U.K. demand for a back door to Apple data threatens Americans, lawmakers say
153 comments
· February 13, 2025
Nifty3929
amelius
> The worst thing a corporation is likely to do (other than giving your data to governments)
There, you said it. If we want to keep data out of the hands of wrong governments, we better keep it out of the hands of corporations.
schiffern
Thank you. If governments have more restrictions than corporations, all that will happen is that corporations will immediately spring up to exploit this arbitrage opportunity.
ta1243
I can hold my government accountable via the polling booth.
I have no control over Apple or Amazon or Alphabet. I can petition the government through the court system if it tries to put me in jail; the government functions with a massive series of checks and balances.
I can't petition Google; they are an unelected, uncontrollable, unaccountable entity that not even the government has power over.
neogodless
It's easier to not buy an iPhone than it was trying to prevent a politician I didn't trust from getting in office.
In either case, collective action is, at best, the best you're going to have.
Do regulations not have meaning?
binarymax
That’s not the worst thing a corp can do. The worst things a corp can do are sell your private data to someone else, monopolize a critical function and squeeze you dry, or block you from a monopolized utility that is critical to modern society.
The focus needs to be on both.
Kudos
FYI, it's widely known that the US government has been buying citizen data from data brokers.
sbszllr
I agree with your point that government overreach is more serious.
Which is why I want to emphasize that various government police (like FBI) notoriously buy data that they would need a warrant for otherwise.
I’m aware that you’re saying it, but I think you’re underestimating the extent to which preventing spying from the corps == preventing spying from the govt.
rdtsc
> The worst thing a corporation is likely to do (other than giving your data to governments) is to sell you something. That's all they want. They collect data so they can make money off you. That's not so scary to me. Governments want to put you in jail (or freeze your bank account, etc) if you get out of line.
It depends what government and what corporations. If it's a healthy functionally representative government then its rules and laws can be to a certain extent controlled by the public. It may be harder to influence corporations. If a bank wants to close your account, or Visa stops accepting your payments or airlines don't let you fly, you can't complain, they'll just "well tough luck, it's our bank, our airplanes, our payment system, go create your own if you disagree". So I agree with you that this should be a worrying thing for the U.K. citizens, they should ask their government why the heck does it want all that data and maybe it should stop.
> Yes, corporations and the government are often in cahoots here - but even then we should be talking about how wrong it is for governments to be buying/taking/demanding data from corporations - keeping the focus squarely on the government.
Very much in cahoots. They hide behind each other's backs, too. "(Apple): Sorry, government made us do it, our hands are tied". "(Govt): Sorry, _we_ are not spying on you. We just bought some data from Google or Apple".
impossiblefork
Corporations can steal your work, etc. and thereby cause enormous problems that do not fit governments.
For me I think they're a much greater danger than at least my government. My government has no reason to care about what's on my computer. A company however, has an incentive to use every scrap.
Shank
I think this is an unquestionable overreach on the UK's part. If you live in any country that isn't the UK, you should feel the threat from this: the UK government believes that it is entitled to a backdoor on your hardware, even if you've never stepped a foot on UK soil or intend to. Mass surveillance is a threat to everyone, but this is not an instance of that, which has guards against it, like encryption. This is the UK asking for an encryption backdoor to everything, including for phones that never traverse its soil or internet boundaries, or even cross anywhere near FVEY collection devices.
This is a dramatic overreach of authority.
kitd
Here's the BBC report on the matter: https://www.bbc.co.uk/news/articles/c20g288yldko
It applies to content stored using ADP, Apple's E2EE tech. A backdoor into that would mean applying a backdoor into iOS on the phone itself, which is a much larger attack surface than anything centralised.
All of which highlights the clownish nature of these regulations. They are so easy for bad actors to circumvent (e.g. using their own E2EE), resulting in the ridiculous situation where the innocent get their data stolen and the very people you're targeting being completely unaffected.
ljm
Since it seems to be illegal to even reveal if one of these requests was received, it's also worrying that, by extension, it would be illegal to declare a data breach once the backdoor was inevitably exploited by another bad actor.
So, how would anybody know that a foreign government was spying on them? Nothing would stop them installing Pegasus on your phone and exfiltrating even your 'secure' data.
The stupid thing is that these laws always find a way to say that people in government are exempt from the provisions, and everybody except them is allowed to be spied on, but they are obviously going to be the first people to be targeted. Not some randomer hoarding CSAM.
swores
I'm entirely against what the UK government wants, however I would say:
Although you're right that tech people would still be able to choose secure encrypted options, the fact is that the majority of criminals by pure numbers are not very sophisticated - so while this sort of backdoor obviously wouldn't be a guarantee that every criminal conversation could be snooped on, it would work on the 90-99% (I'd guess towards 99) who aren't both cautious enough to try to be secure and tech savvy enough to make the right choices.
(But it's still a terrible idea, both for the sake of general privacy principles, and for the risk that current or future governments or personnel will abuse the access, and for the risk that criminals outside government will be able to take advantage of the same backdoor.)
adim86
The idea that criminals are not sophisticated is a weak excuse for this system.
Once the government starts mining data from iPhones, criminals will quickly adapt while every law-abiding citizen gets caught in the crossfire. It opens the door for abuse: officials could easily spy on their partners, dig up dirt on rivals, or target those they dislike without breaking any laws. Meanwhile, cybercriminals will have an easy target since every phone comes with this built-in vulnerability.
This system is likely to snag small-time offenders, not the real masterminds behind organized crime. This isn’t a smart solution for crime. It just sacrifices our privacy for a few token arrests.
sejje
For three whole minutes until everyone knows it's totally compromised and stops doing that
eapressoandcats
Realistically most criminals probably don’t even turn on ADP, so it will probably move the needle not at all.
fakedang
Most GSW victims are killed by one or two bullets, not hundreds of them.
You don't need a "vast majority" of criminals to break down a system and exfiltrate data when just a single, possibly state-backed, criminal operation can break your system down and do the job.
trinsic2
There are already replies with sound arguments against the ideology that 90% of criminals aren't that sophisticated.
Secondly, I will also point out that criminals in general watch what's happening to other criminals. If people start going to jail because their mobile communications are being targeted, others will catch on and stop using mobile tech altogether for criminal activities. People copy what works successfully, you don't need to be smart to do that. So yeah this argument is complete bullshit.
KennyBlanken
The majority of criminals have no idea that their iMessage encryption keys and iMessages are synced into the cloud and available to law enforcement with a warrant. No need to break device security, no need for back doors.
wonderwonder
This is a government that believes in thought crimes. They will likely arrest people for having illegal memes on their phones or for texting messages to friends of which the government does not approve. If there was a prequel to 1984, it would look something like this.
cowfriend
By "thought crimes", would you mean firing people for holding positions responsible for DEI policies which were assigned to them and which there was a legal obligation to enforce?
Because that would NEVER happen in the US, certainly no government agency would fire its own people for having followed legally enacted government policy just because that policy was no longer in fashion (though still legal government policy, because Congress hadn't yet changed the law).
tim333
It's not that bad. I think demanding a backdoor from Apple is over the top / stupid. But I haven't heard mention of thought crimes yet (Brit here).
hnlmorg
I really don’t like the UK government's stance on cyber security / counter-terrorism / et al either. In fact, as a UK citizen I’ve actively campaigned against a great many of their policies.
However this “thought police” and “arrested for posting memes” comment that often gets pointed on here is itself a nonsense meme.
What actually happened was people were arrested for instigating riots. This is no different to what happened in the US regarding the Capitol Hill riots — people who helped organise it online were arrested too.
The UK has a long history of shitty policies invented to “protect people” but we need to be clear on what’s actually fact and what’s fiction. Otherwise you end up wasting energy protesting against things that are imaginary.
jeroenhd
A similar law passed in Australia a few years ago; various Australian law enforcement agencies can request or even demand companies to make changes to their code (read: introduce backdoors).
Until people and companies start treating Australian-made software as dangerous to the extent that it affects the economy, other countries will probably follow with similar laws.
That should include being hesitant to use American software as well. There's a good reason EU companies aren't allowed to store data on American servers.
pjc50
Current state of this, as far as I can tell: https://www.firstattribute.com/en/news/eu-data-boundary-for-...
Note that it's seemingly unclear whether it's OK for EU companies to store data even on EU servers of US parent companies. Although very little has actually been done about this and everyone, governments included, is still using Microsoft 365.
eapressoandcats
In principle as long as a state has legal hooks into a large enough part of the business it’s probably ok. Data centers are less tricky than phones because they don’t move.
I’m also not sure there’s so much practical difference between a company headquartered in the EU vs USA. The relevant thing would seem to be where operations happen, and what legal and practical hooks each side has into the company, including physical location of servers and the people who operate and write code for them.
dannyw
It’s not just Australian-made hardware or software. You think Australia won’t try to assert this against a global company with presence in Australia?
fransje26
> Until people and companies start treating Australian-made software as dangerous
Atlassian?
throwaway290
With a warrant a company can be forced to implement this capability for a specific case. Is it the same?
shakna
"TCNs are orders that require a company to build new capabilities that assist law enforcement agencies in accessing encrypted data. The Attorney-General must approve a TCN by confirming it is reasonable, proportionate, practical, and technically feasible."
It's a step above a warrant, as an order, when building a new capability. But yes, it's focused in on one case. As to "reasonable" - our current AG is a strong supporter of expanding government powers as a way to fix any new problem that appears. He's done some good. And some bad. It isn't hard to see him rubber-stamping these, if someone across the hall needs it done.
Also... If a TCN order comes through, you're not permitted to tell the business that you've been ordered to create a backdoor in them. And they can order random anyone in the company to comply - it doesn't have to go to the C-level.
JoshTriplett
We should not normalize the idea that it's acceptable within a country's borders either.
It's a massive overreach to demand a backdoor to phones within the country. Don't allow the even bigger overreach to move the Overton window and make it seem like it should ever be acceptable.
pc86
I think it's reasonable here to differentiate between acceptable and legal. It's completely unacceptable, but the British people have proven time and time again they're more than happy to make horrifically unacceptable things completely legal in the pursuit of "safety."
JoshTriplett
As with the US, I would not equate "British lawmakers passed" with "British people are happy to". British people are not given direct referendum on this issue specifically, and all of the mainstream British parties currently support the Snooper's Charter.
davethedevguy
I'm from the UK, and I completely agree.
The general public either don't know about growing mass surveillance and privacy invasions, or don't care. "Terrorism and child abuse = bad, and if this prevents it and I have nothing to hide then why would it be a problem for me?"
varsketiz
> This is a dramatic overreach of authority.
Well, the rest of the world lives with the USA constantly doing this. Hopefully you don't support that as well.
graeme
The US does not require Apple to make a backdoor to its encryption.
alt227
Apple has a history of giving the US government whatever user data they want, lying about it, then when it leaks publicly they are able to say 'Well we couldn't tell you because it would have been breaking the law, sorry about that'.
Have an example, of when it leaked that Apple was secretly syphoning off all push notifications to the US government:
https://www.macrumors.com/2023/12/06/apple-governments-surve...
fsflover
Did you hear about the Snowden leaks? Apple participate(d) in PRISM according to them.
croes
But the US demands data from non-US citizens stored in non-US countries, aka the CLOUD Act.
nickslaughter02
How do you know that? Similarly to the UK, USA has a process to force companies to add back doors. For all we know it might be the USA wanting access and using its five eyes allies to get it done.
Workaccount2
But it is greatly in the interest of US agencies to perpetuate conspiracies that they have access to all data, all the time, with no court needed.
wellthisisgreat
Well there is still a HUGE difference between some backroom dealing that blows up in government’s face in the most scandalous, generation defining way when it gets exposed, and a bunch of power-hungry troglodytes saying they want to play Orwellian villains in the open.
matt-p
Right. Who would be the first country the US might go to if it wanted to spy on its citizens from abroad? Perhaps one who already does this for them using other methods such as wire tapping?
quesera
Are you suggesting that the UK government isn't snoopy or creative enough to initiate this idea on their own??
jtbayly
Kind of like the EU overreach on privacy. Whether it’s for a good cause or a bad one, these sorts of overreach are to be opposed.
arlort
It'd be kinda like GDPR if the EU had demanded that non-EU companies apply GDPR to non-EU citizens.
As described by the parent post it's nothing like EU "overreach" on privacy (whatever that even means)
jtbayly
How am I supposed to put up a website intended for US citizens onto the world-wide-web, without worrying about GDPR?
BiteCode_dev
The US, through the Intel ME software, already got a backdoor in most laptops. Using PRISM, it also had one on most big SaaS, and now that it's over, it probably has a similar one we don't know about given Snowden's revelations about XKeyscore and how it works.
It's very likely they also have a backdoor in Apple phones with a gag order, given Apple was part of PRISM and we can't check their proprietary system.
We also know China has backdoors to any software or hardware product you want to sell there.
So it is a problem that the UK is asking for this for us, but from their perspective, they are just catching up with the current horrible state of things.
quesera
> very likely they also have a backdoor in Apple phone with a gag order, given Apple was part of PRISM
People keep repeating this as if PRISM was a voluntary, or even secretly cooperative, program.
PRISM was no such thing. PRISM was the US govt snarfing up whatever data they could (under questionable legal authority), but no one has ever alleged that the data they were snarfing was provided willingly or knowingly by Google, Apple, etc.
These companies are also victims of PRISM, not participants.
All have explicitly refuted claims of any backdoor into their systems. There is no evidence that they are lying, or being forced to lie.
alt227
> People keep repeating this as if PRISM was a voluntary, or even secretly cooperative, program. PRISM was no such thing.
Where's the evidence to say they had no idea about it and it was purely an external hacking effort?
> All have explicitly refuted claims of any backdoor into their systems. There is no evidence that they are lying, or being forced to lie.
Except all the previous times they have lied because the government asked them to. Like the time they willingly gave all users' push notifications to the US government and then lied and said they didn't, until it leaked and they admitted they did and then openly spoke about how the government had forced them to keep quiet about it.
https://www.macrumors.com/2023/12/06/apple-governments-surve...
gambiting
Not to be cynical, but if anyone has looked at anything revealed about security agencies in the last few years it's very clear what's happening here - whenever US wants to do something unpopular/straight up illegal, it just asks the UK (or any other partner country) to do it instead. American government can't ask Apple for data on any American citizen, but if UK obtains that data and then it happens to be shared between agencies... that's all fine. It's been happening already for years.
daedrdev
I highly doubt that considering this article is about US complaints towards the UK demand.
davethedevguy
UK governments have been pushing for this for years, usually invoking some recent terrorist event as justification.
I'm not suggesting you're wrong, but I don't think this is _just_ the UK being a US puppet, there is very much an appetite for it in the UK parliament too.
lcnPylGDnU4H9OF
Yes, officially since 1946.
https://en.wikipedia.org/wiki/Five_Eyes (look also for Nine and Fourteen Eyes on this page)
flir
I wouldn't go full-on conspiracy, because I expect the impetus came from the UK, but... I doubt it would have gotten this far without tacit US gov support.
michaelt
Governments are huge and constantly changing things.
The cops think this is great, more power in their hands.
The feds think it'll help them out, but those local cops will try to abuse it for sure, let's hope the courts keep on top of the warrants.
The spies already have access that's almost as good by illegal means, without the need for any of those pesky warrants. But it'll be useful not to have to keep their access secret.
The judges think this is a Fourth Amendment bust-up waiting to happen, why would you even... ugh.
The defensive cyber-security types think this is very obviously a bad move.
The diplomats think the Brits are OK and will do their warrant stuff properly, but for sure there will immediately be a request from some oil-rich middle eastern dictatorship for the same access. That will make for some awkward conversations.
The elected politicians in power want to get votes, and are safe against this power being used against them. Being tough on crime and Backing The Blue might be a vote-winner. 95% of voters don't know the difference between "encrypted end-to-end" and "encrypted in transit and at rest" so getting this right might not win you many votes. On the other hand, if this takes off in the public consciousness as snooping, or intrusion, or an expansion of state power, could lose you a lot of votes. Maybe wait and see how the public reacts?
The elected politicians who aren't in power think ooooh boy, this is not a power I want used against me, and not an administration I'd trust not to use it against me.
mjburgess
Not only would I not be surprised if this was a US demand on the UK, but I'd think it highly likely that the law which the UK passed to allow this was also a demand from the US.
josefritzishere
You are right... I hadn't put that together.
nickslaughter02
In case you're wondering why there hasn't been any reaction from the EU, it's probably because EU has long waged war on encryption and would like to have access too.
"Anonymity is not a fundamental right": experts disagree with Europol chief's request for encryption back door (January 22, 2025)
https://www.techradar.com/computing/cyber-security/anonymity...
EU anti-encryption crusaders seek to turn your digital devices into spyware (June 12, 2024)
https://www.techradar.com/computing/cyber-security/eu-anti-e...
thiscatis
It's only a threat when non US countries demand it, otherwise it's just a safety measure.
richardw
Once you start this, every country will want the backdoor. The mere presence of it guarantees continued hacking attempts.
nessbot
How does this political story stay up but not the ones about DOGE? What gives?
crazygringo
There was a huge story with 1600 points three days ago:
https://news.ycombinator.com/item?id=42981756
We don't need new stories daily.
And stories about encryption back doors are as much technological as political.
nessbot
The story[0] I'm referring to is about the Technology Transformation Services, which I think is also apt. Also, I would argue that the actions of government are more political than technological or, actually, that making such a distinction is naive.
tim333
There are at least 60 recent DOGE stories on HN with comments on. I guess people get a bit DOGEd out.
It's probably part of the Trump/Musk strategy. 'Flood the zone' with so many things people can't follow it.
(on zone flooding https://youtu.be/iTSgL_R1CC4)
croes
It happened a lot more with DOGE
andyjohnson0
As a Brit I would find it amusing if Apple, Google, Meta and Microsoft jointly announced that privacy is a hill to die on, and they'd rather collectively withdraw their businesses from the UK than accede to demands like this. My government would cave within the hour.
tim333
Probably Apple will refuse to comply then the UK govt will threaten fines and then nothing much will happen.
kypro
100%. We have very little power to demand this in my opinion.
Honestly I don't think Apple would even need to work with other tech giants on this (although that would help). The UK makes up a few percent of Apple's total revenues so while Apple would take a hit, they can afford to pull out of the UK and it could be worth doing if they're serious about proving how important privacy is to them.
Apple will face some reputational harm should they choose to put a back door in their products at the threat of an authoritarian government, and that harm will need to be weighed against the cost of pulling out of the UK entirely.
And realistically Apple announcing that they're going to pull out of the UK will result in panic in confidence in UK tech. How the hell are we going to build competitive tech companies if developers can't even access Apple products? And after 14 years of economic stagnation it's not like we have excess growth we can give up...
Apple should be very firm in their response to this. The UK are overplaying their hand.
zombiwoof
UK should demand Tulsi send back to Russia
null
I keep saying this, and nobody believes me, but I'm just going to keep trying:
These things happen because so often we focus the privacy conversation on corporations, which is exactly where the governments want it to be.
My controversial but strong opinion is that privacy from corporations matters very little, but privacy from governments matters very much.
We need to stop allowing the conversation to get distracted by talking about cookies and ad-tracking and whatnot, and always bring it right back to privacy from governments.
Yes, corporations and the government are often in cahoots here - but even then we should be talking about how wrong it is for governments to be buying/taking/demanding data from corporations - keeping the focus squarely on the government.
The worst thing a corporation is likely to do (other than giving your data to governments) is to sell you something. That's all they want. They collect data so they can make money off you. That's not so scary to me. Governments want to put you in jail (or freeze your bank account, etc) if you get out of line.