremlin has full access to every service operating in Russia.
| If a service is banned in Russia, that's a service you should
| use. If it's not banned, it already has a backdoor.
| int_19h wrote:
| https://en.wikipedia.org/wiki/SORM
|
| https://en.wikipedia.org/wiki/Roskomnadzor
| mtrovo wrote:
| You do realise that the UK government is, and always has been,
| notorious for surveillance. They haven't changed since before
| WW2 and probably never will, even if Apple suddenly decides to
| play hardball with them.
|
| And to be very, very honest, if you look across the Five Eyes
| nations, I don't think this is much different from what other
| countries deal with when it comes to access to data. You had
| PRISM, the trick of asking other countries for access to their
| own citizens data to avoid scrutiny, and Apple delaying the
| implementation of E2E in the US after federal agencies got
| pissed about it. The list goes on for a long time. At least in
| the UK, the government is so detached from commoners hurt
| feelings that they ask for what they want explicitly, with no
| fear of political consequences.
| Retr0id wrote:
| The fact that it's always sucked is precisely why I want to
| leave.
| LuciOfStars wrote:
| Not gonna lie, I expected Apple to just kind of roll over and
| take the blow on this one. Interesting.
| ben_w wrote:
| If any of the tech firms would resist, it would be Apple.
|
| I wasn't sure which way they'd go.
| scarface_74 wrote:
| While Apple especially under Tim Cook has done a lot
| questionable acquiescences under Cook for political
| expediences, they really didn't have a choice here. It was
| the law.
|
| Now going back on Twitter to get in the good graces of
| President Musk and bringing TikTok back to the AppStore even
| though it is clearly against the law is different.
| busymom0 wrote:
| > they really didn't have a choice here
|
| They did have a choice. They could have said they will just
| get out of UK. That would have resulted in enough political
| turmoil in UK that their government would roll back this
| stupid law. Apple chickened out.
| nobankai wrote:
| Abandoning the UK market would hurt Apple more than it
| would hurt the UK. They are not a nation-state, Apple
| cannot wage diplomacy by threatening the government, they
| can only shoot their own foot off and say it was for the
| good of everyone.
|
| It would also partially validate the EU's regulation if
| they abandoned the UK but stayed in Europe. Apple very
| much doesn't want to feed either side a line.
| busymom0 wrote:
| They could have started with not offering iCloud at all
| in UK. See how the blowback gets UK government to play
| ball and rollback the law.
|
| It may have hurt Apple in the short term but helped in
| the long term.
| thewebguyd wrote:
| Then instead of mandating a backdoor to cloud data, the
| UK would just mandate backdoor access to the devices
| themselves, again forcing Apple's hand to either comply
| or GTFO, if they want it bad enough.
|
| We're losing the fight, and people are as apathetic as
| ever around privacy and security issues.
|
| Besides, never trust E2EE where you don't control both
| ends, but everyone here should have already known that.
| scarface_74 wrote:
| If the UK wants the law to change, that's up to the
| citizens of the UK. These are the people they elected.
|
| Don't expect Apple to rescue the UK citizens to from
| their own choices.
| busymom0 wrote:
| So, Apple will just give in to whoever is in power? They
| were not this soft in the San Bernardino case when FBI
| asked them to unlock a phone.
| scarface_74 wrote:
| The FBI doesn't create laws. If Congress had passed a law
| then you would have a good analogy.
|
| Yes Apple follows the _laws_ of every country it operates
| in just like any other company.
| ImJamal wrote:
| There is an easy way to avoid having to follow laws of a
| country. Don't operate in that country.
| ben_w wrote:
| If you don't want to be sued by activist investors, you
| need a _good reason_ for that, and to be able to tell
| those investors what else you tried first before
| escalating that far if you eventually do pull out of a
| market.
| maeil wrote:
| Apple absolutely does not follow the _laws_ of every
| country it operates in, else TikTok wouldn 't be back on
| the App Store.
| scarface_74 wrote:
| If only I had thought about that, I might have mentioned
| it.
|
| Oh wait
|
| https://news.ycombinator.com/item?id=43128684
|
| > _Now going back on Twitter to get in the good graces of
| President Musk and bringing TikTok back to the AppStore
| even though it is clearly against the law is different._
| maeil wrote:
| Then why subsequently say that they follow the laws of
| every country they operate in? They don't, so whether the
| FBI makes the laws is not relevant.
| scarface_74 wrote:
| The UK made the law years ago and someone in authority
| said they were going to start enforcing it.
|
| In the case of TikTok, the law was passed a year ago and
| the executive branch said they wouldn't enforce it.
| ben_w wrote:
| > So, Apple will just give in to whoever is in power?
|
| This is definitionally why a country is sovereign and a
| company isn't.
|
| > They were not this soft in the San Bernardino case when
| FBI asked them to unlock a phone.
|
| FBI has to follow the laws of the USA.
|
| The UK _writes_ the laws of the UK, which Apple (if they
| want to operate in the UK) has to follow.
| madeofpalk wrote:
| They did. They've giving the UK Government a backdoor to all UK
| users.
|
| Apple lost here.
| balozi wrote:
| Technically, they are leaving the front door open to all
| interested parties
| gormandizer wrote:
| But Apple is not giving the UK Government anything they
| didn't already have. Now iCloud encryption will function in
| the UK just as it has for years (decades?) before the
| inception of ADP.
| eugenekolo wrote:
| They heavily compete on "privacy" and "security", so I wouldn't
| expect them to. Additionally, once you start rolling with one
| government, every one wants you to do something for them while
| offering you no additional money for the work and weakening of
| your project.
| connorgurney wrote:
| Really disappointed that our government decided to take such a
| stance.
|
| What are people using when self-hosting services in the scope of
| iCloud nowadays? Nextcloud seems the closest comparable service.
| alt227 wrote:
| If you own an iPhone then nothing can come close to the feature
| set of iCloud. Apple just have it on lockdown and dont expose
| the functionality that would be needed for a competitor to take
| advantage of this.
|
| A great time for all people to jump to android IMO and
| experience the freedom of choice it gives you.
| jiriknesl wrote:
| I wonder, what are the alternatives now?
|
| Tresorit? Self-hosted Nextcloud?
| fguerraz wrote:
| There is no alternative really as only iCloud can back-up your
| settings, saved networks, and apps data.
|
| Other apps like Nextcloud, can only backup documents (those not
| in apps) and pictures, because there's an API for this.
|
| iTunes backup is an option, but it's not automatic and
| convenient.
| dmix wrote:
| It encrypts your entire phone backups as well
| alt227 wrote:
| Is that true? Only iCloud can back up an iPhone? They dont
| provide any way to even extract an encrypted archive so you
| can keep it safe for yourself?
|
| I get more and more amazed at Apples lock in tactics. This is
| why I own nothing Apple, and have complete control over
| everything in my digital world.
| SSLy wrote:
| No, you can use iTunes to make a local backup too. It was a
| thing long before iCloud.
| alt227 wrote:
| Fair enough, however iTunes is also Apple software no?
|
| So your choice is use Apple software to make your
| backups, or....?
| SSLy wrote:
| well, yeah, iphones could be bit more open, and I wish
| they were. But there's no real way for UK to force Apple
| into adding backdoors into _that_.
| int_19h wrote:
| Interacting with any device running iOS requires Apple
| software (or reverse engineered hacks) for many features.
|
| However, in this case, the point is that you can use
| Apple software to make a local backup (and you can
| enforce the "local" part by doing so offline), and then
| use whatever you want to encrypt and stash away the
| resulting files.
| nikisweeting wrote:
| iTunes backup is perfectly reasonable alternative to iCloud
| that retains e2ee, I don't know why they were dissing it.
| It can back up everything that iCloud can and it's
| automatic, you just plug your phone in, no lock in tactics.
| scarface_74 wrote:
| It's really not that complicated and none of those options can
| serve as an adequate backup for iOS devices including app data
| and meta data.
|
| Just back up your phone to your computer via iTunes (Windows)
| or the built in facility on Macs
| lrdd wrote:
| As a citizen, I don't understand what the UK government thinks
| they are getting here - other than the possibility of leaks of
| the nation's most sensitive data.
|
| Also is it not possible to set up my Apple account outside of the
| UK while living here?
| world2vec wrote:
| You need a valid payment method from that country and then
| cancel all current subscriptions and change to that new
| country/region.
| chatmasta wrote:
| btw, anyone know if this cancels Apple+ Support too? I've
| been resisting switching countries because I don't want to
| lose that subscription since you can only subscribe within 60
| days of device purchase.
| mr_toad wrote:
| You'll probably want a method of downloading apps tied to the
| UK app store though - particularly banking apps.
| GJim wrote:
| > other than the possibility of leaks of the nation's most
| sensitive data
|
| Amusing when you consider the National Cyber Security Centre
| (NCSC, a part of GCHQ), along with the Information
| Commissioners Office, both publish guidance recommending, and
| describing how to use, encryption to protect personal and
| sensitive data.
|
| Our government is almost schizophrenic in its attitude to
| encryption.
| gjsman-1000 wrote:
| Correct me if I'm wrong here, and maybe this is too charged
| for HN, but looking over at you guys from the US:
|
| The US has problems (don't get me wrong, look at our
| politics, enough said); but the UK seems to be speedrunning a
| collapse. The NHS having patients dying in hallways;
| Rotherham back in the popular mind; a bad economy even by EU
| standards; a massive talent exodus (as documented even on HN
| regarding hardware engineers); a military in the news for
| being too run down to even help Ukraine; and most relevant to
| this story - the government increasingly acting in every way
| like it is extremely paranoid of the citizens.
|
| Any personal thoughts?
| captain_coffee wrote:
| Yes - that is my impression as well as someone currently
| living in London. Literally ever single system that I have
| to interact with seems to be somewhere on the spectrum
| between barely functioning and complete disfunctionality,
| with almost very few exceptions that come to mind. By
| system in this context I mean every institution, service
| provider, company, business... everything. Couple that with
| low salaries across the board - including the "high paying
| tech jobs in London" with price increases that are out of
| control with no reason to believe this is ever going to
| stop you end up with a standard of living significantly
| lower than let's say for example the EU countries of
| Eastern Europe. Currently trying to figure out where to go
| next
| card_zero wrote:
| Well Albanians apparently want to live in Norwich,
| leading to a bizarre anti-propaganda campaign with bleak
| black-and-white photography to convince them it's
| horrible.
|
| https://www.bbc.com/news/articles/c99n0x4r17mo
|
| Probably your money would go futher in Albania, and
| they've got a cool flag, but the devil's in the details.
| captain_coffee wrote:
| I was referring to EU [European Union] countries. Albania
| is not in the EU so I am not sure what the point of your
| comment was besides trolling
| card_zero wrote:
| It isn't? Huh, you're right, a lot of the Balkans aren't,
| I did not know that.
|
| I don't think anywhere in the EU really describes itself
| as Eastern Europe, though. That's Ukraine, Belarus,
| Moldova. So really just Romania, sometimes.
| captain_coffee wrote:
| Literally quite a significant number of EU countries
| describe themselves as Eastern European, what you said is
| factually wrong. At this point I am considering your
| replies as either trolling or interacting in bad faith.
| card_zero wrote:
| Can't I just be incorrect?
|
| For my education, which countries?
| munksbeer wrote:
| I'm an immigrant to the UK. I have lived here permanently
| for 21 successive years, though I was actually in and out
| of the UK for years before that. My current anecdotal
| feeling about the UK is at a pretty low point.
|
| If it was an option, I would seriously look to emigrate
| again, but I honestly don't know where. The most appealing
| option for me is Australia, but my age works against me. I
| know everywhere has its issues, but I'm just so worn down
| by the horrible adversarial political system and gutter
| press in the UK right now. We seem unable to do anything of
| note recently. A train line connecting not very much of the
| UK has cost so much money, and in the end it hasn't even
| joined up the important part.
|
| I don't know, life is good at a local level. I am
| privileged and live in a fantastically beautiful town, and
| life here is safe and friendly. If I ignored everything
| else for a while it would probably do me good.
| DeepSeaTortoise wrote:
| Australia is hardly any better. E.g. it forces software
| engineers to try to sneak backdoors into the software
| they're working on.
|
| Imagine hiring someone you didn't know had an Australian
| dual citizenship and two years later all your customers'
| data is leaked onto the net.
| denismi wrote:
| Australian law explicitly prohibits requests that have
| someone "implement or build a systemic weaknesses, or a
| systemic vulnerability, into a form of electronic
| protection" - including any request to "implement or
| build a new decryption capability", anything which would
| "render systematic methods of authentication or
| encryption less effective", anything aimed at one person
| but could "jeopardise the security or any information
| held by another person", anything which "creates a
| material risk that otherwise secure information can be
| accessed by an unauthorised third party".
|
| This UK request as reported would not be legal in
| Australia.
| nickslaughter02 wrote:
| Since 2018:
|
| > Technical Capability Notices (TCNs): TCNs are orders
| that require a company to build new capabilities that
| assist law enforcement agencies in accessing encrypted
| data. The Attorney-General must approve a TCN by
| confirming it is reasonable, proportionate, practical,
| and technically feasible.
|
| > It's that final one that's the real problem. The
| Australian government can force tech companies to build
| backdoors into their systems.
|
| https://www.schneier.com/blog/archives/2024/09/australia-
| thr...
| denismi wrote:
| Yes. Since the 'Telecommunications and Other Legislation
| Amendment (Assistance and Access) Bill 2018' which I was
| directly quoting from, and explicitly prohibits systemic
| backdoors.
|
| That blog's own reference points this out:
|
| > Regular use of encryption as electronic protection,
| such as online banking or shopping, is not of primary
| concern in the Act. To reinforce this, the Act includes
| safeguards between government and industry, such as
| restricting backdoors and decryption capabilities,
| preventing the creation of systemic weaknesses, and
| accessing communication without proper jurisdiction,
| warrants, or authorisations.
|
| So I can only assume that the author is either too lazy
| to bother reading their own reference in full (let alone
| researching the topic of their blog), or is being
| knowingly dishonest.
| fdb345 wrote:
| Like most immigrants you were sold a lie. Enjoy.
| munksbeer wrote:
| Sorry? The UK has been an amazing place for me. It still
| is, when I focus locally, instead of being swept up by
| everything else.
|
| Are you also an immigrant to the UK? I suggest you
| embrace it.
| fdb345 wrote:
| Go home. We dont want you. Havent you noticed yet?
| NegativeLatency wrote:
| Seems like the US is trying to catch up, especially with
| the whole talent exodus thing and defunding of vital
| research funding.
| pjc50 wrote:
| There's a lethargy, but it's hardly speedrunning. Things
| will be the same or slightly worse in a decade. I'm not
| sure I can say the same for the US, it seems different this
| time.
|
| > The NHS having patients dying in hallways
|
| Sadly routine in winter. Nobody wants to spend the money to
| fix this. Well, the public want the money spent, but they
| do not want it raised in taxes.
|
| > Rotherham back in the popular mind
|
| The original events were between 1997 and 2013. The reason
| they're back in the mind is the newspapers want to keep
| them there to maintain islamophobia. Other incidents (more
| recently Glasgow grooming gangs) aren't used for that
| purpose.
|
| > a bad economy even by EU standards
|
| Average by EU standards. But stagnant, yes.
|
| > the government increasingly acting in every way like it
| is extremely paranoid of the citizens.
|
| They've been like this my entire life. Arguably it was a
| bit worse until the IRA ceasefire. Certainly the security
| services have been pushing anti-encryption for at least
| three decades.
| lucasRW wrote:
| Many people think like you. Western Europe in general has
| been destroyed by a certain ideology, and whoever can
| emigrate does emigrate.
| hkwerf wrote:
| I suppose they don't believe certain facts engineers are
| telling them. With Brexit it was coined "Project Fear". Now
| they're being told that adding backdoors to an encrypted
| service almost completely erodes trust in the encryption and,
| as in the case with Apple here, in the vendor. However, I
| suppose it is very hard to find objective facts to back this.
| I'd guess this is why Apple chose to both completely disable
| encryption and inform users about the cause.
|
| Now we're probably just waiting for a law mandating
| encryption of cloud data. Let's see whether Apple will
| actually leave the UK market altogether or introduce a
| backdoor.
| palmotea wrote:
| > Our government is almost schizophrenic in its attitude to
| encryption.
|
| Of course: it's not a monolithic entity. It's a composite of
| different parts that have different goals an interests.
| spwa4 wrote:
| And yet if I steal your money and refuse to give it back,
| or let you steal it back, you'll call that hypocritical.
| What does the size of an entity have to do with whether
| this is idiotic or not?
| pjc50 wrote:
| You're not an entity, you're a person. Scale really does
| make a difference.
| spwa4 wrote:
| You're making the argument that the UK government will
| stop using encryption itself once the information about
| this becoming illegal makes it through the government.
|
| It won't. The courts will refuse to force them to stop,
| and even if the courts attempt to force it, some
| government departments just won't listen, and be
| protected from the consequences.
|
| This is another case of "the law applies to you, but not
| to me".
| pjc50 wrote:
| The law is that encrypted comms must be provided to the
| security services on request. This is not a problem for
| government agencies. It is not illegal per se.
| spwa4 wrote:
| I went digging a bit. No. You're wrong. You cannot
| substitute the law we're discussing with something else.
| If the law truly is that encrypted comms must be provided
| to the security services upon request, then Apple
| Encryption is not a problem. Security services simply
| should ask the owner of the icloud account ...
|
| So that's NOT what the law says.
|
| The law says that private sector entities cannot have
| effective encryption (so NOT government agencies). Why do
| I put it like that? Because it MUST be possible for the
| security services to get access to any data they can
| intercept in any way WITHOUT telling/alerting the
| participants. They must be able to ALTER those
| communications. Or to make it more practical: any
| software maker MUST be able to provide access to any data
| the security services physically intercept, encrypted
| hard drives, ssh capture ... anything. And no, there is
| no exception for open source software.
|
| ANYONE who puts this in software is criminally liable, as
| well as any firm (director/...) of any firm that has
| software doing this: // we're done with
| the key for this session, erase the key key := 0
|
| Obviously this means any government agency that runs a
| https website is violating this law. Publish an IOS app?
| Violation! (you're using encryption that is designed not
| to let anyone, including you yourself, alter the app on
| the wire). Publish an android app? Same. Publish a
| fucking rpm package on yum? (the signing code obviously
| violates this law). A fucking garbage collector violates
| this law. BUT ...
|
| But there is one VERY specific limitation. Only the
| government gets to complain about this, and obviously,
| there is zero plans to enforce this equally. The
| government sure as hell is not planning to actually put
| in the effort to make the encryption they use compliant
| with this law. It's just to get at the contents of
| confiscated harddrives. It's just to force foreign
| companies to unlock phones that have been confiscated.
|
| Oh and there's stricter punishments if you tell anyone
| you're complying with this. This law can be used to
| arrest Linus Torvalds until he backdoors encrypted loop
| devices, and threaten him with decades prison if he tells
| anyone he's done that.
|
| And can I just say? If this law was put, properly
| explained, to the people of the UK, there's no way it
| would get 50% of the vote.
| palmotea wrote:
| >> Of course: it's not a monolithic entity. It's a
| composite of different parts that have different goals an
| interests.
|
| > And yet if I steal your money and refuse to give it
| back, or let you steal it back, you'll call that
| hypocritical.
|
| That's a bad analogy.
|
| > What does the size of an entity have to do with whether
| this is idiotic or not?
|
| Because it's not about the size, _and I said nothing
| about the size_. It 's about it being composed of
| different minds, organized into different organizations,
| focused on different goals.
|
| It's just not going to behave like one mind (without a
| lot of inefficiency, because you'd need literal central
| planning), because that's not the kind of thing that it
| is.
| wrs wrote:
| In the US, the NSA has always had both missions (protect our
| country's data and expose every other country's data). Since
| everyone uses the same technology nowadays, that's a rather
| hard set of missions to reconcile, and sometimes it looks a
| little ridiculous. As of fairly recently, they have a special
| committee that decides how to resolve that conflict for
| discovered exploits.
| Macha wrote:
| I mean, this is no different than one part of the government
| suggesting running laundry at night to reduce the
| environmental impact of energy use, while another suggests
| only running it while awake to reduce fire hazard.
| Governments and corporations rarely have complete internal
| alignment.
| Am4TIfIsER0ppos wrote:
| That's because GCHQ knows they can kill if you refuse to
| decrypt so they have no problem suggesting it to you.
| feb012025 wrote:
| I don't know, they've definitely been cracking down on
| journalists over the past year. Could be an attempt to crack
| down harder / create a chilling effect
| lucasRW wrote:
| They've been sending people to prison for posting memes....
| mr_toad wrote:
| Memes with illegal content. It's not hard to imagine
| creating a meme that would have the FBI knocking on your
| door.
| vr46 wrote:
| You need a non-UK card to use on your Apple Account to change
| its region.
| dawnerd wrote:
| Would a Wise card work?
| gambiting wrote:
| No, because it still has a British billing address.
| mr_toad wrote:
| You need proof of address.
| varispeed wrote:
| It's for Labour "data analysts" to go through people photos and
| search for nudes.
| mr_toad wrote:
| > Also is it not possible to set up my Apple account outside of
| the UK while living here?
|
| The ability to turn on Advanced Data Protection does seem to be
| tied to your iCloud region (as of now I can still turn it on,
| and I'm in the UK but have an account from overseas).
| tick_tock_tick wrote:
| The UK is arresting people for posting memes. They want full
| control and that's it.
| retinaros wrote:
| full control on everyone they deem as an opponent. in UK being
| dimmed and oponent is about posting the wrong meme or even
| standing in the wrong street at the wrong moment.
| world2vec wrote:
| I regret immensely not having turned ADP before... Now I'm
| feeling really angry at this whole thing.
| matthewdgreen wrote:
| The best time to turn on ADP was before this happened. For
| folks not in the U.K., the second best time is right now. The
| more people who use it, the more disruptive it will be to turn
| off.
|
| Keep in mind there are some risks with any E2EE service! You'll
| need to store a backup key or nominate a backup contact, and
| there's a risk you could lose data. Some web-based iCloud
| services don't work (there is a mode to reactivate them, with
| obvious security consequences.) for what it's worth, I've been
| using it for well over a year (including one dead phone and
| recovery) and from my perspective it's invisible and works
| perfectly.
| dmix wrote:
| Here's how:
|
| On iPhone or iPad Open the Settings app.
| Tap your name, then tap iCloud. Scroll down, tap
| Advanced Data Protection, then tap Turn on Advanced Data
| Protection. Follow the onscreen instructions to
| review your recovery methods and enable Advanced Data
| Protection.
|
| On Mac Choose Apple menu > System Settings.
| Click your name, then click iCloud. Click Advanced
| Data Protection, then click Turn On. Follow the
| onscreen instructions to review your recovery methods and
| enable Advanced Data Protection.
| soraminazuki wrote:
| Unfortunately, the title says
|
| > Apple pulls data protection tool after UK government
| security row
| dmix wrote:
| Only in the UK, everyone else should still do it. Not on by
| default
| grahamj wrote:
| Apple should start prompting users to enable it.
| dmix wrote:
| probably avoiding the support issues of users losing
| access to encryption key recovery
| doublerabbit wrote:
| Can confirm.
|
| "Apple can no longer deliver ADP in the United Kingdom to
| new users" with the enable button disabled.
| tomwphillips wrote:
| The article reports that it will be disabled for existing users
| at a later date.
| basisword wrote:
| I'm guessing this is because they haven't figured out a way
| to do it yet. I'm not very well versed in how these systems
| work but surely this type of encryption can't be disabled by
| Apple remotely (or they would have that backdoor they don't
| want)?
| neilalexander wrote:
| They will either just automatically turn it off in a future
| device software update, or they'll just post a deadline
| after which they will delete user data and prevent sync if
| it isn't disabled by the user.
| robinhouston wrote:
| The Bloomberg article has a little more detail about this:
|
| > Customers already using Advanced Data Protection, or ADP,
| will need to manually disable it during an unspecified
| grace period to keep their iCloud accounts. The company
| said it will issue additional guidance in the future to
| affected users and that it does not have the ability to
| automatically disable it on their behalf.
| basisword wrote:
| Wow, thanks for sharing! I thought that might be the case
| but "disable it or we'll have to nuke your data" seems so
| extreme I thought there must be a better way.
| george_perez wrote:
| I'm thinking that by losing their iCloud account is just
| means it will be blocked from syncing anything with
| Apple's servers.
| int_19h wrote:
| Anything else would be indicative of ADP encryption not
| working the way they said it does.
| snowwrestler wrote:
| The "grace period" will also function nicely as a period
| of time for UK citizens to shout at their government
| representatives about this.
| kennysoona wrote:
| If you care, then it's time to ditch iPhone and Android phones
| altogether. It's not like anything they offer will be safe. You
| need to invest instead in a FairPhone with e/OS or a PinePhone
| or some similar alternative. Something where you have complete
| control of the software and ideally the hardware.
| piyuv wrote:
| This can set a dangerous precedent. Now why wouldn't any country
| demand the same, basically eliminating Advanced Data Protection
| everywhere, making user data easily accessible to Apple (and
| therefore governments)?
| JKCalhoun wrote:
| Wait, are you saying the U.S. might demand the same? In the
| current political environment?
| piyuv wrote:
| UK is much smaller than US and they didn't even fight this
| -\\_(tsu)_/-
| ziddoap wrote:
| The choice was either eliminate it now (globally, via
| introduction of a backdoor) or eliminate it in the UK (but keep
| it globally).
|
| So, perhaps this is a bit of a dangerous precedent, but it was
| the least-bad option.
| piyuv wrote:
| When UK demanded a backdoor to e2ee in iMessage, Apple told
| them they'd rather get out of UK. Why not do the same here?
| You're posing a false dichotomy.
| ziddoap wrote:
| What would that change, effectively, other than have Apple
| lose money?
|
| The UK would still lose ADP (and then also just Apple
| products in general). A precedent would still be set.
|
| Your posing a strictly worse third option. Sure, it's an
| option, I guess. Apple could also just close down globally,
| as a fourth option. Or sell off to Google as a fifth. But I
| was trying to present the least-bad option (turn off ADP),
| rather than an exhaustive list.
| elfbargpt wrote:
| I totally get your point, but calling the UK's bluff
| could work. Are they really willing to ban Apple products
| in the UK? Maybe, maybe not
| maeil wrote:
| Depends on if the US emperor and his cronies have the
| UK's backs on this issue. If they don't, calling the
| bluff would work, there's zero chance the UK gov would
| ban Apple products without US approval. The backlash
| among the public would be far worse than the TikTok ban.
| Imagine all companies using Macs. The order of power here
| is US > Apple > UK.
| GeekyBear wrote:
| > Apple told them they'd rather get out of UK
|
| To my knowledge, Apple has always said that their response
| would be to withdraw affected services rather than break
| encryption.
|
| > Apple has said planned changes to British surveillance
| laws could affect iPhone users' privacy by forcing it to
| withdraw security features, which could ultimately lead to
| the closure of services such as FaceTime and iMessage in
| the UK.
|
| https://www.theguardian.com/technology/2023/jul/20/uk-
| survei...
| piyuv wrote:
| True! Thanks for the correction.
|
| IMO they could've categorized the whole iCloud service as
| "affected" and disable all of it.
| GeekyBear wrote:
| My guess is that the order they received would have only
| effected encrypted device backups, at least so far.
|
| Users in the UK do still have the option to perform an
| encrypted backup to their local PC or Mac.
| philsnow wrote:
| That's a false dichotomy.
|
| Another choice, however unpalatable to all parties, would
| have been for Apple to stop doing business in the UK.
| ziddoap wrote:
| See my other reply.
|
| They could also sell the entire business to Google. Why
| bother with listing options even worse for everyone
| involved?
| v3xro wrote:
| I mean they could have tried not complying, and fighting
| a lawsuit at the ECHR (right of every person to a private
| life). Takes money and time but more attractive than the
| other options.
| ziddoap wrote:
| It's less attractive, riskier, and more costly of a
| decision for Apple. Apple is a corporation, not an
| altruist.
|
| This play by Apple applies pressure to the UK government
| indirectly via its citizens, for free, rather than taking
| the risk and expenses of a lawsuit.
| netdevphoenix wrote:
| Why do pro-privacy tech folks on here act like Apple is
| some charity? Apple is a business. It won't fight a
| citizen's fight on your behalf. It is on citizens to use
| their democratic power to ensure their representatives act
| as the voting base wants. Apple's goal is to make money.
| The government is a representation of your will.
| haswell wrote:
| > _Apple is a business. It won 't fight a citizen's fight
| on your behalf._
|
| Being a business does not remove ethical considerations.
| And I'm an environment where corporations are considered
| people, it seems reasonable to expect some degree of
| alignment with normal citizens.
|
| > _Apple 's goal is to make money. The government is a
| representation of your will._
|
| The government is increasingly _not_ a representation of
| the collective will, and is instead captured by those
| corporations.
|
| I can't help but feel the "but they exist to make money"
| line too often ignores the many ways this is _not_ a
| sufficiently complex explanation of the situation.
| netdevphoenix wrote:
| Corporations are people in the legal sense not in any
| other philosophical way. Just like non-humans proposed
| for personhood, they are not entities expected to behave
| ethically. Like a dog, you set rules and apply
| punishments when they breach it. You don't argue ethics
| with a dog because they are not relevant to them
| kennysoona wrote:
| > where corporations are considered people,
|
| People always get this wrong. Corporations are not
| people. They just have certain rights like owning
| property. Corporate personhood != full personhood.
| lowbloodsugar wrote:
| lol. It literally does. This is a great example. You
| believe this is an ethical issue. Other shareholders (you
| are a shareholder, right?) could disagree and now there
| is a lawsuit. "Complying with national law" seems like an
| easy win for them.
| v3xro wrote:
| Because while a business goal is to make money, it is not
| necessarily, unlike what you have 80% of the people here
| believe, to make the most money possible. Ethics can
| exist in businesses too.
| aqueueaqueue wrote:
| This, plus privacy is in Apple's brand. Without this and
| other Apple-esque things (lack of bloatware etc.) you may
| as well get a Samsung for 2/3 price.
| madeofpalk wrote:
| > would have been for Apple to stop doing business in the
| UK
|
| Apple employes thousands of people in the UK. I really
| don't see any practical way they could have done that.
| spacedcowboy wrote:
| They _could_
|
| They could pull out of the UK, and to hell with the
| consequences, but then if the EU decide to do the same
| thing, or the US, or China says "hold my beer", then the
| problem becomes much larger.
|
| Losing the UK market wouldn't impact Apple that much -
| it'd be a hit to the stock, of course, but as a fraction
| of worldwide business, it isn't that huge. Larger markets
| would be a bigger issue.
| bargainbin wrote:
| I'm full in on Apple and hoped they nuked iCloud in the UK
| for this rather than compromise the product.
|
| This is still better than a back door but it sets an awful
| precedent.
| llm_nerd wrote:
| It isn't really a precedent. Companies, even high-rolling
| American tech companies, have to abide by the laws and
| regulations of the countries that they operate in. I guess
| there is a question of whether this is a legal demand that they
| truly had to follow, or just a request, and whether they could
| fight it in court, but Apple seems to be hoping to adjudicate
| it in the court of public opinion (apparently the initial
| backdoor request was secret and it got leaked).
| GeekyBear wrote:
| > abide by the laws and regulations of the countries that
| they operate in.
|
| In this case, the UK is seeking to use local law to change
| what is allowable on an international basis.
|
| That's a bit different than a nation controlling the law on
| their own soil.
| llm_nerd wrote:
| That was Apple's interpretation : That to comply with what
| the UK requested they would have to have the same thing
| everywhere.
|
| But of course that is nonsense, and Apple _could_
| theoretically have a nation-specific backdoor (e.g. for
| accounts in a given country a separate sequestered
| decryption key is created and kept in escrow for court
| order).
|
| I mean, Apple "complied" by disabling ADP just in the UK.
| They undermined their own "worldwide" claim, as ADP still
| works everywhere else, and the UK has no access.
| GeekyBear wrote:
| > of course that is nonsense
|
| Organizations like the EFF do not agree.
|
| > most concerning, the U.K. is apparently seeking a
| backdoor into users' data regardless of where they are or
| what citizenship they have.
|
| https://www.eff.org/deeplinks/2025/02/uks-demands-apple-
| brea...
| llm_nerd wrote:
| So Apple is non-compliant, given that all they did is
| disable ADP in the UK.
|
| Right?
| ziml77 wrote:
| IANAL but that's not for any of us to decide. Depending
| on their initial motivations, the UK might consider this
| to be enough to rescind the demand for a backdoor. If
| it's not then Apple will face going to court and in that
| case they could choose more extreme actions like ceasing
| business in the UK.
| spacedcowboy wrote:
| I think that's right, and I think the UK will tell them
| so, and the issue will escalate.
|
| Perhaps, if the UK continues to push, Apple will indeed
| pull out of the UK, but it'll make it as public as
| possible and tell the world who it was that forced its
| hand and what the consequences are - and I don't think
| the UK government is going to like that result.
| adgjlsfhk1 wrote:
| they're non-complient but they made it a lot harder for
| the UK to fight. by showing that the "backdoor" is
| disabling the feature, for the UK to pursue this further,
| the need a judge to rule that the UK has the authority to
| prevent an American company from providing a feature in
| America.
| kbolino wrote:
| The keys are stored only in the Secure Enclave.
| Encryption and decryption are handled outside the
| standard CPU and OS. This is hardware-level protection,
| not just some flag on a cloud account to be flipped. The
| only way for Apple to break this system is to break it
| for everyone, since anything else would risk bleed over
| or insufficient compliance.
| grahamj wrote:
| > They undermined their own "worldwide" claim, as ADP
| still works everywhere else, and the UK has no access.
|
| Disagree. There is a difference between ADP being
| unavailable in one country and it working differently in
| that country. Implementing a backdoor would mean changing
| the way ADP works.
| bananapub wrote:
| what do you mean? other countries have demanded the same, e.g.
| China.
| juanpicardo wrote:
| China only requires it for their citizens. The UK asked
| access to any person's data in the world.
| declan_roberts wrote:
| I don't get what's happening to civil liberty in Europe.
| GJim wrote:
| Pot, meet kettle!
|
| Frankly, our democracies are currently in a rather precarious
| state.
| vroomvroomboom wrote:
| Nothing is happening to it. Governmental overreach, and then if
| people really want encryption they will vote in privacy-
| friendly officials. Here in Oregon, USA, we have Ron Wyden, who
| knows more about netsec than most IT graduates.
|
| As long as you can vote there is still civil liberty, just vote
| for the right people who care about this stuff.
| thenaturalist wrote:
| None of what you just said translates to any European
| country.
|
| None.
|
| Executive power is very representative, not direct, with the
| sole exception imo being Switzerland?
| doublerabbit wrote:
| This was Brexits doing. As we are no longer EU, we have our own
| cool rules such as the upcoming PM allowed to watch me take a
| piss law.
| zimpenfish wrote:
| > This was Brexits doing.
|
| Not really? We've had horrors like the 2000 RIP[0] well
| before Brexit. The Blair government made a huge dent in civil
| liberties and the Tories carried it on.
|
| [0] https://en.wikipedia.org/wiki/Regulation_of_Investigatory
| _Po...
| Jigsy wrote:
| This is one of the reasons why I will never vote Labour.
|
| The UK has always hated not allowing people to self-
| incriminate, though...
| zimpenfish wrote:
| > This is one of the reasons why I will never vote
| Labour.
|
| The Tories are generally worse. But I agree it's
| currently a case of "lesser of two evils".
| Jigsy wrote:
| I wouldn't vote for Tory either.
|
| I usually vote for Lib Dem. Though they do things from
| time to time I don't like...
| doublerabbit wrote:
| This is why Scotland needs independence. It was once and
| with it chained by the UK, they're squeezing everything
| they can. Look at Wales, just pets for the UK. Scotland
| is an actually pretty awesome country but like Canada is
| kept pet by a leader. The only thing that could save this
| shitshow is Scotland getting independence. Lets be honest
| here. You thought Boris Johnson was bad ripping holes
| left right and center. Trump makes Boris look like a pet
| rat. And that's an insult to real rats.
| int_19h wrote:
| I may be wrong here, but my impression of Scottish
| politics is that it's just as paternalistic and nanny-
| state if not more so.
| doublerabbit wrote:
| Yes and no. But Scottish politics have more progressive.
|
| Ultimately Scotland is governed by the UK so any first
| party rounds are annulled before they get a chance by the
| UK.
| sunaookami wrote:
| The EU is currently planning exactly the same thing with Chat
| Control.
| nickslaughter02 wrote:
| What EU is planning with chat control is much worse. The UK
| still requires a warrant to access your iCloud data. EU
| wants to force companies to install spyware on your devices
| that will monitor whatever you send or receive in real time
| without any probable cause or suspicion.
| dumbledoren wrote:
| Eu isnt 'planning' anything like that. Some Euparl MPs
| backed by people like Ashton Kutcher tried to push a law to
| spy on all chat apps. Then when the dirty web of American-
| style regulatory manipulation was exposed, they backed off.
| It was a proposal for a law by some MPs. Not something 'Eu'
| did.
| sunaookami wrote:
| They backed off "for now". They are trying this for ages,
| did you forget about ACTA and Von der Leyen's past
| censorship attempts in Germany? Have you read the DSA? Of
| course the EU is planning to go full authoritian in the
| name of "protecting democracy".
| anal_reactor wrote:
| At least we don't get to pee in the cup at work
| alt227 wrote:
| We can drink alcohol in outdoor public places, can Americans?
| 15155 wrote:
| This is specific to each municipality/state. The United
| States federally has no laws regarding the outdoor
| consumption of alcohol.
| spacebanana7 wrote:
| The problem is the decline. We had more liberties 10 years
| ago than we do today.
|
| Whether Americans are free or unfree shouldn't distract us
| from this.
| tekla wrote:
| Yes.
| dumbledoren wrote:
| The empire is collapsing, so the chairs are being moved aside,
| the curtain behind the stage is being drawn and the ugly brick
| wall is being exposed...
| thraway3837 wrote:
| Could moves like this by other repressive regimes finally open
| the door to consumer-owned, consumer-controlled, decentralized
| cloud storage systems that are fully encrypted and inaccessible
| by any agency or individual except by the owner?
|
| Would be a beautiful thing to see. Not sure how storage would
| work though since you cannot take payment (that would make it
| centralized), and storage would have to be distributed, but by
| who?
| zimpenfish wrote:
| > inaccessible by any agency or individual except by the owner?
|
| I believe the UK already has "you must unlock anything we ask"
| as part of the RIP/2000[0].
|
| [0]
| https://en.wikipedia.org/wiki/Regulation_of_Investigatory_Po...
| herf wrote:
| Why is there only one "iCloud" to backup your iPhone and store
| photos? Lots of ADP users would use a corporate or self-hosted
| solution instead.
| nobankai wrote:
| The reason is that Apple was never required by UK law to offer
| any alternative. I think the DSA intended to challenge that,
| but it would do nothing for UK residents.
| snowwrestler wrote:
| As far as I know you can still opt to backup your entire iPhone
| to a local computer instead of iCloud.
|
| You can also manually transfer photos to the computer. Or you
| can enable a different app (Google Photos or Dropbox for
| example) to store copies of every picture you take, and then
| turn off iCloud Photos.
|
| Note that neither Google nor Dropbox are E2E encrypted either
| though.
| varispeed wrote:
| What would you recommend as a DIY method?
|
| I have a NAS that is accessible through VPN. But I don't
| trust its encryption, thought it is in my controlled
| location.
| spacedcowboy wrote:
| Doing it locally doesn't really help. The RIP bill can
| force you to disclose your own encryption keys to the UK
| government, and if you "forgot them" you can be put in jail
| as if you were convicted of whatever they're accusing you
| of.
|
| That's why cloud backup was useful.
|
| [edit: actually I mis-remembered this, it's "only" 2 years
| (or 5 if it's national-security-related) that they'll jail
| you for. "Only" carrying a lot of water there...]
| varispeed wrote:
| For this you can use truecrypt nested containers, so it
| will reveal data depending on your given password and
| there is no way to prove there is something else in the
| container.
|
| To be fair this should be standard.
| int_19h wrote:
| The simplest arrangement for me was to have the device back
| up to my Mac, and then said Mac has Time Machine set up to
| back up to the NAS. iOS and Mac local backups can be
| encrypted by the OS itself.
| arccy wrote:
| because Apple privacy is just marketing, they just want you to
| pay for it, they don't really care if it's possible to do
| better for free / by others
| vroomvroomboom wrote:
| It's the right choice: don't bow to government pressure, let the
| people pressure the government.
| ethagnawl wrote:
| > let the people pressure the government.
|
| Hopefully they will.
| tmjwid wrote:
| I can't imagine many here (UK) will really care, we've had
| multiple breeches of privacy imposed on us by the powers that
| be. - Removed incorrect assumption of this not being
| reported.
| darrenf wrote:
| It's literally the number one story on
| https://www.bbc.co.uk/news/ as I type this comment.
| tmjwid wrote:
| Yeah my bad.
| gambiting wrote:
| And I guarantee that the reaction from most people will
| be "good, I have nothing to hide so I have nothing to
| worry about". The apathy around this stuff in the UK is
| unbelivable - I've been trying to point out that hey, for
| years now something like 17 government agencies(including
| DEFRA - department of agriculture lol) can access your
| internet browsing history WITHOUT A WARRANT and that's
| absolutely fine. ISPs are required to keep your browsing
| history for a year too. Again, nothing to hide, why would
| I worry about it.
| genewitch wrote:
| Does and of the doh or other DNS stuff help with this at
| all? Is the only solution to VPN out of Europe?
| DeepSeaTortoise wrote:
| Only DNSCrypt provides any privacy. If you setup your
| relays properly.
| spwa4 wrote:
| The same is happening Europe-wide too. Everybody always
| points to the GPDR legislation. You know what is a
| feature of the GPDR too?
|
| Every European government (even some non-EU ones) can
| grant any exception to anyone to the GPDR for any reason.
| And, of course, every last one has granted an exception
| to the police, to courts, to the secret service, their
| equivalent of the IRS, and to government health care
| (which imho is a big problem when we're talking mental
| health care), and when I say government health care, note
| that this includes private providers of health care, in
| other words insurances.
|
| Note: these GPDR exclusions includes denying patients
| access to their own medical records. So if a hospital
| lies about "providing you" with mental health treatment
| (which they are incentivized to do, they get money for
| that), it can helpfully immediately be used in your
| divorce. For you yourself, however, it is conveniently
| impossible to verify if they've done this. Nor can you
| ask (despite GPDR explicitly granting you this right) to
| have your medical records just erased.
|
| In other words. GPDR was explicitly created to give
| people control over their own medical records, and to
| deny insurance providers and the IRS access. It does the
| exact opposite.
|
| Exactly the sort of information I would like to hide,
| exactly the people I would find it critical to hide it
| from. In other words: GPDR applies pretty much only to US
| FANG companies ... and no-one else.
|
| So: if you don't pay tax and use that money to pay for a
| cancer treatment, don't think for a second the GPDR will
| protect you. If you have cancer and would like to get
| insured, the insurance companies will know. Etc.
| alt227 wrote:
| I agree, have an upvote.
|
| Even though its making the media headlines today, 99% of UK
| citizens will forget this tomorrow and it will fade into
| the mists of time. Just like evey other security
| infringement that any government has imposed on its
| citizens.
| basisword wrote:
| There was a lot of campaigning against the Investigatory
| Powers bill when it was introduced. It didn't help much given
| the people in power want more power regardless of where they
| sit on the political spectrum.
| miroljub wrote:
| How?
|
| In the UK, there's no right to bear arms, so people are pretty
| helpless against their oppressing government.
| saintfire wrote:
| I'm sure shooting at the government would have solved this
| privacy issue.
| marknutter wrote:
| It solved the taxation issue
| krapp wrote:
| As far as I know Americans are still required to pay
| taxes, so no.
| brink wrote:
| We're working on it.
| spacedcowboy wrote:
| As a green-card holder, it really didn't.
| Tostino wrote:
| Surprisingly, the people in the government don't much like
| being shot. See the reaction to the UHC CEO for an example.
| FergusArgyll wrote:
| This is a decent point.
|
| They're now getting investigated by the DOJ and their
| stock tanked
| krapp wrote:
| Weird. In the US there is a right to bear arms, yet people
| are also pretty helpless against their oppressing government.
| cupcakecommons wrote:
| Who do you know that's been arrested for posting on social
| media? I don't know of anyone.
| krapp wrote:
| True.
|
| American police will shoot people dead in the streets
| with impunity, the military industrial complex engages in
| constant wars regardless of popular sentiment and the
| American government is currently being carved up by neo-
| nazis and oligarchs but you _can_ legally be racist on
| the internet. I guess it truly is the land of the free.
|
| Also... wait six months.
| cupcakecommons wrote:
| You're currently delusional in a very particular way and
| that's fine. I'm looking forward to you finding your way
| and things turning out much better than you expect (at
| least in the US) in six months.
| basisword wrote:
| >> In the UK, there's no right to bear arms, so people are
| pretty helpless against their oppressing government.
|
| There's a right to bear arms in the US and it doesn't seem to
| be helping them with their oppressive government.
| protonbob wrote:
| Look into the Black Panthers. It actually does work quite
| effectively.
| krapp wrote:
| How? the Black Panthers were infiltrated and undermined
| by COINTELPRO and effectively destroyed from within,
| meanwhile the white supremacist capitalist system they
| fought against persists.
|
| Their biggest success as far as I know is starting free
| school lunches in the US, but that wasn't at gunpoint.
| ch4s3 wrote:
| Ahh yes the murders of Alex Rackley and Betty Van Patter,
| truly brave and revolutionary acts!
| jahewson wrote:
| The fact that I can't tell if this is a joke speaks
| volumes.
| bloqs wrote:
| You people cannot seriously be this poorly educated
| throw16180339 wrote:
| The Mulford Act
| (https://en.wikipedia.org/wiki/Mulford_Act), a California
| gun control act that prohibits open carry, was originally
| passed back in the 60s to disarm the Black Panthers.
| cupcakecommons wrote:
| I feel like it's working pretty great
| grahamj wrote:
| It only works when the gun nuts aren't on the side of the
| oppressors.
| ornornor wrote:
| Because that's working so well for the US
| cupcakecommons wrote:
| it's working really well, we don't get arrested for social
| media posts as far as I can tell
| philipwhiuk wrote:
| https://www.justice.gov/usao-edny/pr/social-media-
| influencer...
|
| https://www.bbc.co.uk/news/articles/c86l4p583y6o
|
| https://www.aljazeera.com/news/2021/1/19/holdindigenous-
| man-...
|
| Yes you do
| jahewson wrote:
| That's not the same thing. You know what he means.
| ornornor wrote:
| If that's the bar then I guess yes it's a resounding
| success for freedom.
| cupcakecommons wrote:
| The UK seems to be actively covering up the mass rape of
| little girls and throwing dissidents in prison. They've
| sustained mass immigration for decades against their own
| peoples' will. The US just shook off, at least in part,
| the same mass immigration and the same clamping down of
| free speech in the US. It's not the only bar, but I would
| definitely consider it a resounding success. I can't help
| but think the 1st and 2nd amendment play a part because
| the 1st is obviously implicated and the 2nd is required
| to maintain the 1st.
| defrost wrote:
| > The UK seems to be actively covering up the mass rape
| of little girls
|
| They're doing the worst cover up ever given grooming
| gangs and where they operate have been headlines in the
| UK for decades.
|
| What they're not very good at is keeping the UK citizens
| at large well informed with a realistic sense of
| proportion given the scale of child sexual abuse far
| exceeds the activities of grooming gangs.
| Molitor5901 wrote:
| Technically I guess you're right, but one hopes that the
| foundations of British democracy provide its citizens with
| the tools to fight against an oppressive government. The only
| rub is getting them to stand up and do that.
| jahewson wrote:
| Like what? Britain is a constitutional monarchy. Its
| foundations anticipated an oppressive king, not an
| oppressive parliament. Britain never had a revolution, it
| never had free speech to begin with. It seems to me that
| what made Britain successful in the past is maladaptive to
| its current situation.
| quickthrowman wrote:
| Small arms are no match for drones and a fully armed
| military, a successful rebellion by any populace against a
| first world military is impossible unless the military lays
| their arms down voluntarily, full stop.
| protonbob wrote:
| Rebels are able to use techniques that a government never
| could or would. I think you underestimate the usefulness of
| small arms in guerilla warfare.
| gus_massa wrote:
| You underestimate the nasty things goverments have done.
| quickthrowman wrote:
| I think you underestimate the lethality of remotely
| piloted drones with missiles and IR cameras and the
| futility of fighting against them.
| sillywalk wrote:
| The Taliban would argue otherwise.
| protonbob wrote:
| You can pretty easily build / buy these. Look at Ukraine.
| Lots of their drones were just off the shelf. Jamming is
| super directional and easy to spot so fighting forces use
| it sparingly.
| filoleg wrote:
| Every time this argument comes up, I just feel like rolling
| eyes, it is so overplayed.
|
| Yes, in a direct confrontation and an all out war, the
| populace stands no chance against the US military (assuming
| the military will unwaveringly side against the populace),
| no argument there.
|
| But an all out war is not an option, the government
| wouldn't be trying to pulverize an entire nation and leave
| a rubble in place. If you completely destroy your populace
| and your cities in an all-out direct war, you got no
| country and people left to govern. It is all about
| subjugation and populace control. You can't achieve this
| with air strikes that level whole towns.
|
| Similarly, if the US wanted to "win" in Afganistan by just
| glassing the whole region and capturing it, that would be
| rather quick and easy (from a technical perspective, not
| from the perspective of political consequences that would
| follow). Turns out, populace control and compliance are way
| more tricky to achieve than just capturing land. And while
| having overwhelming firepower and technological advantage
| helps with that, it isn't enough.
| bloqs wrote:
| I roll my eyes when I see this blissfully naive
| LARP/mallninja imagined scenario, but I do have to remind
| myself that the US was founded on the basis of forming a
| milita etc. and I would probably say the same thing if I
| had that upbringing. You forget that the vast majority of
| people are stupid and easily scared (this is not a
| solvable problem)
|
| Help me out - how can policing possibly work if no one is
| legally required to be policed? You just end up with
| murderers, rapists etc. expressing their right to
| "resist" with arms like in spaghetti westerns. It is
| totally symbolic, and would crumble at the first instance
| of serious government interest of arresting
| 'troublemakers', which would of course start with a well
| crafted PR campaign to get the rest of the public on
| their side. I think it's naive.
| jahewson wrote:
| This feels like a strawman because you're only
| hypothesizing a situation in which it wouldn't work well.
|
| Imagine a dark future with a sudden military coup by a
| small faction of extreme radicals that 85% of the
| population opposes. could enough citizens rise up and
| stop them? Could the calculus of being that coup leader
| be changed by the likelihood that they will be
| assassinated in short order, by one of millions of
| potential assassins? Quite possibly. These are not
| everyday concerns, of course, but the concerns of dark
| and dangerous times. It's a bit like buying life
| insurance: hopefully I never need it.
| quickthrowman wrote:
| A first world military that has remotely piloted drones
| with IR cameras and other surveillance tools will have no
| problem crushing any form of resistance. They don't even
| need to field any troops, they can remotely kill the
| rebels. How on earth do you wage a rebellion against such
| a force?
| emorning3 wrote:
| Guns are an inefficient/stupid way to kill people anyway.
|
| Just ask Russia and Ukraine.
|
| Look around, human beings are quite clever.
| fdb345 wrote:
| I just dont interact with the government or British society
| at all. I have turned my back on it.
|
| If they ever come to my door I'll either go postal or leave
| the country.
|
| Its so bad here now.
| mr_toad wrote:
| > In the UK, there's no right to bear arms, so people are
| pretty helpless against their oppressing government.
|
| When people want to revolt it doesn't seem like the right to
| bear arms has much to do with it. Not having the right to
| bear arms certainly hasn't stopped countless rebellions and
| revolutions across the world. It's not like the French of the
| Russians had a right to bear arms before their successful
| revolutions.
|
| Even in the UK, the lack of a right to bear arms didn't stop
| Cromwell using firearms to defeat Charles II at the Battle of
| Worcester.
| blitzar wrote:
| We could try the American way, bear our arms and shoot up a
| school, but I don't see how that will help.
| Molitor5901 wrote:
| NO, it's the wrong choice. Most people do not understand this
| stuff enough to truly care about, and they just want their
| devices to work. This is an awful decision by Apple. There's
| really nothing consumers can do to pressure the British
| government.
| MikeKusold wrote:
| Those people aren't enabling ADP to begin with.
| Molitor5901 wrote:
| Exactly. There is a technological disconnect for a lot of
| people. They accept actions like this because they don't
| fully appreciate, IMHO, the ramifications. We do, and we
| must do more to educate people.
| afthonos wrote:
| Consumers being unable to pressure government, even if true,
| does not imply this is a bad decision.
| Molitor5901 wrote:
| It's a terrible decision that will have grave
| ramifications. I see no positive to this action.
| madeofpalk wrote:
| This is Apple condeeding. Apple lost. UK Government got
| (almost) what they wanted - a backdoor into iCloud accounts.
|
| Apple's only consolation prize is that its limited to UK users
| for now. But it seems inevitable that ADP will gradually be
| made illegal all around the world.
| jahewson wrote:
| Given that they've only prevented new signups it looks to me
| more like Apple is trying to apply pressure to the U.K.
| government to get them to back down. The law that permits
| this was passed in 2016 so the situation was default lost
| already.
| alt227 wrote:
| They have said all existing ADP enabled accounts will be
| disabled or deleted in time. They need to give people time
| to migrate their data out before they nuke it.
| vroomvroomboom wrote:
| It's the right decision. Don't bow to the government, let the
| people demand it from their leaders, and vote in new ones.
| v3xro wrote:
| Yes, countries lacking in proportional representation and
| having obscure procedures like proroguing parliament are the
| best at listening to important but fairly obscure issues from
| their voters. </s>
| v3xro wrote:
| Very disappointed with this, but I think will be finding
| alternatives.
|
| Family sharing especially of Reminders is a hard one - we use
| lists for grocery shopping and it is extremely convenient.
|
| Has anyone tried out Ente https://ente.io/ for photos?
| b800h wrote:
| What happens if you're an international traveller?
| SXX wrote:
| This will likely depend on your primary account region. Apple
| can't just turn off E2EE on existing account nilly willy.
| A4ET8a8uTh0_v2 wrote:
| << Apple can't just turn off E2EE on existing account nilly
| willy.
|
| If they are able to, then then can be compelled. Do you mean
| won't/wouldn't?
| SXX wrote:
| They can break a sync on server-side for your account.
|
| They can't disable it on device though.
| int_19h wrote:
| They control the software running on your device, and
| said software ultimately has access to the encryption
| keys stored there (subject to the usual hoops; e.g. it
| might need you to do a FaceID unlock first, but it's not
| like you aren't already doing that many times every day).
| buildbot wrote:
| "Apple said it will issue additional guidance in the future
| to affected users and that it "does not have the ability to
| automatically disable it on their behalf.""
|
| From https://www.macrumors.com/2025/02/21/apple-pulls-
| encrypted-i...
| tome wrote:
| I'm confused. I thought iCloud was end-to-end encrypted anyway,
| and I've never heard of ADP before. Is ADP encryption _at rest_ ,
| whereas normal iCloud storage is only encrypted from the device
| to the server?
| dmix wrote:
| The only difference is Apple doesn't hold the encryption keys
| when you use ADP.
|
| In both cases it's encrypted in transit and at rest.
| tome wrote:
| TIL that Apple holds the keys to my iCloud encrypted data!
| AlanYx wrote:
| For most of it, yes. There are exceptions, e.g., Health and
| Keychain, for which Apple does not have the keys even
| without ADP enabled.
| burnerthrow008 wrote:
| Yes, otherwise, how would the web interface (iCloud.com)
| work?
| blitzar wrote:
| Or account recovery
| jamesmotherway wrote:
| See the "Data categories and encryption" section:
|
| "The table below provides more detail on how iCloud protects
| your data when using standard data protection or Advanced Data
| Protection."
|
| https://support.apple.com/en-us/102651
| pyuser583 wrote:
| How does this affect me if I travel to the UK with an E2E
| encrypted IThing?
| bananapub wrote:
| not at all
| cgcrob wrote:
| Removed all my stuff from iCloud about a month ago in preparation
| for this.
| ranger_danger wrote:
| The beginning of the end. A sad day for Brits
| Jigsy wrote:
| I don't like Apple, nor do I use any of their products, but as
| someone from the UK, I do respect them for doing this.
|
| Now if only the other companies who said they'd leave would grow
| a backbone...
| bArray wrote:
| Too right, it was far more problematic than they ever made out.
|
| > The UK government's demand came through a "technical capability
| notice" under the Investigatory Powers Act (IPA), requiring Apple
| to create a backdoor that would allow British security officials
| to access encrypted user data globally. The order would have
| compromised Apple's Advanced Data Protection feature, which
| provides end-to-end encryption for iCloud data including Photos,
| Notes, Messages backups, and device backups.
|
| One scenario would be somebody in an airport and security
| officials are searching your device under the Counter Terrorism
| Act (where you don't even have the right to legal advice, or the
| right to remain silent). You maybe a British person, but you
| could also be a foreign person moving through the airport.
| There's no time limit on when you may be searched, so all people
| who ever travelled through British territory could be searched by
| officials.
|
| Let that sink in for a moment. We're talking about the largest
| back door I've ever heard of.
|
| What concerns me more is that Apple is the only company audibly
| making a stand. I have an Android device beside me that regularly
| asks me to back my device up to the cloud (and make it difficult
| to opt out), you think Google didn't already sign up to this? You
| think Microsoft didn't?
|
| Then think for a moment that most 2FA directly goes via a large
| tech company or to your mobile. We're just outright handing over
| the keys to all of our accounts. Your accounts have never been
| less protected. The battle is being lost for privacy and
| security.
| sameermanek wrote:
| Feels like marvel was onto something with captain america and
| winter soldier.
| pplante wrote:
| Life is imitating too many dystopian books, movies, etc these
| days. I think we need to put an end to all creative works
| before the timeline becomes irrecoverably destroyed.
| ekm2 wrote:
| Banning art?
| immibis wrote:
| Burning books, more specifically. Can't be a dystopia if
| nobody knows what the word "dystopia" means *taps
| forehead*
| Arubis wrote:
| I suspect you're being flippant, but destruction of and
| restrictions on creative works as an _antidote_ to dystopia
| is a take I haven't seen before.
| pplante wrote:
| Yes, I am being very flippant. Sometimes we need to jest
| in order to digest reality.
| dingdingdang wrote:
| The /s is strong with this one.
| dmonitor wrote:
| The real prescient threat in that movie was the predictive AI
| algorithm that tracked individual behaviors and identified
| potential threats to the regime. In the movie they had a big
| airship with guns that would kill them on sight, but a more
| realistic threat is the AI deciding to feed them
| individualized propaganda to curtail their behavior. This is
| the villain's plot in Metal Gear Solid 2, which is another
| great story.
|
| This got me thinking about MGS2 again and rewatching the
| colonel's dialogue at the end of the game:
| https://www.youtube.com/watch?v=eKl6WjfDqYA
|
| > Your persona, experiences, triumphs, and defeats are
| nothing but byproducts. The real objective was ensuring that
| we could generate and manipulate them.
|
| It's really brilliant to use a video game to deliver the
| message of the effectiveness of propaganda. 'Game design' as
| a concept is just about manipulation and hijacking dopamine
| responses. I don't think another medium can as effectively
| demonstrate how systems can manipulate people's behavior.
| nottorp wrote:
| > have an Android device beside me that regularly asks me to
| back my device up to the cloud
|
| But is that backup encrypted? If it's not, all they need is
| <whatever piece of paper a british security official needs, if
| any> to access your data.
|
| This is about having access to backups that are theoretically
| encrypted with a key Apple doesn't have?
|
| > We're talking about the largest back door I've ever heard of.
|
| Doesn't the US have access to all the data of non US citizens
| whose data is stored in the US without any oversight?
| burnerthrow008 wrote:
| > Doesn't the US have access to all the data of non US
| citizens whose data is stored in the US without any
| oversight?
|
| Er, no...? I'm not sure where you get that idea. Access
| requires a warrant, and companies are not compelled to build
| systems which enable them to decrypt all data covered by the
| warrant.
|
| See, for example, the Las Vegas shooter case, where Apple
| refused to create an iOS build that would bypass iCloud
| security.
| nottorp wrote:
| I asked if your Android backup is encrypted. Implies I'm
| talking about unencrypted data.
|
| > See, for example, the Las Vegas shooter case
|
| I am not in Las Vegas or anywhere else in the US. So as far
| as i know all the data about me that is stored in the US is
| easily accessible without a warrant unless it's encrypted
| with a key that's not available with the storage.
|
| > companies are not compelled to build systems which enable
| them to decrypt all data covered by the warrant
|
| Again, not what I was talking about.
|
| I'm merely pointing out that your data is not necessarily
| encrypted, and that the "rest of the world" was already
| unprotected vs at least one state. The UK joining in would
| just add another.
| skydhash wrote:
| People always overestimate how much companies will defy
| their government for you, legally or otherwise.
| GeekyBear wrote:
| This is why Apple, and more recently Google, create
| systems where they don't have access to your unencrypted
| data on their servers.
|
| > Google Maps is changing the way it handles your
| location data. Instead of backing up your data to the
| cloud, Google will soon store it locally on your device.
|
| https://www.theverge.com/2024/6/5/24172204/google-maps-
| delet...
|
| You can't be forced to hand over data on your servers
| that you don't have access to, warrant or no.
|
| The UK wants to make this workaround illegal on an
| international basis.
| pmontra wrote:
| > You can't be forced to hand over data on your servers
| that you don't have access to, warrant or no.
|
| But you can be forced to record and store that data even
| if you don't want to.
| GeekyBear wrote:
| Which is why Apple takes the stance that the users device
| shouldn't be sending data to the mothership at all, if it
| isn't absolutely necessary.
|
| Compare Apple Maps and Google Maps.
|
| Google initially hoovered up all your location data and
| kept it forever. They learned from Waze that one use case
| for location data was keeping your map data updated.
|
| Apple figured out how to accomplish the goal of keeping
| map data updated without storing private user data that
| could be subject to a subpoena.
|
| > "We specifically don't collect data, even from point A
| to point B," notes Cue. "We collect data -- when we do it
| -- in an anonymous fashion, in subsections of the whole,
| so we couldn't even say that there is a person that went
| from point A to point B.
|
| The segments that he is referring to are sliced out of
| any given person's navigation session. Neither the
| beginning or the end of any trip is ever transmitted to
| Apple. Rotating identifiers, not personal information,
| are assigned to any data sent to Apple... Apple is
| working very hard here to not know anything about its
| users.
|
| https://techcrunch.com/2018/06/29/apple-is-rebuilding-
| maps-f...
| acka wrote:
| Google or Apple could be forced by authorities to perform
| correlation on the map tiles being requested by users
| under investigation. Not as accurate as GPS coordinates
| but probably useful nonetheless.
|
| One more reason to prefer offline maps for those who
| value privacy.
| GeekyBear wrote:
| Given that you can browse map data for any location, not
| just where you happen to be, I'm betting that
| triangulation data from your carrier would be more
| accurate.
| acka wrote:
| Sure, triangulation of carrier signals could lead to more
| accurate position estimates, but if the carrier isn't
| based in the US they are under no obligation to make this
| data available to US authorities.
|
| Apple and Google are based in the US so are bound by the
| CLOUD Act to provide any and all data they have upon
| request, no matter where in the world it is being
| collected or stored.
| Gatorguy wrote:
| Small correction.
|
| Google had "created a system where they don't have access
| to your data on their servers" a couple of years BEFORE
| Apple. Android 10 introduced it in 2019.
| GeekyBear wrote:
| Google didn't announce plans to stop storing a copy of
| user location data on their servers until the middle of
| last year.
|
| See the story linked above.
|
| They didn't announce that they could no longer access
| user location data on their servers to respond to
| geofence warrants until the last quarter of 2024.
| Gatorguy wrote:
| We're talking iCloud and data encryption compared to
| Google's Android Cloud E2EE, and you're doing maps.
| GeekyBear wrote:
| Were talking about protecting your personal data from
| government overreach, and Google's entire business model
| is to collect as much of your personal data as possible
| and store it on their servers to make ad sales more
| profitable.
|
| Apple does its best not to collect personal data in the
| first place.
| spankalee wrote:
| > all the data about me that is stored in the US is
| easily accessible without a warrant
|
| No, law enforcement needs a warrant to legally access any
| data. This is why Prism was illegal, and why companies
| like Google are pushing back against overly broad
| geofence search warrants.
| alt227 wrote:
| > This is why Prism was illegal
|
| Yet it still existed, and was used for surveillance by 3
| letter agencies. Why do you think this is any different?
| somenameforme wrote:
| No idea why the two of you are using past tense. PRISM is
| still very much alive and well.
| fdb345 wrote:
| All Encrochat evidence was illegal in at least three
| different ways. UK Law enforcement didn't care. They just
| lied.
| multjoy wrote:
| No it wasn't.
|
| The Dutch cracked and wiretapped it. It has been held not
| to be intercept evidence per RIPA so capable of being
| used in evidence.
|
| Most went guilty because they caught red-handed in the
| most egregious criminality you've seen.
|
| Encro was designed to enable and protect criminal
| communications. It had no redeeming public value.
| mtrovo wrote:
| > Doesn't the US have access to all the data of non US
| citizens whose data is stored in the US without any
| oversight?
|
| Totally agree. Having this discussion so US centred just
| makes us miss the forest for the trees. Apart from data owned
| by US citizens, my impression is that data stored in the US
| is fair game for three letter agencies, and I really doubt
| most companies would spend more than five minutes agreeing
| with law enforcement if asked for full access to their
| database on non-US nationals.
|
| Also, remember that WhatsApp is the go-to app for
| communication in most of the world outside the US. And
| although it's end-to-end encrypted, it's always nudging you
| to back up your data to Google or Apple storage. I can't
| think of a better target for US intelligence to get a glimpse
| of conversations about their targets in real time, without
| needing to hack each individual phone. If WhatsApp were a
| Chinese app, this conversation about E2E and backup
| restrictions would have happened a long time ago. It's the
| same on how TikTok algorithm suddenly had a strong influence
| on steering public opinion and instead of fixing the game we
| banned the player.
| causal wrote:
| Agree in principle, though WhatsApp backups are encrypted
| with a user provided password, so ostensibly inaccessible
| to Google or whoever you use as backup
| scripturial wrote:
| What makes you think WhatsApp backups don't have a
| secondary way to unlock the encryption key? Wouldn't it
| be more logical to assume the encryption key for whatsapp
| backups can also be unlocked by an alternate "password"
|
| If the US is willing to build an entire data center in
| Outback Australia to allow warrantless access to US
| citizen data, why wouldn't they be forcing WhatsApp
| backups to be unlockable?
| mox1 wrote:
| International users that have Advanced Protection enabled
| would in theory be safe from all of the 3-letter agencies
| (like safe from those agencies getting the data from
| Apple...not safe generally).
|
| Realistically we are talking about FISA here, so in theory
| if the FBI gets a FISA court order to gather "All of the
| Apple account data" for a non-us person, Apple would either
| hand over the encrypted data OR just omit that....
|
| Based on the stance Apple is taking here, its reasonable to
| assume they would do the same in the US (disable the
| feature if USG asked for a backdoor or attempted to compel
| them to decrypt)
| mtrovo wrote:
| Would your answer be the same if this encrypted data was
| stored in China instead of US?
|
| I don't think messages should ever leave the device, if
| you want to migrate to a different device this could be
| covered by that user flow directly. Maybe you want to
| sync media like photos or videos shared on a group chat
| and I'm fine with that compromise but I see more risks
| than benefits on backing up messages on the cloud, no
| matter if it's encrypted or not.
| r3trohack3r wrote:
| I think the average human will disagree with you. They
| want to preserve their data and aren't technically
| competent and organized enough to maintain their own
| backups with locally hosted hardware. Even the
| technically literate encourage _offsite_ backups of your
| data.
|
| Know your threat model and what actions your trying to
| defend against.
|
| Typical humans need trusted vendors that put in actual
| effort to make themselves blind to your personal data.
| nickburns wrote:
| > its reasonable to assume they would do the same in the
| US (disable the feature if USG asked for a backdoor or
| attempted to compel them to decrypt)
|
| I think it's more likely that Apple would challenge it in
| US courts and prevail. Certainly a legal battle worth
| waging, unlike in the UK.
| GeekyBear wrote:
| This has already happened, and Apple did fight it in the
| US courts.
|
| Eventually the US government withdrew their demand.
|
| https://en.m.wikipedia.org/wiki/Apple%E2%80%93FBI_encrypt
| ion...
| nickburns wrote:
| Exactly.
|
| https://en.wikipedia.org/wiki/Apple%E2%80%93FBI_encryptio
| n_d...
| autoexec wrote:
| It's worth pointing out that just because the FBI didn't
| have the access they wanted, it doesn't mean that other
| agencies don't, or that the FBI couldn't get the data
| they wanted by other means (which was exactly what they
| ended up doing in that specific case). It just means that
| they wanted Apple to make it easier for them to get the
| data.
|
| It's good that Apple refused them, but I wouldn't count
| that as evidence that the data is secure from the US
| government.
| GeekyBear wrote:
| It's also worth noting that the US courts have long held
| that computer code is speech.
|
| Apple's legal argument that the government's demand that
| they insert a backdoor into iOS was tantamount to
| compelled speech (in violation of the first amendment)
| was going over a little too well in court.
|
| The Feds will often find an excuse to drop cases that
| would set a precedent they want to avoid.
| SJC_Hacker wrote:
| > Totally agree. Having this discussion so US centred just
| makes us miss the forest for the trees. Apart from data
| owned by US citizens, my impression is that data stored in
| the US is fair game for three letter agencies, and I really
| doubt most companies would spend more than five minutes
| agreeing with law enforcement if asked for full access to
| their database on non-US nationals anyone.
| wkat4242 wrote:
| This is different IMO. When you buy Apple you buy an
| American product and you _know_ the company is beholden to
| US law. Snowden has made perfectly clear how much they can
| be trusted. When you buy it anyway it 's an informed
| choice.
|
| Here a country that has no ties with most of apple's
| customers is just butting in and claiming access to all of
| them.
|
| So what's next. Are we also giving access to everyone's
| data to Russia? Iran?
| squeaky-clean wrote:
| > But is that backup encrypted? If it's not, all they need is
| <whatever piece of paper a british security official needs,
| if any> to access your data.
|
| Based on them mentioning the difficulty of opting out, I
| presume OOP does not use Google's cloud backup.
| crimsoneer wrote:
| Android data isn't encrypted at rest (or at least not in a
| way Google doesn't have the key). If the uk gov has a
| warrant, they can ask Google to provide your Google Drive
| content. The whole point of this issue is Apple specifically
| designed ADP so they couldn't do that.
| sunshowers wrote:
| Android backups are encrypted at rest using the lockscreen
| PIN or passphrase: https://developer.android.com/privacy-
| and-security/risks/bac...
|
| So not hugely secure for most people if they use 4-6
| decimal digits, but possible to make secure if you set a
| longer passphrase.
|
| I don't know what Google's going to do about this UK
| business.
|
| edit: Ah it looks like they have a Titan HSM involved as
| well. Have to take Google's word for it, but an HSM would
| let you do rate limits and lockouts. If that's in place, it
| seems all right to me.
| autoexec wrote:
| I wonder how hard it would be for the US government to
| force Google to just get the lockscreen pin off of your
| device or for them to just infect your device with
| something to capture it themselves.
| Gatorguy wrote:
| Wrong. Google Android user cloud backups are E2EE by
| default.There is no option to opt out. Use Google's backup
| service and your data is encrypted at rest, in transit, and
| on device. aka end-to-end.
|
| It's not just Google saying it. Google Cloud encryption is
| independently verified
| noinsight wrote:
| > non US citizens whose data is stored in the US
|
| They don't even care where it's stored...
|
| See: CLOUD Act [1]
|
| [1] https://en.wikipedia.org/wiki/CLOUD_Act
| autoexec wrote:
| I honestly doubt they even limit themselves to the data of
| non-US citizens. They have no respect at all for the fourth
| amendment.
| 93po wrote:
| i think people focus on whether backups are encrypted too
| much. it really doesn't matter when the government has remote
| access equivalent to your live phone when it's in an
| unencrypted state, which they almost certainly do.
| grahamj wrote:
| This is why, while I applaud what Apple is doing here, they
| need to allow us to supply our own E2E encryption keys.
| shuckles wrote:
| That's literally what the feature they're removing did.
| kbolino wrote:
| Not exactly. It generates the keys for you and stores them
| on device in the Secure Enclave. You cannot "bring your
| own" encryption key, but the primary benefit of doing so--
| that Apple does not have access to it--is intentionally
| accomplished anyway by the implementation.
| shuckles wrote:
| I'm not sure I appreciate the value of literally bringing
| your own keys. My device generating them on my behalf as
| part of a setup process seems sufficient. You'd use
| openssl or something and defer to software to actually do
| keygen no matter what.
| grahamj wrote:
| It depends what kind of backdoor the UK is asking for but
| "encryption backdoor" sounds like cryptographic
| compromise. I don't know if that's what it means but
| either way the only way to be sure your keys are secure
| is to generate them yourself.
| kbolino wrote:
| BYOK does not provide any additional security over the
| Secure Enclave (and similar security coprocessors). In
| fact, unless the Secure Enclave were to directly accept
| your input and bypass the OS, BYOK is _worse_ because the
| software can just upload your key to a server as soon as
| you type it in. Whereas, a key generated on the Secure
| Enclave stays there, because there exists no operation to
| export it.
| rkagerer wrote:
| I agree it seems sort of academic at first blush, but I'm
| going to venture a guess it's the idea that you own them,
| instead of Apple.
|
| So you can eg. keep a backup on your own (secure)
| infrastructure. Transfer them when switching devices or
| even mirror on two different ones*. Extract your own
| secret enclave contents. Improve confidence they were
| generated securely. And depending on implementation,
| perhaps reduce the ease with which Apple might
| "accidentally" vacuum the keys up as a result of an
| update / order.
|
| _*Not sure how much these two make sense in the iOS
| ecosystem. I know on the Android side I 'd absolutely
| love to maintain a "hot standby" phone that is an exact
| duplicate of my daily driver, so if I drop it in the
| ocean I can be up and running again in a heartbeat with
| zero friction (without need to restore backups, reliance
| on nerfed backup API's outside the ones Google uses,
| having to re-setup 2FA, etc. and without ever touching
| Google's creepy-feeling cloud)._
| kbolino wrote:
| You would need to have a completely trusted software and
| hardware stack to actually _own_ the keys. And that is
| already hard enough to get on a PC where ownership still
| means something, it is not going to happen on most mobile
| devices. To whatever extent you trust any of the stack
| already, the Secure Enclave is a better bet than BYOK.
| The real risk, as you imply, is if Apple is able to
| compromise the security coprocessor with an OTA firmware
| update, but they can definitely already push a regular OS
| update that exfiltrates any key you type in.
| codedokode wrote:
| Just make an airgapped Linux device on a DYI FPGA CPU.
| This part is not that difficult comparing to persuading
| commercial vendors let you use your own cloud and your
| own encryption/backup mechanisms.
| rkagerer wrote:
| Yeah... unfortunately it ought to be the other way
| around. They should have a hard time pursuading _us_ to
| trust them enough to use theirs.
|
| If your phone company asked you to give them the key to
| your house, in perpetuity, how would you feel about that?
| (Particularly if they insisted you sign a 15 page Terms
| of Use first that disclaims all their liability if
| anything goes missing).
| vandahm wrote:
| But if you don't trust Apple, how to you get the key into the
| Secure Enclave to begin with? Doesn't Apple control the
| software on your device that provides the interface into the
| Secure Enclave from outside of it?
| IshKebab wrote:
| > What concerns me more is that Apple is the only company
| audibly making a stand.
|
| Meta also _said_ they would make a stand if a similar request
| comes for WhatsApp. I 'm not going to hold my breath though.
| AutistiCoder wrote:
| They wouldn't even be able to.
|
| WA is end-to-end encrypted.
| alex-robbins wrote:
| WhatsApp is closed source. They could backdoor it if they
| wanted to (or were forced to).
| bitpush wrote:
| And so in Apple and iOS. What is your point?
| IshKebab wrote:
| His point was that it is technically possible for
| WhatsApp to add a backdoor. Apple could too.
| kali_00 wrote:
| With almost everyones backups stored in plain-text, making
| it all a little silly.
|
| Think about it for a second: you can re-establish your WA
| account on a new device using only the SIM card from your
| old device. SIM cards don't have a storage area for random
| applications' encryption keys, and even if they did, a SIM
| card cannot count as "end-to-end" anymore. Same goes for
| whatever mobile cloud platform those backups might be
| stored on. And you'd hope Apple or Google aren't happily
| sending off your cloud decryption keys to any app that
| wants them. Though maybe they are?
| acka wrote:
| Reestablishing your WhatsApp account on a new device
| doesn't give access to your old chat messages, you need
| to restore a WhatsApp backup for that. The backup doesn't
| need to be stored in the cloud, you can choose to create
| a local file and manually transfer that to your new
| device.
|
| In any case, as soon as you start using WhatsApp on a new
| device, users in the chats you participate in will
| receive a message informing them that your encryption
| keys have changed.
| j-bos wrote:
| > (where you don't even have the right to legal advice, or the
| right to remain silent)
|
| A lot is posted about LEO's lying in the US, this seems worse.
| dustingetz wrote:
| how much distance between
|
| 1) tech monopoly strong enough to stand up to G7 nation state
| demands
|
| 2) tech monopoly strong enough to remove itself from G7 nation
| state jurisdiction?
|
| edit: s/monopoly/empire, apologies
| r00fus wrote:
| It's amusing to think of Apple as a "monopoly" (if anything
| they have a monopsony on TSMC production) but let's just
| replace that with "giant" for purposes of discussion.
|
| Tech giants typically devolve local operations to small
| companies to avoid liability - think petroleum suppliers not
| owning gas stations (because those typically end up as
| superfund sites). Not sure if this analogy this works for
| Google Android and all the manufacturers that deploy it for
| their smartphones too.
|
| So corporations have been doing this forever, trying to find
| legal loopholes where they can have their cake and eat it
| too.
| stalfosknight wrote:
| Apple is not a monopoly.
| fdb345 wrote:
| Your Android and Microsoft backup aren't encrypted. They are
| already fair game for a warrant.
| Krasnol wrote:
| It's always hilarious to see how far people here are ready to
| go to twist some bad Apple news into something which might be
| considered good.
|
| I mean seriously. Apple making a stand? What stand? They are
| ripping security out of their customers hands. Customers which
| are already dependent on the company's decision in their locked
| in environment.
|
| There is absolutely nothing good about it, and you dragging
| Android into it and making it look like it's even worse is
| suspicious. You can have full control over your Android device.
| Something impossible on an Apple phone. You can make your
| Android device safer than your iPhone.
| amatecha wrote:
| There is an upside (if you trust them) -- they're pulling a
| feature rather than adding a back door to it. Supposedly,
| anyway.
| Krasnol wrote:
| Well, sure it could be worse.
|
| Doesn't make that one good, though.
| yunwal wrote:
| The government forced them to pull the feature. Would you
| rather they left a toggle-switch that doesn't actually do
| anything? Or are you thinking they should just pull out of
| the EU altogether?
| Krasnol wrote:
| Making a stand would be leaving UK (UK is not in the EU)
| altogether.
|
| This is almost as bad as building a backdoor. This is
| leaving your customer in the rain.
|
| Fortunately for Apple, most of them won't even know or
| realize it.
| yunwal wrote:
| > This is leaving your customer in the rain.
|
| vs. taking their phone away??? Idk if you're trolling or
| what but I would be incredibly pissed at Apple if they
| deprecated my phone over something like this.
| Krasnol wrote:
| Yes, imagine the outrage in the rich and influential in
| the UK if Apple would seriously threaten to leave the
| country about this. They would cause the law to be fixed
| which would help everybody.
|
| But instead. They run away.
|
| Selling this as "making a stand" is ridiculous. Nothing
| more.
| codedokode wrote:
| Making a stand would be displaying a full-screen
| notification about why they cannot provide protection for
| British users' data and which party voted for this.
| Krasnol wrote:
| No. Making a stand would be to threaten to leave and
| watch all those influential iPhone users scramble to get
| this law rolled back. Everything else is marketing and
| cowardice.
| musictubes wrote:
| No, this tells the customer that backups to iCloud are
| not secure from the government. Adding the back door
| would make people think that there was more security than
| there was. Transparency is always better than deception.
|
| Dropping the feature that the UK was targeting allows
| their customers to use all the other ways that Apple does
| things. Leaving the UK altogether is the nuclear option
| denying their customers of everything. "Apple should just
| leave the UK/China" never takes into consideration the
| millions of customers that bought or might want to buy in
| the future. Nobody would better off if Apple withdraws
| from a country.
| Krasnol wrote:
| I don't think we both have the same concept of "making a
| stand".
|
| Yes, it would have been the nuclear option, but this is
| Apple. Probably most of the most influential people in
| the UK have an Apple phone. Just saying that you leave
| would cause an avalanche of influence targeted at this
| law. Maybe other companies would have joined them.
|
| This, this is just cover dance and I wish they'd pay for
| this, but they won't and they know it. People locked into
| the Apple bubble only change if it REALLY hurts. This
| doesn't hurt the average Apple user, and those who really
| care moved onto a system they can control themselves.
| troupo wrote:
| > What concerns me more is that Apple is the only company
| audibly making a stand.
|
| They are not making a stand. They roll over without a peep. And
| this is concerning users' privacy which they say is the core of
| the company.
|
| Compare it to fighting every government tooth and nail over
| every single little thing concerning the "we don't know if it's
| profitable and we don't keep meeting records" AppStore
| givinguflac wrote:
| " They roll over without a peep."
|
| What are you talking about? This is literally them doing the
| opposite, and there are multiple other public instances of
| them making a stand, not to mention in the design of their
| systems.
|
| Truly curious how you see this that way.
| troupo wrote:
| "Literally doing the opposite" would be keeping encryption
| on.
|
| Removing encryption for everyone is literally doing the
| opposite of making a stand
| coaksford wrote:
| They had two paths to comply with the law. Silently
| backdoor the worldwide cloud serving every Apple device,
| or loudly tell people in the UK they don't get to have
| security because their government prohibits them. Between
| these two options, this is clearly "making a stand".
|
| It's not as much "making a stand" as telling a major
| government that you have substantial seizable assets
| under their jurisdiction who is a major market you want
| to be in, that you're not going to do the thing that
| their laws say you are required to do, but it's hardly
| simple compliance either, instead of doing what the
| government wants them to do, they are making sure there
| is blowback.
|
| Whether to try to fight it in court likely depends on
| details of case law and the wording of the laws they'd be
| contesting, I imagine much of the delay in their response
| to the demand was asking their lawyers how well they
| think they would fare in court.
| dumbledoren wrote:
| > tell people in the UK
|
| This doesn't affect only people in the UK. It allows
| access to all Apple users' data globally:
|
| > No Heathrow connection necessary. "The law has
| extraterritorial powers, meaning UK law enforcement would
| have been able to access the encrypted iCloud data of
| Apple customers anywhere in the world, including in the
| US" [1].
|
| > https://www.ft.com/content/bc20274f-f352-457c-8f86-32c6
| d4df8...
|
| https://news.ycombinator.com/item?id=43132160
|
| So they can spy on you regardless of where you live even
| in violation of your own country's privacy laws.
| immibis wrote:
| "Not making a stand" would be leaving everything as is, and
| handing your encryption keys over to the government. By
| loudly disabling ADP and saying this feature is illegal in
| the UK (they really should have said "illegal" instead of
| "unavailable" so people would know it was the government),
| they are at least making half a stand. By leaving it enabled
| in other regions and for visitors from other regions to the
| UK, they're making three quarters of a stand.
| troupo wrote:
| > By loudly disabling ADP and saying this feature is
| illegal in the UK
|
| They didn't say anything loudly, or said it was illegal in
| the UK.
|
| All they had was a single comment to a single (or perhaps a
| handful at most) comment to a media outlet that they
| disabled it.
|
| They didn't even bother with a press release, or notify
| their users.
|
| It's not even half a stand. It's a rollover
| alt227 wrote:
| > Apple is the only company audibly making a stand
|
| Apples stand is false, they take with one hand and give with
| the other. There have been many times that Apple have been
| caught giving user data to governments at their request, lied
| about it, then later on admitted it once it had leaked from
| another source.
|
| This whole 'we will never make a backdoor' is a complete
| whitewash marketing stunt, why do they need to make a backdoor
| when they are providing any and all metadata to any government
| on request.
|
| https://www.macrumors.com/2023/12/06/apple-governments-surve...
| jonhohle wrote:
| I think that's the whole point of their push to E2E encrypt
| as much as possible. Saying they can't unencrypted something
| worked for a while.
| lilyball wrote:
| > _There have been many times that Apple have been caught
| giving user data to governments at their request, lied about
| it, then later on admitted it once it had leaked from another
| source._
|
| In other words, Apple complies with legal government orders,
| as they are required to. The government can compel them with
| a warrant to hand over data that they have, and can prohibit
| them from talking about it. That's the whole reason for the
| push towards end-to-end encryption and for not collecting any
| data Apple doesn't need to operate the products. This also
| ties into things like photo landmark identification, where
| Apple designed it such that they don't get any information
| about the requests and so they don't have any information
| that they could be compelled to hand to the government.
| tholdem wrote:
| > What concerns me more is that Apple is the only company
| audibly making a stand.
|
| But still Apple operates in China and Google does not. This is
| weird to me. Google left China when the government wanted all
| keys to the citizens data. Apple is making a stand when it's
| visible and does not threaten their business too much.
|
| Apple is not really in the business of protecting your data,
| they are just good at marketing and keeping their image.
| dclowd9901 wrote:
| Perhaps Apple has a greater leverage in China due to its
| outsized manufacturing presence. And it's likely they already
| dont offer ADP to Chinese citizens.
| bitpush wrote:
| lol you think Apple has more leverage than China? What
| world are you living in?
| raincole wrote:
| A world where HN commentators can read English.
| SXX wrote:
| > And it's likely they already dont offer ADP to Chinese
| citizens.
|
| AFAIK before UK only region with ADP was China.
| vineyardmike wrote:
| > Perhaps Apple has a greater leverage in China due to its
| outsized manufacturing presence.
|
| Perhaps china has greater leverage over apple in this
| case...
|
| China had been an important area of growth for many
| companies during the 2010s. Apple bent over backwards to
| cater to that market. It was discussed in every financial
| release, and they obviously made tons of concessions for
| iCloud.
|
| The UK just comparatively isn't that much revenue, and not
| worth the fallout.
| chii wrote:
| > China had been an important area of growth for many
| companies during the 2010s. Apple bent over backwards to
| cater to that market
|
| and it is the same with european car companies (like
| volkswagon). Look at where they are now.
|
| I don't believe for a second, that china will not oust
| apple the moment there's a good reason to.
| vineyardmike wrote:
| > Look at where they are now.
|
| Apples revenue from china has been super dependent on new
| iPhone looking different, and has been steadily declining
| or flat for years, except for a few quarters when Huawei
| was sanctioned.
|
| Chinese money was absolutely the forbidden temptress that
| continues to screw businesses. Luxury goods, cars,
| electronics, etc were all banking on china's economic
| rise to grow their revenue, and post covid recovery saw
| all that money stay domestic.
|
| China won't oust Apple because twisting Tim Cook's arm is
| way more useful. Same with Tesla and any other company
| that makes a big bet there. But they absolutely won't be
| giving American companies an equal chance at success.
| noirbot wrote:
| China feels like an important difference here though. Google
| leaving China doesn't protect Chinese citizen's data any more
| than Apple turning off ADP in the UK does. As far as I know,
| Apple isn't _pretending_ that the data of Chinese users is
| encrypted from their government, and the way they 're
| complying with the Chinese laws shouldn't impact the security
| of users outside of China.
|
| Apple pulling ADP from UK users is similar - the UK has
| passed an ill-considered law that Apple doesn't think it can
| win a court case over, so they're complying in a way that
| minimally effects the security of people outside the UK. If,
| as someone outside the UK, I travel to the UK with ADP turned
| on, my understanding is it won't disable itself.
|
| Would you have been more satisfied if Apple just pulled out
| of the UK entirely? Bricked every iPhone ever purchased
| there? Google doesn't seem to have made any stand for
| security ever - them pulling out of China feels more to do
| with it meaning they wouldn't have had access to Chinese
| users' data, which is what they really want.
| viraptor wrote:
| > Would you have been more satisfied if Apple just pulled
| out of the UK entirely? Bricked every iPhone ever purchased
| there?
|
| The request/law would be rolled back in minutes in that
| case. They wouldn't dare though. (wouldn't even have to be
| bricking - just disable services like icloud)
| madeofpalk wrote:
| Apple has 40 retail stores in the UK with thousands of
| employees. They have a big new HQ in London where they
| have engineering, etc there.
|
| I cannot see Apple completely shutting down in the UK,
| firing thousands of staff, selling off any property, and
| cancelling leases, just for a week long bargaining chip.
| WhyNotHugo wrote:
| iCloud in China is operated by a local subsidiary. There is a
| dedicated screen explaining this when you set up an iCloud
| account in this region.
|
| They adapt to the local rules of each region, much like
| they're doing here in the UK.
| wrsh07 wrote:
| Eh Google had pretty good reasons to not operate in China
| (not seeing them in this thread, don't recall the details
| precisely enough to relate here)
|
| Apple is deeply embedded in China (manufacturing) and
| benefits from a decent (but shrinking) userbase in the
| country. China isn't asking for the keys to all iphone user
| data, just data stored in China.
| GeekyBear wrote:
| > Google left China when the government wanted all keys to
| the citizens data.
|
| Google left China after China started hacking into Google's
| servers.
|
| > In January, Google said it would no longer cooperate with
| government censors after hackers based in China stole some of
| the company's source code and even broke into the Gmail
| accounts of Chinese human rights advocates.
|
| https://www.nytimes.com/2010/03/23/technology/23google.html
|
| They were working to reenter the China market on China's
| terms many years later, when Google employees leaked the
| effort to the press. Google eventually backed down.
| spoaceman7777 wrote:
| I'd imagine there were multiple factors that went into that
| business decision. Even if this was portrayed as the final
| straw.
| Spooky23 wrote:
| It's different. Apple follows Chinese law to operate their
| services in China, just like Microsoft.
|
| With Google, their services are way broader. Operating a hunk
| of their search business with a third party Chinese firm just
| isn't viable for their services, which are way more complex.
| timewizard wrote:
| I want to buy my phone from a phone manufacturer.
|
| I want to backup my data with a managed service.
|
| I do NOT want these to be the same company.
|
| The government, with anti trust laws, could easily force this
| issue. On the other hand, they really love how few places
| they have to go with FISA warrants to just take anyones data.
| This is the long tail of the American security state. So it's
| really ironic that China takes most of the blame.
| JumpCrisscross wrote:
| > _One scenario would be somebody in an airport and security
| officials are searching your device_
|
| No Heathrow connection necessary. "The law has extraterritorial
| powers, meaning UK law enforcement would have been able to
| access the encrypted iCloud data of Apple customers anywhere in
| the world, including in the US" [1].
|
| [1]
| https://www.ft.com/content/bc20274f-f352-457c-8f86-32c6d4df8...
| kimixa wrote:
| The US claims the same
|
| https://en.wikipedia.org/wiki/CLOUD_Act
|
| Lots of Americans in this thread seem to be talking down to
| other countries laws while being completely unaware of their
| own
| maeil wrote:
| Spot on, 727 comments, most probably by Americans, and only
| 2 (including yours) bringing up the CLOUD Act, the much
| worse US equivalent. Incredible ignorance.
| bustling-noose wrote:
| Providing encrypted data and not providing encryption are
| two different things. The CLOUD act requires you to hand
| over data. It could be encrypted. The UK government is
| asking to hand over data that is also not encrypted. The
| two are not the same. Note : Not American.
| Fnoord wrote:
| > There's no time limit on when you may be searched, so all
| people who ever travelled through British territory could be
| searched by officials.
|
| > Let that sink in for a moment. We're talking about the
| largest back door I've ever heard of.
|
| Codename 'Krasnov' is the largest backdoor _I_ have ever heard
| of. And, we only need to look at his behavior.
|
| These E2EE from USA can be tainted in so many ways, and FAMAG
| sits on so much data, that codename 'Krasnov' can abuse such to
| target whoever he wants in West. Because everyone you know is
| or has been in ecosystem of Apple, Google, or Microsoft.
|
| Whataboutism! Fair. From my PoV, as European, the UK government
| is (still) one of the good guys who will protect Europe from
| adversaries such as those who pwn codename 'Krasnov'. Such
| protection may come with a huge price.
| martin_a wrote:
| > We're talking about the largest back door I've ever heard of.
|
| Meh, I don't know. I can still decide to not go the UK and be
| fine. I think the CLOUD Act is much worse because it's
| independent from where I am.
| h4ck_th3_pl4n3t wrote:
| Remember that the last fiasco was related to 2FA stores being
| stored unencrypted on google's backup cloud, namely google
| authenticator.
|
| And yes, it's still pwnable this way, and happens regularly.
|
| Everything in the cloud is not yours anymore, and you should
| always treat it like that.
| marcprux wrote:
| > you think Google didn't already sign up to this?
|
| My understanding is that Android's Google Drive backup has had
| an E2E encryption option for many years (they blogged about it
| at https://security.googleblog.com/2018/10/google-and-
| android-h...), and that the key is only stored locally in the
| Titan Security Module.
|
| If they are complying with the IPA, wouldn't that mean that
| they must build a mechanism into Android to exfiltrate the key?
| And wouldn't this breach be discoverable by security research,
| which tends to be much simpler on Android than it is on iOS?
| nomel wrote:
| My assumption is that Google has keys to everything in its
| kingdom [1].
|
| [1] https://qz.com/1145669/googles-true-origin-partly-lies-
| in-ci...
| marcprux wrote:
| > My assumption is that Google has keys to everything in
| its kingdom
|
| If that were true, then their claims to support E2E
| encrypted backups are simply false, and they would have
| been subject to warrants to unlock backups, just like Apple
| had been until they implemented their "Advanced Data
| Protection" in 2022.
|
| Wouldn't there have been be some evidence of that in the
| past 7 years, either through security research, or through
| convictions that hinged on information that was gotten from
| a supposedly E2E-protected backup?
| scripturial wrote:
| It is possible to set up end to end encryption where two
| different keys unlock your data. Your key, and a
| government key. I assume google does this.
|
| 1. encrypt data with special key 2. encrypt special key
| with users key, and 3. encrypt special key with
| government key
|
| Anyone with the special key can read the data.the user
| key or the government key can be used to get special key.
|
| This two step process can be done for good or bad
| purposes. A user can have their key on their device, and
| a second backup key could be in a usb stick locked in a
| safe, so if you loose your phone you can get your data
| back using the second key.
| echoangle wrote:
| Would that still count as E2E-encrypted if another party
| has access? That would still count as lying to me.
| lttlrck wrote:
| That depends on the definition of "end".
| tbihl wrote:
| To say nothing of the definition of "definition", or at
| least a common understanding.
|
| https://m.youtube.com/watch?v=gRelVFm7iJE
| blitzar wrote:
| It depends on what the meaning of the word 'is' is
| dtpro20 wrote:
| To call it lying is just arguing about the meanings of
| words. This is literally what lawyers are paid to do. The
| data payload can be called end to end encrypted. You can
| easily say to the user that "your emails are encrypted
| from end to end, they are encrypted before it leaves your
| computer and decrypted on the receivers computer" without
| talking about how your key server works.
|
| Systems that incorporate a method to allow unlocking
| using multiple keys don't usually advertise the fact that
| this is happening. People may even be legally obligated
| to not tell you.
| mirekrusin wrote:
| TIL man in the middle = e2e encryption.
| scripturial wrote:
| E2E encryption is not the same as MITM. You're not adding
| anything useful to the conversation.
|
| E2E encryption is not vulnerable to MITM. E2E encryption
| is vulnerable only to how many keys there are and who has
| access to them.
| chii wrote:
| SO if google still has access in an E2E system, but you
| didnt know, is it still E2E?
|
| What if google told you they also have a key? Does that
| change the above answer to the question?
| echoangle wrote:
| If someone except the communicating parties has access to
| the keys, it's not E2E encrypted anymore though. At least
| according to this definition:
|
| https://en.wikipedia.org/wiki/End-to-end_encryption
| catlifeonmars wrote:
| > To call it lying is just arguing about the meanings of
| words.
|
| Or, as us lowly laypeople call it, lying.
| echoangle wrote:
| Well Wikipedia says this about E2E:
|
| "End-to-end encryption (E2EE) is a method of implementing
| a secure communication system where only communicating
| users can participate. No one else, including the system
| provider, telecom providers, Internet providers or
| malicious actors, can access the cryptographic keys
| needed to read or send messages."
|
| So if you send another set of keys to someone else, it's
| obviously not E2E.
| ptero wrote:
| This is a high level description of intent (by a third
| party), not a legal promise.
|
| This is not enforceable and promises that are not
| enforceable are usually seen by BigCos of today as
| optional. My 2c.
| echoangle wrote:
| Well I wasn't saying I would sue them, I was arguing
| this:
|
| > It is possible to set up end to end encryption where
| two different keys unlock your data. Your key, and a
| government key. I assume google does this.
|
| Which by definition is wrong (unless the government is a
| party in the communication you want to E2E-Encrypt).
| barsonme wrote:
| E2EE means only your intended recipients can access the
| plaintext. Unless you intend to give the government
| access to your plaintext, what you described isn't E2EE.
| mu53 wrote:
| Is that google's definition or your definition? not being
| rude, but its pretty easy to get tricky about this.
|
| Since you are sending the data to google, isn't google an
| intended recipient? Google has to comply with a variety
| of laws, and it is likely that they are doing the best
| they can under the legal constraints. The law just
| doesn't allow systems like this.
| gtirloni wrote:
| What's the intended recipient of your message? It's not
| Google, right?
|
| You're discussing encryption in transit vs encryption at
| rest in this thread.
| mu53 wrote:
| I agree with you, but these abstract technical systems
| have enough wiggle room for lawyers and marketers to bend
| the rules to get what they want
| brookst wrote:
| If Google is employing this "one simple trick", they will
| get sued into the ground for securities fraud and false
| advertising.
| 1oooqooq wrote:
| history already proved you wrong. companies offering
| backdoor to abusive law enforcement are never sued.
|
| they also employ things like exempt cases. for example,
| Whatsapp advertise E2E... but connect for the first time
| with a business account to see all the caveats that in
| plain text just means "meta will sign your messages from
| this point on with a dozen keys"
| brookst wrote:
| It's the lying that gets companies in trouble.
|
| The claim is that Google has implemented a security
| weakness and lied about it in claims to customers and
| investors.
|
| Show me another company that did this, was exposed, and
| was not sued.
| tsimionescu wrote:
| You are extremely naive if you think a company the size
| of Google or Microsoft or Apple will face any serious
| consequence from lying about E2EE actually being open to
| various governments.
|
| They have lawyers aplenty, governments would file amicus
| briefs "explaining" E2EE and so on. Worse case they'll
| settle for a pittance.
| ipaddr wrote:
| Those companies never get sued? Never face class action
| lawsuits either?
| alt227 wrote:
| > It's the lying that gets companies in trouble.
|
| It isnt if the government have asked them to lie.
| wkat4242 wrote:
| Oh thanks. I've never done that before. I'll try that,
| it'll be very interesting to see those disclaimers.
|
| I guess for consumer use all that stuff is hidden in the
| T&C legalese which is unreadable for normal people. I
| know the EU was trying to enforce that there must be a
| TL;DR in normal language but I haven't seen much effect
| of that yet.
| fc417fc802 wrote:
| > E2EE means only your intended recipients can access the
| plaintext.
|
| No, it does not. It means that only endpoints - not
| intermediaries - handle plaintext. It says nothing about
| who those endpoints are or who the software is working
| for.
|
| Key escrow and E2EE are fully compatible.
| barsonme wrote:
| No, it is not. This is precisely why we have the term
| E2EE. An escrow agent having your keys but pinky
| promising not to touch them is indistinguishable from the
| escrow agent simply having your plaintext.
|
| Unless you're fine with the escrow agent and anybody
| they're willing to share the keys with being a member of
| your group chat, in which case my original point still
| stands.
| zxcvgm wrote:
| Well, WhatsApp backups claim they are E2E encrypted, but
| there's a flow that uses their HSM for the encryption
| key, which still feels like some escrow system.
|
| https://engineering.fb.com/2021/09/10/security/whatsapp-e
| 2ee...
| wkat4242 wrote:
| True but you can choose to store the key completely
| yourself. That fixes a big backdoor that's been around
| for ages.
|
| The biggest problem remaining to me is that you don't
| chat alone. You're always chatting with one or more
| people. Right now there's no way of knowing how they
| handle their backups and thus the complete history of
| _your_ chats with them.
|
| It's the same thing as trying to avoid big tech reading
| your emails by setting up your own mailserver.
| Technically you can do it but in practice it's pointless
| because 95% of your emails go to users of Microsoft or
| Google anyway these days.
| fc417fc802 wrote:
| Edit: I think you might be confusing your personal
| intention (ie I wanted this to be private but didn't
| realize the service provider retained a copy of the keys)
| with the intention of the protocol (ie what the system is
| designed to send where). Key escrow is "by design"
| whereas E2EE protects against both system intrusions
| (very much not by design) as well as things like bugs in
| server software or human error when handling data.
|
| > is indistinguishable
|
| Technically correct (with respect to the escrow agent
| specifically) but rather misleading. With E2EE
| intermediary nodes serving or routing a request do not
| have access to it. This protects you against compromise
| of those systems. That's the point of E2EE - only
| authorized endpoints have access.
|
| The _entire point_ of key escrow is that the escrow agent
| is authorized. So, yes, the escrow agent has access to
| your stuff. That doesn 't somehow make it "not E2EE". The
| point of E2EE is that you don't have to trust the infra.
| You do of course have to trust anyone who has the keys,
| which includes any escrow agents.
|
| If we used the definition "only your intended recipients
| can access the plaintext" ... well let's be clear here,
| an escrow agent is very much an "intended recipient", so
| there's no issue.
|
| But lets extrapolate that definition. That would make
| E2EE a property of the session rather than the
| implementation. For example if my device is compromised
| and my (E2EE) chat history leaks suddenly that history
| would no longer be considered E2EE ... even though the
| software and protocol haven't changed. It's utterly
| nonsensical.
| KronisLV wrote:
| > I think you might be confusing your personal intention
| with the intention of the protocol
|
| So what would be the name for a mechanism where escrow is
| deliberately not a part of the design and nobody aside
| from the sender and recipient can access the plaintext
| data, no 3rd parties whatsoever, as long as those two
| participants aren't compromised.
|
| I'm not disagreeing with you but I've heard people talk
| about E2EE while actually thinking it's more like the
| above. There is probably a term for truly private
| communication but I'm sleepy and it eludes me.
| fc417fc802 wrote:
| The literal answer to your question would be "E2EE
| without key escrow" I guess. Or E2EE between just me and
| this single party.
|
| However I don't think that's so much a technical
| mechanism as it is a statement of preference or
| understanding about who you intend to have access to
| something.
|
| To that end, you'll need to define "intended recipient"
| pretty carefully. After all, your intended recipient
| could take a screenshot and share it. Or there could be
| someone in a group chat who isn't participating and you
| forgot was there. Etc.
|
| > There is probably a term for truly private
| communication
|
| I'd argue that E2EE is "truly private" between the
| intended recipients, and that understanding who exactly
| those are is entirely the responsibility of the user.
|
| Of course I recognize that we're talking past each other
| at that point. Your concern seems to be users not
| realizing an escrow agent is present. To the extent they
| might have been deceived about the implementation I'd
| point out that "snuck in an escrow agent" is just the tip
| of the security iceberg. They could also have been
| deceived about the implementation itself. And even if
| they weren't deceived initially, a binary or web app
| could be intentionally updated with a malicious version.
| Does it count as "truly private" if you didn't compile it
| yourself?
| prophesi wrote:
| > Key escrow and E2EE are fully compatible.
|
| Wild to see someone on HN even entertain this idea.
| fc417fc802 wrote:
| It's literally the point of key escrow. My views on a
| given practice are entirely irrelevant to the definition
| of the relevant terminology.
| prophesi wrote:
| With key escrow, by definition you can only implement
| end-to-many-ends encryption.
| fc417fc802 wrote:
| TIL group chats can't be considered E2EE. /s
| baq wrote:
| Wild to think otherwise.
| tredre3 wrote:
| Manufacturers have lied about E2EE since the beginning.
| Some claim that having the key doesn't change that it's
| e2ee. Others claim that using https = e2ee, because it's
| encrypted from one end to the other, you see? (A recent
| example is Anker Eufy)
|
| The point is that the dictionary definition of E2EE
| really doesn't matter. Being pedantic about it doesn't
| help. The only thing that matters is that the vendor
| describes what they call E2EE.
| GoblinSlayer wrote:
| Google intends you and the government as recipients of
| data here.
| hot_gril wrote:
| Yes, but going by that, most messaging services
| advertised as "E2EE" are already not E2EE by default. You
| trust them to give you the correct public keys for peer
| users, unless you verify your peers in-person. Some like
| iMessage didn't even have that feature until recently.
| immibis wrote:
| Sure is - three ends - you, the intended recipient, and
| the government.
| DarkmSparks wrote:
| I expect this is what they are all doing tbh, although
| isnt google open source? should be checkable, if the
| binaries the distribute match the source... oh...
|
| "a special key" afaik is where instead of using 2 large
| primes for a public key, it uses 1 large prime and the
| other is a factor of 2 biggish primes, where 1 of the
| biggish is known, knowing one of the factors lets you
| factor any public key with a not insignificant but still
| more compute than most people have access to.
|
| UK has also invested in some serious compute that would
| appear dedicated to exactly this task.
|
| basically if you dont have full control over the key
| generation mechansim and enc/dec mechansim it is
| relatively trivial for states to backdoor anything they
| want.
| hilbert42 wrote:
| _" ...two different keys.... Your key, and a government
| key. I assume google does this."_
|
| With the present state of politics--lack of both
| government and corporate ethics, deception, availability
| of much fake news, etc.--there's no guarantee that you
| could be certain of the accuracy of any information about
| this no matter what its source or apparent authenticity.
|
| I'd thus suggest it'd be foolhardy to assume that total
| privacy is assured on any of these services.
|
| BTW, I don't have need of these E2E services and don't
| use them, nor would I ever use them intentionally to send
| encrypted information. That said, occasionally, I'll send
| a PDF or such to say a relative containing some personal
| info and to minimize it being skimmed off by all-and-
| sundry--data brokers, etc. I'll encrypt it, but I always
| do so on the assumption that government can read it
| (that's if it's bothered to do so).
|
| Only fools ought to think otherwise. Clearly, those in
| the know who actually require unbreakable encryption use
| other systems that are able to be better audited. If I
| were ever in their position, then I'd still be suspicious
| and only out of sheer necessity/desperation would I send
| an absolute minimum of information.
| scripturial wrote:
| Yes. There is no ability to know one way or the other if
| Google, and similar services retain a secondary way to
| access decryption key. In light of this the only option
| is to _assume_ they have the capability.
|
| Given the carefully crafted way companies describe their
| encryption services, it seems more likely than not they
| have master keys of some sort.
| pinoy420 wrote:
| > I don't care for encryption or need it
|
| > encrypts a pdf sent to tech illiterate family members
| hilbert42 wrote:
| From where did you get both _' care'_ and _' illiterate'_
| -- words that I never used?
|
| Not only have you misquoted me, but also you've attempted
| to distort what I actually said by changing its
| inference.
| KronisLV wrote:
| > ...there's no guarantee that you could be certain of
| the accuracy of any information about this no matter what
| its source or apparent authenticity.
|
| In any case like this, the only thing you could truly
| trust would be the source code and even then you'd have
| to be on the lookout for backdoors, which would
| definitely be beyond my own capability to spot.
|
| In other words, the best bet is to probably only use open
| source solutions that have been audited and have a good
| track record, wherever available. Not that there are
| _that_ many options when it comes to mobile OSes,
| although at least there are some for file storage and
| encryption.
| hilbert42 wrote:
| Obviously, that's the ideal course of action but I'd
| reckon that in practice those who would have both a good
| understanding of the code as well as the
| intricacies/strengths of encryption algorithms _and_ who
| also have need to send encrypted messages is vanishing
| small--except perhaps for some well-known government
| agencies.
| anakaine wrote:
| Just because something you do today is legal and not a
| cause for scrutiny does not mean the same will be true
| tomorrow.
|
| We have seen this many times throughout history, where
| people like academics, researchers, teachers, people of
| particular faith, etc are targeted and each of them has
| some sort of "evidence" produced as to some sort of crime
| they have committed either in the present or past to
| justify their arrest.
|
| The group who needs it today may be small, but having it
| on and secure by default for all is a far better
| protection than any justification that the current need
| is small.
| menacingly wrote:
| I don't know the particulars, but in general, silence
| around a massive tech company on warrants does not mean
| "they said no and the feds decided to leave them alone"
| reshlo wrote:
| Is the source code for every binary blob present on an
| Android device available for inspection, and is the code
| running on every Android device verifiable as having been
| built from that source?
|
| > or through convictions
|
| If they wanted to use this evidence for a normal criminal
| case, they would just do parallel construction.
| dylan604 wrote:
| Would it be possible that they feel that the revelation
| of this backdoor would be too big of a loss so that any
| of these theoretical cases of the past 7 years have used
| parallel construction to avoid revealing the encrypted
| data was viewed?
| catlifeonmars wrote:
| That's a big and brittle conspiracy. You have to have
| little to no defectors. It's not a stable equilibrium
| jiggawatts wrote:
| A trivial method for circumventing code review is to
| simply push a targeted update of the firmware to devices
| subject to a government search order.
|
| There are no practical end-user protections against this
| vector.
|
| PS: I strongly suspect that at least a few public package
| distribution services are run by security agencies to
| enable this kind of attack. They can distribute clean
| packages 99.999% of the time, except for a handful of
| targeted servers in countries being spied upon. A good
| example is Chocolatey, which popped up _out of nowhere_ ,
| had no visible source of funding, no mention of their
| ownership structure anywhere, and was incorporated along
| with hundreds of other companies in a small building in
| the middle of nowhere. It just _screams_ of being a CIA
| front, but obviously that 's hard to prove.
| jen20 wrote:
| > Chocolatey, which popped up out of nowhere
|
| Chocolatey assuredly did not "pop up out of nowhere" - it
| was a labour of love from Rob Reynolds to make Windows
| even barely usable. It likely existed for years before
| you ever heard of it.
|
| > had no visible source of funding
|
| Rob was employed by Puppet Labs to develop it until he
| started the commercial entity which now backs it.
|
| > a small building in the middle of nowhere.
|
| As I recall, Rob lives in Topeka, Kansas. It follows that
| his business would be incorporated there, no?
| jiggawatts wrote:
| There was no evidence of any of this on the website until
| recently (maybe 2 or 3 years ago?), and I did look at
| every page on there. Similarly, I searched on Google for
| a while and raised the question in more than a few
| forums. I dug through the business registration records,
| etc... and found none of the above.
|
| Sure, _now_ , they have staff photos and the actual names
| of people on their about page, but just a few years ago
| it was almost completely devoid of information: https://w
| eb.archive.org/web/20190906125729/https://chocolate...
|
| Look at it from the perspective of a paranoid sysadmin
| half way around the world raising a quizzical eyebrow
| when random Reddit posts mention how convenient it is,
| but it's distributing binaries to servers with absolutely
| no obvious links back to any organisations, people, or
| even a legitimate looking business building.
| brookst wrote:
| The end user protection is to sign updates and publish
| the fingerprints. It should not be possible for one
| device to get a different binary than everyone else.
| autoexec wrote:
| > Wouldn't there have been be some evidence of that in
| the past 7 years, either through security research, or
| through convictions that hinged on information that was
| gotten from a supposedly E2E-protected backup?
|
| I wouldn't count on it. The main way we'd know about it
| would be a whistleblower at Google, and whistleblowers
| are extremely rare. Evidence and court records that might
| expose a secret backdoor or that the government was
| getting data from Google that was supposed to be private
| could easily be kept hidden from the public by sealing it
| all away for "national security reasons" or by obscuring
| it though parallel construction.
| catlifeonmars wrote:
| People are incredibly bad at keeping secrets. And there
| are a LOT of people at Google. I don't buy it.
| ChrisMarshallNY wrote:
| That's why Rule #1 of Security, is limit access;
| regardless of clearance.
|
| Which explains why there's all these security levels
| above "Top Secret," which is really just a baseline.
| GoblinSlayer wrote:
| Google can just borrow a certified encryption library
| elsewhere.
| autoexec wrote:
| There were a lot of people working for the NSA besides
| snowden, but none of them blew the whistle even though
| some of the programs he exposed had been around for 12
| years. There were a whole lot of people working at AT&T
| but employees weren't lining up to tell us about Room
| 641A (https://en.wikipedia.org/wiki/Room_641A) before
| Mark Klein. How did everyone else manage to be kept
| quiet? The details about MKUltra and the Manhattan
| Project were successfully kept a secret for _decades_
| before eventually being declassified.
|
| It'd be a huge mistake to look at the instances where
| somebody did come forward and spill a secret and assume
| that it means secrets aren't possible to keep or that
| there are no secrets being kept right now. It's may not
| be easy to keep a secret, but governments and
| corporations are extremely well practiced and have many
| documented successes.
| ajb wrote:
| It's worth noting that what the security services _don
| 't_ have access to is as secret as what they do have
| access to. According to the late Ross Anderson, for many
| years the police were unable to trace calls (or was it
| internet access?) on one of the major UK mobile networks,
| because it had been designed without that and in such a
| way that it was hard to retrofit. This was considered
| highly confidential, lest all the drug dealers etc switch
| to that network.
| autoexec wrote:
| My assumption is that the NSA does too.
| yellow_lead wrote:
| This would mean no independent security researcher has ever
| taken a look at Google Drive's E2EE on Android. Or those
| that did missed the part where the key is uploaded.
|
| It's possible to decrypt this network traffic and see if
| the key is sent. It may be obfuscated though.
| foota wrote:
| That's a bit silly seeing as e.g.,
| https://www.npr.org/sections/thetwo-
| way/2014/03/20/291959446...
| GeekyBear wrote:
| Google didn't announce that they could no longer process
| geofence warrants because they no longer stored a copy of
| user location data on their servers until last October.
|
| How much good does an encrypted device backup do when
| harvesting user data and storing it on your servers (to
| make ad sales more profitable) is your entire business
| model?
| skybrian wrote:
| The linked article makes a lot of assumptions about the
| "Massive Digital Data Systems Program". It seems this
| program existed. For example, here is a 1996 paper [1]
| about research funded by the "Massive Digital Data Systems
| (MDDS) Program, through the Department of Defense."
|
| But it's not clear that funding for early research into
| data warehousing (back when a terabyte was a lot of data)
| has anything to do with whether or not Google uses end-to-
| end encryption? Lots of research got funded through the
| Department of Defense.
|
| Without having relevant evidence, this is just "let's
| assume X is true, therefore X is true."
|
| [1] https://papers.rgrossman.com/proc-047.htm
| tim333 wrote:
| I doubt it. Much to my annoyance they moved Google Maps
| Timeline from their database to an encrypted copy on my
| phone specifically so if law enforcement asks for the
| records of where you were at a given time and place they
| can say dunno, can't tell. If they had the keys it would
| wreck their legal strategy not to get hassled every time
| law enforcement are trying to track someone.
| thelittleone wrote:
| Could that be true and at the same time a 'vulnerability'
| exists that megacorp is party to?
| EduardoBautista wrote:
| Apple's ADP is not E2E for only its backups, it's E2E for
| _everything_ in iCloud Drive and a few other iCloud services.
| j-krieger wrote:
| Even more shocking that Germany - my country - leads the
| leaderboard with over ten times as much requests as the second
| place.
| zahllos wrote:
| I don't really understand your comment to be honest. Section 3
| of the Regulation of Regulatory Powers Act 2000 allows for
| compelled key disclosure (disclosure of the information sought
| instead of the key is also possible). Schedule 7 of the
| Counter-Terrorism Act allows 9 hour detention, questioning and
| device search at the border. With these powers it isn't
| necessary to get access to iCloud backups, as you can get the
| device and/or the data.
|
| I don't think the e2e icloud backup is problematic under
| existing legislation / before the TCN. While you can't disclose
| the key because it lives in the secure enclave, you can
| disclose the information that is requested because you can log
| into your apple account and retrieve it. IANAL, but I believe
| this to be sufficient (and refusing would mean jail).
|
| The Investigatory Powers Act allows for technical capability
| notices, and the TCN in this case says (as far as we know)
| "allow us a method to be able to get the contents of any iCloud
| backup that is protected by E2EE for any user worldwide". This
| means that there is no need to ask the target to disclose
| information and if implemented as asked, also means that any
| user worldwide could be a target of the order, even if they'd
| never been to the UK.
|
| Relevant info:
|
| -
| https://wiki.openrightsgroup.org/wiki/Regulation_of_Investig...
| Aloisius wrote:
| I imagine they want the ability to look at someone's iCloud
| backups without notifying the owner that they are doing so or
| they want to do it when the owner is unwilling or unable to
| provide keys.
|
| For the latter, there are a lot of cases where jail isn't
| much a threat (e.g. the person is dead or not in the
| country).
| zahllos wrote:
| Also given automatic iPhone backup it might contain
| information they want as part of an investigation that
| they'd otherwise have to demand key disclosure for (if
| cloud backup didn't exist)... Absolutely.
|
| The jail time for failure to comply with key disclosure is
| 2 years unless it is national security, then it is 5. But
| if you're organised crime and facing who knows what for
| being a snitch it might be better simply to do the time.
|
| I can see why they want it. I just don't understand why the
| person I'm replying to said the feature (I think) was
| problematic. Not really a criticism, I'm just struggling to
| identify the tone and why 'too right' and 'more problematic
| than they let on'.
| endgame wrote:
| "technical capability notice" under the Investigatory Powers
| Act (IPA)
|
| Sounds a lot like the godawful "assistance and access" laws
| that were rushed through in Australia a couple of years ago,
| right down to the name of the secret instrument sent to the
| entity who gets forced into to building the intercept
| capability.
|
| Now that Apple has caved once, I expect to see other providers
| strongarmed in the same way, as well as the same move tried in
| other countries.
| osigurdson wrote:
| What is going on in the UK? How do they stand for this?
| nomdep wrote:
| When "misinformation" or "hate speech" are illegal, and the
| government decides what those are, you cannot risk
| complaining
| vixen99 wrote:
| Irrespective of political leanings, a lot of British people
| are saying this. They stand for it because they have to. It's
| a government that was voted in by a large margin only six
| months ago. Disquiet, if that's the word, is pretty much
| universal and I am not sure we've been quite in this position
| before. Keir Starmer's decline in approval ratings 'marks the
| most substantial post-election fall for any British prime
| minister in recent history'.
|
| https://politicalpulse.net/uk-polls/keir-starmer-approval-
| ra...
| jamiek88 wrote:
| This is a law enacted by the previous government.
| osigurdson wrote:
| Did Starmer run on this big brother type platform?
| JansjoFromIkea wrote:
| By a large margin with their seat count doubling off a 1.6%
| swing in their favour. The decline in approval ratings
| should have been entirely predictable to them.
| firecall wrote:
| Also, I wondered if by complying with British law that they may
| somehow be breaking laws of another country?
|
| Hypothetically, if Apple just provide a back door to the data
| they have on US Senators for instance, then providing that
| information may be considered treason by the US.
|
| That's a totally made up example, and I have no idea, but it
| seems like it's possibly an issue.
|
| Which is all about the issues around data sovereignty I
| suppose!
| Zamiel_Snawley wrote:
| That would not be treason, by a long shot.
|
| Treason is the only crime defined in the constitution, and it
| is quite a high bar.
| Spooky23 wrote:
| The king is a strict constitutionalist, who may disagree
| with you/ Pray he doesn't.
| thaumasiotes wrote:
| > Treason is the only crime defined in the constitution,
| and it is quite a high bar.
|
| Well, it's defined, or bounded above, in the constitution.
| It's not exactly a high bar:
|
| > Treason against the United States, shall consist only in
| levying War against them, or in adhering to their Enemies,
| giving them Aid and Comfort.
|
| So, if you happened to know Nicolas Maduro, thought he was
| looking stressed, and bought him some food, that would
| qualify as treason. There's no requirement that you act
| against the interests of the United States. The
| constitution will stop you from being prosecuted for
| treason for sleeping with Melania Trump. It won't stop you
| from being prosecuted for treason for completely spurious
| reasons.
| wkat4242 wrote:
| Treason is a very heavy charge and as far as I know it
| applies more to individuals. Can a company be prosecuted for
| treason? I guess it depends on the country and I don't know
| US law well (never even visited there)
|
| But I'm sure local laws conflict heavily between countries
| yes. I'm often wondering how multinationals manage to
| navigate this maze. This is why we have such a big legal
| department I guess :) And the company I work for is a pretty
| honest one, I've never seen any skullduggery going on with eg
| privacy or media manipulation. In fact employees are urged to
| report such things and I have to do a course on responsible
| behaviour yearly. Probably a result of being purely B2B. But
| anyway I digress, just wanted to say that getting away with
| stuff does not seem to be the reason for us having a big
| legal dept.
|
| But just look at the laws of e.g. the EU and Iran. Pretty
| diametrically opposed on many topics. There's no way to
| satisfy them both.
|
| I think what helps to make this happen is that most countries
| don't try to push their laws outside of their jurisdiction.
| Which the UK is trying to do here.
| bustling-noose wrote:
| You have no laws when traveling through immigration. Thats true
| in US too. There was an article (trying to look for it could be
| arstechnica verge I dont remember where) once where a US
| citizen journalist was detained at the border for hours while
| traveling into the US and questioned. You can be in the
| immigration for hours or even decades until you give out what
| they demand which can involve your unlocked phone and password.
| There are no laws protecting you.
| dunham wrote:
| > the largest back door I've ever heard of.
|
| Do you know of the clipper chip?
| https://en.wikipedia.org/wiki/Clipper_chip
|
| From what I recall, we were only spared from it by someone
| hacking it before it was deployed.
| bboygravity wrote:
| And now imagine for a second that the only thing the UK is
| doing here is getting the same direct access that the US (NSA)
| has already had for decades.
| HenryBemis wrote:
| What I fund 'amusing' is the swap between Left vs Right.
|
| 'Back in the day' it was the "Right" that wanted have total
| access/total control over everything. So people turned a bit
| "left". Now the "Left" government is seeking totalitarian-style
| control ('because paedophiles/drugs/etc.).
|
| As a reminder, both Right and Left extremes went from
| 'liberal/conservatives' to "we don't need elections ever again
| - trust me!".
|
| I saw this happening in the US, in Saudi (e.g. Blackberry
| 'keys'). Now I see it in the UK. So I interpret this in two
| ways: 1) The "Left is the new Right" (or "Right is the new
| Left") 2) Left and Right are irrelevant terms when it comes
| down to "we need to exert control over
| people/knowledge/data/information/etc. And the 'guise' of
| Left/Right is just on the fiscal policies. So UK has been
| playing around with 'snooper charter' but at 'that' time
| Apple's encryption was not on the table.
|
| Apple (I don't blame them - very much - just a little) does
| what a company does. Makes money. And they prefer to sell-out
| the data of their clients and keep their money, than lose that
| money.
|
| So... yeah.. if your data is in someone else's server, that
| happens.
| sib wrote:
| >> 'Back in the day' it was the "Right" that wanted have
| total access/total control over everything.
|
| It was the Clinton administration that pushed for the Clipper
| chip.
|
| Are you talking about a 'day' before that time?
| abalone wrote:
| _> One scenario would be somebody in an airport and security
| officials are searching your device under the Counter Terrorism
| Act_
|
| No, it's much broader than that. The UK is asking for a
| backdoor to your data and backups in the cloud, not on your
| device. Why bother with searching physical devices when they
| can just issue a secret subpoena to any account they want?
|
| It's actually pretty amazing that Apple made ADP possible for
| the general public. This is the culmination of a major
| breakthrough in privacy architecture about ten years ago.
|
| Traditionally you had to make a choice between end-to-end
| encryption and data recoverability. If you went with E2EE, it's
| only useful if you use a strong password, but if you forget it
| then Apple can't help you recover your account (no password
| reset possible). So that was totally unsuitable for precious
| memories like photos for the average user.
|
| Apple's first attempt to make this feasible was a recovery key
| that you print out and stuff in a drawer somewhere. But you
| might lose this. The trusted contact feature is also not
| totally reliable either, because chances are it's your spouse
| and they might also lose their device at that same time as you
| (for example in a house fire).
|
| So while recovery keys and trusted contacts help, the solution
| that _really_ made the breakthrough for ADP was iCloud Keychain
| Backup. This thing is low-key so cool and kind of rips up the
| previous assumptions about E2EE.
|
| iCloud Keychain Backup makes it possible to recover your data
| with a simple, weak 6 digit passcode that you are virtually
| guaranteed never to forget, yet you are also protected from
| brute force attacks on the server. It is specifically designed
| to work on "adversarial clouds" that are being actively
| attacked. This is... sort of not supposed to be possible in the
| traditional thinking. But they added something called hardware
| security modules to limit the number of guesses an attacker can
| make before it wipes your key.
|
| And crucially it ensures you don't forget this passcode because
| it's your device passcode which the OS keeps in sync with the
| backup key. This is part of the reason your iPhone asks you to
| enter your passcode now and then even though your biometrics
| work just fine.
|
| It is a true secret that only you know and can keep in your
| brain even when your house burns down and nobody (hopefully)
| can derive from something they can research about you. This
| didn't really exist for the general populace until smartphones
| came along. And that ultimately was the breakthrough that
| allowed for changing the conventional wisdom on E2EE.
|
| iCloud Keychain Backup came out about a decade ago and it has
| taken this long to gradually test the feasibility of going 100%
| E2EE without significantly risking customer data loss. The UK
| is kind of panicking but when people see how well ADP protects
| their most personal data from breaches, I think they will
| demand it. It just wasn't practical before.
| prmoustache wrote:
| > What concerns me more is that Apple is the only company
| audibly making a stand.
|
| Dropping the functionality for a particular market hardly
| equals to making a stand. Sure they haven't added a backdoor
| that would give all user's data access to UK icloud user's data
| so in the end UK residents didn't win anything.
|
| And who knows if they simply have an agreement with US gov to
| have a backdoor only available to them and not the other govs.
| neop1x wrote:
| For photos, it's probably best to use an open-source (also
| self-hostable) service like Ente. For files it's best to self-
| host Nextcloud or similar. And rely on other people's computers
| as little as possible. Sadly, operating systems are very
| complex and mostly composed of proprietary blobs nowadays so
| there is still a risk of it leaking data but people can still
| do at least something.
| chatmasta wrote:
| Ugh. Is this by App Store country? Anyone know what happens if I
| already have it configured? I'm actually in US App Store region
| and sometimes switch to UK... I wonder if that would disable it.
| drcongo wrote:
| Could any hackers on here now please hack the fuck out of UK
| government ministers please?
| alecco wrote:
| I doubt it would play out like you think.
| wackget wrote:
| So instead of building a back door they're just completely
| removing the option to use E2E encryption altogether, thus making
| everything freely available to government by default?
|
| How is that not worse or at least equivalent to a back door?
| wonderwonder wrote:
| The UK requested the backdoor for all users, not just UK
| citizens.
| mholt wrote:
| No illusion of privacy.
| roughly wrote:
| They're just pulling the feature in the UK. If they put in a
| back door, they're pulling the feature for everyone.
| ziddoap wrote:
| > _How is that not worse or at least equivalent to a back
| door?_
|
| It's bad for the citizens of the UK and better for everyone
| else on the planet with an iPhone. UK citizens should be angry
| with their government, not Apple.
| poisonborz wrote:
| Much better than a false sense of security. Customers know what
| they get, and can choose other products instead of being
| confused or cheated.
| incorrecthorse wrote:
| It _is_ equivalent to a back door, that's the point. The UK
| demand can be accessed more rapidly and properly by disabling
| the feature than by implementing a backdoor, since it is the
| same thing.
| varispeed wrote:
| Many departments use iphones. I wonder how it will affect
| government security or government employees will be exempt?
| Eavolution wrote:
| What are you actually supposed to do in the UK if you oppose this
| sort of thing to stop laws like this coming in? It feels like the
| government has been incredibly out of touch for the last number
| of years.
| redox99 wrote:
| I would guess you'd vote a libertarian party.
| Apfel wrote:
| Probably the best on the civil liberties front are the
| Liberal Democrats (they were pretty good at quashing
| mandatory national ID cards back in the day, at least).
|
| That being said, they still have a lot of folk angry at them
| for allowing university fees to be introduced 15 years ago
| when they were in coalition government (a Tory policy!).
| IneffablePigeon wrote:
| Join the ORG for starters. Contact your MP. But yes, the number
| of people who care is small and so things will not change until
| it is large.
| i2km wrote:
| You get the hell out and emigrate. I did so last year. It's not
| going to get better chap
| globular-toast wrote:
| Where did you go?
| maeil wrote:
| > It feels like the government has been incredibly out of touch
| for the last number of years.
|
| Did you vote for any single one of them?
|
| If you did, then what you're supposed to do is stop voting for
| Tory-lite governments (such as the current one).
|
| If you didn't vote for any of these governments (including this
| one), everything else that you could do would be dangerous
| nowadays.
| wonderwonder wrote:
| The UK wanted access to anyone's data. Not just UK citizens and
| then additionally added regulations forbidding apple to disclose
| this.
|
| UK is ~3-4% of apples income. While I appreciate Apples actions
| here, I wish they would make a real stand here and pull
| completely out of the UK.
| mtrovo wrote:
| I really wish they would sit down and negotiate this more
| openly. The silence from the other players is what really makes
| me uncomfortable. The fact that only Apple is making a stand
| against this ask is really scary.
| wonderwonder wrote:
| Agreed, the UK is speed running 1984 right in front of us.
| kobieps wrote:
| Only three (well, now four) mentions of 1984 in the
| comments tells you all you need to know
| wonderwonder wrote:
| sorry friend, I am actually not sure what you mean by
| this comment. Not sure if you are agreeing or disagreeing
| :) Apologies, probably my fault.
| ta8645 wrote:
| Free speech already under threat and now y'all are giving up the
| right of private communication too? For anyone cheering this on,
| do you honestly think this will only affect the "bad people", and
| you'll never have your own neck under the government's boot? Even
| if you trust the government today, what happens when your
| neighbors elect a government you disagree with ideologically?
| multimoon wrote:
| I don't think anyone is cheering this on.
| mihaaly wrote:
| Instead of the word cheering we could use letting.
|
| Bad people flourish over the inaction of good people.
|
| (but yes, there are always several who protect and argue for
| things risking their own and everyone's livelihood, exposing
| themselves to shady elements, along singled out and elevated
| thin aspects, cannot understood why)
| int_19h wrote:
| Many people do, unfortunately, so long as it's framed as
| "only terrorists and pedophiles need encryption that cops
| can't break".
| botanical76 wrote:
| How do we actually beat this narrative? I've been proposing
| a E2EE-based chat application to my friend, and they asked
| me a similar question: won't it just be rife with
| pedophiles? How can you make a platform that will be used
| to that means?
|
| I have strong views about privacy as a fundamental human
| right, but I don't know how to answer that question. I
| certainly don't want to make the world worse, but this
| feels like a lesser of two evils type of deal: either make
| it even harder to catch bad actors, such as child abusers,
| or make it plausible that your government take away your
| freedom forever.
| pacifika wrote:
| I suppose it is conflating lack of trust in government /
| law enforcement with criminal matters.
|
| Don't give power over yourself to people with a proven
| history of misusing it, according to your values. You
| don't have to look hard for examples.
| Funes- wrote:
| Most politicians are.
| ohnoitsahuman wrote:
| Let's vote Labor and Liberal to keep the UK from going fascist on
| our data.
|
| Oh wait....shit.
| basisword wrote:
| This was done under the Investigatory Powers Act which was
| brought in in 2016. Saying that Labour weren't exactly against
| it at the time. Point being snooping isn't left or right - they
| all love it.
| switch007 wrote:
| Labour are not anti authoritarian. Often quite pro
| b800h wrote:
| The party most likely to cut this stuff out is Reform, although
| they'd probably be closer to ambivalent about it.
| spacebanana7 wrote:
| I'm pretty sure Reform would scrap this stuff, given the
| belief their part of politics has been a victim of these
| laws.
|
| Also worth considering Lib Dem if you're not into right wing
| politics- they did vote against the relevant investigatory
| powers act back in 2016.
| JansjoFromIkea wrote:
| UKIP/Brexit/Reform as a vehicle to hold large influence over
| politics from outside Westminster might.
|
| I would imagine the party's attitudes on a myriad of things
| would shift if they were in power though.
| rvz wrote:
| They got what they voted for and now that those voters are
| surprised?
|
| It's really hilarious to try to blame previous governments for
| such unpopular moves like this one.
|
| If Labour was any better, then they would never have used the
| Investigatory Powers Act to force Apple to take actions such as
| this.
|
| For those who thought Labour would never do this, should just
| admit that this move was done under Labour and they are no
| better than the Tories.
| JansjoFromIkea wrote:
| The Blairite wing of that party has always been extremely bad
| with this kind of thing (see Tony Blair's obsession with ID
| cards over the decades) so it's unsurprising they'd push
| something like this.
| ilumanty wrote:
| What exactly can UK users do now? Turn off "backup iPhone to
| iCloud" and stop syncing notes?
| buildbot wrote:
| If you have ADP, Leave it on and have them automatically delete
| it at some point? Otherwise yes.
|
| "Customers who are already using Advanced Data Protection, or
| ADP, will need to manually disable it during an unspecified
| grace period to keep their iCloud accounts, according to the
| report. Apple said it will issue additional guidance in the
| future to affected users and that it "does not have the ability
| to automatically disable it on their behalf."
| GeekyBear wrote:
| UK users can still perform an encrypted backup to their local
| PC or Mac.
| Jackknife9 wrote:
| I'm going to start purging anything I store on the cloud. I'm not
| doing anything illegal, but why does the government want to treat
| me like I am.
| docmars wrote:
| Indeed. Time to leave the panopticon!
| dsmurrell wrote:
| _disables apple cloud sync_
| tw600040 wrote:
| Ok, I am not very technical. Can someone help me understand this.
| I don't have Advanced data Protection on. Does that mean UK Gov
| can see my data now?
| itishappy wrote:
| Potentially. It really just means your data is stored
| unencrypted, so anybody that has access to Apple's servers can
| access your data. I don't believe any government has open
| access to Apple's servers, but they can get a warrant.
| tw600040 wrote:
| I just realized ADP is not same as Lockdown mode. which Apple
| mentioned that only people that are likely to be targets need
| to turn on.
|
| Now I don't see any reason why I shouldn't turn ADP on.
| Turning on now.
| frizlab wrote:
| They always could. With advanced data protection they could
| not. The law mandated to add a backdoor to allow the government
| to also see encrypted data (which made the encryption insecure
| by definition). Apple refused to comply so you don't even have
| the option to encrypt your backups now.
| tene80i wrote:
| It means Apple has the encryption keys to your backed-up data.
| So they can, in theory, access it, if the UK Gov demands that
| they do. That might never happen to you, but with ADP it would
| have been impossible, because even Apple can't access it.
|
| See https://support.apple.com/en-us/102651
| Goleniewski wrote:
| Think about it.. You don't even have to be an Apple user to be
| affected by this issue. If someone backs up their conversations
| with you to apple cloud, your exchange is now fair game. You get
| no say in it either.
|
| We all lose.
| noahjk wrote:
| Very similar to sites like LinkedIn, which ask you to share
| your personal info & contact list.
|
| I don't want to share my contact details, but the second
| someone I know decides to opt in, I lose all rights to my own
| data as they've shared it on my behalf.
|
| Maybe they have other info, such as birthday, home address,
| other emails or phone #s, etc. stored for me, which is all fair
| game, as well.
| folmar wrote:
| If you are in EU, request your data be redacted.
| freeqaz wrote:
| That's why it's important to use apps like Signal where you can
| set the retention of your messages. I've got everybody I know
| using it now!
| madeofpalk wrote:
| Given historical backups are the norm here, retention only
| does so much.
|
| Really, apps should encrypt their own storage with keys that
| aren't stored in the backups. That's how you get
| security/privacy back.
| cma wrote:
| Many people want control over whether they back up
| conversations with others, and think it would be crazy for
| sender to control the retention policy instead of receiver.
|
| I think sender should just be able to send a recommended
| preference hint on retention and you could have an option
| to respect it or not.
| buran77 wrote:
| > That's how you get security/privacy back.
|
| Nothing an app does on a device guarantees you security or
| privacy if you don't trust or fully control the device.
| Aachen wrote:
| Yes, but they'd have to issue another one of these
| snooping demands to either the app's developer (there's
| loads of developers so this would get out of hand
| quickly) or to Apple to patch the build or read the
| memory or something to get the unencrypted data
|
| This current demand isn't blanket access to your device,
| it's access to things uploaded to Apple's online storage
| service. Having to get a backdoor that works with every
| app's encryption takes a lot more work while running the
| data through an authenticated encryption algorithm is
| relatively trivial for a developer
| hugh-avherald wrote:
| Setting a retention time out is playing with fire. If the
| police get ahold of the other party's device, and present an
| exhibit which they say contains the true conversation, you
| could be worse off than if you retained the conversation. The
| fact that you have since deleted it could be incriminating.
|
| In some jurisdiction, yes, legally, such evidence might not
| be probative, but you might still convicted because of it.
| fdb345 wrote:
| message retention has literally NEVER been used as
| incrimination in a court of law. So you are wrong.
| sangeeth96 wrote:
| Umm, isn't this related?
| https://www.theverge.com/2024/4/26/24141801/ftc-amazon-
| antit...
| nickburns wrote:
| No. That's a civil discovery matter.
| dvtkrlbs wrote:
| I don't think so. Corporate communication is bound by
| different laws and you have way higher burden of evidence
| in case of legal requests. I don't think this creates a
| precedent for personal communications.
| bunderbunder wrote:
| This isn't Amazon getting in trouble for implementation
| of a routine records retention policy. It's Amazon
| getting in trouble for violating a document retention
| mandate related to an ongoing lawsuit.
| the_other wrote:
| Yes, but if I'm reading it right, Amazon staff were
| already inder instruxtion to retain and share data
| relevant to an ongoing investigation. They were aware of
| the process and, if the article is to be believed, worked
| against the instructions.
|
| That's quite different from turning disappearing messages
| on when you're not explicitly under insteuctions to keep
| records.
| vuln wrote:
| The retention time can be set by individual conversation
| not just the whole app.
| nickburns wrote:
| Ephemeral messaging is not a crime.
| fdb345 wrote:
| In a world where they cancel encryption they can't access...
| doesn't Signal and its CIA funded origins concern you?
| HumblyTossed wrote:
| Nope. I actually think that would bring more scrutiny and
| so I feel safer knowing it's not be cracked.
| fdb345 wrote:
| interesting and illogical reply
| HumblyTossed wrote:
| No more illogical than trusting Apple's security because
| it is ... Apple.
| fdb345 wrote:
| Well, here you are discussing why UK law needed a pass
| because they are literally blocked by Apples security.
| Talk about Low IQ
| HumblyTossed wrote:
| Thanks for the attack on my IQ. I see I have nothing to
| worry about.
| sneak wrote:
| I use a patched Signal client that disables retention
| deletion and remote delete messages.
| ruined wrote:
| and that's awfully rude of you, but if you were concerned
| about message retention you wouldn't do that. so what's
| your point?
| Vaslo wrote:
| Scary - I try to use signal as much as possible now for this
| reason.
| IshKebab wrote:
| Signal can't evade this law either.
| blfr wrote:
| Why not? Signal was willing to run all kinds crazy setups
| to evade foreign laws, like domain fronting.
|
| https://signal.org/blog/doodles-stickers-censorship/
| botanical76 wrote:
| If Signal can do it, then why doesn't Apple make a stand?
| buzzerbetrayed wrote:
| If signal doesn't make a stand, the entire value prop of
| signal collapses and they cease to be a thing.
|
| For Apple, privacy is one value prop. But seemingly
| smaller one than the UK market.
| globular-toast wrote:
| Security hinges on trust. The only real privacy tool is PGP
| which uses a web of trust model. But it only works if people
| own their own computers and storage devices. What they've done
| is got everyone to rent their computers and storage instead.
| There's no security model that works for the users here.
| ComputerGuru wrote:
| Note that this doesn't satisfy the government's original request,
| which was for _worldwide_ backdoor access into E2E-encrypted
| cloud accounts.
|
| But I have a more pertinent question: how can you "pull" E2E
| encryption without data loss? What happens to those that had this
| enabled?
|
| Edit:
|
| Part of my concern is that you have to keep in mind Apple's
| defense against backdooring E2E is the (US) doctrine that work
| cannot be compelled. Any solution Apple develops that enables
| "disable E2E for this account" makes it harder for them to claim
| that implementing that would be compelling work (or speech, if
| you prefer) if that capability already exists.
| madeofpalk wrote:
| When you disable ADP, your local encryption keys are uploaded
| to Apple's servers to be read by them.
|
| Apple could just lock you out of iCloud until you do this.
| oakesm9 wrote:
| That's exactly the plan. Anyone with this enabled in the UK
| will need to manually disable it or they'll get locked out of
| their iCloud account after a deadline.
| pacifika wrote:
| And I guess Apple gets fined for not allowing government
| approved alternatives to these services not long after.
| kbolino wrote:
| The hardware will not allow this, at least not without
| modifications. The encryption keys are not exportable from
| the Secure Enclave, not even to Apple's own servers.
| sureIy wrote:
| Are you gonna unlock that phone anytime soon?
|
| Thanks for opening the enclave, don't mind if I ship these
| keys back home.
|
| No notification needed, Apple has root access.
| kbolino wrote:
| Assuming the enclave can receive OTA firmware updates and
| those updates can completely compromise it, which are not
| actually proven facts, there's no way to target this to
| the UK alone without either exempting tourists and
| creating a black market for loophole phones or else
| turning all of Britain into a "set foot here and ruin
| your iPhone forever" zone.
| jkbbwr wrote:
| Unless I am making a mistake here, you still can't
| extract keys of an opened enclave. You can just run
| operations against those keys.
| Twisell wrote:
| The Apple security paper describe how to disable ADP
| through a key rotation sequence.
|
| This will be a "forced rotation", they just need to decide
| how to communicate to users and work out what happens to
| those who don't comply. Lockout until key rotation look
| like an option as someone said.
| kbolino wrote:
| Yeah, this seems the most likely thing to happen here.
| You'll be forced to disable ADP to continue using iCloud
| in the UK. This still leaves the question of tourists and
| other visitors, but it at least fits within the
| parameters of the system without changing its
| fundamentals.
| QuiEgo wrote:
| Behind the scenes, it'd probably decrypt it locally piece-
| by-piece with the key in the Secure Enclave, and then
| reencrypt it with a new key that Apple has a copy of when
| you disable ADP.
| jl6 wrote:
| We are told the encryption keys reside only on your device. But
| Apple control "your" device so they can just issue an update
| that causes your device to decrypt data and upload it.
| RenThraysk wrote:
| Would just upload the keys
| drexlspivey wrote:
| Presumably these keys live in a hardware security module on
| your phone called "secure enclave" and cannot be extracted
| RenThraysk wrote:
| Ah yes, good point.
| fsflover wrote:
| Is this module auditable though, or is "just trust us",
| like everything in the Apple world?
| LPisGood wrote:
| It's auditable in the sense that there is a very high
| potential for reward (both reputationally and
| financially) for security researchers to break it.
| theshrike79 wrote:
| If someone has a reliable and workable secure enclave
| hack they can become a multi-millionaire for selling to
| state actors or become one of the most famous hackers in
| the world overnight (and possibly get a life changing
| amount of bounty from Apple)
|
| Basically it's not a hack someone just throws on the
| internet for everyone to use, it's WAY too valuable to
| burn like that.
| jmb99 wrote:
| An HSM bypass (extracting keys, performing
| unauthenticated crypto ops) on any recent iOS device is
| worth 10s of millions, easily. Especially if combined
| with a one-click/no click. In that sense, it's auditable,
| because it's one of the biggest targets for any colour
| hat, and the people smart enough to find a bug/backdoor
| would only be slightly aided by a spec/firmware source,
| and a bit more by the verilog.
|
| This is true for pretty much every "real" hsm on the
| planet btw. No one is sharing cutting edge enclave
| details, Apple isn't unique in this regard.
| watusername wrote:
| From the Advanced Data Protection whitepaper [0], it
| appears the keys are stored in the iCloud Keychain
| domain, so not the Secure Enclave:
|
| > Conceptually, Advanced Data Protection is simple: All
| CloudKit Service keys that were generated on device and
| later uploaded to the available-after-authentication
| iCloud Hardware Security Modules (HSMs) in Apple data
| centers are deleted from those HSMs and instead kept
| entirely within the account's iCloud Keychain protection
| domain. They are handled like the existing end-to-end
| encrypted service keys, which means Apple can no longer
| read or access these keys.
|
| [0]: https://support.apple.com/guide/security/advanced-
| data-prote...
| jiveturkey wrote:
| wrapped by a key hierarchy ultimately rooted by a key
| stored in the secure enclave.
| watusername wrote:
| Well yes, the entire storage is. I was trying to explain
| how it's extractable.
| jiveturkey wrote:
| fair!
| kevincox wrote:
| Apple can push firmware updates to the HSM just like the
| device. So if they really wanted they could add an
| operation that extracted the keys (likely by encrypting
| them to a key that lives in Apple's cloud).
| GeekyBear wrote:
| Apple has already fought US government demands that they push
| an update that would allow the US governmrnt to break
| encryption on a user's device.
|
| > In 2015 and 2016, Apple Inc. received and objected to or
| challenged at least 11 orders issued by United States
| district courts under the All Writs Act of 1789. Most of
| these seek to compel Apple "to use its existing capabilities
| to extract data like contacts, photos and calls from locked
| iPhones running on operating systems iOS 7 and older" in
| order to assist in criminal investigations and prosecutions.
| A few requests, however, involve phones with more extensive
| security protections, which Apple has no current ability to
| break. These orders would compel Apple to write new software
| that would let the government bypass these devices' security
| and unlock the phones.
|
| https://www.wikipedia.org/wiki/Apple%E2%80%93FBI_encryption_.
| ..
| sneak wrote:
| Apple do not remotely control devices, and automatic updates
| are not mandatory.
| rdtsc wrote:
| > how can you "pull" E2E encryption without data loss? What
| happens to those that had this enabled?
|
| They'll keep your data hostage and disable your iCloud account.
| Clever, huh? So they are not deleting it, just disabling your
| account. "If you don't like it, make your own hardware and
| cloud storage company" kind of a thing.
| lynx97 wrote:
| More like "If you don't like it, talk to your local
| politicians", which is, IMO, a totally valid approach.
| rdtsc wrote:
| > "If you don't like it, talk to your local politicians",
|
| Indeed people only noticed this because Apple tried to do
| the right thing and now it's somehow also Apple's fault. No
| good deed goes unpunished, I guess.
|
| I think there is a feeling the government power is so
| overwhelming that they are hoping maybe some trillion
| dollar corporation would help them out somehow.
| tripdout wrote:
| The iOS screenshot displays a message saying it's no longer
| available for new users.
| globular-toast wrote:
| > But I have a more pertinent question: how can you "pull" E2E
| encryption without data loss? What happens to those that had
| this enabled?
|
| Well exactly. The UK just showed the whole thing is a joke and
| that Apple _can_ do this worldwide.
| wrs wrote:
| > how can you "pull" E2E encryption without data loss
|
| You can't. The article says if you don't disable it (which you
| have to do yourself, they can't do it for you, because it's
| E2E), your iCloud account will be canceled.
| nashashmi wrote:
| At this point, the right thing to do is allow for an alt-
| service.
| sneak wrote:
| Apple has an organization-wide mandate for services
| revenue.
|
| Every product must make money on an ongoing basis, every
| month. That's why you get constantly spammed to subscribe
| to things on iOS.
|
| Apple will never drop this anticompetitive practice of
| favoring their services until they are legally compelled
| to.
| bryan_w wrote:
| > you get constantly spammed to subscribe to things on
| iOS.
|
| Ad companies are the worst
| jmb99 wrote:
| How would an alt service help this situation? You'd just
| end up with backdoored services advertising E2EE, no?
| Apple's move here is definitely the right one, introduce as
| much friction as possible to hopefully get the user pissed
| off at their government for writing such stupid laws.
| NitpickLawyer wrote:
| > introduce as much friction as possible to hopefully get
| the user pissed off at their government for writing such
| stupid laws.
|
| I'm actually surprised that they didn't add more direct
| text in that screen. "We are unable to provide this
| service... BECAUSE OF YOUR GOVERNMENT 1984 STYLE
| REQUESTS. Contact your MPs here and here and oh, here's
| their unlocked icloud data, might want to add some choice
| pictures to their stash..." would have been a tad more on
| the nose...
| mtrovo wrote:
| Apple is in a really tough position. I don't know if there's
| any way they could fulfil the original request without it
| effectively becoming a backdoor. Disabling E2E for the UK
| market is just kicking the can down the road.
|
| Even simply developing a tool to coerce users out of E2E
| without their explicit consent to comply with local laws could
| be abused in the future to obtain E2E messages with a warrant
| on different countries.
|
| A very difficult position to be in.
| replete wrote:
| Or, this is how they save face with their customers having
| complied with the request rather than stop trading with the
| UK.
| MetaWhirledPeas wrote:
| > Apple is in a really tough position.
|
| You mean Apple is in a unique position to make a statement.
| _No more Apple products in the UK._ Mic drop. Exit stage
| left.
| sureIy wrote:
| But... money
| musictubes wrote:
| But customers. People keep saying they should just not be
| in that country. It is far better to have the choice of
| using an iPhone even if particular features are no longer
| available.
| TeaBrain wrote:
| I think Prof Woodward's quote in the article will likely hold
| true for Apple's response to the original UK government
| request:
|
| "It was naive of the UK government to think they could tell a
| US technology company what to do globally"
| kelnos wrote:
| > _the (US) doctrine that work cannot be compelled_
|
| Is this actually a thing? Telecoms in the US are compelled to
| provide wiretap facilities to the US and state and local
| governments.
| ckcheng wrote:
| >> Apple's defense against backdooring E2E is the (US)
| doctrine that [government can't] be compelling work (or
| speech, if you prefer)
|
| It's really not "work" but speech. That's why telecoms can be
| compelled to wiretap. But code is speech [2], signing that
| code is also speech, and speech is constitutionally protected
| (US).
|
| The tension is between the All Writs Act (requiring "third
| parties' assistance to execute a prior order of the court")
| and the First Amendment. [1]
|
| So Apple may be compelled to produce the iCloud drives the
| data is stored on. But they can't be made to write and sign
| code to run locally in your iPhone to decrypt that E2EE data
| (even though obviously they technologically could).
|
| [1]: https://www.eff.org/deeplinks/2015/10/judge-doj-not-all-
| writ...
|
| [2]: https://www.eff.org/deeplinks/2015/04/remembering-case-
| estab...
| codedokode wrote:
| It's weird bending of law. Code, especially closed-source
| code, is not a speech; it's a mechanism and the government
| may mandate what features a mechanism must have (for
| example, a safety belt in a car).
| ckcheng wrote:
| > Any solution Apple develops that enables "disable E2E for
| this account" makes it harder for them to claim that
| implementing that would be compelling work (or speech, if you
| prefer)
|
| I think it's really speech [0], which is why it's important to
| user privacy and security that Apple widely _advertises_ their
| entire product line and business as valuing privacy. That way,
| it's a higher bar for a court to cross, on balance, when
| weighing whether to compel speech /code (& signing) to break
| E2EE.
|
| After all, if the CEO says privacy is unimportant [1], maybe
| compelling a code update to break E2EE is no big deal? ("The
| court is just asking you, Google, to say/code what you already
| believe").
|
| Whereas if the company says they value privacy, then does the
| opposite without so much as a fight and then the stock price
| drops, maybe that'd be securities fraud? [2]. And so maybe
| that'd be harder to compel.
|
| [0]: https://news.ycombinator.com/item?id=43134235
|
| [1]: https://www.eff.org/deeplinks/2009/12/google-ceo-eric-
| schmid...
|
| [2]:
| https://www.bloomberg.com/opinion/articles/2019-06-26/everyt...
| yapyap wrote:
| yikes
| DataOverload wrote:
| This was predictable vs creating a backdoor
| mynameyeff wrote:
| Yikes... looks like Apple sun is setting. This cannot be allowed
| to happen.
| HPsquared wrote:
| It's not just an Apple thing. It's not even just a UK thing.
| throwaway77385 wrote:
| The nightmare continues. For now I am using 3rd party backup
| services that are (currently) promising me that my backups are
| encrypted by a key they do not have access to, or control over.
| But can this even be believed in an age where these secret
| notices are being served to any number of companies? I suppose
| the next step would be to ensure that files don't ever arrive in
| the cloud unencrypted, but I have yet to see a service that
| allows me to do this with the same level of convenience as, say,
| my current backup solution, which seamlessly backs up all my
| phones, my family members' phones, my laptops, their laptops etc.
| I depend on having an offsite backup of my data. Which inevitably
| includes my clients' data also. Which I am supposedly keeping
| secret from outside access. So how does that work once everything
| becomes backdoored?
| nemomarx wrote:
| security and convenience are ever at war.
| grahamj wrote:
| IMO the only thing you can have a high level of trust in is
| your own *nix server. Backup those devices to it then encrypt
| there before being sent to the cloud.
| JohnFen wrote:
| Handling the encryption yourself is the way to go, but for
| maximum security, don't send that encrypted data to the
| cloud. Keep it all on your own server(s).
|
| That doesn't help people who aren't technically capable, of
| course. But at least those who are can protect themselves.
| grahamj wrote:
| Depends what kind of security. Local doesn't help if your
| house burns down or is robbed.
| cg5280 wrote:
| Why couldn't the government just get a warrant and take
| your local servers? At that point there doesn't seem to be
| much of a difference with respect to this threat model, at
| least cloud is convenient.
| acuozzo wrote:
| > your own *nix server
|
| Just be sure it's pre-Intel Management Engine / pre-AMD
| Platform Security Processor!
| globular-toast wrote:
| Convenience usually comes at a cost. You shouldn't have to
| trust anyone. Just use a generic storage service and only
| upload encrypted files to it. Syncthing + Rclone will probably
| get you a similar setup that you control.
| jahewson wrote:
| In the case of the U.K., they can throw you in jail for not
| handing over your encryption key, so it's a moot point. They've
| been slowly expanding this power for twenty years now.
| bloqs wrote:
| Not for content in the cloud, as far as I understand. Someone
| will correct me, but you can be arrested and threatened with
| terror charges if you dont unlock your device, but this does
| not give them permission to access other computers via the
| internet.
| commandersaki wrote:
| Tommy Robinson trial for refusing to provide his unlock
| credentials when ingressing UK is happening in March this
| year.
| fdb345 wrote:
| ive been through all this with the law. no one ever got
| jailed for not handing over encryption keys unless they were
| a definitive criminal and theres strong evidence there is
| criminal data on the device.
|
| they tried this with me (NCA) but the judge wouldnt sign off
| as they had nothning on me or my device. this did however
| REALLY want to access it! fuck them. pricks
| callc wrote:
| Ah yes, the "we have all the power but pinky promise to
| only use it on the bad guys" playbook. I have complete
| confidence and trust in that promise. /s
| kiratp wrote:
| https://www.telegraph.co.uk/news/2024/10/25/tommy-
| robinson-c...
| fdb345 wrote:
| you just gave an example of a man who was highly likely
| to have something of interest on his phone. (as signed by
| a judge)
| infinitifall wrote:
| It is likely there is something of interest on your phone
| (as signed by my friend Joe). Now unlock your phone or
| you will be jailed.
| jcarrano wrote:
| The smartphone is a terrible platform. Something like this could
| never happen on the PC, where you can install any encryption and
| backup software that you want.
|
| While Apple did the right thing by refusing to give the UK
| government a backdoor, they are responsible for getting users in
| this situation in the first place.
|
| I'm not familiar with the iPhone and maybe there is already an
| alternative to iCloud ADP, although that would make this whole
| situation completely nonsensical.
| snowwrestler wrote:
| I haven't checked lately but since it launched the iPhone has
| allowed the owner to choose whether to back up to Apple's
| servers (which would be affected by the UK order) or back up to
| their local computer.
| inetknght wrote:
| > _or back up to their local computer._
|
| You mean back up to their Apple computer, yes?
|
| I certainly can't back up an iPhone to my Linux computer.
| sumuyuda wrote:
| Actually I think you can backup and restore your iPhone on
| Linux using libimobiledevice. They reverse engineered the
| protocols for the backup and restore service running on
| your iPhone.
|
| https://libimobiledevice.org/
| int_19h wrote:
| It's not an either-or, actually, even though the setting is
| worded like it is. But even if you have cloud backups
| enabled, you can still manually trigger a local backup.
| inetknght wrote:
| > _Something like this could never happen on the PC, where you
| can install any encryption and backup software that you want._
|
| Microsoft wants to have a word with you regarding their Windows
| operating system that's installed on their device that you're
| renting.
| shuckles wrote:
| The smartphone platform is the most secure by default personal
| computer most people own, largely because of the control
| enforced by Apple.
| sunshowers wrote:
| But along with that also comes a massive pressure point for
| rogue states to take advantage of. With a diversity of
| services this would not be nearly as possible.
| devsda wrote:
| If we are saying "secure", we should talk about what we are
| securing and against whom.
|
| A smartphone may be secure against malicious individual
| actors but its certainly not the most secure when it comes to
| your private data. Modern day smartphone is designed to
| maximize capturing your private information like location,
| communication patterns, activity and (sometimes) health
| information and pass it on to as many private players(a.k.a
| apps) as possible, even to governments without your
| knowledge. You don't have much control over it.
|
| In that aspect it is less secure than your typical PC. A PC
| doesn't have that level of private information in the first
| place and whatever information it has will leak only if you
| opt-in or get infected by malware.(recent Windows versions
| without necessary tweaks may be considered a malware by
| some).
| shuckles wrote:
| Plenty of people access their health records, etc. on a PC
| via files downloaded to random places on their computer.
| Are you trying to just say smartphones have a lot of
| sensors and are carried around in intimate places?
| globular-toast wrote:
| Secure for Apple, not for the users.
| jahewson wrote:
| Given that the most popular software of this kind is Dropbox
| I'm quite confident that nothing you've said is true.
| fjjjrjj wrote:
| Does this mean I should treat travel to the UK the same way as
| China and only bring a burner device with no information on it or
| on cloud backup accounts?
| gnfargbl wrote:
| Border control agents in all countries -- including the US --
| have fairly extensive powers to search your devices or deny you
| entry. I'm not sure this decision should change your calculus
| on that point.
|
| See also https://medium.com/@thegrugq/stop-fabricating-travel-
| securit...
| fjjjrjj wrote:
| Company trade secrets probably shouldn't be on the device?
| Edit - or the device's cloud backups?
| tene80i wrote:
| I have a naive question, and it's genuine curiosity, not a
| defence of what's happening here.
|
| This ADP feature has only existed for a couple of years, right? I
| understand people are mad that it's now gone, but why weren't
| people mad _before_ it existed? For like, a decade? Why do people
| treat iCloud as immediately dangerous now, if they didn't before?
|
| Did they think it was fully encrypted when it wasn't? Did people
| not care about E2E encryption and now they do? Is it that E2E
| wasn't possible before? If it's such a huge deal to people now,
| why would they have _ever_ used iCloud or anything like it, and
| now feel betrayed?
| writtenAnswer wrote:
| I think it is more about going backwards. It is often difficult
| to remove laws than to add them. This is a similar situation.
|
| In this situation, I agree that it is bad day for personal
| privacy/security
| RenThraysk wrote:
| Think most people had no idea how it worked, it was magic to
| them.
|
| iCloud hacks (like in 2014) have raised awareness for the need
| for E2EE.
| Shank wrote:
| I guess I'm one of the people who was upset that it didn't
| exist before, and I didn't enable iCloud Backup as a result. I
| didn't use iCloud Photos. I had everything stored on a NAS
| (which was in-fact encrypted properly) and used a rube
| goldberg-esque setup to move data to it periodically. I used
| iMazing and local encrypted backups on a schedule.
|
| Lots of people called for E2EE on this stuff, but let's be real
| about one thing: encryption as a feature being more accessible
| means more people can be exposed to it. Not everyone can afford
| a rube goldberg machine to backup their data to a NAS and not
| make it easily lost if that NAS dies or loses power. It takes
| immense time, skill, and energy to do that.
|
| And my fear isn't the government, either, mind you. I simply
| don't trust any cloud service provider to not be hacked or
| compromised (e.g., due to software vulnerability, like log4j)
| on a relatively long timescale. It's a pain to think about
| software security in that context.
|
| For me, ADP solves this and enables a lot of people who
| wouldn't otherwise be protected from cloud-based attacks to be
| protected. Sure, protection against crazy stuff like government
| requests is a bonus, but we've seen with Salt Typhoon that any
| backdoor _can_ be found and exploited. We 've seen major
| exploits in embedded software (log4j) that turn out to break
| massive providers.
|
| So, there were people upset, their concerns were definitely
| voiced on independent blogs and random publications, and now,
| we're back in the limelight because of the removal of the
| feature for people in the UK.
|
| But, speaking as a user of ADP outside of the UK, I am _happy_
| that ADP is standing up for it, and thankful that it exists.
|
| (To be clear: government backdoors, and government requests
| also scare me, but they aren't a direct threat to _myself_ as
| much as a vulnerability that enables all user data to be viewed
| or downloaded by a random third-party).
| freeone3000 wrote:
| iCloud and iPhones have traditionally resisted _US_
| governmental overreach, only giving data to iCloud in cases of
| actual criminal prosecution against specific individuals. As
| well, iPhone backups in iCloud is relatively new, as are many
| other arbitrary storage features -- it used to just be your
| songs and your photos! Now it's data from all of your apps and
| a full phone backup. Hence the resistance: the stories of
| police being unable to recover data from a locked iPhone may
| now be over
| hirako2000 wrote:
| A few factors
|
| - e2e encryption is not ubiquitous yet, but awareness is
| ascending.
|
| - distrust for government also is on the uptrend.
|
| - more organized dissent to preserve privacy.
|
| No people didn't assume data was encrypted.
|
| Yes E2E has been possible for many decades, but businesses
| don't have privacy as a priority, sometimes even counter
| incentives to protect it. Personal data sells well.
|
| Things have changed because more people are getting to
| understand why it matters, forcing the hand of companies having
| to choice but at least feign to secure privacy.
| ziddoap wrote:
| At one point in time, the entirety of web communication was
| completely unencrypted.
|
| Why were people not mad then? Do you think people would be
| angrier now, if HTTPS were suddenly outlawed?
|
| Among other valid answers, removing rights and privileges
| generally makes people angrier than not having those rights or
| privileges in the first place.
| viciousvoxel wrote:
| Counterpoint: when web communication was unencrypted it was
| before we did our banking, tax filing, sent medical records,
| and sent all other kinds of sensitive information over the
| internet. The risks today are not remotely the same as they
| once were.
| bostik wrote:
| > _Why were people not mad then?_
|
| Oh, we were. I am in the crowd who had been asking for
| generally used encryption since 1995. After all, _we_ were
| already using SSH for our shell connections.
|
| The first introduction to SSL outside of internet banking and
| Amazon was for many online services to use encryption _only_
| for their login (and user preferences) page. The session
| token was then happily sent in the clear for all subsequent
| page loads.
|
| It took a while for always-on encryption to take hold, and
| many of the online services complained that enabling SSL for
| all their page loads was too expensive. Both computationally
| _and_ in required hardware resources. When I wrote for an ICT
| magazine, I once did some easy benchmarking around the impact
| of public key size for connection handshakes. Back then a
| single 1024-bit RSA key encryption operation took 2ms.
| Doubling it to 2048 bits bumped that up to 8ms. (GMP
| operations have O(n^2) complexity in terms of keysize.)
| aqueueaqueue wrote:
| "We" is an special group. I am technical but never thought
| much about it back then. There is a boiling frog. The 90s
| internet was used for searching and silly emails. Now it
| has you life in the cloud. But that didn't happen in a day.
| muyuu wrote:
| always used my own encryption and cyphered any sensitive
| data/communications, but the problem is that most people
| won't and you're often compromised by them
|
| simple solutions like Whatsapp, Signal and ADP brought this
| to the masses - which some governments have issues about -
| and this makes a massive difference to everybody including
| those who wouldn't be caught dead using an iphone anyway
|
| if we could go back to the early 1990s when only
| professionals, Uni students, techies and enthusiasts used the
| internet I'd go in a heartbeat but that's not the world we're
| living in
| jahewson wrote:
| The problem here is not with iCloud but with the U.K.
| government. People like to tell themselves the government isn't
| actually trampling their rights but events like this make it
| impossible to ignore.
| matthewdgreen wrote:
| Many of us were very upset about Apple's slow-rolling this
| feature. There were many claims that they delayed the rollout
| due to government pressure [1] (note: that story is by the same
| reporter who broke today's news a couple of weeks ago.)
|
| Rolling out encryption takes time, so the best I can say is
| "finally it arrived," and then it was immediately attacked by
| the U.K. government and has now been disabled over there. I
| imagine that Apple is also now intimidated to further advertise
| the feature even here in the U.S. To me this indicates we
| (technical folks) should be making a much bigger deal about
| this feature to our non-technical friends.
|
| [1] https://www.reuters.com/article/world/exclusive-apple-
| droppe...
| post_break wrote:
| Yes, I was mad before it existed and didn't use icloud backups.
| With the E2E and ADP I turned it on. If it gets nuked in the US
| I'll go back to encrypted local backups only.
| xyst wrote:
| People were mad. Remember the Snowden leaks and PRISM program
| from NSA? [1]
|
| In fact, Apple began to adopt "privacy" first marketing due to
| this fallout. Apple even doubled down on this by not assisting
| FBI with unlocking a terrorist suspects Apple device in 2016.
| [2]
|
| It was around that time I actually had _some_ respect for
| Apple. I was even a "Apple fanboy" for some time. But that
| respect and fanboi-ism was lost between 2019 and now.
|
| Between the deterioration of the Apple ecosystem (shitty macOS
| updates), pushing scanning of photos and uploading to central
| server (CSAM scanning scandal?), the god awful "Apple wall",
| very poor interoperability, and very anti-repair stance of
| devices.
|
| [1] https://www.theguardian.com/world/2013/jun/06/us-tech-
| giants...
|
| [2] https://money.cnn.com/2016/03/28/news/companies/fbi-apple-
| ip...
| GeekyBear wrote:
| You've always been able to perform encrypted backups to your
| own local PC or Mac out of the box, so people who do care about
| privacy have always had that option.
|
| One thing I've found concerning is that Apple had encrypted
| cloud backups ready to roll out years ago, but delayed
| releasing the feature when the US government objected.
|
| > After years of delay under government pressure, Apple said
| Wednesday that it will offer fully encrypted backups of photos,
| chat histories and most other sensitive user data in its cloud
| storage system worldwide, putting them out of reach of most
| hackers, spies and law enforcement.
|
| https://www.washingtonpost.com/technology/2022/12/07/icloud-...
|
| So the UK government isn't the only government that has
| objected to users having real privacy protections.
| fauigerzigerk wrote:
| I think it makes sense for the services we rely on to get more
| secure as the world gets more dangerous. It's an arms race. You
| don't want to go back.
| nikisweeting wrote:
| I was mad for years that ADP didn't exist / was being witheld
| due to Apple+FBI negotiations for years.
|
| I 100% treated iCloud as dangerous until they released it, and
| I cheered in the streets when they finally did.
| AzzyHN wrote:
| Hacker News is a small subsection of the internet. I think the
| majority of people, probably 90% or more, simply do not care
| that much.
| TradingPlaces wrote:
| Apple and the FBI were squabbling over this for a few years,
| and then Apple decided to end the conversation one day and
| implement ADP
| procaryote wrote:
| An E2E encrypted thing that later gets a special backdoor added
| is obviously much worse than a not E2E encrypted thing.
|
| It's like when google suddenly decided that their on-device-
| only 2FA app Google Authenticator should get an opt-out
| unencrypted cloud backup.
|
| It means people who don't pay a lot of attention can suddenly
| have much less protection than they were originally sold on.
| LeoPanthera wrote:
| iCloud did a lot less, in the past. Disabling it now gives you
| access to more data than it did a few years ago. And I also
| suspect it has far more users today than it did a few years
| ago.
| deelowe wrote:
| Apple has been advertising security and privacy as a top
| feature for years now. It would make sense for people to get
| upset if those features were removed.
| mihaaly wrote:
| The situation was not something existed since the beginning of
| time, it evolved gradually. Long ago not that much and not that
| many critically private data was circulating the net, it
| increased and got essential living online by time, in some
| instances forced in an increasing portion of situations. Worry
| then had no grounds yet. As exposure of the population grew, so
| did the benefit for adverse elements breaking online data
| stores, growing in numbers fast, not all made properly in the
| headless chase of success. Damage and hence awareness grew
| gradually.
|
| But basically yes, people are stupid and gave no shit but
| believed all f nonsense, the marketing frauds made them eating
| up their crap happy if it had pretty words and pictures,
| promising something halfway to Paradise. Like the Cloud mirage.
| Those of careful personality were cautious since the first time
| Apple and alike pushed on people giving up control over their
| own data for tiny comfort (or no comfort eventually due to all
| hostile patterns in the full picture) not putting all and every
| precious or slightly valuable stuff to some unknown server on
| the internet protected only by hundreds of years old method:
| password (so not protected at all essentially). Memories,
| contacts, schedules, communications, documents, clone of their
| devices in full, putting all into 'cloud' (much before secure
| online storage became a thing)? Many times to the very same
| one? Who are that much idiots, really?!
| saljam wrote:
| i mainly use apple devices, but never put anything on icloud
| before adp came out.
| aqueueaqueue wrote:
| People learn stuff over time. If you are not living like RMS
| you probably are allowing something to spy on you. If that
| spying gets removed you become aware. You don't want it back.
|
| It is like anything that gets better. Fight for the better. It
| is like aviation safety: who cares about a few crashes this
| year when people didn't complain in the 70s.
| fdb345 wrote:
| How will they enforce this?
|
| They will have to send out messages 'You have 32465 hours before
| you account is deleted unless you decrypt'
|
| This is NOT a good look.
| perdomon wrote:
| Can someone explain what's changed in the UK that they would
| consider requesting unfettered access to all Apple customer data
| (including outside their own borders)? I get that the NSA is
| infamous for warrant-less surveillance, but this seems a step
| further.
| varispeed wrote:
| Uncontrolled immigration and terrorist threat, but also
| probably they want to look at people's nudes. Jolly lot.
| chippiewill wrote:
| Nothing's changed, they just want the same access to people's
| data they've always had. They loved completely unencrypted text
| messages.
|
| The rise of first-party end-to-end encryption has made life
| difficult for the security services so they just want to get
| rid of it.
|
| Also historically the US government loved the UK doing all this
| spying because the US wasn't allowed to do a lot of it on their
| own citizens.
| r00fus wrote:
| This is part and parcel of the collapse of western capitalism
| (aka American empire). You get two main choices when capitalism
| fails - fascism or communism/socialism. It's clear that the UK
| has chosen fascism (either liberals like Labor or extreme right
| like Reform).
| dumbledoren wrote:
| That choice exists only in cases in which the people can
| effect a revolution. The UK elite is too strongly in control
| of the country through its establishment, so, it will be a
| loud tumble down the hillside towards fascism...
| crimsoneer wrote:
| This isn't warrant-less, it's with a warrant. This isn't really
| a change the UK, it's the UK trying to adapt to the
| proliferation of E2E encryption - ten years ago, law
| enforcement could _always_ access your messages, now the
| default if you 're on whatsapp/iMessage is they can't because
| E2E is on by default. UK lawmakers aren't happy with a default
| position of the state being totally incapable of reading
| messages, no matter what the law says.
|
| It might not be cryptographically sensible, but it is
| responding to a real change in the strength of the state.
| guccihat wrote:
| It is "just" the domestic intelligence agency ordering Apple to
| backdoor their own system be able to supply data for lawful
| interception. As I read the article, it's not a UK backdoor in
| the sense they can roam around in every users data. The
| domestic agencies still need to follow the rules of lawful
| interception, namely they need a warrant, and it is targeted at
| UK nationals only. At least that is how I read the article.
| drak0n1c wrote:
| Labour Party was elected six months ago. It is doubling down on
| existing government surveillance policy as a cure-all weapon to
| investigate and chill opposition, and to humble foreign tech
| companies.
| kouru225 wrote:
| I'm at the point where I'm ready to get a pixel and install
| graphene
| varispeed wrote:
| Until it will be illegal to do so.
| noescgchq wrote:
| Right but then you are jailed at Heathrow for not unlocking
| your phone.
|
| The UK has made it clear that Counter Terrorism legislation has
| no limits in UK law even if that means compromising all systems
| and leaving them vulnerable to state actor attacks.
|
| MPs will continue to use encrypted messaging systems that
| disappear messages during any inquiries of course.
| sangnoir wrote:
| Schiphol was already the superior airport for connections
| anyway, not being arrested just sweetens the deal.
| shaky-carrousel wrote:
| You can provide a self destroy PIN with GrapheneOS.
| runjake wrote:
| And that certainly wouldn't raise their suspicion. Surely,
| they'd immediately let you go after that stunt.
| dclowd9901 wrote:
| But it would be up to him, wouldn't it? I think that's
| the main deal here: cart blanche access to your data, or
| giving into someone's bullshit fishing attempt because
| it's inconvenient.
| shaky-carrousel wrote:
| Of course they could throw a tantrum, but it wouldn't be
| nothing but that, and they will have to release you once
| they cool down.
|
| What are they going to say? That they won't release you
| until you magically unerase the phone? There's nothing to
| wait for.
| Aachen wrote:
| I agree there is nothing to coerce out of you anymore and
| so you'd not be held on this forced decryption law... but
| not complying with such a court order probably results in
| another offence for which you can then get punished (not
| sure if a fine, community service, or jail time would be
| most likely for this), on top of that it doesn't look
| good to the judge who presides over the original case in
| which they de demanded the decryption in the first place
| fdb345 wrote:
| Except no one has ever been jailed for simply refusing to
| unlock a phone unless there was heavy evidence there was
| something on the phone.
|
| Stop spreading incorrect FUD
| timc3 wrote:
| No one that we have heard of yet.
| okasaki wrote:
| You're an ignorant fool:
| https://www.theregister.com/Print/2009/11/24/ripa_jfl/
| fdb345 wrote:
| LOL literally a suspected terrorsit.
| Aachen wrote:
| Being in court for something doesn't make you guilty of
| said thing. What's the "heavy evidence" you say they had
| before jailing this person?
| aqueueaqueue wrote:
| Take a dumb phone (or none)?
| wishfish wrote:
| I'm in a similar position. Strongly considering replacing my
| iPhone with a Pixel. But I realize I'm vulnerable via cloud
| services. GrapheneOS won't save me from someone poking through
| my Dropbox. I'll have to find another option for that too.
| AlgebraFox wrote:
| Nextcloud works great on GrapheneOS if you are willing to
| self host.
| andyjohnson0 wrote:
| Presumably this applies to the iPhones owned by UK government
| ministers, civil servants, personal devices of military
| personnel, UK businesses, etc.
|
| As a brit, I find that my government's stupidity is almost its
| only reliable attribute.
| mrweasel wrote:
| Presumably not, politicians have a way of excepting themselves
| in these types of laws. It's almost as if they understand the
| need for privacy, they just fail to apply that understanding to
| any scenarios beyond their own.
| andyjohnson0 wrote:
| I meant that Apple's decision to withdraw ADP applies to
| them, not the Investigatory Powers Act. Or are you saying
| that Apple will give them a free exemption?
| fdb345 wrote:
| "Presumably not"
|
| Rubbish. Give me one example? They will have to abide as
| well.
| 8fingerlouie wrote:
| Not a UK example, but Chat Control (2.0) explicitly exempts
| various politicians and government officials from being
| spied on.
| santiagobasulto wrote:
| What happens if a British citizen/resident buys an iPhone in the
| USA?
|
| Btw, as a European citizen, I always buy my devices in the USA.
| We can complain about the US as much as we want, but Europe is on
| another level.
| Ylpertnodi wrote:
| As an EU citizen, the US* (govts) can stay way from my stuff. I
| won't even vpn through the
|
| *or any other gubments.
|
| Of course, when the rubber truncheon comes out, I'd be happy to
| show my encrypted stuff. But until then, or without a warrant,
| I'd prefer not to.
| commandersaki wrote:
| I think the iCloud services is based on the region of your
| Apple Account. So you could theoretically use a US region Apple
| Account and enjoy iCloud services. But that means you won't get
| UK region apps, except in the app store you can switch to
| different Apple Accounts as you please, so you can have
| multiple accounts for different regions (which is what I do).
| Ruq wrote:
| Honestly I'm surprised that rather than trying to build stupid
| backdoors and such, tyrannical governments don't just try to make
| a encryption key database. They hold ALL the keys and can get
| into anything they want, anytime they want. If you get caught
| with keys or encrypted data they can't access, punishment ensues.
|
| Like if you're gonna try to eliminate privacy and freedom, just
| be honest and open about your intentions.
| xyst wrote:
| If you care about privacy and security of your data, you aren't
| using public services from Apple or Google, or "big tech"
| anyways.
|
| I always thought of "cloud" services to be a sham. I only trust
| them with transient data or junk data anyways (glorified temp
| storage, at best).
| j-bos wrote:
| This law raises serious concerns about being a non UK resident
| using British software, like Linux Mint.
| nobankai wrote:
| No, it really does not.
| Ylpertnodi wrote:
| How can you definitively know?
| nobankai wrote:
| In the case of Linux Mint, I can check the commit history,
| build the software myself and even validate it against
| public checksums. It is expressly defended against these
| types of attacks, making it an odd choice to single out.
| mihaaly wrote:
| Isn't it already a law violation using it in certain
| scenarios? Or will be soon?
| Aachen wrote:
| No? Instead of speaking in question marks, why not link
| or reference the law or scenarios you're talking about?
| mihaaly wrote:
| You seriously need to re-learn what the concept of asking
| a question means!
|
| It looks like you were using it so long for passive
| agressive arguing that it lost its original meaning for
| you completely!
|
| I was asking.
| Aachen wrote:
| So was I, because I have no idea what you're talking
| about so I'm curious about any more details to be able to
| look up why Linux Mint would be illegal in the UK.
| There's a myriad of laws it could fall under so
| undirected keyword searches won't let me find it and I'm
| also not sure if anyone can even read all laws that exist
| to see if there's anything related to what Linux Mint
| is/does, the question seems unanswerable but hints
| towards a certain thing being potentially illegal without
| saying what it is
| sumuyuda wrote:
| Apple could have disabled iCloud completely for UK users. This
| would protect both UK users and other users who's data would also
| been captured in an iCloud backup.
|
| They would lose some money on services, but would have been the
| better choice to stand up to the UK government and protect the UK
| users.
| jdminhbg wrote:
| It's fine to continue providing the service as long as people
| know it's not encrypted. I am not worried about my photos being
| subpoenaed; I am worried about losing them. I'd rather have the
| service.
| CodeWriter23 wrote:
| If Apple was a real American Company they would solve this issue
| by withdrawing their devices from the UK.
| int_19h wrote:
| Is Palantir a Real American Company?
| nomilk wrote:
| Wow - how sad. To think the 2nd highest scoring post ever on
| hacker news is Apple's 2016 _A Message to Our Customers_. A
| display of intelligence, morality and courage under great
| pressure: https://hn.algolia.com
|
| How things have changed.
|
| > In a statement Apple said it was "gravely disappointed"
|
| So are we, Apple. So are we.
| okeuro49 wrote:
| Apple did the right thing.
|
| I would much rather they were transparent, so that people can
| move services, rather than build a backdoor in secret, to
| appease the far-left Labour government.
| nomilk wrote:
| Building a backdoor and telling us is better than building a
| backdoor and not telling us, but not building a backdoor at
| all is ideal.
| stoobs wrote:
| Oh stop with "far left" nonsense, none of our main political
| parties are much further than slightly left or right of
| centrist.
| ljm wrote:
| Fundamentally, I think the issue is more about technical literacy
| amongst the political establishment who consistently rely on the
| fallacy that having nothing to hide means you have nothing to
| fear. Especially in the UK which operates as a paternalistic
| state and enjoys authoritarian support across all parties.
|
| On the authoritarianism: these laws are always worded in such a
| way that they can be applied or targeted vaguely, basically to
| work around other legislation. They will stop thinking of the
| children as soon as the law is put into play, and it's hardly
| likely that pedo rings or rape gangs will be top of the list of
| priorities.
|
| On the technical literacy: the government has the mistaken belief
| that their back door will know the difference between the good
| guys (presumably them) and the bad guys, and the bad guys will be
| locked out. However, the only real protection is security by
| obscurity: it's illegal to reveal that this backdoor exists or
| was even requested. Any bad guy can make a reasonable assumption
| that a multinational tech company offering cloud services has
| been compromised, so this just paints another target on their
| backs.
|
| I've said it before, but I guarantee that the monkey's paw has
| been infinitely curling with this, and it's a dream come true for
| any black or grey hat hacker who wants to try and compromise the
| government through a backdoor like this.
| kmeisthax wrote:
| What the politicians want is partial security: something they
| can crack but criminals can't. That is achievable in physical
| security, but not in cybersecurity.
|
| I have a feeling the politicians already know partial
| cybersecurity isn't an option, and don't care. Certainly, the
| intelligence community advising them absolutely does know. We
| don't even have to be conspiratorial about it: their jobs are
| easier in the world where secrets are illegal than in the world
| where hackers actually get stopped.
| joncp wrote:
| > That is achievable in physical security, but not in
| cybersecurity.
|
| Not with physical security either, I'm afraid.
| cryptonector wrote:
| With physical security the state apparatus can provide
| physical security in the form of police and what not, as
| well as deterrence and punishment.
|
| In the world of cryptography it's... a bit harder to do
| something similar. In the best case they can come up with a
| key escrow system that doesn't suck too much, force you to
| use it, and hopefully they don't ever get the master keys
| hacked and stolen or leaked. But they're not asking for key
| escrow. They're asking for providers to be the escrow
| agents or whatever worse thing they come up with.
| eterm wrote:
| > That is achievable in physical security, but not in
| cybersecurity
|
| This isn't accurate though, and leads us down the path of
| trying to prevent these bad laws from a technical perspective
| when we should be fighting the principle of the bad law not
| just decrying it for being "unworkable".
|
| It is possible to construct encryption schemes with a
| "backdoor key" while still being provably secure against
| anyone else.
|
| This creates precisely the "partial security" you describe:
| Criminals can't crack the encryption, but the government can
| use their backdoor-key.
|
| But like those who argue online age-consent schemes can't
| work, it doesn't help to argue against the technical aspects
| of such bad laws. The law, particularly UK law, doesn't care
| for what's technically possible. The bad laws can sit on the
| books regardless of the technical feasibility of enforcement.
| Eventually technology can catch up, or the law can simply be
| applied on a best endeavours / selective enforcement
| approach.
| jliptzin wrote:
| And what happens when someone in the government inevitably
| leaks the key either intentionally or because of a hack?
| jmholla wrote:
| > This creates precisely the "partial security" you
| describe: Criminals can't crack the encryption, but the
| government can use their backdoor-key.
|
| No, it doesn't. Now criminals just have to get the key.
| These schemes have been tried many times. They've been
| discovered by actors that shouldn't have access to them.
|
| Please don't go around advising government leaders and
| organizations. This is exactly the problem solving
| capabilities of governmental leaders that security experts
| are decrying here in this thread.
|
| I honestly though get you're comment was going to go along
| the lines of perfect physical security can only be
| perfectly secure from everyone, including the people it
| shouldn't be. We constantly see the hacking oh physical
| locations. The big things keeping some orgs from being
| attacked: redundancy, observability, and ENCRYPTION WITHOUT
| BACKDOORS!
| kingkongjaffa wrote:
| > Especially in the UK which operates as a paternalistic state
| and enjoys authoritarian support across all parties.
|
| This seemed strange to point out. It's not really any more or
| less "paternalistic" than most western nations including the
| US.
| 15155 wrote:
| Folks in the United States aren't routinely arrested for
| Facebook posts.
| 4ndrewl wrote:
| They're not arrested for posting on Facebook. They're
| arrested for _what_ they're posting on Facebook.
| pb7 wrote:
| Yes, people in the US don't get arrested for that.
| maccard wrote:
| Yes, they do.
|
| https://www.justice.gov/usao-az/pr/page-man-charged-
| threaten...
|
| https://edition.cnn.com/2015/04/30/us/georgia-woman-
| facebook...
|
| https://www.cnbc.com/amp/2023/10/19/influencer-gets-
| months-i...
|
| https://www.justice.gov/usao-ndal/pr/birmingham-man-
| sentence...
| 4ndrewl wrote:
| Stop it. We don't deal in "facts" any more.
| fencepost wrote:
| No, they get arrested for conduct that would be criminal
| no matter where they did it. Facebook (2x) and Twitter
| (2x) were the (virtual) venues where the crimes were
| committed, but the crimes were attempting to organize a
| mob to burn down a courthouse, inciting and threatening
| to murder police, conspiracy to suppress votes and
| threatening to kill the President. The crimes would be
| just as criminal had they been done in person at a local
| bar (or any other physical location).
| maccard wrote:
| Which is exactly the same as in the UK.
|
| > The crimes would be just as criminal had they been done
| in person at a local bar (or any other physical
| location).
|
| I agree. Where the US differs is that because of the US's
| 1st amendment it's _not_ a crime to say those things even
| in a bar.
|
| Anyway, all of that to say that americans are arrested
| for posting things on the internet, despite what people
| claim.
| JBSay wrote:
| Just like any other authoritarian state
| 4ndrewl wrote:
| Hardly. There are limits to speech in most jurisdictions.
| That hardly crosses the threshold for "authoritarian".
| The high profile cases in the UK have been around
| incitement to violence and contempt of court.
| jirf_dev wrote:
| Of course they are. Violent threats and admitting illegal
| activity on social media can lead to arrests in the US. By
| being so unspecific your comment does not really foster
| good discussion on the topic. You should describe what kind
| of posts they are being arrested for and which
| laws/protections in the UK you are specifically
| criticizing.
| twixfel wrote:
| There are limits to speech in every country, including the
| US. What I always find baffling is the sheer arrogance of
| Americans, that the only way to be a free and democratic
| country is their way, to the extent that they send their
| elected representatives to Germany of all places to
| implicitly argue for the legalisation of the Hitler salute.
|
| Meanwhile their country has slid into fascism. Sad and
| tragic.
| cmdli wrote:
| The AP News was just kicked out of press conferences for
| not using the government-preferred term for the Gulf of
| Mexico. The new director of the FBI is pledging to go after
| members of the press that he doesn't like. The US is
| jumping headfirst in the "bad speech isn't free" direction
| in the past month.
| gleenn wrote:
| If you see a red car driving down the street do you not call
| it red because there are many other red cars? They're adding
| color (pun intended) to their description of the general bias
| of the UK government. What you're doing is called
| Whataboutism - the argument that others are doing something
| similar or as bad in different contexts. It doesn't make what
| the UK is doing any less bad for citizens (and non-citizens)
| privacy or data sovereignty.
| polshaw wrote:
| You don't say it's "especially" red then do you. The
| comparison was started by the GP.
| exe34 wrote:
| > that having nothing to hide means you have nothing to fear
|
| hopefully the US turning from leader of the free world to
| Russia's tool will give them the kick they need to realise that
| just because you trust the government now doesn't mean you
| trust the next government or the one after it.
| GeekyBear wrote:
| You probably don't want to look up which US President tried
| to force Apple to insert an encryption back door into iPhones
| back in 2015.
|
| However, Google did only start moving to protect location
| data from subpoenas after people started to worry that
| location data could be used as a legal weapon against women
| who went to an abortion clinic, so your larger point stands.
| jshier wrote:
| That would be none, as it was the FBI, operating
| independently (as it's supposed to), which tried to force
| the issue. They even tried to go to Congress but found
| little support for their stunt. I'm not even sure Obama
| ever spoke in support of the backdoor, much less used any
| political power to make it a reality.
| GeekyBear wrote:
| Sorry, but the FBI is part of the executive branch.
|
| This is exactly like saying that President Trump has
| nothing to do with the actions of the executive branch
| agencies today.
| exe34 wrote:
| it's true that the honour system only works when there's
| honour in the people in charge.
|
| when a clown moves into a palace, the clown doesn't
| become the king - the palace becomes a circus.
| GeekyBear wrote:
| Haven't we already learned that gaslighting the public is
| counterproductive?
|
| President Obama sold himself as a Constitutional scholar
| who would set right the civil liberties overreach of his
| predecessor.
|
| You aren't going to convince sane people that his
| executive branch agencies sought to gut the fourth
| amendment without his being aware of it, despite months
| of extensive press coverage.
| exe34 wrote:
| "the other side is just as bad" isn't the justification
| that a lot of people seem to think it is. if you don't
| like what the other side has done, don't just copy them.
| do better.
| GeekyBear wrote:
| It's simpler. If you claim that a particular action would
| be bad if the other political team were to perform it,
| don't suddenly make excuses for that very same action if
| it turns out that your favored political team has
| previously performed it.
| exe34 wrote:
| you're still doing it.
| dguest wrote:
| Points about Russia or partisan politics aside, there are
| now at least 10M people living in the US who have a very
| strong incentive to hide all their data from the executive
| branch. That's to say nothing of the countless millions who
| might want to help them.
|
| The demand for encryption just exploded, in a legal gray
| area (city, state, and federal laws seem to be in conflict
| here) it's just a question of whether governments allows
| the supply to follow.
| isaacremuant wrote:
| > hopefully the US turning from leader of the free world to
| Russia's tool
|
| So much humour in one short phrase.
|
| Do you really believe your propaganda or is it just
| absentmindedly parroting pro permanent war talking points?
| exe34 wrote:
| He demands $500bn of rare earth minerals, insists that
| Ukraine started the war by getting invaded and wants
| Zelensky to be replaced by a Russian puppet. It's amazing
| how the US went from the defender of the free world to just
| another thug.
| isaacremuant wrote:
| "defender of the free world" is just so funny to me. I'm
| sorry to burst your bubble of jingoism and US imperialism
| excepcionalism.
| exe34 wrote:
| what do you call US nukes in Europe? that's exactly what
| it was - Pax Americana, 70 years of peace and prosperity
| has come to an end for most countries. Now Russia has an
| ally in their old enemy.
| bspammer wrote:
| What would you call the ridiculous claim that Ukraine
| started the war? Who else does that serve but Russia?
| exe34 wrote:
| "your honour, they repeatedly hit my fist with their
| face".
| miohtama wrote:
| Furthermore, one UK head of state call everyone supporting
| encryption pedophiles
|
| https://x.com/BenWallace70/status/1892972120818299199
| scott_w wrote:
| Just to be clear: Wallace is not a head of state, or even an
| MP any more. At one point, he was Secretary of State for
| Defence, a Cabinet position, however he resigned this in
| 2023.
|
| This doesn't justify his position (it's stupid) but he
| doesn't speak for the current government.
| onei wrote:
| To clarify a bit further, the UK head of state is King
| Charles III, as he is for a bunch of other countries in the
| Commonwealth.
|
| Head of state in the UK is a bit weird compared to
| countries that abolished or never had a monarchy.
| scott_w wrote:
| You're correct, however I gave GP the benefit of the
| doubt and assumed they meant Secretary of State ;-)
|
| And, to be fair, while I'm generally a small r
| republican, I'm seeing benefits of having a non
| politically aligned head of state after J6. While the
| monarch has limited power, booting out a PM that can't
| command the confidence of Parliament is one of them. The
| question of whether Johnson would accept being dethroned
| a la Trump was always silly given his consent was never
| needed.
| onei wrote:
| The UK monarch's power is largely based on convention
| more than active decision making. For example, a
| government is formed at the invitation of the monarch,
| but that's long reflected the results of an election.
| Getting rid of a PM generally happens when they run out
| of luck. That sometimes coincides with the ruling
| party/coalition imploding. The next PM is then
| shortlisted by MPs and selected by a minority of the
| electorate.
|
| I guess the US equivalent is the leader of the house
| being unable to hold their majority together. In some
| ways the presidential election feels more democratic if a
| relative outsider (like Trump was) can win. But a 2 year
| lead up is crazy.
| worik wrote:
| > And, to be fair, while I'm generally a small r
| republican, I'm seeing benefits of having a non
| politically aligned head of state
|
| One of the benefits of a constitutional monarchy is the
| head of state did not campaign for the position.
| c0ndu17 wrote:
| I've become a bit of fan of it over the last few years.
| That said, I don't think the UK can be replicated.
|
| It wraps ultimate power up in a contradiction, you have
| it but you can't use it. Sure, technically you could but
| it would be your last act.
|
| Another important aspect, the for and against is
| currently split between parties, so there's somewhat of
| unification factor between parties on that divide as
| well.
|
| It gets a lot of hate, because it is imperfect, but I
| don't think it gets its fair shake. My views more of, if
| it ain't broke is it really worth the risk changing it.
| ojhp wrote:
| Technically we did abolish the monarchy back in the 17th
| century, but the replacement was so bad we brought them
| back about 10 years later, which I think makes us a
| minority of one and even more weird.
|
| Anyway, back on topic: this is a ridiculous law that is
| forcing services to erode their security while smart
| criminals can just use some nice free open-source
| software somewhere else for E2E communication. And a lot
| of this is definitely down to lawmakers not understanding
| technology.
| ttepasse wrote:
| The vast majority of democracies separated the roles of
| head of state and head of government.
| ThePowerOfFuet wrote:
| https://xcancel.com/BenWallace70/status/1892972120818299199
| doublerabbit wrote:
| Thank you.
| mschuster91 wrote:
| And that's why it is so important to nip this "pedo" / "think
| of the children" crap right in the bud.
|
| Obviously pedos on the interwebs are bad, but hey as long as
| it's just anime they're whacking off to I don't care too
| much. But the real abuse, that's done by - especially in the
| UK - rich and famous people like Jimmy Savile. And you're not
| gonna catch these pedos with banning encryption, that's a
| fucking smokescreen if I ever saw one, you're gonna catch
| them with police legwork and by actually teaching young
| children about their bodies!
| worik wrote:
| > But the real abuse, that's done by - especially in the UK
| - rich and famous people like Jimmy Savile
|
| Jimmy Savile was a vile predator. He was protected by the
| inane customs of the British ruling class.
|
| He was not alone among the toffs of England.
|
| But do not be mistaken. It is not just the rich and
| powerful where you find sexual predators. They exist at all
| levels of society, all genders, most ages (I will except
| infants and the aged infirm....)
|
| Jimmy Savile was a symptom of something much darker, much
| worse and widespread.
| mschuster91 wrote:
| Yeah but if you sell the populace on the idea that pedos
| are only something that's a threat on the interwebs the
| populace won't care about all the other pedos, and if
| there is a pedo scandal like the next Savile the
| government can just go and shrug and say "we did all we
| could". And _that_ is the point behind all that pedo
| scare.
| bigfudge wrote:
| Jimmy Saville was many things, but I don't think he was a
| toff. His ability to abuse was about power, and perhaps
| gender, but not class.
| kypro wrote:
| Honestly if the UK wants to reduce sexual crimes against
| children and adults one of the easiest ways to achieve
| that would be to reform UK liable law.
|
| In the UK if you're raped by someone famous you'd be an
| utter idiot to say anything unless you're loaded or have
| a massive amount of hard evidence. You couldn't have a me
| to movement in the UK because everyone who came forward
| would be sued into bankruptcy. This is why so many people
| knew about Savile but no one said anything.
| worik wrote:
| The rules of evidence in court are important too.
|
| It is the victim on trial, many times.
| GJim wrote:
| > one UK head of state
|
| What on earth are you talking about?
|
| Charles III is head of state, and before that, Liz II. The
| monarch absolutely _does not_ get involved in politics.
| sib wrote:
| >> The monarch absolutely does not get involved in
| politics.
|
| The monarch picks the Prime Minister, no? That seems pretty
| involved.
| polshaw wrote:
| No, the monarch does not pick the Prime Minister. At all.
|
| They have a ceremonial role in confirming them. Like they
| do with every law that Parliament creates. If they ever
| actually practically exercised this theoretical power it
| would be the end of the monarchy.
| hackernoops wrote:
| Ironic.
| yubblegum wrote:
| > technical literacy amongst the political establishment who
| consistently rely on the fallacy that having nothing to hide
| means you have nothing to fear.
|
| That's an awfully generous assessment on your part. Kindly
| explain just what "technical literacy" has to do with the
| formulation you note. From here it reads like you are
| misdirecting and clouding the -intent- by the powerful here.
|
| Also does ERIC SCHMIDT an accomplished geek (who is an official
| member of MIC since (during?) his departure from Sun
| Microsystems) suffers from "technical literacy" issues:
|
| https://news.ycombinator.com/item?id=983717
|
| Thank you in advance for clarifying your thought process here.
| Tech illiteracy -> what you got to hide there buddy?
| stavros wrote:
| I feel like the comment was clear, technical illiteracy leads
| politicians to believe that they'll be the only ones with
| access to this backdoor, which isn't true.
| ninalanyon wrote:
| It isn't necessarily the case that they all care if
| criminals can get in to the average person's data so long
| as the authorities also can.
| trinsic2 wrote:
| Yeah. Not buying it. They know, or someone smart enough
| told them that backdoors can be accessed by anyone with
| enough skill. They just don't care because the people that
| are asking for this are criminals already and wanting
| profit off of other people's data.
| yubblegum wrote:
| The comment's clarity was not questioned. You are passing
| around the same tired line that because politicians do not
| understand technology and how it can be used against
| anyone. Sure computers are new but communication technology
| is not. All a politician needs to understand is
| "capability". That is it. "We can read their
| communications", no degree in CS required. Also, they have
| power geeks advising them left and right. They know
| "capabilities" can be misused. They know this.
|
| Is this clear?
| stavros wrote:
| >> Kindly explain just what "technical literacy" has to
| do with the formulation you note.
|
| >> Thank you in advance for clarifying your thought
| process here.
|
| > The comment's clarity was not questioned.
| bunderbunder wrote:
| Let me offer a possible example that might be more in line
| with the HN commenting guideline about interpreting people's
| comments as charitably as reasonably possible:
|
| My password manager vault isn't exactly something to hide in
| the political sense, but it's definitely something I would
| fear is exposed to heightened risk of compromise if there
| were a backdoor, even one for government surveillance
| purposes. And it's a reasonable concern that I think a lot of
| people aren't taking seriously enough due, in part, to a lack
| of technical literacy. Both in terms of not realizing how it
| materially impacts everyday people regardless of whether
| they're up to no good, and in terms of not realizing just how
| juicy a target this would be for agents up to and including
| state-level adversaries.
|
| As for Eric Schmidt, he's something of a peculiar case. I
| don't doubt his technical literacy, but the dude is still the
| head of one of the world's largest surveillance capitalist
| enterprises, and, as the saying goes, "It is difficult to get
| a man to understand something when his salary depends on his
| not understanding it."
| smsm42 wrote:
| It's not literacy. They don't care. They need control, and if
| establishing control means increased risks for you, it's not
| something they see as a negative factor. It's your problem, not
| theirs.
| ben_w wrote:
| The government put in restrictions against using certain
| powers in the Investigatory Powers Act to spy on members of
| parliament (unless the Prime Minister says so, section 26),
| so I think they're just oblivious to the risk model of "when
| hackers are involved, the computer isn't capable of knowing
| the order wasn't legal".
|
| https://www.legislation.gov.uk/ukpga/2016/25/section/26
| lozenge wrote:
| That actually shows they understand and care because they
| don't want the law to apply to them. They don't care about
| its effects on other people.
| ben_w wrote:
| No, it shows they're thinking of computers like they
| think of police officers.
|
| Computer literacy 101: to err is human, to really foul up
| requires a computer.
|
| They don't understand that by requiring the capability
| for going after domestic criminals, they've given a huge
| gift to their international adversaries' intelligence
| agencies. (And given this is about a computer
| vulnerability, "international adversaries" includes
| terrorists, and possibly disgruntled teenagers, not just
| governments).
| newdee wrote:
| I think it could be for both reasons
| soulofmischief wrote:
| They understand. Signal Foundation's president, Meredith
| Whittaker, among many other tech leaders, have made it
| abundantly clear to both the UK and the EU.
|
| https://techcrunch.com/2023/09/21/meredith-whittaker-
| reaffir...
|
| If politicians don't understand after such campaigning,
| it's a choice in willful ignorance, not bad computer
| literacy.
| ben_w wrote:
| I personally campaigned at the time the law was being
| debated. Met my local MP, even.
|
| If I'd known about the idea of "inferential gap" at the
| time, my own effort might not have been completely
| ignored... though probably still wouldn't have changed
| the end result as I still don't know how to show
| lawmakers that their model of how computers and software
| functions has led to a law that exposed them, personally,
| to hostile actors.
|
| How even do you explain to people with zero computer
| lessons that adding a new access mechanism increases the
| attack surface and makes hacking easier?
|
| The politicians seem to see computers as magic boxes,
| presumably in much the same way and for much the same
| reason that I see Westminster debates and PMQs as 650
| people who never grew out of tipsy university debating
| society life.
|
| (And regardless of if it is fair for me to see them that
| way, that makes it hard to find the right combination of
| words to change their minds).
| soulofmischief wrote:
| > How even do you explain to people with zero computer
| lessons that adding a new access mechanism increases the
| attack surface and makes hacking easier?
|
| You literally tell them that. That's it. As prominent
| tech leaders have been doing. They either choose to
| believe experts, or disbelieve them. Or they could get a
| CS major. They chose option #2. They ostensibly
| disbelieve experts because what they're hearing does not
| mesh with what they want.
|
| But let's be honest with ourselves; it's not that they
| disbelieve them, or don't understand. It's that they
| don't care. You are giving these people way too much of a
| benefit of the doubt. They have the tools at their
| disposal to remove any ignorance.
| ben_w wrote:
| > You literally tell them that. That's it. As prominent
| tech leaders have been doing.
|
| As it's not working, QED not "that's it".
|
| > You are giving these people way too much of a benefit
| of the doubt.
|
| They're hurting their own interests in the process. If
| they were _just_ hurting my interests, I 'd agree with
| you. But this stuff increases the risk to themselves,
| directly. I may have even told them about
| https://cve.mitre.org/cgi-
| bin/cvename.cgi?name=CVE-2015-0204 given the timing.
| tehwebguy wrote:
| Absolutely not, MPs are not too stupid to process the
| concept of "a back door is a back door" they simply want
| this power and do not care about security or privacy if
| non-MPs. Everyone who voted for this needs to be thrown out
| of politics, but that will obviously not happen.
| redeeman wrote:
| opinion: any government that "needs" such control, is an
| enemy of the people and must be abolished, and anyone can
| morally and ethically do so
| jbjbjbjb wrote:
| Well it's important that the argument is correct. They view
| ending end-to-end encryption as a way to restore the
| effectiveness of traditional warrants. It isn't necessarily
| about mass surveillance and the implementation could
| prevent mass surveillance but allow warrants.
|
| I oppose that because end to end encryption is still
| possible by anyone with something to hide, it is trivial to
| implement. I think governments should just take the L in
| the interest of freedom.
| AnthonyMouse wrote:
| > They view ending end-to-end encryption as a way to
| restore the effectiveness of traditional warrants.
|
| Traditional warrants couldn't retroactively capture
| historical realtime communications because that stuff
| wasn't traditionally recorded to begin with.
|
| > It isn't necessarily about mass surveillance and the
| implementation could prevent mass surveillance but allow
| warrants.
|
| The implementation that allows this is the one where
| executing a warrant has a high inherent cost, e.g.
| because they have to physically plant a bug on the
| device. If you can tap any device from the server then
| you can tap every device from the server (and so can
| anyone who can compromise the server).
| jbjbjbjb wrote:
| They shouldn't be able to tap any device from a server.
| I'm guessing they would have to apply for a warrant and
| serve the warrant to Apple who review the warrant and
| provide the data.
| AnthonyMouse wrote:
| Putting the panopticon server in a building that says
| Apple or Microsoft at the entrance hasn't solved
| anything. Corporations are hardly more trustworthy than
| the government, can be coerced into doing the mass
| surveillance under gag orders, could be doing it for
| themselves without telling anyone, and would still be
| maintaining servers with access to everything that could
| be compromised by organized crime or foreign governments.
|
| Which is why the clients have to be doing the encryption
| themselves in a documented way that establishes the
| server can't be doing that.
| staplers wrote:
| governments should just take the L in the interest of
| freedom
|
| This was written into the US constitution. Unfortunately,
| most either don't know or care that it's all but ignored
| in practice.
| cryptonector wrote:
| They don't even need control. They _want_ control. Why?
| Either they 're idiots who think they need control or they
| are tyrants who know they'll need control later on when they
| start doing seriously tyrannical things.
| hackernoops wrote:
| It's the latter.
| cryptonector wrote:
| Of course it is.
| smsm42 wrote:
| It's natural for the government to want control. It's
| literally what it is optimized for - control. More control
| is always better than less control. More data about
| subjects always better than less data. What if they do
| something that we don't want them doing and we don't know?
| It's scary. We need more control.
|
| > they'll need control later on when they start doing
| seriously tyrannical things.
|
| You mean like when they start jailing people for social
| media posts? Or when they are going to ban kitchen knives?
| Or when they're going to hide a massive gang rape scandal
| because it makes them look bad? Or when they would convict
| 900+ people on false charges of fraud because they couldn't
| admit their computer system was broken? Come on, we all
| know this is not possible.
| jamil7 wrote:
| > Why? Either they're idiots who think they need control or
| they are tyrants
|
| Many politicians are individuals without any talent who
| desire power and control, politics is the only avenue open
| to people like that.
| cryptonector wrote:
| And many are sociopaths and psychopaths who love to wield
| power over others. Some of those sociopaths and
| psychopaths are very very smart.
| kypro wrote:
| Agreed.
|
| I used to think it was illiteracy, but when you hear
| politicians talk about this you realise more often than not
| they're not completely naive and can speak to the concerns
| people have, but fundamentally their calculation here is that
| privacy doesn't really matter that much and when your
| argument for not breaking encryption based around the right
| to privacy you're not going to convince them to care.
|
| You see a similar thing in the UK (and Europe generally) with
| freedom of speech. Politicians here understand why freedom of
| speech is important and why people some oppose blasphemy
| laws, but that doesn't mean you can just burn a bible in the
| UK without being arrested for a hate crime because
| fundamentally our politicians (and most people in the UK)
| believe freedom from offence is more important than freedom
| of speech.
|
| When values are misaligned (safety > privacy) you can't win
| arguments by simply appealing to the importance of privacy or
| freedom of speech. UK values are very authoritarian these
| days.
| EchoReflection wrote:
| "it's hardly likely that pedo rings or rape gangs will be top
| of the list of priorities".... is this not one of the most
| disturbing, disgusting, psychologically troubling and damning
| ideas ever to be put to words/brought to awareness? . Right up
| there "let's meticulously plan out this horrific, atrocious,
| dehumanizing act and meditate upon the consequences, and then
| choose the most brutal and villainous option". Dear Lord....
| AnthonyMouse wrote:
| People are extremely opposed to pedos, so they're a primary
| rationalization for oppressive technology. But then you have
| two problems.
|
| First, pedos _know_ everybody hates them, so they take
| measures normal people wouldn 't in order to avoid detection,
| and then backdooring the tech used by everybody else doesn't
| work against them because they'll use something else. But it
| does impair the security of normal people.
|
| Second, there aren't actually that many pedos and the easy to
| catch ones get caught regardless and the hard to catch ones
| get away with it regardless, which leaves the intersection of
| "easy enough to catch but wouldn't have been caught without
| this" as a set plausibly containing zero suspects. Not that
| they won't use it against the ones who would have been caught
| anyway and then declare victory, but it's the sort of thing
| that's pretty useless against the ones it's claimed to exist
| in order to catch, and therefore not something it _can_ be
| used effectively in order to do.
|
| Whereas industrial espionage or LOVEINT or draining grandma's
| retirement account or manipulating ordinary people who don't
| realize they should be taking countermeasures -- the abuses
| of the system -- those are the things it's effective at
| bringing about, because ordinary people don't expect
| themselves to be targets.
| dsign wrote:
| > is this not one of the most disturbing, disgusting,
| psychologically troubling and damning ideas ever to be put to
| words/brought to awareness? .
|
| Hmm? Hell has depths. Your yard might be a little too short
| to measure them? In that case, just think about this: rape is
| probably most common in prisons, where you will send
| innocents the moment this dragnet thing glitches.
| gerdesj wrote:
| "Especially in the UK which operates as a paternalistic state
| and enjoys authoritarian support across all parties."
|
| What is a "paternalistic state". I studied Latin so obviously I
| understand pater == father but what is a father-like state?
|
| What on earth is: "authoritarian support across all parties".
|
| The UK has one Parliament, four Executives (England, Northern
| Ireland, Scotland, Wales) and a Monarch (he's actually quite a
| few Monarchs).
|
| Anyway, I do agree with you that destroying routine encryption
| is a bloody daft idea. It's a bit sad that Apple sold it as an
| extra add on. It does not cost much to run openssl - its proper
| open source.
| catlikesshrimp wrote:
| In medicine, a paternalistic attitude towards the patient
| from a point of authority (like a father) The doctor acts as
| if he knows more and knows what is better. The patient has
| his own preferences and priorities, but they don't
| necessarily match with what the doctor does.
|
| I suppose a paternalistic state functions to satisfy the
| needs of the people, and to define those needs. The people
| get what the state says is best for them.
| walthamstow wrote:
| Paternalism, unless I'm mistaken, is a belief among those in
| power that they what's best for you, better than you do, and
| will exercise power on your behalf in that manner. Just like
| your parents do when you're a child.
| ljm wrote:
| Government knows what's best for the people (colloquially we
| call it the nanny state).
|
| All our main political parties have an authoritarian slant so
| these policies have rarely received long-lasting opposition.
| Literally every government in office for the past 30-odd
| years has presented legislation like this.
| elAhmo wrote:
| > the government has the mistaken belief that their back door
| will know the difference between the good guys (presumably
| them) and the bad guys
|
| This is a very good point, and in the recent months we have
| been witnessing that people in government, or aiming to become
| the government, are definitely not the good guys. So, even if
| what they are asking would be limited to just governments
| (which it wouldn't), they can't claim they are the good guys
| anymore.
| freedomben wrote:
| Devil's Advocate (meaning I don't agree with this, in fact I
| disagree with it, but I don't see this argument being made
| anywhere and think it would be interesting. If you're one of the
| people who are offended by this practice of people steel-manning
| "the other side" and only want to read comments that affirm your
| position, please don't read this comment).
|
| Question: Wouldn't it be better for Apple to build a UK-only
| encryption that is backdoored but is at least better than
| nothing? If Apple really cared about people's privacy, why just
| abandon them?
|
| My position: No because this is a war, not a battle. Creating a
| backdoored encryption would immediately trigger every government
| on the planet passing laws banning use of non-back-doored
| encryption, which would ultimately lead us to a much, much worse
| world. Refusing to do it is the right thing IMHO.
| cat_meowpspsps wrote:
| The UK's law here is specifically targetting encrypted data
| globally.
|
| > The UK government's demand came through a "technical
| capability notice" under the Investigatory Powers Act (IPA),
| requiring Apple to create a backdoor that would allow British
| security officials to access encrypted user data globally.
| everfree wrote:
| Without Advanced Data Protection, your data is still encrypted
| at rest, it's just that Apple safeguards the encryption key.
| The purpose of ADP is to remove control of this key from Apple,
| so that it's impossible for Apple to leak your data to any
| third party, even if they are compelled to.
|
| So to me, backdoor encryption seems like it defeats the whole
| point of ADP, no? But if not - even if there is some tiny
| marginal benefit - cryptography is extremely expensive to get
| right. It's doubtful that it makes financial sense to Apple to
| develop a new encryption workflow for a single country for very
| slight security benefits.
|
| And it still wouldn't be complying with the UK's demands
| anyways. The UK demanded access to accounts worldwide. If Apple
| is going to be non-compliant, then they might as well be non-
| compliant the easy way.
| nomilk wrote:
| Wonder what the cost/benefit looks like from Apple's perspective.
|
| If this requirement increases the proportion of data on Apple's
| servers that is now unencrypted (or encrypted but which _can_ be
| trivially unencrypted), that could be a huge plus to Apple; more
| data to use for ad targeting (or to sell to third parties), and
| more data to train AI models on.
| smashah wrote:
| Notice all the undemocratic dictatorships that did not require
| this of apple. The UK is in decline completely.
| Kim_Bruning wrote:
| The current EU-UK adequacy decision[1] is up for review this 27
| June [2] .
|
| Aspects of the UK investigatory powers act is close enough to US
| FISA [2] that I think this might have some influence, if brought
| up. IPA 2016 was known at the time of the original adequacy
| decision, but IPA was amended in 2024 . While some things might
| be improvements, the changes to Technical Capability Notices
| warrant new scrutiny.
|
| Especially seeing this example where IPA leads to reduced
| security is of some concern, I should think. The fact that
| security can be subverted in secret might make it a bit tricky
| for the EU to monitor at all.
|
| [1] https://eur-lex.europa.eu/legal-
| content/EN/TXT/HTML/?uri=CEL...
|
| [2] ibid. Article 4
|
| [3] FISA section 702
| https://www.govinfo.gov/content/pkg/BILLS-110hr6304pcs/html/...
| cynicalsecurity wrote:
| Could this have been a reason UK pushed to separation from the
| EU?
|
| EU is all for privacy while UK is slowly drifting towards
| becoming a Stasi state.
| nickslaughter02 wrote:
| No, EU is NOT "all for privacy". I don't know where this myth
| comes from but I see it repeated here often.
|
| 1. EU is pushing for mandatory on-device scanning of all your
| messages (chat control). The current proposal includes scanning
| of all videos and images all the time for all citizens. The
| proposal started with analyzing all text too. The discussions
| are happening behind close doors. EU Ombudsman has accused EU
| commission of "maladministration", no response.
|
| 2. EU is allowing US companies to scan your emails and messages
| (ePrivacy Derogation). Extended for 2025.
|
| 3. EU is pushing for expansion of data retention and to
| undermine encryption security (EU GoingDark).
|
| "The plan includes the reintroduction and expansion of the
| retention of citizens' communications data as well as specific
| proposals to undermine the secure encryption of data on all
| connected devices, ranging from cars to smartphones, as well as
| data processed by service providers and data in transit."
| https://www.patrick-breyer.de/en/eugoingdark-surveillance-pl...
|
| 4. EU is pushing for mandatory age verification to use email,
| messengers and web applications. Citizens will be required to
| use EU approved verification providers. All accounts will be
| linked back to your real identity.
|
| 5. "Anonymity is not a fundamental right": experts disagree
| with Europol chief's request for encryption back door (January
| 22, 2025)
|
| https://www.techradar.com/computing/cyber-security/anonymity...
|
| -----
|
| Do you still believe EU is all for privacy? EU's privacy is
| deteriorating faster than in any other developed country /
| bloc. Some of these proposals have been blocked by Germany for
| now but that is expected to change after the upcoming
| elections.
| dumbledoren wrote:
| < EU is pushing for mandatory on-device scanning of all your
| messages (chat control)
|
| Again and again, 'Eu' is not pushing anything like that. A
| few Euparl MPs backed by those like Ashton Kutcher did.
|
| > Eu isnt 'planning' anything like that. Some Euparl MPs
| backed by people like Ashton Kutcher tried to push a law to
| spy on all chat apps. Then when the dirty web of American-
| style regulatory manipulation was exposed, they backed off.
| It was a proposal for a law by some MPs. Not something 'Eu'
| did.
| nickslaughter02 wrote:
| How can you say EU isn't planning anything like that when
| the last meeting to introduce just that was a few weeks
| ago?
|
| https://www.parlament.gv.at/dokument/XXVIII/EU/9693/imfname
| _...
|
| Nobody backed off, it's still on the agenda. You are right
| however that the main lobby comes from US NGOs as exposed
| by documents coming from EU Commission.
| rdm_blackhole wrote:
| This is blatantly false.
|
| The EU has been pushing to pass the Chat Control law for the
| last 3 years which is even worse because at least in the UK the
| government would still need to get a warrant for the data they
| want whereas the EU wants to analyze your chat messages, emails
| and pictures in real time without cause or need to justify
| themselves.
| izacus wrote:
| The Chat Control law was voted down and it would not apply
| for UK if they'd still be in EU.
| rdm_blackhole wrote:
| See my comment above, it doesn't matter that it was voted
| down. The point is that it was allowed to go to a vote in
| the first place.
|
| How do you square being pro privacy but at the same time
| demanding to have unlimited access to all chat messages,
| emails, pictures and so on of all your citizens without the
| need for a warrant, without justification and without the
| citizens having any say on the matter?
|
| The answer is that you can't. You either are for privacy or
| you are not.
|
| As for not applying to the UK, that is a moot point because
| as soon as the EU gets it's wish then the UK will demand
| the same kind of access. Why would the UK government turn
| down such an opportunity?
| nickslaughter02 wrote:
| It has been voted down _twice_ now. Guess what? That doesn
| 't mean it's dead. It's being worked on as we speak. The
| last meeting was just a few weeks ago.
|
| https://www.parlament.gv.at/dokument/XXVIII/EU/9693/imfname
| _...
| dumbledoren wrote:
| > Again and again, 'Eu' is not pushing anything like that. A
| few Euparl MPs backed by those like Ashton Kutcher did.
| rdm_blackhole wrote:
| The EU is pushing for this. The EU "Going Dark" group is
| pushing for this as well as per https://edri.org/our-
| work/high-level-group-going-dark-outcom...
|
| The fact of the matter is that if the EU was, as it's been
| said, for privacy this proposal would not have been on the
| table in the first place. It should have been stopped 3
| years ago but here we are again fighting for our rights and
| our privacy.
|
| And it doesn't matter how many times it gets shot down by
| some of the countries in the EU, the commission changes a
| few words and starts the process all over again because
| they know that sooner or later they will get it through.
|
| You can't have it both ways. You either are for privacy or
| you are not. If you are then this proposal should never
| have seen the light of the day and the people pushing for
| it should have been given a warning that this was off-
| limits.
|
| Instead they are biding their time so that when the time is
| right they can come back with a slightly altered but still
| incredibly damaging proposal hoping that it will pass.
|
| The EU pro-privacy stance is joke. They want access to the
| same data as the US except they don't have the courage to
| come out and say it so they wrap it in a nice little gift
| bag with the words "protect the children" on it.
|
| This is hypocrisy in it's purest form. Then some
| governments in the EU have the gall to call out
| authoritarians regimes around the world when they crack
| down on dissent and free speech? Give me a break!
| adfm wrote:
| It's a drag that we're seeing this crap happen, but
| authoritarians will be authoritarians. What's the general opinion
| of tools like Cryptomator? [^1]
|
| [^1]: https://cryptomator.org
| leonewton253 wrote:
| They should of forced ADP on by default and this would of never
| happened.
| commandersaki wrote:
| That would alienate users due to key management complexity.
| Apple is about having a smooth user experience.
| blitzar wrote:
| Apple processes multiple orders of magnitude more account
| recoveries for customers each day than receive government
| requests.
| int_19h wrote:
| The problem with that is that if the user loses their key,
| their account is no longer recoverable. As things are with ADP,
| enabling it comes with a bunch of warnings about that, and IIRC
| it also forces you to print out the recovery key for safe
| storage.
| IceHegel wrote:
| I'm sympathetic to the J.D. Vance angle, which is that European
| governments are increasingly scared of their own people. This is
| not doing a lot to change my mind.
| pathless wrote:
| This unexpected news really cemented that point for him.
| Cornbilly wrote:
| The unspoken part of that is Vance likely thinks that the
| people should fear their government.
| bilbo0s wrote:
| True.
|
| It's a very unwise position Vance takes.
|
| The world would clearly be better run if all governments
| feared their people, than it would if all people fear their
| governments.
|
| The UK can pull this kind of stuff precisely because they do
| _not_ fear any consequences from their people.
| duxup wrote:
| I think the US government has made these kinds of requests too,
| similar tactics such as mass data collection without a warrant
| and so on.
|
| I don't think it is "scared" as much as just the usual human
| desire to do whatever the task is ... without thinking of the
| consequences.
| deelowe wrote:
| Then Vance should do something about the 5 eyes which is likely
| the source of this sort of thing.
| mihaaly wrote:
| Very wrong conclusions.
|
| They are not scared of people, but of working, doing their job,
| especially when it is difficult (catching criminals). They
| expect the job to be done for them by others, on the expense of
| everyone, while they collecting all the praise.
|
| On sympathetic to Vance I did not really found a presentable
| reaction, would not find on any other accidentally agreeable
| sentence leaving his mouth (very low chance btw.). Talking a
| lot about all kind of things sooner or later will hit something
| acceptable, which will not yield an unacceptable and
| destructive to society figure sympathetic.
|
| You also should be aware of practices and conducts the various
| US security services practice (and probably all governemnts out
| there), if not from news or law but at least from the movies.
| When we come to the topic of who is afraid of their own.
| RIMR wrote:
| Well put. It's pretty much impossible to sympathize with
| Vance saying this when the administration he is a part of is
| scaremongering about "the enemy within".
| rdm_blackhole wrote:
| Exactly, it's the same thing with the Chat Control law in the
| EU and it reminds me of the scene in the movie Office Space
| where the consultants are trying to figure out who is doing
| what in the company.
|
| Basically instead of doing their jobs, the cops expect Apple,
| Meta et al to intercept all the data, then feed it into some
| kind of AI black box (not done by them but contracted out to
| someone else at the taxpayer's expense) that will then decide
| if you get arrested within the next 48H (I am exaggerating
| but only slightly)
|
| What are the cops doing instead of doing their jobs? That's
| my question. Aren't they paid to go out and catch the
| criminals or do they simply expect to get the identity of
| people each day that need to be investigated?
| kelnos wrote:
| Governments _should_ be scared of their people, though not in
| the way that I expect Vance means.
|
| It's certainly better than the opposite, where citizens and
| residents are scared of their government, which wields the
| power to deprive them of their freedom, possessions, and life.
| dennis_jeeves2 wrote:
| >Governments should be scared of their people, though not in
| the way that I expect Vance means.
|
| A guillotine once in a while for some politicians/bureaucrats
| will do some good. There is a rich history of the French
| doing it. I'm not even trying to be funny.
| gnfargbl wrote:
| To give you a counterpoint: from this side of the pond it is
| extremely surprising to see how effective Vance's speech has
| been in _distracting_ a good proportion of the American public.
| Which, I have to suspect, was the real point.
| dtquad wrote:
| J.D. Vance's problem with Europe is that we have too many brown
| people.
|
| As a very privacy-oriented European I don't need American alt-
| right populists to concern troll about surveillance and privacy
| in Europe.
| bongodongobob wrote:
| What the fuck? They _should_ be. They absolutely aren 't right
| now and that's a major problem.
| odiroot wrote:
| On our continent, the obvious solution to every problem under
| the sun is "more state".
| randunel wrote:
| You might be unaware of FATCA, then.
| blitzar wrote:
| I am unsympathetic to those that lecture others on not doing
| the very thing they are doing.
| retinaros wrote:
| lol. ask JD Vance what he thinks about Assange or Snowden.
| als0 wrote:
| Is there a way for a UK iPhone to circumvent the warning and
| enable ADP? Like connecting through a VPN?
| mrandish wrote:
| > Online privacy expert Caro Robson said she believed it was
| "unprecedented" for a company "simply to withdraw a product
| rather than cooperate with a government".
|
| > "It would be a very, very worrying precedent if other
| communications operators felt they simply could withdraw products
| and not be held accountable by governments," she told the BBC.
|
| Attributing this shockingly pro-UK-spy-agencies quote to an
| "online privacy expert" without pointing out she consults for the
| UN, EU and international military agencies is typical BBC pro-
| government spin. In fact, Caro, it would be "very, very worrying"
| if communications operators didn't withdraw a product rather than
| be forced to make it deceptive and defective by design.
| AlanYx wrote:
| Many people might not be aware of it, but Apple publishes a
| breakdown of the number of government requests for data that it
| receives, broken down by country.
|
| The number of UK requests has ballooned in recent years:
| https://www.apple.com/legal/transparency/gb.html#:~:text=77%...
|
| Much of this is likely related to the implementation and
| automation of the US-UK data access agreement pursuant to the
| CLOUD Act, which has streamlined this type of request by UK law
| enforcement and national security agencies.
| sva_ wrote:
| Looking at the ones for Germany, those seem like rookie numbers
|
| https://www.apple.com/legal/transparency/de.html#:~:text=77%...
| AlanYx wrote:
| It's also comparatively worse than the raw numbers suggest
| because the customer base of Apple phones in Germany is much
| smaller than in the UK.
| crossroadsguy wrote:
| I see numbers for USA and China very low as well.
|
| Maybe they don't _have /need to_ request? ;-) Just saying.
| dvtkrlbs wrote:
| The problem is AFAIK this act is a lot different and Apple or
| any party that gets this order is completely forbidden to talk
| about it. So these kind of requests would not show up in this
| transparency requests. It is IMHO fair to assume Apple will UK
| this backdoor given they chose to disable Advanced Data
| Encryption and public would have no insight to amount and
| reasons to the backdoor usage. It is really troubling.
| HaZeust wrote:
| I don't share your findings, EVERY six-month period between
| January 2014 - June 2017 shows bigger requests than any six-
| month period in the last 5 years.
| EasyMark wrote:
| Sad to see the home of the magna carta slowly spiraling down
| into fascism and 1984. The government should be required to
| have a specific warrant to get at your personal data.
| fdb345 wrote:
| Are anyone of you lot getting the realisation onto why they are
| pushing Passkeys so hard?
|
| They know they access 8 out of 10 phones they seize.
|
| DONT USE PASSKEYS
| butterknife wrote:
| If you're in the UK, please consider signing the below petition.
| Thanks.
|
| https://you.38degrees.org.uk/petitions/keep-our-apple-data-e...
| wrboyce wrote:
| I never understand why people create petitions (targeted at the
| gov) on a non-official site.
| Aachen wrote:
| I'm not familiar with UK law, but what's the matter? They're
| equally valid in jurisdictions that I know of, a signature is
| a signature no matter where it was put
|
| I'd personally just trust the government variant more with my
| government ID data than a third party but that's up to the
| petitioners to weigh and decide
| -__---____-ZXyw wrote:
| Workers in tech jobs over the past few decades are the ones who
| are primarily to blame for the total degradation of the very
| notion of privacy, and our societies are, I think, reaping the
| consequences of this now in many ways.
|
| This story didn't spring up out of nowhere, like a monster from
| under the bed. It's been a gradual decline since, let's say, the
| 90s or so.
|
| I don't want to be vulgar, but the people who understood the best
| what was happening were mostly too busy taking large paychecks to
| get too upset about the whole thing. It got explained away,
| rationalised, joked about, and here we are.
| mihaaly wrote:
| Easier to push away the blame for a foot soldier, claiming to
| do things on orders or claiming to be absolutely f clueless
| where it leads, one is worse than the other. Thousands had to
| make this work and function as it is.
|
| Still, this is a different topic than the government use of law
| enforcement for preserving the shity situation that was built
| by the industry and its actors just when the trend becomes of
| fixing what was made to be crap, just when people want to
| correct the f up of the ignorant collaborants.
| ianopolous wrote:
| If anyone's looking for open-source, self-hostable, E2EE storage
| then checkout Peergos (disclaimer: lead here):
|
| https://peergos.org
| cluckindan wrote:
| The UK backdoor means US and other FVEY states are able to freely
| request any person's private data from GCHQ.
| anoncow wrote:
| >Online privacy expert Caro Robson said she believed it was
| "unprecedented" for a company "simply to withdraw a product
| rather than cooperate with a government.
|
| That is such a self serving comment. If Apple provides UK a
| backdoor, it weakens all users globally. With this they are
| following the local law and the country deserves what the rulers
| of the country want. These experts are a bit much. In the next
| paragraph they say something ominous. >"It
| would be a very, very worrying precedent if other communications
| operators felt they simply could withdraw products and not be
| held accountable by governments," she told the BBC.
| yunesj wrote:
| Fake privacy experts like Caro Robson need to be held
| accountable.
| Aachen wrote:
| I often notice journalistic pieces interview people and then
| use maybe 30 seconds' worth of material from a 20-minute
| interview. The "expert" could have condemned it in any number
| of ways until the topic of applying data protection laws came
| up and she said that companies need to be held accountable
| (could be about GDPR, could be about snooping laws) which the
| journalist then quoted, not out of malice but because
| everyone already condemns it and this is the most interesting
| statement of the interview
|
| Anyway, so while I don't think we should condemn people based
| on such a single quoted sentence... I took a look at her
| website and the latest video reveals at 00:38 that she worked
| for the UK crime agency, which does sound like the one of the
| greatest possible conflicts of interest for someone called
| upon for privacy matters rather than crime fighting. Watching
| the rest of that interview, she approaches it fairly
| objectively but (my interpretation of) her point of view
| seems to be on the side of "even with this backdoor, a
| warrant needs issuing every time they use it and so there's
| adequate safeguards and the UK crime fighters and national
| security people should just get access to anything they can
| get a warrant for"
| mistercow wrote:
| Assuming you've framed it fairly, that's a pretty atrocious
| point of view for someone calling themselves a privacy
| expert to hold. A privacy expert should know that backdoors
| are dangerous to privacy even if you trust the people who
| are supposed to have the keys.
| boxed wrote:
| Governments forcing companies from other countries to do
| business in their country seems like the worrying precedent to
| me.
| kelnos wrote:
| It's also just false. Google pulled out of China many years ago
| because they didn't want to bow to the Chinese government's
| demands.
|
| And they didn't just withdraw a product, they withdraw their
| entire business.
| kshacker wrote:
| I wonder what the impact of Apple withdrawing from China will
| be. I know we are talking about UK, but this made me think.
|
| Not only their sales will reduce, but hey Chinese
| manufacturing cuts down. By how much? Will it be impactful? I
| would think so but wonder if it is quantifiable.
| sneak wrote:
| Almost all iPhones are made in China. They cannot pull out
| without shutting down.
|
| They make on average 60,000 ios devices there every hour,
| 24 hours a day, 365 days a year.
| samldev wrote:
| Your math adds up to 525,600,000 iOS devices per year.
| That can't possibly be right
| helloplanets wrote:
| > In 2023, Apple shipped 234.6 million iPhones, capturing
| 20.1% market share and growing 3.7% year over year,
| according to IDC data. [0]
|
| So, probably not 525.6 million iOS devices a year, but
| safe to assume it's going to be 300+ million for 2025.
|
| 35k devices an hour, give or take.
|
| [0]: https://www.forbes.com/sites/johnkoetsier/2024/01/16
| /apple-1...
| medwezys wrote:
| Apple has more devices than iPhones, so the OPs numbers
| are not unbelievable
| mianos wrote:
| Google pulled out but their phones are made in China.
| When push comes to shove money always wins still in
| China.
| aqueueaqueue wrote:
| "a product" and "cooperate" are doing so much work in that
| statement that they collapsed and look like ________ and
| ________
|
| They re-emerged as "security feature" "add vulns to security
| features to make it an insecurity feature"
| StanislavPetrov wrote:
| >Online privacy expert Caro Robson
|
| Ironic to refer to her as a "privacy expert" given her open
| hostility to privacy.
| throwaway106382 wrote:
| >"It would be a very, very worrying precedent if other
| communications operators felt they simply could withdraw
| products and not be held accountable by governments,"
|
| This would actually be a very very very very VERY GOOD
| precedent if you ask me.
|
| Facebook pulled something similar when Canada passed the Online
| News Act and instead of extorting facebook to pay the media
| companies for providing a service to them (completely
| backasswards way to do things), they just pulled news out of
| Canada. I despise Meta as a company, but I had to give them
| credit for not just letting the government shake them down.
|
| Good riddance. Governments need to be reminded from time to
| time that they are, in fact, not Gods. We can and should, just
| take our ball and go play in a different park or just go home
| rather than obey insane unjust laws.
| donbox wrote:
| I love their products: whatsapp and facebook
| sandblast wrote:
| Why?
| rapjr9 wrote:
| This is actually an increasing concern, that large
| multinational companies are so powerful that they don't have to
| obey governments any more, and can instead blackmail them by
| withdrawing products. Pornhub has done this in US states. Meta
| has threatened to do it in various countries. There has always
| been pushback to regulation from powerful companies, but
| punishing countries by withdrawing products seems to be used as
| a tactic more often recently. There are other tools of power
| companies use as well, like deciding where to create jobs and
| build facilities. Musk has used that, moving from California to
| Texas. Defence and oil companies use these tactics also.
| adultSwim wrote:
| Google News pulling out of Spain..
| anoncow wrote:
| I disagree but respect your opinion. Companies have the right
| to free speech. In the tussle between regulators and
| companies, companies are disadvantaged. If we can force
| companies to do the regulators bidding and not allow them to
| use free speech to act in their best interests, we would have
| global tyranny. The regulators and companies both acting
| towards their own goals with freedom allows us to have a
| world with balance.
|
| I believe in this however I think we are testing limits of
| this approach with scenarios like the one with encryption.
| Ideally privacy needs E2E encryption. But concerns on misuse
| of such technology that governments raise are also not
| without merit. I wonder if this tussle between regulators and
| companies can end in any way in which privacy is not
| compromised. Mathematically it doesn't seem that there is a
| way to be safe and private.
| rhaksw wrote:
| > In the tussle between regulators and companies, companies
| are disadvantaged.
|
| When society once again properly separates governmental
| powers, it will restore balance, and then companies will no
| longer need to fear "regulators."
|
| In the US, businesses are _supposed_ to be regulated by
| Congress. That way, if Congress does something foolish, we
| can vote them out.
|
| But in the last 100 years or so, "administrative law"- that
| is, binding regulations created by the Executive branch-
| has become a huge part of law-making [1]. Widespread use of
| Administrative Law allows Congress to wash its hands of any
| real decision making.
|
| It isn't supposed to be this way, and I think we will find
| our way out of it.
|
| Your statement that companies are disadvantaged only rings
| true because _Executive_ -branch regulators are not held to
| account. Lower-level staff generally do not rotate from
| administration to administration, and so they make tons of
| binding rules without oversight. Fortunately, SCOTUS
| recently overturned some of this [2].
|
| The fundamental problem is that the separation of powers,
| which is where America's strength comes from, has been
| upended. Power has been collected, by parties on all sides,
| within the Executive branch. It's supposed to be, Congress
| writes law, Judiciary interprets law, and the Executive
| enforces law. The Administrative State, however, combines
| all three powers into one under the Executive. It gives
| itself executive agencies that can bind citizens, and its
| own courts (ALJs) to determine their fate. See [1] for a
| comprehensive review.
|
| [1] https://press.uchicago.edu/ucp/books/book/chicago/I/bo1
| 74366...
|
| [2]
| https://www.supremecourt.gov/opinions/23pdf/22-451_7m58.pdf
| AutistiCoder wrote:
| How many UK people who haven't heard of ADP will now enable it?
| SirMaster wrote:
| Well this is double plus ungood...
| mmaunder wrote:
| Not relevant to the Apple story but as a general comment on UK
| surveillance/search/detainment laws: Five Eyes means the US just
| needs to get their citizen into the UK for their partner to gain
| access that the US doesn't have to their citizen. The reciprocity
| possibilities are endless.
| ancorevard wrote:
| Deep betrayal by Apple.
|
| "privacy is a fundamental human right" - Tim Cook.
| Zufriedenheit wrote:
| Does Apple offer this type of encryption in China?
| edge17 wrote:
| Are there non-icloud backup options? There used to be local
| encrypted backups through itunes, but I can't tell if that
| feature is still around.
| aqueueaqueue wrote:
| ITunes but it is a PITA. Do a test backup restore too. It may
| not restore if the phone was nearly full (maybe 80%) when
| backed up.
| commandersaki wrote:
| Still exists but now backup is integrated into Finder. You can
| also do encrypted backup on Windows but I forgot what the app
| is called (from Apple).
| mattfrommars wrote:
| Could this be the catalyst for the rise of third party encryption
| companies that operate in UK? Or perhaps, rise to third party
| self host E2E cloud solution?
|
| Only time will tell.
|
| I've already invested in USB storage :)
| ein0p wrote:
| How do you like your "liberal democracy", UK-ians? Is that
| democratic enough for you yet? Do you feel in control?
| EGreg wrote:
| Why can't governments simply compel every software developer to
| create a backdoor, or go to jail?
|
| If even one government does it, then the backdoors exist
| globally. Here is an overview of the global situation:
| https://community.qbix.com/t/the-global-war-on-end-to-end-en...
| sensanaty wrote:
| Lol so much for the privacy-first Apple BS everyone keeps touting
|
| If they had any balls whatsoever they would've rejected this and
| pulled out of the UK, but of course money comes before anything
| else.
| 1vuio0pswjnm7 wrote:
| This provides an incentive for Apple computer users to do the
| right thing: Stop storing sensitive data on Apple servers.
| Unfortunately, due to Apple's pre-installed proprietary operating
| systems that phone home incessantly, that may be more challenging
| than it should be.
| keepamovin wrote:
| They are not the first country to do this. Apples advanced
| security features are rolled out non-uniformly across global
| markets. You get different capabilities, depending on where you
| are and where your account is resident, it would be great if
| there was a website that listed the countries and the security
| protections Apple provides in those countries.
| reader9274 wrote:
| "Existing users' access will be disabled at a later date."
|
| Hmmm how? How can they decrypt your already end-to-end encrypted
| and uploaded data without you entering the passphrase to do so? I
| can understand them removing the data from iCloud completely, or
| asking you to send the keys to Apple, but I don't understand how
| they can disable the feature for already uploaded data.
| mu53 wrote:
| I am going to say something a bit controversial around here,
| but all of this E2E and security stuff is just lip service for
| marketing to consumers.
|
| These companies have to comply with so many laws and want cozy
| relationships with governments, so they play both sides. It
| likely does things differently, but if the keys are not secure,
| then its not secured
| Aloisius wrote:
| They will lock UK users out of iCloud until they manually
| disable ADP.
|
| When a user turns off ADP in settings, their device uploads the
| encryption keys to Apple servers.
| reader9274 wrote:
| What if the users don't agree to disable ADP? So if one pays
| for iCloud+, they'll be refunded? And what happens to their
| already uploaded data? Is it deleted?
| sneak wrote:
| This is almost the status quo in the USA, given that nobody turns
| on the optional e2ee anyway.
| nisten wrote:
| ok so while being AI safety concerned.. uk politicians go ahead
| and remove humanity's single logical control tool that they have
| to keep AI in check.. encryption maths.
|
| gg
| dk1138 wrote:
| The more I live I'm less concerned about what are often described
| as "bad actors". The bad actors are often the state, and this
| kind of information is collected without thought to the risk of
| future politicians who don't follow the rules or who don't have
| any respect for the laws.
| wcerfgba wrote:
| States are not inherently good, they are just large
| organisations with a monopoly on certain social functions. All
| large organisations have the capacity to inflict terrible harm.
| IceHegel wrote:
| Through all history state security has been a thing. The Stasi
| and KGB are transparently state security forces to the West,
| but the CIA and MI5/6 are... what exactly?
|
| The primary purpose of these agencies, despite what has been
| written down on paper, is NOT to protect the citizens of the
| countries that fund them. It is to protect the system that
| taxes those citizens.
| ajdude wrote:
| Related discussion:
|
| U.K. orders Apple to let it spy on users' encrypted accounts
| (washingtonpost.com) 762 points by Despegar 14 days ago | 1070
| comments https://news.ycombinator.com/item?id=42970412
| willtemperley wrote:
| What the UK government achieved:
|
| Lowering the data protection of it's citizens in comparison to
| the rest of the world.
|
| I was under the impression governments were supposed to protect
| their citizens.
| bruce511 wrote:
| >> Lowering the data protection of it's citizens in comparison
| to the rest of the world. I was under the impression
| governments were supposed to protect their citizens.
|
| This depends on whether you see "citizens" as individuals or as
| a group. In other words it's possible that to improve the
| security (and thus protect) the majority, the rights of
| individual citizens need to be eroded.
|
| For example, to protect vulnerable citizens from crime (the
| cliche of child porn is useful here, but it extends to most-all
| crime) it's useful for prosecutors to be able to collect
| evidence against guilty parties. This means that the erosion of
| some privacy of those parties.
|
| Thus the govt balances "group security" with "individual
| privacy". It has always been so. So to return to your original
| hypothesis;
|
| >> Lowering the data protection of it's citizens in comparison
| to the rest of the world. ... and also, making it easier to
| detect and prosecute criminals, and thus protect the citizens
| from physical harm.
|
| Now, of course, whenever it comes to balancing one thing
| against another, there's no easy way to make everyone happy. We
| all want perfect privacy, coupled with perfect security. Some
| will say that they'll take more privacy, less security - others
| will take more security and less privacy. Where you stand on
| this issue of course depends on which side you lean.
|
| More fundamentally though there's a trust issue. Citizens
| (currently) do not trust governments. They assume that these
| tools can be used to harm more than just criminals. (They're
| not wrong.) If you don't trust the govt to act in good faith
| then naturally you choose privacy over security.
| arccy wrote:
| the government's monopoly on force just means they're thugs
| most people tolerate...
| LAC-Tech wrote:
| At some point, we need to stop being surprised at authoritarian
| countries doing authoritarian things.
|
| Here's hoping the inevitable regime change will be a peaceful
| one.
| bigfatkitten wrote:
| It's just a shame that Apple didn't include the contact details
| for the Home Office officials responsible as the place for
| inquires regarding the matter.
| codedokode wrote:
| This is a good reminder that the one who cares about privacy and
| security cannot rely on closed-source products from commercial
| companies; don't be deceived by marketing slogans.
| 6510 wrote:
| Being locked into an ecosystem seems really nice.
|
| The problem is that you don't really know your future jailer.
| sholladay wrote:
| So many questions around this that need answering, such as:
|
| 1. What happens if I have ADP enabled and then visit the UK? Will
| photos I take there still be E2E encrypted? If not, will I be
| notified? I realize that at the moment the answer is yes, that
| for now, they are only disabling ADP enrollment. But they are
| planning to turn it off for everyone in the UK in the future. So
| what happens then?
|
| 2. If they make an exception for visitors, such as by checking
| the account region, then obviously anyone in the UK who cares
| about security will just change their account region - a small
| inconvenience. Maybe this will be a small enough group that the
| UK government doesn't really care, but it could catch on.
|
| 3. Is this going to be retroactive? It's one thing to disallow
| E2E encryption for new content going forward, where people can at
| least start making different decisions about what they store in
| the cloud. It's an entirely different thing for them to remove
| the protection from existing content that was previously promised
| to be E2E encrypted. When they turn off ADP for people who were
| already enrolled, how is their existing data going to be handled?
|
| This is bad news and it is going to be messy.
| sureIy wrote:
| These are important questions, particularly 2 because even a
| layover in London or Dublin puts you under UK jurisdiction. So
| now you have to put that into account when traveling.
|
| The precedent here is China. I spent a few days in China and,
| as far as I know, my region is still <other country> and ADP is
| still active.
| biztos wrote:
| How does a layover in Dublin put you in UK jurisdiction?
|
| I have seen advice in big companies to only take a burner
| phone when going to China on business. Perhaps the same will
| apply to the UK.
| aryan14 wrote:
| Absolutely mental the kind of people that have power. Dealing
| with this like immature children.
|
| "We don't get what we want? We ruin it for everyone."
|
| Trying to backdoor a privacy feature for no real reason, just for
| the sake of having a backdoor. Pathetic
| blufish wrote:
| its a shame
| retinaros wrote:
| concessions afer concessions we gave away our freedom. the axis
| of good is mostly responsible for this but the opposition also
| wanted to remove anonymity and freedom from the web.
|
| no one fought when the democrats called snowden or assange
| russian spys for revealing clinton corruption. they just blindly
| sided with their own corrupt political party and gave away
| freedom. just like previous govs censored trump, banned political
| opponents they created a precedent and opened the door to the end
| of freedom. its now beyond politics, we should fight for the last
| moments of freedom we have before its too late.
| Ylpertnodi wrote:
| ...you go first. I'll applaud, and call everyone else over, if
| anything interesting happens.
| vegabook wrote:
| I live between France and the UK. How do I move my iCloud account
| out of Britain?
| QuiEgo wrote:
| The cloud is just someone else's computer. If you really, really
| care about privacy, self host.
| Aachen wrote:
| For those to whom that sounds scary: buy a regular consumer
| NAS. They run quite a few applications nowadays (besides being
| file storage as a base feature) and are meant to be setuppable
| by an average person
| AlgebraFox wrote:
| That works for nerds like us. But my sister or my non tech
| friends don't have knowledge to self host. It is like asking a
| person to do a surgery on themselves when they don't have
| medical knowledge. E2E services are very crucial for such
| normal people.
|
| How long do you think for governments to make it illegal to
| self host or backdoor Linux builds? They have already went too
| far by just asking backdoor to data of every single person on
| the planet. We should oppose such unethical laws rather than
| finding workarounds.
| QuiEgo wrote:
| > How long do you think for governments to make it illegal to
| self host or backdoor Linux builds?
|
| Probably never, it won't be worth the trouble because it's
| always going to be a fringe thing for the reasons you say :).
| One can hope anyways.
|
| Also, if the government decides I'm a baddie, they can always
| just show probable cause to a judge and come physically get
| my hardware, so they have a more traditional path there to
| handle weirdos like me already :).
|
| FWIW, I agree completely strong encryption in SAAS is
| necessary for privacy. But pragmatically, there's little hope
| laws like this won't eventually take root in more places. So
| the statement stands irregardless of the challenges: the
| cloud is just someone else's computer.
|
| One final note: I don't think E2E means what most people
| think it means unfortunately - lots of companies imply that
| you're the only one with access to the encryption keys when
| E2E is on, but if you read the fine print, it often really
| just says is the data is encrypted in flight, not what the
| policy is for protecting the data on the other "end."
|
| This is the awesome thing about ADP - they spell out the full
| policy in glorious detail.
| MagicMoonlight wrote:
| They keep asking for more and more ridiculous powers, but then
| someone on a terrorist watchlist will go and stab a bunch of
| toddlers. They don't need more powers, they need to just do their
| jobs.
| uni_baconcat wrote:
| Write to local MP and Home Office. This is totally unacceptable.
| rhubarbtree wrote:
| As a British citizen I am amazed at how much the government has
| invaded our privacy. I think it started after 9/11 when they
| first introduced terrorism laws and saw they could get away with
| it. I wonder if the ruling classes are nervous, given the state
| and direction of our economy and the inequality, as well as the
| iron grip a small part of the country has maintained on society.
| They are perhaps making preparations for a class revolt.
|
| Having said that, in practice to date the extraordinary powers
| the government has acquired are rarely used, eg to quell the race
| riots last year. It feels more like a risk for the future and
| that makes it harder to argue against now. One day this will hit
| the fan.
|
| I'm very curious, however, to see Americans criticise our
| government for its (mostly theoretical) overreach, whilst
| simultaneously the constitution of America is being torn to
| shreds by the actions of Musk and Trump, with some in the tech
| community even cheering on DOGE.
| yew wrote:
| Hm. I see them as connected - "we must confront our problems
| domestically before we fight them abroad."
| rhubarbtree wrote:
| Please could you expand? I'm very confused by what's going on
| in the states, particular the attitude in the tech community,
| so any clarity would be appreciated!
| yew wrote:
| Not particularly. The matter is no longer up for
| discussion. Silence and action are best.
| yew wrote:
| (Unsafety and fear always motivate silence and action.
| You might expect certain people to understand that better
| than most.)
| oddb0d wrote:
| Hopefully it'll spur growth of decentralised, distributed peer to
| peer mobiles like the new Holochain-based Volla Phone
| https://volla.online/en/
| MrCroxx wrote:
| I'm drunk. No offense. Why our world ends up like this.
| giorgioz wrote:
| > Caro Robson said she believed it was "unprecedented" for a
| company "simply to withdraw a product rather than cooperate with
| a government".
|
| She believes wrong. Google retreated from the Chinese market to
| not give in. Apple stayed in China and also banned VPNs on App
| Stores for Chinese customers. Kudos to Apple to not giving in to
| a backdoor in this case but some there companies took a even
| higher moral stand in some other situations, so there is
| precedent indeed.
| UnreachableCode wrote:
| What is stopping me from using something like Proton in the same
| way? Why does the UK government simply make an example out of
| Apple on this one?
| quitit wrote:
| What's stopping Apple from launching an AppleTV-esque device that
| functions as personal iCloud storage?
|
| The design of ADP is that even taking control of the data centre
| won't allow access to the information held within. Decentralising
| the service makes it significantly harder to write ham-fisted
| legislation that aims to prevent tech companies from offering
| secure products.
|
| Additionally there isn't a technical need for ADP to interface
| with iCloud. Apple could feasibly release free software for DIY
| ADP.
|
| My expectation is that either the UK will alter the law, or Apple
| will work around it. I don't think we're looking at the end of
| this.
| nobankai wrote:
| Commercial security is pure theatre at the end of the day.
| Apple could pretend to make a big stink, release a new
| encrypted Time Machine or leave the UK... but why? None of that
| makes them money. It's a band-aid for the user freedom that was
| amputated decades ago.
|
| I don't expect Apple to fight this like, say, the EU
| regulations. Without a profit incentive, it's hard to mobilize
| Apple to seek a solution.
| arccy wrote:
| > Apple > freely release
|
| If Apple can't get you to pay for it, it won't happen. They
| only pay as much lip service to privacy as they need for
| marketing purposes
| ej1 wrote:
| This is a great article!
| holoduke wrote:
| Reading all the comments here makes me sick. I really need to
| move to a remote place where people are not constantly bashing
| each other.
| mrkramer wrote:
| I always thought that metadata and circumstantial evidence is
| enough to incriminate someone. Do you really need plaintext data
| and communication to put criminals behind bars?
___________________________________________________________________
(page generated 2025-02-22 23:00 UTC)