Apple Ordered by UK to Create Global iCloud Encryption Backdoor
246 comments · February 7, 2025 · Lio
matthewdgreen
You're assuming that turning off ADP in the U.K. is sufficient to appease the British Government. The Investigatory Powers Act can also be interpreted to give the U.K. the right to ask for encrypted data from users outside of the U.K. (see Apple making this exact point in a filing here [1].) Turning off ADP in the U.K. doesn't end the controversy if that's what's at stake.
[1] https://bsky.app/profile/matthewdgreen.bsky.social/post/3lhl...
Spoom
I mean, "Apple refuses to hand over private data to government at cost of UK business" is a pretty good headline.
snapcaster
Yes, this would be something I would love to read
lenerdenator
Give me that sort of commitment to privacy and translucent colorful cases for future Macs and Tim Apple's got my money for the next five years at least.
hackernewds
I will stop using a service or hardware that could grant peeking rights into my folders to a possible administration like the one currently in the US. On day 1, zero hesitation
ForHackernews
I have bad news for you...
bilekas
> requires that Apple creates a back door that allows UK security officials unencumbered access to encrypted user data worldwide
How could this even be enforced if Apple pulls cloud services out of the UK?
It's such a ridiculous request, the British Intelligence agencies must be bored coming up with new ways to make Apple look good.
bnjms
> the British Intelligence agencies must be bored coming up with new ways to make Apple look good.
We know they collude with US intelligence services
scarface_74
But as far as we know there is no encryption back door
tacomagick
"As far as we know" is the most important part.
spiderfarmer
We know.
hk1337
By collude, you mean responding to subpoenas they are legally obliged to respond to?
thinkingtoilet
Of course that's a thing. However, anyone who's ever read a history book has a pretty good reason to be suspicious it ends there.
mdhb
Collude is such a fucking weird word to describe an alliance.
cmsj
Apple still has legal entities in the UK. Pulling out cloud services would be insufficient to prevent the UK authorities from interfering with their activities.
bilekas
> prevent the UK authorities from interfering with their activities
I'm still missing how this could be enforced? To my layman understanding, this reads the same as if China said: "Meta, Tesla, Valve etc. have entities in China, therefore we get to see all data they store in the EU and the US."
The UK has Zero jurisdiction in Ireland for example where a lot of EU data may be stored.
elashri
I have lived to the day that we give an example of China not doing something stupid a western democracy does about rights and freedom. Wild times to be alive. I am also surprised that they demand worldwide access and not just UK users' data or all the data stored in UK jurisdiction. But this is going too far.
insane_dreamer
> I'm still missing how this could be enforced?
By banning Apple from doing business in the UK.
The US used a similar strategy decades ago to break Swiss Bank Secrecy laws (either Swiss banks had to give up the info or they were going to be kicked out of the US).
piltdownman
Sadly jurisdiction has nothing to do with it.
https://www.irishtimes.com/business/technology/uk-spy-base-g...
This is not just a case of the British intelligence services secretly “tapping into” Irish telephonic and internet traffic via land and maritime cables. Rather in most cases they are being provided free (or commercial) access to the information by companies associated with the use, ownership or maintenance of these cables.
Post-Snowden the Irish government retroactively legalised it...
amelius
> I'm still missing how this could be enforced?
Basically by saying that if they don't comply, they can't do business in the UK.
layer8
It would be enforced by fining the UK legal entities (or worse, like charging their legal representatives) if they don't comply. If the UK is serious about this, the only alternative for Apple would eventually be to completely cease operations in the UK.
By the way, this is similar to why for true GDPR compliance, data centers should be operated by EU companies that aren't subsidiaries of US companies, because even if the latter operate data centers located in the EU, they would still be bound to secret orders by the US government.
sandworm101
More importantly, Apple has customers in the UK. The business from captured Apple users is more valuable than Apple's privacy reputation.
This all seems very similar to RIM and the aftermath of the riots in the UK. The backdoors became too obvious for customers to ignore. Did not go well for RIM in the market afterwards.
mrighele
That's not even the main issue in my opinion: how can Apple do this without breaking laws in other countries?
I am not a lawyer, but I think that this would be illegal under EU privacy law.
tokioyoyo
The same way it operates in China? I guess, China is much bigger market, so it’s worth the effort. Not sure how it’ll go in the UK.
mrighele
> a back door that allows UK security officials unencumbered access to encrypted user data worldwide
As far as I can tell, China is asking to keep Chinese data in China and have access to it, but it is not asking to access data of American or European citizen and if it did we would be pissed off.
guappa
Probably a maneuver to make them look good but also privately complying anyway.
simion314
> How could this even be enforced if Apple pulls out cloud services of the UK ?
Honest question, how is Apple doing it in China? Maybe the exact same scheme will work for the UK.
latexr
> When asked by The Post whether any government had requested a backdoor, Google spokesman Ed Fernandez did not provide a direct answer but suggested none exist: "Google cannot access Android end-to-end encrypted backup data, even with a legal order," he stated.
No, that does not suggest none exists, it only says they don’t have access to it. They could have chosen or have been ordered to give the keys to the government agency but not keep one themselves. I’m not saying that’s likely, just that it’s important to not take these statements as saying more than they do. They wouldn’t hesitate to use “technically correct” as a defence and you have to take that into account.
em500
Before people immediately think the worst of Google or other corporate representatives, be aware that people working in these companies need to weigh their words carefully. From The Verge's article on the issue:
> The UK has reportedly served Apple a document called a technical capability notice. It’s a criminal offense to even reveal that the government has made a demand. Similarly, if Apple did cede to the UK’s demands then it apparently would not be allowed to warn users that its encrypted service is no longer fully secure.
latexr
Which is exactly why I’m making this point. If no government had requested a backdoor, they could’ve simply answered “no”. When you have to weigh your words, it means you’re not at liberty to say whatever you want. That is itself a signal, and why warrant canaries are a thing.
derbOac
You're right to point out how carefully worded these statements are. But I suspect it's rare for companies of Google's status to not have been asked for a backdoor. It's not really an informative question to ask Google.
lysace
That concept has always sounded like tech people trying to hack the law without the proper real-world legal knowledge, IMO.
Bruce Schneier wrote in a blog post that "[p]ersonally, I have never believed [warrant canaries] would work. It relies on the fact that a prohibition against speaking doesn't prevent someone from not speaking. But courts generally aren't impressed by this sort of thing, and I can easily imagine a secret warrant that includes a prohibition against triggering the warrant canary."
Lots of similar discussion on HN already, e.g. in https://news.ycombinator.com/item?id=5871541.
free_bip
How does this work wrt false advertising laws? If I relied upon their end to end encryption and it turns out to be false advertising because there's a secret backdoor, who do I sue?
atonse
But they can still notify the public, through those canary statements. (I forgot the name commonly used).
For example (a simplistic one), you can have a statement like "we do not have any backdoors in our software" added to your legal documents (TOS, etc). But once a backdoor is added, you are compelled by your lawyers to remove that statement. So you aren't disclosing that you have added a backdoor. You're just updating your legal documents to make accurate claims.
cesarb
> No, that does not suggest none exists, it only says they don’t have access to it. They could have chosen or have been ordered to give the keys to the government agency but not keep one themselves.
The whole definition of "end-to-end encrypted" is that only the two ends have the keys. If anyone or anything other than the two ends (the one sending and the one receiving) has access to the keys, it's not end-to-end encrypted.
bux93
Whatsapp has had end-to-end encryption since 2016. But it only added encryption to cloud backups in 2021. They didn't share any key material with Google, just backed up the messages and media without any encryption to begin with.
JW_00000
But if they could give a key to the government agency, it wouldn't be end-to-end encrypted, right? Or are you thinking they would have a copy of users' keys that they gave out? (Which I guess is technically possible.)
aqme28
They could also cripple user key-generation. E.g. they choose random primes from a known subset. It would make communication crackable while also being difficult to detect.
jonhohle
It would be no different from how multiple devices and users access the same content (chat, shared data, etc.). The government’s keys would always be included in the set which encrypts the real key. They don’t need the users’ key, Apple doesn’t need their private keys. So technically still end to end encrypted, just with a hidden party involved. Users have no way of knowing this doesn’t already happen.
And when their key leaks, it’s as good as no encryption, but still end-to-end encrypted.
theshrike79
If the other end is the government, then it's kinda valid? =)
arccy
if google were to transfer the keys elsewhere, they would have (temporary) custody of the keys, granting them access, and invalidating the statement.
latexr
> they would have (temporary) custody of the keys
No, they would have had custody of the keys. Meaning it would still be true they cannot (now) access the data.
jonhohle
My layman’s understanding is that a user’s private key is used to decrypt a random key, which is then used to protect data. Shared files then only require adding key access to that small secret by someone who knows the original key. If one of the original public keys is always one held by authorities, Google never needs to have custody of the private key and can’t access the data themselves making the statement true, but misleading.
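The multi-recipient key wrapping described in jonhohle's two comments above, as an added example that is not part of the thread and is not Apple's or Google's code: a random data key is wrapped once per recipient public key, and the only place an extra recipient shows up is the wrapped-key list, which an audit can compare against the devices the user enrolled. The toy Diffie-Hellman group, the hash-based stream cipher and every name here are assumptions chosen so the block runs on the standard library alone.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, for illustration only (constructed parameters;
# a real system would use X25519 or similar from a vetted library).
P = 2**255 - 19
G = 2


def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def fingerprint(pub):
    # Short identifier a client could display for each enrolled device key.
    return hashlib.sha256(pub.to_bytes(32, "big")).hexdigest()[:16]


def _kek(shared):
    # Key-encryption key derived from the DH shared secret.
    return hashlib.sha256(b"wrap" + shared.to_bytes(32, "big")).digest()


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _stream(key, n):
    # Hash-counter keystream (toy stand-in for a real stream cipher).
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def _subkeys(data_key):
    return (hashlib.sha256(b"enc" + data_key).digest(),
            hashlib.sha256(b"mac" + data_key).digest())


def seal(plaintext, recipient_pubs):
    """Encrypt once under a random data key, then wrap that key per recipient."""
    data_key = secrets.token_bytes(32)
    eph_priv, eph_pub = keypair()
    wrapped = {fingerprint(pub): _xor(data_key, _kek(pow(pub, eph_priv, P)))
               for pub in recipient_pubs}
    enc_key, mac_key = _subkeys(data_key)
    body = _xor(plaintext, _stream(enc_key, len(plaintext)))
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    return {"eph_pub": eph_pub, "wrapped": wrapped, "body": body, "tag": tag}


def open_envelope(env, priv):
    """Unwrap the data key with one recipient's private key and decrypt."""
    slot = env["wrapped"].get(fingerprint(pow(G, priv, P)))
    if slot is None:
        raise PermissionError("no wrapped key for this recipient")
    data_key = _xor(slot, _kek(pow(env["eph_pub"], priv, P)))
    enc_key, mac_key = _subkeys(data_key)
    expected = hmac.new(mac_key, env["body"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, env["tag"]):
        raise ValueError("integrity check failed")
    return _xor(env["body"], _stream(enc_key, len(env["body"])))


def unexpected_recipients(env, enrolled_pubs):
    """Audit: fingerprints in the envelope that the user never enrolled."""
    enrolled = {fingerprint(p) for p in enrolled_pubs}
    return sorted(set(env["wrapped"]) - enrolled)


if __name__ == "__main__":
    phone, laptop, extra = keypair(), keypair(), keypair()  # constructed keys
    note = b"constructed sample backup record"
    env = seal(note, [phone[1], laptop[1], extra[1]])
    print("phone decrypts:", open_envelope(env, phone[0]) == note)
    print("unenrolled recipients:", unexpected_recipients(env, [phone[1], laptop[1]]))
```

The encrypted body has the same length with or without the extra recipient, so the audit only works when the client exposes the wrapped-key list and the user has an independent record of which keys they enrolled.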
negus
Not surprised, considering the UK's ridiculous key disclosure law (the United Kingdom's Regulation of Investigatory Powers Act 2000 (RIPA), Part III, activated by ministerial order in October 2007, requires persons to decrypt information and/or supply keys to government representatives to decrypt information without a court order) that makes anyone with high-entropy random data (which is indistinguishable from the crypto-container) a criminal for "not providing the keys to decrypt".
Chance-Device
This is the way that the UK has passed laws for a while now, make them so broad that they potentially criminalise everyone, then selectively prosecute. This is a very obvious setup for future totalitarianism. I’m surprised that the British public stands for it, but I guess they must not care.
filcuk
People here are very passive and used to being pulled around. It's insane how far people's rights have eroded already. No right to protest, no right for privacy - what's next on the chopping block?
yesco
Future totalitarianism? Is the UK's government restricted in any way right now? What line have they not crossed yet?
Chance-Device
As far as I know they haven’t started murdering political opponents yet, so that’s something. But I take your point, the UK is today not a serious country for a variety of reasons.
doublerabbit
> I’m surprised that the British public stands for it, but I guess they must not care.
I can educate people but it always comes back to "I've not got anything to hide". What are we supposed to do, go out to the streets and protest? Start a petition, write to a PM who has no idea what encryption is?
Mentioning Linux to my family opens a can of worms. We are naive to think protesting actually changes something, it's old-fashioned. Those with power just don't care so unless people attack with their wallets nothing will come from it.
It's not 1995 so unless you have £ for lobbying surrounded by people in suits there is nothing the public of any nation can do against anyone in power.
63
They have this power precisely because you have given up. Government power is derived from the consent of the governed. Collective action does work and always will, but it needs to be coordinated. If enough people in the UK stopped going to work, they could effect change pretty quickly I reckon.
Chance-Device
Don’t you think maybe this attitude is part of the problem?
tim333
Brit here. Yeah from my experience people don't care. Hardly anyone gets prosecuted and those who do have often done something bad.
Most day to day complaints are they don't prosecute enough, often related to the bastard that snatched your phone. We have approximately zero people sitting in jail for failing to decrypt and similar.
> This is a very obvious setup for future totalitarianism.
No it really isn't. If they are planning a totalitarian takeover they are being very sneaky about it. There is a strong anti totalitarianism tradition here including elections since 1265, writing books like 1984 and bombing nazis.
cbeach
I've tried to explain the issues with the UK government's stance on digital privacy to my friends. The responses I get:
* I have nothing to hide, I don't care
* Oh come on, our government doesn't care what I'm up to
* The UK will never be totalitarian. I'm not scared of the government
* The UK civil service is incompetent and could never pull this off (fair point, although I worry about the safety of my personal data in the hands of such people)
Let's not forget we had a hard-left (Corbyn) socialist regime come close to power, whose cabinet members called for "direct action" against political opponents, just a few years ago.
https://www.spectator.co.uk/article/watch-john-mcdonnell-s-c...
I don't think people realise how quickly things could go wrong with these surveillance mechanisms in place, and spiteful, authoritarian politicians taking power.
cpymchn
What's new here?
As mentioned in the article, Salt Typhoon and the recency of this request by the UK. At this point they should know better.
My pet theory is anytime the US wants to do something illegal under US law, they simply ask the UK to do it and vice versa. That's why Salt Typhoon isn't and never will be a lesson learned.
cpymchn
I recommend Susan Landau as the go-to person on this. She recently spoke with Lawfare on the current state of play.
[1] Susan Landau and Alan Rozenshtein Debate End-to-End Encryption (Again!) https://www.lawfaremedia.org/article/lawfare-daily--susan-la...!)
EdwardCoffin
Formatting in link is broken. This is a direct link to the youtube version: https://www.youtube.com/watch?v=AWBFXiOcR88
eptcyka
It is actually Australia where the US goes to test out far-out legislative ideas before implementing them at home.
y-curious
Australia does a great job of enacting wacky authoritarian policies in the last 5 years; it would make sense to use them as a staging ground. Does any specific legislation come to mind?
fukawi2
Social media ban for under 16s is the latest half witted idea enacted by the government here.
throwaway290
Any specific whacky examples?
ninalanyon
Surely any moderately sophisticated group of criminals can simply create their own end to end encryption apps. So even if the UK, or other governments, get their own way they will only get to see the content related to the less competent criminals. Perhaps it's still worth it to some.
botanical76
This is so disheartening. I thought we were making progress in the anti-surveillance privacy narrative, but this says otherwise. As a UK citizen, is there anything I can do to dissuade this?
edit: typo
snapcaster
In my mind, the only way to beat these efforts for good is to win hearts and minds of the larger public. Currently because only weirdos like us care about this stuff, we have to constantly be on top of these things and writing letters, making posts etc.
Overall I agree with you, it is really disheartening. That being said, I've made progress with my family on valuing privacy and the dangers of surveillance. I think people might be changing their minds slowly but still lots of work to do.
A breakthrough with my sisters was when abortion was threatened here in the states. Mentioned to them that it would be easy for authorities to enforce abortion punishments by subpoenaing data from menstruation cycle tracker apps. This kind of "clicked" for them and they became more open to the other parts (not giving Rakuten or whatever their purchase history, etc. etc.)
scarface_74
Thought experiment: let’s say that Trump said that he thinks Apple is helping hide illegal immigrants because they are communicating with each other over channels that ICE can’t decrypt, how much pressure do you think he could put on legislatures to pass a law here?
Now let’s say that some Republican Senators and Representatives were ethically opposed to it but then threatened to be primaried and President Musk said he would throw all of his money behind a potential opponent, how long do you think it would take a law to be passed?
Even without a law, we already see that Cook will willingly bend a knee to Trump as will Google.
Right now in my home state the governor was trying to get a law passed banning Western Union from allowing illegal immigrants to send money overseas.
snapcaster
I'm not sure what the hypothesis is in your experiment, I agree that all that stuff is really bad
maeil
> As a UK citizen, is there anything I can do to dissuade this?
If you voted for this Tory-lite government, then you can stop voting for any future Tory-lite governments. If you did not, there's not much you can do in practice without devoting your life to it.
Lio
Which party, with a realistic chance of being first past the post, could you vote for that wouldn't bring this in?
This is Hobson's choice as far as I can see.
I don't think there's anyone you could currently vote for that wouldn't do this.
rvz
> If you voted for this Tory-lite government
If you agree that Brexit happened under the Tories and not Labour, then we can also agree that THIS order is happening under the newly elected "Labour Party" and not the "Tories", or so-called "Tory-lite" names.
It's completely pointless trying to remove accountability of this government's illogical actions and then to immediately resort to blaming the previous government for bad decisions like this one.
Just admit that this is under the Labour government.
galangalalgol
Could protest on weekends and holidays as a hobby, bring a Bluetooth speaker and blast the Kinks.
gambiting
Well, in the UK just planning a non-violent protest can get you 5 years in prison as many people have already discovered. Protesting has been pretty much made illegal by a very broad legislation that defines any protest that causes "disruption" as illegal - what "disruption" means is up to interpretation of course.
briandear
Wait. The Tories aren’t in power yet you want to attribute this to “Tory-lite?” It’s the Labour Party that is in charge, so why not put the blame on the actual perpetrators? Is it because you don’t want Labour getting blamed? I am confused. The Labour Party is the one jailing people for speech, so it follows that they would want backdoors into iCloud so they can better investigate ThoughtCrime.
The director of public prosecutions of England and Wales, Stephen Parkinson (appointed by the Labour Attorney General), warned against "publishing or distributing material which is insulting or abusive which is intended to or likely to start racial hatred. So, if you retweet that, then you’re republishing that and then potentially you're committing that offense [incitement to racial hatred]."
He added further, "We do have dedicated police officers who are scouring social media. Their job is to look for this material, and then follow up with identification, arrests, and so forth."
This isn’t “Tory-lite,” this is Labour.
Sources: https://freespeechunion.org/labours-war-on-free-speech/
tim333
This stuff started from the Online Safety Act 2023 passed under Rishi Sunak's Tory government.
madeofpalk
Parent seems to be attempting to discredit, not protect, Labour by calling them "Tory-lite".
wkat4242
But the Tories are not in power. Can't Labour just repeal it?
yunruse
"Tory-lite" is a pejorative for Labour, the implication being that they are almost identical in behaviour.
(I very much agree with the sentiment...)
bluehatbrit
Labour have no problem with it, just the same as the Online Safety Act which is causing chaos right now. They're fine with the legislation and have never expressed a desire to see it repealed. They didn't even do much to prevent it in the first place.
This is what the parent comment is getting at when they say "Tory-lite".
briandear
Labour caused it. Why would they repeal what they want?
InTheArena
You know, at some point a historical review would suggest that the constant stream of Labour-led initiatives to end privacy might indicate that the problem is not just the Tories.
brandon272
> I thought we were making progress in the anti-surveillance privacy narrative, but this says otherwise.
I think we are perhaps the lowest point ever in terms of anti-surveillance efforts. There seems to be bipartisan effort among many (most?) western governments that the government should have unfettered access to all data, regardless of any reasonable expectation of privacy.
Encryption seems barely tolerated these days. Governments are insisting on backdoors, they are making it illegal in some cases for companies to even discuss what is going on or that monitoring is happening.
We barely know what is going on with the programs and efforts that get leaked to the media, much less the programs that operate in total secret.
csmattryder
> I thought we were making progress in the anti-surveillance privacy na[rra]tive
What led you to believe that? The Conservatives and Conservative-Continuity governments both agree that our data simply must be in the hands of the police, DEFRA, and your local council.
RIPA will never be repealed and only strengthened.
snapcaster
I don't disagree with your analysis but I wouldn't be so fatalistic. This stuff _isn't_ inevitable and I think it's possible to win people over to our side. Things can change for the better, but they won't unless people who care don't give up
csmattryder
Ahh, I used to have that opinion, but I've encountered too many "It's fine if they want it, I've got nothing to hide" people. (They never give you their Facebook password if you ask, though. Funny, that.)
Change what you can, I say, VPN on the network device.
cbeach
Let's start supporting parties that have principles.
And stop making excuses for parties that don't (i.e. Labour, Lib Dems and Conservatives).
At the moment, the UK public (and media) considers it a sport to disparage and smear parties like Reform, whose leaders want to shrink the power and over-reach of the state.
We are so concerned with appearing virtuous and internationally generous, we cannot be seen to align with a party that wants to put UK citizens first (border security? deporting dangerous criminals back to their home nation? gasp, how could we be so ghastly!)
This self-defeating attitude needs to change if we want a better future for our children.
Funes-
Further proof against the idea that we live in "democracies", if anyone still believes that. We're at the hands of petty tyrants. Modern societies are surveillance hellholes, and it seems to only get worse and worse. So much for "progress".
pentel-0_5
I think Technofeudalism, as Yanis Varoufakis put it, creates inverted totalitarianism where people are controlled not directly by government with guns but with corporations with access control and moderation power over apps that form the majority of the public commons, personal, and work lives. To resist this subjugation, individuals, municipalities, and groups, large and small, need to build their castles on the bedrock of non-profit co-op services in countries with strong privacy safeguards rather than on the uncertain sands of corporate shores where they will be swept away by the next wave. It's expensive, it's starting from scratch in many cases, and not going to be as immediately polished as corporate offerings, but the socioeconomic and human capital won't be as easily destroyed, manipulated, or raided by police or corporate whims.
alkonaut
I think this is unnecessarily defeatist. The UK is still a well functioning democracy. Using scare quotes around proper democracy just blurs the line to authoritarians and dictators.
We elect our politicians. We demand they stop serious crime and terrorism. When they have bad ideas about how to do that, we let them know that it's a bad idea. Or we don't elect them again. This works.
IceHegel
Certainly this decision seems intended to defend the state more than the people.
maeil
From the macrumors thread:
> So much for personal liberties. I'd like to give Labour the benefit of the doubt and assume this is a holdover from the last government knowing how fast the civil service actually works but given the Tory 3.0 plan they are going with I wouldn't put it past them.
> We didn't vote for this.
You very much did vote for this, you voted for Labour under Keir Starmer and he did not particularly hide his being tory-lite. If one is surprised by this they must not have paid any attention before voting.
scrlk
Have people forgotten the authoritarian tendencies of the 1997–2010 Labour governments? This is nothing new.
blibble
quite why Labour deserve the benefit of the doubt on anything authoritarian I don't know
Labour was behind:
- forced key disclosure (Regulation of Investigatory Powers Act 2000), still in force
- 72 day detention without charge (Terrorism Act 2006), defeated before it became an Act
- national identity register and mandatory id cards (Identity Cards Act 2006), ripped up by the next Tory government
- various attempts at removal of ancient right to trial by jury (partially successful)
they are as bad, if not worse than the tories
physicsguy
Labour are social democrats, not classical liberals…
cedws
The UK government drops the ball on just about every matter the public care about, but when it comes to overreaching digital surveillance, they're absolutely obsessed.
joey_spaztard
My response would be along the lines of:
"The USA fought a war in part because they did not like the use of general writs of assistance to allow agents of the British King to search peoples houses and papers where their suspicion chanced to fall. The UK lost that war so no way!"
axus
Apple Shrugged
ARandomerDude
In 10 years we'll all be shocked to discover this headline should have read "US Tells UK to Demand Apple Create Global iCloud Encryption Backdoor".
I don't think the UK government would try to put Apple out of business if they don't comply; it's more likely that they would just get heavily fined until they do so.
The most likely outcome, I would guess, is that Apple just stop offering Advanced Data Protection as a service in the UK rather than create some kind of backdoor.
It's a weak proposition from the government because anyone with something to hide will just move it somewhere else with encryption. Honest UK consumers are the ones getting the shitty end of the stick because we're about to lose protection from criminals.
Daft waste of time.