US examining whether UK's encryption demand on Apple broke data treaty

> The Online Safety Act is about internet systems that are akin to traditional publishing

I won't consider myself an expert on this, but from what I've read, that's just not true. Perhaps that's the intent, but the vague wording makes it possible that all sorts of websites could be subject to it, even, for example, a small forum run by a hobbyist that has a few hundred members.

Even if the intent behind the Act is good (debatable!), the implementation of it seems designed to scare everyone and allow for selective enforcement, while people get pushed to the big social media platforms as smaller niche communities feel pressured to shut down.

> Speaking as the person who pops up to defend the Online Safety Act

Do you defend the aims of the Act, the Act itself, or both?

I'm having to figure out compliance for a volunteer run, donation funded forum, and I think the Act itself could (and should) have been better written. I don't think Ofcom can handle it better than they are, because until it's tested in court they haven't the ability to say what the vague and undefined terms mean.

> it holds the operators of those systems to the same standards to which we hold traditional publishers

This is not really true though, is it? Involving OFCOM holds the internet to broadcaster standards, which is very different from print standards. We ditched print censorship and "think of the children" in the Lady Chatterly case, long ago.

> I think the Investigatory Powers Act (which allows for this spat with Apple) is a terrible piece of legislation.

It is. Long ago I was briefly involved with the UK Campaign for Digital Rights campaigning against it. Nowadays that work is being done by the Open Rights Group (UK HN readers check it out!)

The deeper problem is the UK security services got stuck in counterinsurgency mode during the Troubles, and then the War on Terror, and that infects everything with paranoia. There's no way to tell these people "you are fighting yesterday's threats".

Same as people travelling to the US with encrypted devices: the border police have full discretion to ask you to do anything, and ban you from the country if you don't comply.

Well, the UK can lock you up until you give them your passwords. That method usually works pretty well for nation states.

I think you are subject to local laws when you travel. So the question is rather, can UK request you to unlock it yourself?

As far as I understand, the UK gave Apple an order that has effective worldwide extent to insert a backdoor. Clearly you can't have a backdoor that only works for people in a certain location, since people are not fixed in one place.

Apple chose to partially comply with the order, by disabling ADP for UK users, instead of inserting a backdoor.

Apple is making the distinction here between UK and non-UK, so they can define a "UK user" however they want. A foreign citizen travelling in the UK almost certainly won't be affected.

In other words, they aren't handling this case legally, or at least that is a matter that may be resolved in court if the UK is unsatisfied with Apple's method of compliance. Apple would seek to challenge the UK's jurisdiction in that case.

Demand isn’t the same thing as request. As long as the US is willing to rubber stamp most requests it’s not nearly as limiting in practice as it might seem in theory.

Except surely the UK hasn't?

What they've reportedly demanded is that systems be changed, so that later a demand for data may be be effective. As to if any hypothetical later demand for later would contravene the agreement would seem to simply be speculation for the moment.

Surely the UK could just be careful not make a contravening demand at that time? Which would then make this whole "review" a case of PR on the part of the US politician.

Now it is quite bad that the UK has apparently triggered this bit of the snoopers charter, but it would seem to be othogonal to that agreement.*

* Unless someone bothers to review the agreement, and finds that such meta-demand are covered.

I'm thinking in this case there is probably a legal difference between "may not" and "is not authorized", so I would expect the interpretation would be you can request data on a UK citizen in the US but not demand - so up to whoever you request it from.

For any U.S Person you may not say anything about it at all. I mean that is totally reasonable, if they want that data it's basically a diplomatic matter not a demand you issue.

UK is trying to force Apple grant access to any and all persons worldwide not just their own citizens. Practically strong arming an American company to spy on the entire world for them. Why would any other sovereign country allow their own citizens’ privacy to be violated in their own country for UK?

That's nonsensical. Every company has to abide by the laws in the country it is doing business in. It is a costly and complex issue that all international companies need to engage in. To not do so is to not do business.

This is nothing new. For example, Apple submits to much worse privacy-weakening in exchange for being allowed to operate in China.

Countries are free to set whatever conditions they like for allowing a company access to its market.

I don't really see the problem with this specific bit? You want big international companies to follow the local laws of the countries they operate in, or to move out if that doesn't work for them, that's a good thing.

Us ideals on privacy? Is this a joke I can't understand because I got a flu?

Well, the UK is a sovereign country so they have the right to tell companies operating in their borders to do what they please.