Apple pulls data protection tool after UK government security row

bArray

Too right, it was far more problematic than they ever made out.

> The UK government's demand came through a "technical capability notice" under the Investigatory Powers Act (IPA), requiring Apple to create a backdoor that would allow British security officials to access encrypted user data globally. The order would have compromised Apple's Advanced Data Protection feature, which provides end-to-end encryption for iCloud data including Photos, Notes, Messages backups, and device backups.

One scenario would be somebody in an airport and security officials are searching your device under the Counter Terrorism Act (where you don't even have the right to legal advice, or the right to remain silent). You may be a British person, but you could also be a foreign person moving through the airport. There's no time limit on when you may be searched, so all people who ever travelled through British territory could be searched by officials.

Let that sink in for a moment. We're talking about the largest back door I've ever heard of.

What concerns me more is that Apple is the only company audibly making a stand. I have an Android device beside me that regularly asks me to back my device up to the cloud (and makes it difficult to opt out), you think Google didn't already sign up to this? You think Microsoft didn't?

Then think for a moment that most 2FA directly goes via a large tech company or to your mobile. We're just outright handing over the keys to all of our accounts. Your accounts have never been less protected. The battle is being lost for privacy and security.

marcprux

> you think Google didn't already sign up to this?

My understanding is that Android's Google Drive backup has had an E2E encryption option for many years (they blogged about it at https://security.googleblog.com/2018/10/google-and-android-h...), and that the key is only stored locally in the Titan Security Module.

If they are complying with the IPA, wouldn't that mean that they must build a mechanism into Android to exfiltrate the key? And wouldn't this breach be discoverable by security research, which tends to be much simpler on Android than it is on iOS?

nomel

My assumption is that Google has keys to everything in its kingdom [1].

[1] https://qz.com/1145669/googles-true-origin-partly-lies-in-ci...

marcprux

> My assumption is that Google has keys to everything in its kingdom

If that were true, then their claims to support E2E encrypted backups are simply false, and they would have been subject to warrants to unlock backups, just like Apple had been until they implemented their "Advanced Data Protection" in 2022.

Wouldn't there have been some evidence of that in the past 7 years, either through security research, or through convictions that hinged on information that was gotten from a supposedly E2E-protected backup?

GeekyBear

Google didn't announce that they could no longer process geofence warrants because they no longer stored a copy of user location data on their servers until last October.

How much good does an encrypted device backup do when harvesting user data and storing it on your servers (to make ad sales more profitable) is your entire business model?

yellow_lead

This would mean no independent security researcher has ever taken a look at Google Drive's E2EE on Android. Or those that did missed the part where the key is uploaded.

It's possible to decrypt this network traffic and see if the key is sent. It may be obfuscated though.

autoexec

My assumption is that the NSA does too.

thelittleone

Could that be true and at the same time a 'vulnerability' exists that megacorp is party to?

tholdem

> What concerns me more is that Apple is the only company audibly making a stand.

But still Apple operates in China and Google does not. This is weird to me. Google left China when the government wanted all keys to the citizens' data. Apple is making a stand when it's visible and does not threaten their business too much.

Apple is not really in the business of protecting your data, they are just good at marketing and keeping their image.

GeekyBear

> Google left China when the government wanted all keys to the citizens' data.

Google left China after China started hacking into Google's servers.

> In January, Google said it would no longer cooperate with government censors after hackers based in China stole some of the company’s source code and even broke into the Gmail accounts of Chinese human rights advocates.

https://www.nytimes.com/2010/03/23/technology/23google.html

They were working to reenter the China market on China's terms many years later, when Google employees leaked the effort to the press. Google eventually backed down.

spoaceman7777

I'd imagine there were multiple factors that went into that business decision. Even if this was portrayed as the final straw.

noirbot

China feels like an important difference here though. Google leaving China doesn't protect Chinese citizens' data any more than Apple turning off ADP in the UK does. As far as I know, Apple isn't pretending that the data of Chinese users is encrypted from their government, and the way they're complying with the Chinese laws shouldn't impact the security of users outside of China.

Apple pulling ADP from UK users is similar - the UK has passed an ill-considered law that Apple doesn't think it can win a court case over, so they're complying in a way that minimally affects the security of people outside the UK. If, as someone outside the UK, I travel to the UK with ADP turned on, my understanding is it won't disable itself.

Would you have been more satisfied if Apple just pulled out of the UK entirely? Bricked every iPhone ever purchased there? Google doesn't seem to have made any stand for security ever - them pulling out of China feels more to do with it meaning they wouldn't have had access to Chinese users' data, which is what they really want.

WhyNotHugo

iCloud in China is operated by a local subsidiary. There is a dedicated screen explaining this when you set up an iCloud account in this region.

They adapt to the local rules of each region, much like they’re doing here in the UK.

Spooky23

It’s different. Apple follows Chinese law to operate their services in China, just like Microsoft.

With Google, their services are way broader. Operating a hunk of their search business with a third party Chinese firm just isn’t viable for their services, which are way more complex.

dclowd9901

Perhaps Apple has a greater leverage in China due to its outsized manufacturing presence. And it's likely they already don't offer ADP to Chinese citizens.

vineyardmike

> Perhaps Apple has a greater leverage in China due to its outsized manufacturing presence.

Perhaps China has greater leverage over Apple in this case...

China had been an important area of growth for many companies during the 2010s. Apple bent over backwards to cater to that market. It was discussed in every financial release, and they obviously made tons of concessions for iCloud.

The UK just comparatively isn't that much revenue, and not worth the fallout.

SXX

> And it's likely they already don't offer ADP to Chinese citizens.

AFAIK before UK only region with ADP was China.

bitpush

lol you think Apple has more leverage than China? What world are you living in?

wrsh07

Eh Google had pretty good reasons to not operate in China (not seeing them in this thread, don't recall the details precisely enough to relate here)

Apple is deeply embedded in China (manufacturing) and benefits from a decent (but shrinking) userbase in the country. China isn't asking for the keys to all iPhone user data, just data stored in China.

firecall

Also, I wondered if by complying with British law that they may somehow be breaking laws of another country?

Hypothetically, if Apple just provides a back door to the data they have on US Senators for instance, then providing that information may be considered treason by the US.

That's a totally made up example, and I have no idea, but it seems like it's possibly an issue.

Which is all about the issues around data sovereignty I suppose!

Zamiel_Snawley

That would not be treason, by a long shot.

Treason is the only crime defined in the constitution, and it is quite a high bar.

Spooky23

The king is a strict constitutionalist, who may disagree with you. Pray he doesn’t.

nottorp

> have an Android device beside me that regularly asks me to back my device up to the cloud

But is that backup encrypted? If it's not, all they need is <whatever piece of paper a british security official needs, if any> to access your data.

This is about having access to backups that are theoretically encrypted with a key Apple doesn't have?

> We're talking about the largest back door I've ever heard of.

Doesn't the US have access to all the data of non US citizens whose data is stored in the US without any oversight?

mtrovo

> Doesn't the US have access to all the data of non US citizens whose data is stored in the US without any oversight?

Totally agree. Having this discussion so US centred just makes us miss the forest for the trees. Apart from data owned by US citizens, my impression is that data stored in the US is fair game for three letter agencies, and I really doubt most companies would spend more than five minutes agreeing with law enforcement if asked for full access to their database on non-US nationals.

Also, remember that WhatsApp is the go-to app for communication in most of the world outside the US. And although it's end-to-end encrypted, it's always nudging you to back up your data to Google or Apple storage. I can't think of a better target for US intelligence to get a glimpse of conversations about their targets in real time, without needing to hack each individual phone. If WhatsApp were a Chinese app, this conversation about E2E and backup restrictions would have happened a long time ago. It's the same on how TikTok algorithm suddenly had a strong influence on steering public opinion and instead of fixing the game we banned the player.

mox1

International users that have Advanced Protection enabled would in theory be safe from all of the 3-letter agencies (like safe from those agencies getting the data from Apple...not safe generally).

Realistically we are talking about FISA here, so in theory if the FBI gets a FISA court order to gather "All of the Apple account data" for a non-us person, Apple would either hand over the encrypted data OR just omit that....

Based on the stance Apple is taking here, it's reasonable to assume they would do the same in the US (disable the feature if USG asked for a backdoor or attempted to compel them to decrypt)

causal

Agree in principle, though WhatsApp backups are encrypted with a user provided password, so ostensibly inaccessible to Google or whoever you use as backup

SJC_Hacker

> Totally agree. Having this discussion so US centred just makes us miss the forest for the trees. Apart from data owned by US citizens, my impression is that data stored in the US is fair game for three letter agencies, and I really doubt most companies would spend more than five minutes agreeing with law enforcement if asked for full access to their database on ̶n̶o̶n̶-̶U̶S̶ ̶n̶a̶t̶i̶o̶n̶a̶l̶s̶ anyone.

noinsight

> non US citizens whose data is stored in the US

They don't even care where it's stored...

See: CLOUD Act [1]

[1] https://en.wikipedia.org/wiki/CLOUD_Act

autoexec

I honestly doubt they even limit themselves to the data of non-US citizens. They have no respect at all for the fourth amendment.

crimsoneer

Android data isn't encrypted at rest (or at least not in a way Google doesn't have the key). If the uk gov has a warrant, they can ask Google to provide your Google Drive content. The whole point of this issue is Apple specifically designed ADP so they couldn't do that.

sunshowers

Android backups are encrypted at rest using the lockscreen PIN or passphrase: https://developer.android.com/privacy-and-security/risks/bac...

So not hugely secure for most people if they use 4-6 decimal digits, but possible to make secure if you set a longer passphrase.

I don't know what Google's going to do about this UK business.

edit: Ah it looks like they have a Titan HSM involved as well. Have to take Google's word for it, but an HSM would let you do rate limits and lockouts. If that's in place, it seems all right to me.
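
The trade-off described in the comment above, sketched as an added example (not part of the thread, and not Google's actual design): a key derived only from a 4-digit PIN can be searched offline by whoever holds the backup, while a random key released by an attempt-limited module cannot. The `AttemptLimitedVault` class, the check-tag format and the low iteration count are assumptions made for the demo.

```python
import hashlib
import hmac
import itertools
import secrets

# Deliberately low so the demo finishes quickly. A realistic KDF cost only
# scales the search time; it does not enlarge the 10**4 PIN keyspace.
DEMO_ITERATIONS = 200
CHECK_LABEL = b"backup-check"  # constructed label for the demo's check tag


def derive_key(pin, salt):
    """Derive a 256-bit key from a PIN with PBKDF2-HMAC-SHA256 (demo scheme)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, DEMO_ITERATIONS)


def make_backup_header(pin):
    """Return (salt, check_tag) as they would sit next to a PIN-encrypted backup."""
    salt = secrets.token_bytes(16)
    tag = hmac.new(derive_key(pin, salt), CHECK_LABEL, hashlib.sha256).digest()
    return salt, tag


def offline_search(salt, tag, digits=4):
    """Model the storage holder's position: every PIN can be tested, unthrottled."""
    for attempts, combo in enumerate(
            itertools.product("0123456789", repeat=digits), 1):
        pin = "".join(combo)
        guess = hmac.new(derive_key(pin, salt), CHECK_LABEL, hashlib.sha256).digest()
        if hmac.compare_digest(guess, tag):
            return pin, attempts
    return None, 10 ** digits


class AttemptLimitedVault:
    """Toy stand-in for an HSM (hypothetical): holds a random backup key,
    releases it only for the right PIN, destroys it after too many failures."""

    def __init__(self, pin, max_failures=10):
        self._salt = secrets.token_bytes(16)
        self._verifier = derive_key(pin, self._salt)  # never leaves the module
        self._backup_key = secrets.token_bytes(32)    # random, not PIN-derived
        self._failures = 0
        self._max_failures = max_failures
        self.wiped = False

    def release(self, pin):
        if self.wiped:
            return None
        if hmac.compare_digest(derive_key(pin, self._salt), self._verifier):
            self._failures = 0
            return self._backup_key
        self._failures += 1
        if self._failures >= self._max_failures:
            self._backup_key = None  # lockout: the key is gone for good
            self.wiped = True
        return None


def online_search(vault, digits=4):
    """The same guessing loop, but each guess has to go through the vault."""
    attempts = 0
    for combo in itertools.product("0123456789", repeat=digits):
        if vault.wiped:
            break
        attempts += 1
        key = vault.release("".join(combo))
        if key is not None:
            return key, attempts
    return None, attempts


if __name__ == "__main__":
    salt, tag = make_backup_header("4821")  # constructed sample PIN
    print("offline:", offline_search(salt, tag))
    vault = AttemptLimitedVault("4821")
    print("via vault:", online_search(vault), "wiped:", vault.wiped)
```

With the vault, ten sequential guesses cover only 10 of the 10,000 possible PINs before the key is destroyed, which is why the lockout matters more than the KDF cost for short PINs.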

Gatorguy

Wrong. Google Android user cloud backups are E2EE by default. There is no option to opt out. Use Google's backup service and your data is encrypted at rest, in transit, and on device. aka end-to-end.

It's not just Google saying it. Google Cloud encryption is independently verified.

squeaky-clean

> But is that backup encrypted? If it's not, all they need is <whatever piece of paper a british security official needs, if any> to access your data.

Based on them mentioning the difficulty of opting out, I presume OOP does not use Google's cloud backup.

burnerthrow008

> Doesn't the US have access to all the data of non US citizens whose data is stored in the US without any oversight?

Er, no...? I'm not sure where you get that idea. Access requires a warrant, and companies are not compelled to build systems which enable them to decrypt all data covered by the warrant.

See, for example, the Las Vegas shooter case, where Apple refused to create an iOS build that would bypass iCloud security.

nottorp

I asked if your Android backup is encrypted. Implies I'm talking about unencrypted data.

> See, for example, the Las Vegas shooter case

I am not in Las Vegas or anywhere else in the US. So as far as I know all the data about me that is stored in the US is easily accessible without a warrant unless it's encrypted with a key that's not available with the storage.

> companies are not compelled to build systems which enable them to decrypt all data covered by the warrant

Again, not what I was talking about.

I'm merely pointing out that your data is not necessarily encrypted, and that the "rest of the world" was already unprotected vs at least one state. The UK joining in would just add another.

93po

I think people focus on whether backups are encrypted too much. It really doesn't matter when the government has remote access equivalent to your live phone when it's in an unencrypted state, which they almost certainly do.

JumpCrisscross

> One scenario would be somebody in an airport and security officials are searching your device

No Heathrow connection necessary. “The law has extraterritorial powers, meaning UK law enforcement would have been able to access the encrypted iCloud data of Apple customers anywhere in the world, including in the US” [1].

[1] https://www.ft.com/content/bc20274f-f352-457c-8f86-32c6d4df8...

kimixa

The US claims the same

https://en.wikipedia.org/wiki/CLOUD_Act

Lots of Americans in this thread seem to be talking down to other countries' laws while being completely unaware of their own

maeil

Spot on, 727 comments, most probably by Americans, and only 2 (including yours) bringing up the CLOUD Act, the much worse US equivalent. Incredible ignorance.

j-bos

> (where you don't even have the right to legal advice, or the right to remain silent)

A lot is posted about LEOs lying in the US, this seems worse.

IshKebab

> What concerns me more is that Apple is the only company audibly making a stand.

Meta also said they would make a stand if a similar request comes for WhatsApp. I'm not going to hold my breath though.

AutistiCoder

They wouldn't even be able to.

WA is end-to-end encrypted.

alex-robbins

WhatsApp is closed source. They could backdoor it if they wanted to (or were forced to).

kali_00

With almost everyone's backups stored in plain-text, making it all a little silly.

Think about it for a second: you can re-establish your WA account on a new device using only the SIM card from your old device. SIM cards don't have a storage area for random applications' encryption keys, and even if they did, a SIM card cannot count as "end-to-end" anymore. Same goes for whatever mobile cloud platform those backups might be stored on. And you'd hope Apple or Google aren't happily sending off your cloud decryption keys to any app that wants them. Though maybe they are?

bustling-noose

You have no laws when traveling through immigration. That's true in US too. There was an article (trying to look for it, could be Ars Technica or The Verge, I don't remember where) once where a US citizen journalist was detained at the border for hours while traveling into the US and questioned. You can be in the immigration for hours or even decades until you give out what they demand which can involve your unlocked phone and password. There are no laws protecting you.

ljm

Fundamentally, I think the issue is more about technical literacy amongst the political establishment who consistently rely on the fallacy that having nothing to hide means you have nothing to fear. Especially in the UK which operates as a paternalistic state and enjoys authoritarian support across all parties.

On the authoritarianism: these laws are always worded in such a way that they can be applied or targeted vaguely, basically to work around other legislation. They will stop thinking of the children as soon as the law is put into play, and it's hardly likely that pedo rings or rape gangs will be top of the list of priorities.

On the technical literacy: the government has the mistaken belief that their back door will know the difference between the good guys (presumably them) and the bad guys, and the bad guys will be locked out. However, the only real protection is security by obscurity: it's illegal to reveal that this backdoor exists or was even requested. Any bad guy can make a reasonable assumption that a multinational tech company offering cloud services has been compromised, so this just paints another target on their backs.

I've said it before, but I guarantee that the monkey's paw has been infinitely curling with this, and it's a dream come true for any black or grey hat hacker who wants to try and compromise the government through a backdoor like this.

smsm42

It's not literacy. They don't care. They need control, and if establishing control means increased risks for you, it's not something they see as a negative factor. It's your problem, not theirs.

ben_w

The government put in restrictions against using certain powers in the Investigatory Powers Act to spy on members of parliament (unless the Prime Minister says so, section 26), so I think they're just oblivious to the risk model of "when hackers are involved, the computer isn't capable of knowing the order wasn't legal".

https://www.legislation.gov.uk/ukpga/2016/25/section/26

lozenge

That actually shows they understand and care because they don't want the law to apply to them. They don't care about its effects on other people.

cryptonector

They don't even need control. They want control. Why? Either they're idiots who think they need control or they are tyrants who know they'll need control later on when they start doing seriously tyrannical things.

smsm42

It's natural for the government to want control. It's literally what it is optimized for - control. More control is always better than less control. More data about subjects always better than less data. What if they do something that we don't want them doing and we don't know? It's scary. We need more control.

> they'll need control later on when they start doing seriously tyrannical things.

You mean like when they start jailing people for social media posts? Or when they are going to ban kitchen knives? Or when they're going to hide a massive gang rape scandal because it makes them look bad? Or when they would convict 900+ people on false charges of fraud because they couldn't admit their computer system was broken? Come on, we all know this is not possible.

hackernoops

It's the latter.

redeeman

opinion: any government that "needs" such control, is an enemy of the people and must be abolished, and anyone can morally and ethically do so

jbjbjbjb

Well it’s important that the argument is correct. They view ending end-to-end encryption as a way to restore the effectiveness of traditional warrants. It isn’t necessarily about mass surveillance and the implementation could prevent mass surveillance but allow warrants.

I oppose that because end to end encryption is still possible by anyone with something to hide, it is trivial to implement. I think governments should just take the L in the interest of freedom.

kypro

Agreed.

I used to think it was illiteracy, but when you hear politicians talk about this you realise more often than not they're not completely naive and can speak to the concerns people have, but fundamentally their calculation here is that privacy doesn't really matter that much and when your argument for not breaking encryption is based around the right to privacy you're not going to convince them to care.

You see a similar thing in the UK (and Europe generally) with freedom of speech. Politicians here understand why freedom of speech is important and why some people oppose blasphemy laws, but that doesn't mean you can just burn a bible in the UK without being arrested for a hate crime because fundamentally our politicians (and most people in the UK) believe freedom from offence is more important than freedom of speech.

When values are misaligned (safety > privacy) you can't win arguments by simply appealing to the importance of privacy or freedom of speech. UK values are very authoritarian these days.

gerdesj

"Especially in the UK which operates as a paternalistic state and enjoys authoritarian support across all parties."

What is a "paternalistic state". I studied Latin so obviously I understand pater == father but what is a father-like state?

What on earth is: "authoritarian support across all parties".

The UK has one Parliament, four Executives (England, Northern Ireland, Scotland, Wales) and a Monarch (he's actually quite a few Monarchs).

Anyway, I do agree with you that destroying routine encryption is a bloody daft idea. It's a bit sad that Apple sold it as an extra add on. It does not cost much to run openssl - it's proper open source.

walthamstow

Paternalism, unless I'm mistaken, is a belief among those in power that they know what's best for you, better than you do, and will exercise power on your behalf in that manner. Just like your parents do when you're a child.

catlikesshrimp

In medicine, a paternalistic attitude towards the patient from a point of authority (like a father). The doctor acts as if he knows more and knows what is better. The patient has his own preferences and priorities, but they don't necessarily match with what the doctor does.

I suppose a paternalistic state functions to satisfy the needs of the people, and to define those needs. The people get what the state says is best for them.

kmeisthax

What the politicians want is partial security: something they can crack but criminals can't. That is achievable in physical security, but not in cybersecurity.

I have a feeling the politicians already know partial cybersecurity isn't an option, and don't care. Certainly, the intelligence community advising them absolutely does know. We don't even have to be conspiratorial about it: their jobs are easier in the world where secrets are illegal than in the world where hackers actually get stopped.

joncp

> That is achievable in physical security, but not in cybersecurity.

Not with physical security either, I'm afraid.

cryptonector

With physical security the state apparatus can provide physical security in the form of police and what not, as well as deterrence and punishment.

In the world of cryptography it's... a bit harder to do something similar. In the best case they can come up with a key escrow system that doesn't suck too much, force you to use it, and hopefully they don't ever get the master keys hacked and stolen or leaked. But they're not asking for key escrow. They're asking for providers to be the escrow agents or whatever worse thing they come up with.

EchoReflection

"it's hardly likely that pedo rings or rape gangs will be top of the list of priorities".... is this not one of the most disturbing, disgusting, psychologically troubling and damning ideas ever to be put to words/brought to awareness? Right up there with "let's meticulously plan out this horrific, atrocious, dehumanizing act and meditate upon the consequences, and then choose the most brutal and villainous option". Dear Lord....

AnthonyMouse

People are extremely opposed to pedos, so they're a primary rationalization for oppressive technology. But then you have two problems.

First, pedos know everybody hates them, so they take measures normal people wouldn't in order to avoid detection, and then backdooring the tech used by everybody else doesn't work against them because they'll use something else. But it does impair the security of normal people.

Second, there aren't actually that many pedos and the easy to catch ones get caught regardless and the hard to catch ones get away with it regardless, which leaves the intersection of "easy enough to catch but wouldn't have been caught without this" as a set plausibly containing zero suspects. Not that they won't use it against the ones who would have been caught anyway and then declare victory, but it's the sort of thing that's pretty useless against the ones it's claimed to exist in order to catch, and therefore not something it can be used effectively in order to do.

Whereas industrial espionage or LOVEINT or draining grandma's retirement account or manipulating ordinary people who don't realize they should be taking countermeasures -- the abuses of the system -- those are the things it's effective at bringing about, because ordinary people don't expect themselves to be targets.

exe34

> that having nothing to hide means you have nothing to fear

hopefully the US turning from leader of the free world to Russia's tool will give them the kick they need to realise that just because you trust the government now doesn't mean you trust the next government or the one after it.

GeekyBear

You probably don't want to look up which US President tried to force Apple to insert an encryption back door into iPhones back in 2015.

However, Google did only start moving to protect location data from subpoenas after people started to worry that location data could be used as a legal weapon against women who went to an abortion clinic, so your larger point stands.

jshier

That would be none, as it was the FBI, operating independently (as it's supposed to), which tried to force the issue. They even tried to go to Congress but found little support for their stunt. I'm not even sure Obama ever spoke in support of the backdoor, much less used any political power to make it a reality.

isaacremuant

> hopefully the US turning from leader of the free world to Russia's tool

So much humour in one short phrase.

Do you really believe your propaganda or is it just absentmindedly parroting pro permanent war talking points?

exe34

He demands $500bn of rare earth minerals, insists that Ukraine started the war by getting invaded and wants Zelensky to be replaced by a Russian puppet. It's amazing how the US went from the defender of the free world to just another thug.

miohtama

Furthermore, one UK head of state calls everyone supporting encryption pedophiles

https://x.com/BenWallace70/status/1892972120818299199

scott_w

Just to be clear: Wallace is not a head of state, or even an MP any more. At one point, he was Secretary of State for Defence, a Cabinet position, however he resigned this in 2023.

This doesn’t justify his position (it’s stupid) but he doesn’t speak for the current government.

onei

To clarify a bit further, the UK head of state is King Charles III, as he is for a bunch of other countries in the Commonwealth.

Head of state in the UK is a bit weird compared to countries that abolished or never had a monarchy.

GJim

> one UK head of state

What on earth are you talking about?

Charles III is head of state, and before that, Liz II. The monarch absolutely does not get involved in politics.

mschuster91

And that's why it is so important to nip this "pedo" / "think of the children" crap right in the bud.

Obviously pedos on the interwebs are bad, but hey as long as it's just anime they're whacking off to I don't care too much. But the real abuse, that's done by - especially in the UK - rich and famous people like Jimmy Savile. And you're not gonna catch these pedos with banning encryption, that's a fucking smokescreen if I ever saw one, you're gonna catch them with police legwork and by actually teaching young children about their bodies!

worik

> But the real abuse, that's done by - especially in the UK - rich and famous people like Jimmy Savile

Jimmy Savile was a vile predator. He was protected by the inane customs of the British ruling class.

He was not alone among the toffs of England.

But do not be mistaken. It is not just the rich and powerful where you find sexual predators. They exist at all levels of society, all genders, most ages (I will except infants and the aged infirm....)

Jimmy Savile was a symptom of something much darker, much worse and widespread.

yubblegum

> technical literacy amongst the political establishment who consistently rely on the fallacy that having nothing to hide means you have nothing to fear.

That's an awfully generous assessment on your part. Kindly explain just what "technical literacy" has to do with the formulation you note. From here it reads like you are misdirecting and clouding the -intent- by the powerful here.

Also does ERIC SCHMIDT, an accomplished geek (who is an official member of MIC since (during?) his departure from Sun Microsystems), suffer from "technical literacy" issues:

https://news.ycombinator.com/item?id=983717

Thank you in advance for clarifying your thought process here. Tech illiteracy -> what you got to hide there buddy?

stavros

I feel like the comment was clear, technical illiteracy leads politicians to believe that they'll be the only ones with access to this backdoor, which isn't true.

yubblegum

The comment's clarity was not questioned. You are passing around the same tired line that because politicians do not understand technology and how it can be used against anyone. Sure computers are new but communication technology is not. All a politician needs to understand is "capability". That is it. "We can read their communications", no degree in CS required. Also, they have power geeks advising them left and right. They know "capabilities" can be misused. They know this.

Is this clear?

ninalanyon

It isn't necessarily the case that they all care if criminals can get in to the average person's data so long as the authorities also can.

trinsic2

Yeah. Not buying it. They know, or someone smart enough told them that backdoors can be accessed by anyone with enough skill. They just don't care because the people that are asking for this are criminals already and wanting profit off of other people's data.

bunderbunder

Let me offer a possible example that might be more in line with the HN commenting guideline about interpreting people's comments as charitably as reasonably possible:

My password manager vault isn't exactly something to hide in the political sense, but it's definitely something I would fear is exposed to heightened risk of compromise if there were a backdoor, even one for government surveillance purposes. And it's a reasonable concern that I think a lot of people aren't taking seriously enough due, in part, to a lack of technical literacy. Both in terms of not realizing how it materially impacts everyday people regardless of whether they're up to no good, and in terms of not realizing just how juicy a target this would be for agents up to and including state-level adversaries.

As for Eric Schmidt, he's something of a peculiar case. I don't doubt his technical literacy, but the dude is still the head of one of the world's largest surveillance capitalist enterprises, and, as the saying goes, "It is difficult to get a man to understand something when his salary depends on his not understanding it."

kingkongjaffa

> Especially in the UK which operates as a paternalistic state and enjoys authoritarian support across all parties.

This seemed strange to point out. It’s not really any more or less “paternalistic” than most western nations including the US.

15155

Folks in the United States aren't routinely arrested for Facebook posts.

cmdli

The AP News was just kicked out of press conferences for not using the government-preferred term for the Gulf of Mexico. The new director of the FBI is pledging to go after members of the press that he doesn't like. The US is jumping headfirst in the "bad speech isn't free" direction in the past month.

jirf_dev

Of course they are. Violent threats and admitting illegal activity on social media can lead to arrests in the US. By being so unspecific your comment does not really foster good discussion on the topic. You should describe what kind of posts they are being arrested for and which laws/protections in the UK you are specifically criticizing.

4ndrewl

They're not arrested for posting on Facebook. They're arrested for _what_ they're posting on Facebook.

twixfel

There are limits to speech in every country, including the US. What I always find baffling is the sheer arrogance of Americans, that the only way to be a free and democratic country is their way, to the extent that they send their elected representatives to Germany of all places to implicitly argue for the legalisation of the Hitler salute.

Meanwhile their country has slid into fascism. Sad and tragic.

gleenn

If you see a red car driving down the street do you not call it red because there are many other red cars? They're adding color (pun intended) to their description of the general bias of the UK government. What you're doing is called Whataboutism - the argument that others are doing something similar or as bad in different contexts. It doesn't make what the UK is doing any less bad for citizens' (and non-citizens') privacy or data sovereignty.

AlanYx

Many people might not be aware of it, but Apple publishes a breakdown of the number of government requests for data that it receives, broken down by country.

The number of UK requests has ballooned in recent years: https://www.apple.com/legal/transparency/gb.html#:~:text=77%...

Much of this is likely related to the implementation and automation of the US-UK data access agreement pursuant to the CLOUD Act, which has streamlined this type of request by UK law enforcement and national security agencies.

dvtkrlbs

The problem is AFAIK this act is a lot different and Apple or any party that gets this order is completely forbidden to talk about it. So these kinds of requests would not show up in these transparency requests. It is IMHO fair to assume Apple will UK this backdoor given they chose to disable Advanced Data Encryption and the public would have no insight into the amount of and reasons for the backdoor usage. It is really troubling.

sva_

Looking at the ones for Germany, those seem like rookie numbers

https://www.apple.com/legal/transparency/de.html#:~:text=77%...

AlanYx

It's also comparatively worse than the raw numbers suggest because the customer base of Apple phones in Germany is much smaller than in the UK.

crossroadsguy

I see numbers for USA and China very low as well.

Maybe they don't have/need to request? ;-) Just saying.

EasyMark

Sad to see the home of the magna carta slowly spiraling down into fascism and 1984. The government should be required to have a specific warrant to get at your personal data.

HaZeust

I don't share your findings, EVERY six-month period between January 2014 - June 2017 shows bigger requests than any six-month period in the last 5 years.

anoncow

> Online privacy expert Caro Robson said she believed it was "unprecedented" for a company "simply to withdraw a product rather than cooperate with a government".

That is such a self-serving comment. If Apple provides UK a backdoor, it weakens all users globally. With this they are following the local law and the country deserves what the rulers of the country want. These experts are a bit much. In the next paragraph they say something ominous.

> "It would be a very, very worrying precedent if other communications operators felt they simply could withdraw products and not be held accountable by governments," she told the BBC.

kelnos

It's also just false. Google pulled out of China many years ago because they didn't want to bow to the Chinese government's demands.

And they didn't just withdraw a product, they withdrew their entire business.

kshacker

I wonder what the impact of Apple withdrawing from China will be. I know we are talking about UK, but this made me think.

Not only their sales will reduce, but hey Chinese manufacturing cuts down. By how much? Will it be impactful? I would think so but wonder if it is quantifiable.

sneak

Almost all iPhones are made in China. They cannot pull out without shutting down.

They make on average 60,000 iOS devices there every hour, 24 hours a day, 365 days a year.

yunesj

Fake privacy experts like Caro Robson need to be held accountable.

throwaway106382

>"It would be a very, very worrying precedent if other communications operators felt they simply could withdraw products and not be held accountable by governments,"

This would actually be a very very very very VERY GOOD precedent if you ask me.

Facebook pulled something similar when Canada passed the Online News Act and instead of extorting facebook to pay the media companies for providing a service to them (completely backasswards way to do things), they just pulled news out of Canada. I despise Meta as a company, but I had to give them credit for not just letting the government shake them down.

Good riddance. Governments need to be reminded from time to time that they are, in fact, not Gods. We can and should, just take our ball and go play in a different park or just go home rather than obey insane unjust laws.

donbox

I love their products: whatsapp and facebook

boxed

Governments forcing companies from other countries to do business in their country seems like the worrying precedent to me.

aqueueaqueue

"a product" and "cooperate" are doing so much work in that statement that they collapsed and look like ________ and ________

They re-emerged as "security feature" "add vulns to security features to make it an insecurity feature"

StanislavPetrov

>Online privacy expert Caro Robson

Ironic to refer to her as a "privacy expert" given her open hostility to privacy.

sholladay

So many questions around this that need answering, such as:

1. What happens if I have ADP enabled and then visit the UK? Will photos I take there still be E2E encrypted? If not, will I be notified? I realize that at the moment the answer is yes, that for now, they are only disabling ADP enrollment. But they are planning to turn it off for everyone in the UK in the future. So what happens then?

2. If they make an exception for visitors, such as by checking the account region, then obviously anyone in the UK who cares about security will just change their account region - a small inconvenience. Maybe this will be a small enough group that the UK government doesn’t really care, but it could catch on.

3. Is this going to be retroactive? It’s one thing to disallow E2E encryption for new content going forward, where people can at least start making different decisions about what they store in the cloud. It’s an entirely different thing for them to remove the protection from existing content that was previously promised to be E2E encrypted. When they turn off ADP for people who were already enrolled, how is their existing data going to be handled?

This is bad news and it is going to be messy.

ComputerGuru

Note that this doesn’t satisfy the government’s original request, which was for worldwide backdoor access into E2E-encrypted cloud accounts.

But I have a more pertinent question: how can you “pull” E2E encryption without data loss? What happens to those that had this enabled?

Edit:

Part of my concern is that you have to keep in mind Apple's defense against backdooring E2E is the (US) doctrine that work cannot be compelled. Any solution Apple develops that enables "disable E2E for this account" makes it harder for them to claim that implementing that would be compelling work (or speech, if you prefer) if that capability already exists.

madeofpalk

When you disable ADP, your local encryption keys are uploaded to Apple's servers to be read by them.

Apple could just lock you out of iCloud until you do this.

oakesm9

That’s exactly the plan. Anyone with this enabled in the UK will need to manually disable it or they’ll get locked out of their iCloud account after a deadline.

kbolino

The hardware will not allow this, at least not without modifications. The encryption keys are not exportable from the Secure Enclave, not even to Apple's own servers.

Twisell

The Apple security paper describes how to disable ADP through a key rotation sequence.

This will be a "forced rotation", they just need to decide how to communicate to users and work out what happens to those who don't comply. Lockout until key rotation looks like an option as someone said.

QuiEgo

Behind the scenes, it'd probably decrypt it locally piece-by-piece with the key in the Secure Enclave, and then reencrypt it with a new key that Apple has a copy of when you disable ADP.

sureIy

Are you gonna unlock that phone anytime soon?

Thanks for opening the enclave, don't mind if I ship these keys back home.

No notification needed, Apple has root access.

wrs

> how can you “pull” E2E encryption without data loss

You can’t. The article says if you don’t disable it (which you have to do yourself, they can’t do it for you, because it’s E2E), your iCloud account will be canceled.

nashashmi

At this point, the right thing to do is allow for an alt-service.

jmb99

How would an alt service help this situation? You’d just end up with backdoored services advertising E2EE, no? Apple’s move here is definitely the right one, introduce as much friction as possible to hopefully get the user pissed off at their government for writing such stupid laws.

sneak

Apple has an organization-wide mandate for services revenue.

Every product must make money on an ongoing basis, every month. That's why you get constantly spammed to subscribe to things on iOS.

Apple will never drop this anticompetitive practice of favoring their services until they are legally compelled to.

jl6

We are told the encryption keys reside only on your device. But Apple control “your” device so they can just issue an update that causes your device to decrypt data and upload it.

GeekyBear

Apple has already fought US government demands that they push an update that would allow the US government to break encryption on a user's device.

> In 2015 and 2016, Apple Inc. received and objected to or challenged at least 11 orders issued by United States district courts under the All Writs Act of 1789. Most of these seek to compel Apple "to use its existing capabilities to extract data like contacts, photos and calls from locked iPhones running on operating systems iOS 7 and older" in order to assist in criminal investigations and prosecutions. A few requests, however, involve phones with more extensive security protections, which Apple has no current ability to break. These orders would compel Apple to write new software that would let the government bypass these devices' security and unlock the phones.

https://www.wikipedia.org/wiki/Apple%E2%80%93FBI_encryption_...

RenThraysk

Would just upload the keys

drexlspivey

Presumably these keys live in a hardware security module on your phone called “secure enclave” and cannot be extracted

sneak

Apple do not remotely control devices, and automatic updates are not mandatory.

TeaBrain

I think Prof Woodward's quote in the article will likely hold true for Apple's response to the original UK government request:

"It was naïve of the UK government to think they could tell a US technology company what to do globally"

ckcheng

> Any solution Apple develops that enables "disable E2E for this account" makes it harder for them to claim that implementing that would be compelling work (or speech, if you prefer)

I think it’s really speech [0], which is why it’s important to user privacy and security that Apple widely advertises their entire product line and business as valuing privacy. That way, it’s a higher bar for a court to cross, on balance, when weighing whether to compel speech/code (& signing) to break E2EE.

After all, if the CEO says privacy is unimportant [1], maybe compelling a code update to break E2EE is no big deal? (“The court is just asking you, Google, to say/code what you already believe”).

Whereas if the company says they value privacy, then does the opposite without so much as a fight and then the stock price drops, maybe that’d be securities fraud? [2]. And so maybe that’d be harder to compel.

[0]: https://news.ycombinator.com/item?id=43134235

[1]: https://www.eff.org/deeplinks/2009/12/google-ceo-eric-schmid...

[2]: https://www.bloomberg.com/opinion/articles/2019-06-26/everyt...

mtrovo

Apple is in a really tough position. I don't know if there's any way they could fulfil the original request without it effectively becoming a backdoor. Disabling E2E for the UK market is just kicking the can down the road.

Even simply developing a tool to coerce users out of E2E without their explicit consent to comply with local laws could be abused in the future to obtain E2E messages with a warrant on different countries.

A very difficult position to be in.

MetaWhirledPeas

> Apple is in a really tough position.

You mean Apple is in a unique position to make a statement. No more Apple products in the UK. Mic drop. Exit stage left.

sureIy

But… money

replete

Or, this is how they save face with their customers having complied with the request rather than stop trading with the UK.

tripdout

The iOS screenshot displays a message saying it's no longer available for new users.

kelnos

> the (US) doctrine that work cannot be compelled

Is this actually a thing? Telecoms in the US are compelled to provide wiretap facilities to the US and state and local governments.

ckcheng

>> Apple's defense against backdooring E2E is the (US) doctrine that [government can’t] be compelling work (or speech, if you prefer)

It’s really not “work” but speech. That’s why telecoms can be compelled to wiretap. But code is speech [2], signing that code is also speech, and speech is constitutionally protected (US).

The tension is between the All Writs Act (requiring “third parties’ assistance to execute a prior order of the court”) and the First Amendment. [1]

So Apple may be compelled to produce the iCloud drives the data is stored on. But they can’t be made to write and sign code to run locally in your iPhone to decrypt that E2EE data (even though obviously they technologically could).

[1]: https://www.eff.org/deeplinks/2015/10/judge-doj-not-all-writ...

[2]: https://www.eff.org/deeplinks/2015/04/remembering-case-estab...

codedokode

It's weird bending of law. Code, especially closed-source code, is not a speech; it's a mechanism and the government may mandate what features a mechanism must have (for example, a safety belt in a car).

Goleniewski

Think about it.. You don't even have to be an Apple user to be affected by this issue. If someone backs up their conversations with you to apple cloud, your exchange is now fair game. You get no say in it either.

We all lose.

freeqaz

That's why it's important to use apps like Signal where you can set the retention of your messages. I've got everybody I know using it now!

hugh-avherald

Setting a retention time out is playing with fire. If the police get ahold of the other party's device, and present an exhibit which they say contains the true conversation, you could be worse off than if you retained the conversation. The fact that you have since deleted it could be incriminating.

In some jurisdictions, yes, legally, such evidence might not be probative, but you might still be convicted because of it.

fdb345

message retention has literally NEVER been used as incrimination in a court of law. So you are wrong.

vuln

The retention time can be set by individual conversation not just the whole app.

nickburns

Ephemeral messaging is not a crime.

madeofpalk

Given historical backups are the norm here, retention only does so much.

Really, apps should encrypt their own storage with keys that aren't stored in the backups. That's how you get security/privacy back.

buran77

> That's how you get security/privacy back.

Nothing an app does on a device guarantees you security or privacy if you don't trust or fully control the device.

cma

Many people want control over whether they back up conversations with others, and think it would be crazy for sender to control the retention policy instead of receiver.

I think sender should just be able to send a recommended preference hint on retention and you could have an option to respect it or not.

fdb345

In a world where they cancel encryption they can't access... doesn't Signal and its CIA funded origins concern you?

HumblyTossed

Nope. I actually think that would bring more scrutiny and so I feel safer knowing it's not been cracked.

sneak

I use a patched Signal client that disables retention deletion and remote delete messages.

ruined

and that's awfully rude of you, but if you were concerned about message retention you wouldn't do that. so what's your point?

noahjk

Very similar to sites like LinkedIn, which ask you to share your personal info & contact list.

I don't want to share my contact details, but the second someone I know decides to opt in, I lose all rights to my own data as they've shared it on my behalf.

Maybe they have other info, such as birthday, home address, other emails or phone #s, etc. stored for me, which is all fair game, as well.

globular-toast

Security hinges on trust. The only real privacy tool is PGP which uses a web of trust model. But it only works if people own their own computers and storage devices. What they've done is got everyone to rent their computers and storage instead. There's no security model that works for the users here.

Vaslo

Scary - I try to use signal as much as possible now for this reason.

IshKebab

Signal can't evade this law either.

blfr

Why not? Signal was willing to run all kinds of crazy setups to evade foreign laws, like domain fronting.

https://signal.org/blog/doodles-stickers-censorship/

ta8645

Free speech already under threat and now y'all are giving up the right of private communication too? For anyone cheering this on, do you honestly think this will only affect the "bad people", and you'll never have your own neck under the government's boot? Even if you trust the government today, what happens when your neighbors elect a government you disagree with ideologically?

multimoon

I don’t think anyone is cheering this on.

int_19h

Many people do, unfortunately, so long as it's framed as "only terrorists and pedophiles need encryption that cops can't break".

botanical76

How do we actually beat this narrative? I've been proposing an E2EE-based chat application to my friend, and they asked me a similar question: won't it just be rife with pedophiles? How can you make a platform that will be used to that means?

I have strong views about privacy as a fundamental human right, but I don't know how to answer that question. I certainly don't want to make the world worse, but this feels like a lesser of two evils type of deal: either make it even harder to catch bad actors, such as child abusers, or make it plausible that your government takes away your freedom forever.

Funes-

Most politicians are.

mihaaly

Instead of the word cheering we could use letting.

Bad people flourish over the inaction of good people.

(but yes, there are always several who protect and argue for things risking their own and everyone's livelihood, exposing themselves to shady elements, along singled out and elevated thin aspects, cannot understood why)

talldayo

[dead]

tene80i

I have a naive question, and it's genuine curiosity, not a defence of what's happening here.

This ADP feature has only existed for a couple of years, right? I understand people are mad that it's now gone, but why weren't people mad _before_ it existed? For like, a decade? Why do people treat iCloud as immediately dangerous now, if they didn't before?

Did they think it was fully encrypted when it wasn't? Did people not care about E2E encryption and now they do? Is it that E2E wasn't possible before? If it's such a huge deal to people now, why would they have ever used iCloud or anything like it, and now feel betrayed?

Shank

I guess I'm one of the people who was upset that it didn't exist before, and I didn't enable iCloud Backup as a result. I didn't use iCloud Photos. I had everything stored on a NAS (which was in fact encrypted properly) and used a Rube Goldberg-esque setup to move data to it periodically. I used iMazing and local encrypted backups on a schedule.

Lots of people called for E2EE on this stuff, but let's be real about one thing: encryption as a feature being more accessible means more people can be exposed to it. Not everyone can afford a Rube Goldberg machine to back up their data to a NAS and not make it easily lost if that NAS dies or loses power. It takes immense time, skill, and energy to do that.

And my fear isn't the government, either, mind you. I simply don't trust any cloud service provider to not be hacked or compromised (e.g., due to software vulnerability, like log4j) on a relatively long timescale. It's a pain to think about software security in that context.

For me, ADP solves this and enables a lot of people who wouldn't otherwise be protected from cloud-based attacks to be protected. Sure, protection against crazy stuff like government requests is a bonus, but we've seen with Salt Typhoon that any backdoor can be found and exploited. We've seen major exploits in embedded software (log4j) that turn out to break massive providers.

So, there were people upset, their concerns were definitely voiced on independent blogs and random publications, and now, we're back in the limelight because of the removal of the feature for people in the UK.

But, speaking as a user of ADP outside of the UK, I am happy that ADP is standing up for it, and thankful that it exists.

(To be clear: government backdoors, and government requests also scare me, but they aren't a direct threat to myself as much as a vulnerability that enables all user data to be viewed or downloaded by a random third-party).

matthewdgreen

Many of us were very upset about Apple's slow-rolling this feature. There were many claims that they delayed the rollout due to government pressure [1] (note: that story is by the same reporter who broke today's news a couple of weeks ago.)

Rolling out encryption takes time, so the best I can say is "finally it arrived," and then it was immediately attacked by the U.K. government and has now been disabled over there. I imagine that Apple is also now intimidated to further advertise the feature even here in the U.S. To me this indicates we (technical folks) should be making a much bigger deal about this feature to our non-technical friends.

[1] https://www.reuters.com/article/world/exclusive-apple-droppe...

ziddoap

At one point in time, the entirety of web communication was completely unencrypted.

Why were people not mad then? Do you think people would be angrier now, if HTTPS were suddenly outlawed?

Among other valid answers, removing rights and privileges generally makes people angrier than not having those rights or privileges in the first place.

bostik

> Why were people not mad then?

Oh, we were. I am in the crowd who had been asking for generally used encryption since 1995. After all, we were already using SSH for our shell connections.

The first introduction to SSL outside of internet banking and Amazon was for many online services to use encryption only for their login (and user preferences) page. The session token was then happily sent in the clear for all subsequent page loads.

It took a while for always-on encryption to take hold, and many of the online services complained that enabling SSL for all their page loads was too expensive. Both computationally and in required hardware resources. When I wrote for an ICT magazine, I once did some easy benchmarking around the impact of public key size for connection handshakes. Back then a single 1024-bit RSA key encryption operation took 2ms. Doubling it to 2048 bits bumped that up to 8ms. (GMP operations have O(n^2) complexity in terms of keysize.)

aqueueaqueue

"We" is a special group. I am technical but never thought much about it back then. There is a boiling frog. The 90s internet was used for searching and silly emails. Now it has your life in the cloud. But that didn't happen in a day.

viciousvoxel

Counterpoint: when web communication was unencrypted it was before we did our banking, tax filing, sent medical records, and sent all other kinds of sensitive information over the internet. The risks today are not remotely the same as they once were.

muyuu

always used my own encryption and cyphered any sensitive data/communications, but the problem is that most people won't and you're often compromised by them

simple solutions like Whatsapp, Signal and ADP brought this to the masses - which some governments have issues about - and this makes a massive difference to everybody including those who wouldn't be caught dead using an iphone anyway

if we could go back to the early 1990s when only professionals, Uni students, techies and enthusiasts used the internet I'd go in a heartbeat but that's not the world we're living in

GeekyBear

You've always been able to perform encrypted backups to your own local PC or Mac out of the box, so people who do care about privacy have always had that option.

One thing I've found concerning is that Apple had encrypted cloud backups ready to roll out years ago, but delayed releasing the feature when the US government objected.

> After years of delay under government pressure, Apple said Wednesday that it will offer fully encrypted backups of photos, chat histories and most other sensitive user data in its cloud storage system worldwide, putting them out of reach of most hackers, spies and law enforcement.

https://www.washingtonpost.com/technology/2022/12/07/icloud-...

So the UK government isn't the only government that has objected to users having real privacy protections.

post_break

Yes, I was mad before it existed and didn't use icloud backups. With the E2E and ADP I turned it on. If it gets nuked in the US I'll go back to encrypted local backups only.

aqueueaqueue

People learn stuff over time. If you are not living like RMS you probably are allowing something to spy on you. If that spying gets removed you become aware. You don't want it back.

It is like anything that gets better. Fight for the better. It is like aviation safety: who cares about a few crashes this year when people didn't complain in the 70s.

hirako2000

A few factors

- e2e encryption is not ubiquitous yet, but awareness is ascending.

- distrust for government also is on the uptrend.

- more organized dissent to preserve privacy.

No, people didn't assume data was encrypted.

Yes E2E has been possible for many decades, but businesses don't have privacy as a priority, sometimes even counter incentives to protect it. Personal data sells well.

Things have changed because more people are getting to understand why it matters, forcing the hand of companies having no choice but to at least feign to secure privacy.

procaryote

An E2E encrypted thing that later gets a special backdoor added is obviously much worse than a not E2E encrypted thing.

It's like when google suddenly decided that their on-device-only 2FA app Google Authenticator should get an opt-out unencrypted cloud backup.

It means people who don't pay a lot of attention can suddenly have much less protection than they were originally sold on.

throwaway77385

The nightmare continues. For now I am using 3rd party backup services that are (currently) promising me that my backups are encrypted by a key they do not have access to, or control over. But can this even be believed in an age where these secret notices are being served to any number of companies? I suppose the next step would be to ensure that files don't ever arrive in the cloud unencrypted, but I have yet to see a service that allows me to do this with the same level of convenience as, say, my current backup solution, which seamlessly backs up all my phones, my family members' phones, my laptops, their laptops etc. I depend on having an offsite backup of my data. Which inevitably includes my clients' data also. Which I am supposedly keeping secret from outside access. So how does that work once everything becomes backdoored?

jahewson

In the case of the U.K., they can throw you in jail for not handing over your encryption key, so it’s a moot point. They’ve been slowly expanding this power for twenty years now.

bloqs

Not for content in the cloud, as far as I understand. Someone will correct me, but you can be arrested and threatened with terror charges if you don't unlock your device, but this does not give them permission to access other computers via the internet.

commandersaki

Tommy Robinson trial for refusing to provide his unlock credentials when ingressing UK is happening in March this year.

fdb345

I've been through all this with the law. no one ever got jailed for not handing over encryption keys unless they were a definitive criminal and there's strong evidence there is criminal data on the device.

they tried this with me (NCA) but the judge wouldn't sign off as they had nothing on me or my device. they did however REALLY want to access it! fuck them. pricks

callc

Ah yes, the “we have all the power but pinky promise to only use it on the bad guys” playbook. I have complete confidence and trust in that promise. /s

nemomarx

security and convenience are ever at war.

globular-toast

Convenience usually comes at a cost. You shouldn't have to trust anyone. Just use a generic storage service and only upload encrypted files to it. Syncthing + Rclone will probably get you a similar setup that you control.

grahamj

IMO the only thing you can have a high level of trust in is your own *nix server. Back up those devices to it then encrypt there before being sent to the cloud.

JohnFen

Handling the encryption yourself is the way to go, but for maximum security, don't send that encrypted data to the cloud. Keep it all on your own server(s).

That doesn't help people who aren't technically capable, of course. But at least those who are can protect themselves.

grahamj

Depends what kind of security. Local doesn't help if your house burns down or is robbed.

acuozzo

> your own *nix server

Just be sure it's pre-Intel Management Engine / pre-AMD Platform Security Processor!

IceHegel

I'm sympathetic to the J.D. Vance angle, which is that European governments are increasingly scared of their own people. This is not doing a lot to change my mind.

kelnos

Governments should be scared of their people, though not in the way that I expect Vance means.

It's certainly better than the opposite, where citizens and residents are scared of their government, which wields the power to deprive them of their freedom, possessions, and life.

dennis_jeeves2

> Governments should be scared of their people, though not in the way that I expect Vance means.

A guillotine once in a while for some politicians/bureaucrats will do some good. There is a rich history of the French doing it. I'm not even trying to be funny.

duxup

I think the US government has made these kinds of requests too, similar tactics such as mass data collection without a warrant and so on.

I don't think it is "scared" as much as just the usual human desire to do whatever the task is ... without thinking of the consequences.

Cornbilly

The unspoken part of that is Vance likely thinks that the people should fear their government.

buzzerbetrayed

This sounds more like what you want to be true than anything. Your comment reveals nothing of JD Vance, and a lot about your own biases.

saagarjha

Unlike your comment, obviously.

Cornbilly

He likened Trump to Hitler and then ran with him. That reveals everything about Vance.

bilbo0s

True.

It's a very unwise position Vance takes.

The world would clearly be better run if all governments feared their people, than it would if all people fear their governments.

The UK can pull this kind of stuff precisely because they do not fear any consequences from their people.

odiroot

On our continent, the obvious solution to every problem under the sun is "more state".

deelowe

Then Vance should do something about the 5 eyes which is likely the source of this sort of thing.

gnfargbl

To give you a counterpoint: from this side of the pond it is extremely surprising to see how effective Vance's speech has been in distracting a good proportion of the American public. Which, I have to suspect, was the real point.

mihaaly

Very wrong conclusions.

They are not scared of people, but of working, doing their job, especially when it is difficult (catching criminals). They expect the job to be done for them by others, at the expense of everyone, while they collect all the praise.

On being sympathetic to Vance, I did not really find a presentable reaction, and would not find one to any other accidentally agreeable sentence leaving his mouth (very low chance, btw). Talking a lot about all kinds of things will sooner or later hit something acceptable, which will not make a figure who is unacceptable and destructive to society sympathetic.

You should also be aware of the practices and conduct of the various US security services (and probably all governments out there), if not from news or law then at least from the movies, when we come to the topic of who is afraid of their own.

rdm_blackhole

Exactly, it's the same thing with the Chat Control law in the EU and it reminds me of the scene in the movie Office Space where the consultants are trying to figure out who is doing what in the company.

Basically, instead of doing their jobs, the cops expect Apple, Meta et al to intercept all the data, then feed it into some kind of AI black box (not done by them but contracted out to someone else at the taxpayer's expense) that will then decide if you get arrested within the next 48H (I am exaggerating but only slightly).

What are the cops doing instead of doing their jobs? That's my question. Aren't they paid to go out and catch the criminals or do they simply expect to get the identity of people each day that need to be investigated?

RIMR

Well put. It's pretty much impossible to sympathize with Vance saying this when the administration he is a part of is scaremongering about "the enemy within".

lrdd

As a citizen, I don’t understand what the UK government thinks they are getting here - other than the possibility of leaks of the nation’s most sensitive data.

Also is it not possible to set up my Apple account outside of the UK while living here?

GJim

> other than the possibility of leaks of the nation’s most sensitive data

Amusing when you consider the National Cyber Security Centre (NCSC, a part of GCHQ), along with the Information Commissioner's Office, both publish guidance recommending, and describing how to use, encryption to protect personal and sensitive data.

Our government is almost schizophrenic in its attitude to encryption.

palmotea

> Our government is almost schizophrenic in its attitude to encryption.

Of course: it's not a monolithic entity. It's a composite of different parts that have different goals and interests.

spwa4

And yet if I steal your money and refuse to give it back, or let you steal it back, you'll call that hypocritical. What does the size of an entity have to do with whether this is idiotic or not?

hkwerf

I suppose they don't believe certain facts engineers are telling them. With Brexit it was coined "Project Fear". Now they're being told that adding backdoors to an encrypted service almost completely erodes trust in the encryption and, as in the case with Apple here, in the vendor. However, I suppose it is very hard to find objective facts to back this. I'd guess this is why Apple chose to both completely disable encryption and inform users about the cause.

Now we're probably just waiting for a law mandating encryption of cloud data. Let's see whether Apple will actually leave the UK market altogether or introduce a backdoor.

wrs

In the US, the NSA has always had both missions (protect our country’s data and expose every other country’s data). Since everyone uses the same technology nowadays, that’s a rather hard set of missions to reconcile, and sometimes it looks a little ridiculous. As of fairly recently, they have a special committee that decides how to resolve that conflict for discovered exploits.

Macha

I mean, this is no different than one part of the government suggesting running laundry at night to reduce the environmental impact of energy use, while another suggests only running it while awake to reduce fire hazard. Governments and corporations rarely have complete internal alignment.

Am4TIfIsER0ppos

That's because GCHQ knows they can kill if you refuse to decrypt so they have no problem suggesting it to you.

gjsman-1000

Correct me if I'm wrong here, and maybe this is too charged for HN, but looking over at you guys from the US:

The US has problems (don't get me wrong, look at our politics, enough said); but the UK seems to be speedrunning a collapse. The NHS having patients dying in hallways; Rotherham back in the popular mind; a bad economy even by EU standards; a massive talent exodus (as documented even on HN regarding hardware engineers); a military in the news for being too run down to even help Ukraine; and most relevant to this story - the government increasingly acting in every way like it is extremely paranoid of the citizens.

Any personal thoughts?

pjc50

There's a lethargy, but it's hardly speedrunning. Things will be the same or slightly worse in a decade. I'm not sure I can say the same for the US, it seems different this time.

> The NHS having patients dying in hallways

Sadly routine in winter. Nobody wants to spend the money to fix this. Well, the public want the money spent, but they do not want it raised in taxes.

> Rotherham back in the popular mind

The original events were between 1997 and 2013. The reason they're back in the mind is the newspapers want to keep them there to maintain islamophobia. Other incidents (more recently Glasgow grooming gangs) aren't used for that purpose.

> a bad economy even by EU standards

Average by EU standards. But stagnant, yes.

> the government increasingly acting in every way like it is extremely paranoid of the citizens.

They've been like this my entire life. Arguably it was a bit worse until the IRA ceasefire. Certainly the security services have been pushing anti-encryption for at least three decades.

captain_coffee

Yes - that is my impression as well as someone currently living in London. Literally every single system that I have to interact with seems to be somewhere on the spectrum between barely functioning and complete dysfunctionality, with very few exceptions that come to mind. By system in this context I mean every institution, service provider, company, business... everything. Couple that with low salaries across the board - including the "high paying tech jobs in London" - with price increases that are out of control, with no reason to believe this is ever going to stop, and you end up with a standard of living significantly lower than let's say for example the EU countries of Eastern Europe. Currently trying to figure out where to go next.

munksbeer

I'm an immigrant to the UK. I have lived here permanently for 21 successive years, though I was actually in and out of the UK for years before that. My current anecdotal feeling about the UK is at a pretty low point.

If it was an option, I would seriously look to emigrate again, but I honestly don't know where. The most appealing option for me is Australia, but my age works against me. I know everywhere has its issues, but I'm just so worn down by the horrible adversarial political system and gutter press in the UK right now. We seem unable to do anything of note recently. A train line connecting not very much of the UK has cost so much money, and in the end it hasn't even joined up the important part.

I don't know, life is good at a local level. I am privileged and live in a fantastically beautiful town, and life here is safe and friendly. If I ignored everything else for a while it would probably do me good.

NegativeLatency

Seems like the US is trying to catch up, especially with the whole talent exodus thing and defunding of vital research funding.

lucasRW

Many people think like you. Western Europe in general has been destroyed by a certain ideology, and whoever can emigrate does emigrate.

world2vec

You need a valid payment method from that country and then cancel all current subscriptions and change to that new country/region.

mr_toad

You’ll probably want a method of downloading apps tied to the UK app store though - particularly banking apps.

chatmasta

btw, anyone know if this cancels Apple+ Support too? I’ve been resisting switching countries because I don’t want to lose that subscription since you can only subscribe within 60 days of device purchase.

feb012025

I don't know, they've definitely been cracking down on journalists over the past year. Could be an attempt to crack down harder / create a chilling effect

lucasRW

They've been sending people to prison for posting memes....

mr_toad

Memes with illegal content. It’s not hard to imagine creating a meme that would have the FBI knocking on your door.

mr_toad

> Also is it not possible to set up my Apple account outside of the UK while living here?

The ability to turn on Advanced Data Protection does seem to be tied to your iCloud region (as of now I can still turn it on, and I’m in the UK but have an account from overseas).

vr46

You need a non-UK card to use on your Apple Account to change its region.

dawnerd

Would a Wise card work?

gambiting

No, because it still has a British billing address.

mr_toad

You need proof of address.

tick_tock_tick

The UK is arresting people for posting memes. They want full control and that's it.
