NCSC, GCHQ, UK Gov't expunge advice to "use Apple encryption"
92 comments
March 5, 2025
bigyabai
Fights like this only legitimize the EU's DSA to me. UK users would not be beholden to Apple for E2EE if their clients had legitimate alternatives to the first-party iCloud service. There would be no world where Apple could even threaten to disable it.
Break the walled garden down, and all of a sudden it doesn't matter what Apple's stance on E2EE is. But Apple wouldn't want that, since then you might realize they aren't the sole arbiters of online privacy.
freehorse
> There would be no world where Apple could even threaten to disable it.
They did not "threaten to disable it" and Apple's stance on E2EE is not the issue here, UK's stance is. UK essentially made iCloud E2EE by demanding Apple to make a global backdoor into it, and essentially thus forced them to disable it. It is not disabled anywhere else in the world.
Essentially the UK (and other states) want somehow to have their pie and eat it too, but that's just not possible.
doublerabbit
If UK is already doing this, then what's stopping them from banning all new iPhones? Some countries do.
mikestew
> then what's stopping them from banning all new iPhones?
The torches and pitchforks that are soon to follow? You might get away with that in oppressive “some countries”, but I just can’t imagine it ending well in someplace like the UK.
jjani
Bread and circuses is what stops them. Whoever would get the iPhone banned is guaranteed never to win another election. Like banning beer or football.
It would also be banning Macbooks, imagine what companies would have to say about that.
The reason Apple isn't calling their bluff is not that they're scared the UK will actually ban their products. It's for optical and political reasons.
ziddoap
> UK users would not be beholden to Apple for E2EE if their clients had legitimate alternatives to the first-party iCloud service.
Any sufficiently popular alternative would be subject to the same issue: you can't backdoor encryption without making it insecure.
> There would be no world where Apple could even threaten to disable it.
Your framing of this seems to blame Apple, and I don't understand why.
alwayslikethis
You can have a service beyond the reach of UK law enforcement. Somehow piracy on the clearnet never really stopped with it being illegal in most countries.
ziddoap
You're suggesting that Apple, a giant publicly traded company with known people that can be summoned to court and assets located in places that can be seized, should ignore lawful orders from a country they are operating in?
Can I ask you how you think that would play out?
> Somehow piracy on the clearnet never really stopped with it being illegal in most countries.
I'm sure you can spot the difference between a small group of people running a piracy site and a multinational company selling physical devices in physical stores.
tree_enjoyer
If you're a company with offices, personnel, and assets in the UK, well your "service" may be beyond the reach, but the rest isn't.
nkellenicki
I'm all for the DSA as well, but this argument doesn't hold water. Any sufficiently large cloud provider alternative (i.e. Google, Microsoft, etc.) would likely be the target of similar government instructions. In fact, I bet they already are - they just can't talk about it.
And of course, it's already possible to disable iCloud backups and use a smaller provider or host your own alternatives. I already do, through Nextcloud, etc. It's not as fully integrated of course, but you bet that if it was, then the largest alternatives would be targeted all the same.
petedoyle
If Apple were to add new APIs, it might be possible to use personal cloud storage (NAS, Decentralized Web Nodes, etc.) with the same UX as iCloud with E2EE.
zimpenfish
> it might be possible to use personal cloud storage [...] with E2EE
Which would quickly become illegal if UKGOV is set on getting access to people's iOS backups / cloud storage / etc. Hell, it's already a legal requirement to hand over your keys if UKGOV demands them[0].
[0] "Regulation of Investigatory Powers Act 2000 part III (RIPA 3) gives the UK power to authorities to compel the disclosure of encryption keys or decryption of encrypted data by way of a Section 49 Notice." https://wiki.openrightsgroup.org/wiki/Regulation_of_Investig...
Aloisius
Bit more complicated than that. iCloud isn't passive storage. A fair bit of the logic exists on the server.
alwayslikethis
You can always have a company without legal presence in the UK to do the operations, beyond the reach of the UK government. If you are allowed to run your own software on your devices, you can always encrypt before sending. Apple and to a lesser extent Google got themselves in this position of being able to spy by building their walled gardens.
alecmuffett
OP here. I am sympathetic, really I am, but the challenge then is a diversity of solutions tends to lack really good high quality security systems integration, meaning that data leaks differently. It's hard to have a high integrity solution which is an open standard and implemented equally well by all players.
bigyabai
I would rather that Apple invests in solving hard problems. Spending that money on legal representation only kicks the can down the road.
alecmuffett
One of the hardest problems you can face is getting a community of disparate developers to do the right thing at scale; sometimes the easiest solution for that is a monolithic integrated blob.
jeroenhd
The UK demands a backdoor in the backups, so having an alternative backup app isn't the solution here. All the alternatives would just get forced into also adding backdoors, or everyone working for the companies that provide alternatives find themselves unable to ever enter the UK again.
That said, I do wish there were more backup solutions for mobile platforms. Android has an API for this, but it's only available to software signed with manufacturer keys. LineageOS and various other custom ROMs use this to allow Seedvault backups, but as a stock Android user I can only pick between Google backups and no backups.
On the other hand, these backups do contain material you don't necessarily want random apps to have access to. Seeing how powerful stalkerware/"parental control" already is on Android, I recognise that there are dangers that the general population might not realise. Adding additional warnings and messages about backups (even when the backups are made using manufacturer software) would probably strike a balance, though.
t00
Both Apple and Android (stock) are candidates for anti-monopoly regulations regarding the limited, vendor locked backup API.
Enforcing choice of the backup solution would solve the problem of rogue countries like the UK meddling with privacy and security.
Like the browser choice, backup provider choice can end up being enforced, likely by the EU as they have a good history of breaking up vendor lock-ins.
Possibly an information/lobby campaign can be started and endorsed by some major online storage providers?
easytiger
The EU and the EUC are not your friend when it comes to privacy
https://home-affairs.ec.europa.eu/networks/high-level-group-...
bigyabai
Nor is the jurisdiction Apple is headquartered in: https://arstechnica.com/tech-policy/2023/12/apple-admits-to-...
It feels like a moot point, to me.
easytiger
How is an exploration of broad spectrum legislative attacks on all forms of encryption regardless of hosting and corporate ownership and data communication moot?
cs02rm0
So the question in my mind is: is the UK Government attempting to cover-up its previous advocacy of ADP, by censoring this old document?
In a word, yes.
I'd be fascinated to know who in the hive mind decided to do it though; I can't see someone too senior coming up with an http redirect as the answer. I guess the scrub order came down the chain and an automaton jumped into action.
mike-the-mikado
Perhaps they know that ADP security is broken. That would justify both changing the recommendation and asking to read it.
mig39
Man, you know you're the baddies when you have to have "secret courts."
crimsoneer
... this is very silly. Sometimes the government needs to have secret stuff, and that needs an oversight body... and they need to see the secret stuff
93po
There is absolutely no reason why the public at large can't know that some three letter agency is legally forcing a company to provide information with a national security letter. The public knowing that this is happening doesn't divulge any useful information to anyone. The fact that free speech is in fact being trounced in the US is really freaking gross to me.
genbugenbu
That's a pretty naive take imo; divulging such information leads to change in behaviour of nefarious actors.
I totally get the viewpoint, but there are other perspectives to consider.
paulddraper
Specific details, sure.
Locations of military assets, passcodes, officials' personal details, etc.
But you cannot have a democracy without the people knowing what their government is doing.
timewizard
The oversight body is the legislature. The judiciary has no ability to provide oversight. The judiciary cannot act on its own. It cannot conduct investigations. It can only act on cases and motions within those cases. The two ideas you've presented do not have anything to do with each other.
ndegruchy
Didn't realize he was also talking about the US secret courts. Sorry.
Uh...[1] yeah. Secret courts are the worst! Those British and their secrets!
[1]: https://en.wikipedia.org/wiki/United_States_Foreign_Intellig...
mig39
Like I said, you know you're the baddies when you have to use "secret courts."
abtinf
A charge of hypocrisy necessarily implies you agree with the principle.
ben_w
Not so. Hypocritical positions tell you an error exists, but not which of the two contradictory positions is the wrong one.
ndegruchy
I don't. I was merely pointing out the hypocrisy, not understanding that he meant it as a blanket statement for both/all countries with secret courts.
paulddraper
FISA abuse has been broadly reported in recent years.
Aloisius
Simply turning off ADP for UK users seems like it wouldn't satisfy the UK who likely wants the keys to people's data who live outside the UK as well.
So Apple either has to fight this in court, compromise security worldwide, disable iCloud worldwide or exit the UK market.
The same law can arguably be used to compel Apple to backdoor phones and devices themselves as well.
gjsman-1000
The good news: The US Director of National Intelligence, Tulsi Gabbard, is fully aware of the request and has responded to a letter from Congress about it. She has stated that in her opinion, while this plays out, it would actually be possibly illegal for the UK to make this request, let alone Apple to comply with it, under the US CLOUD Act. If this is true, Apple will have no choice but to leave the UK rather than comply, and the UK will find themselves in a no-win situation for this demand.
https://www.reuters.com/technology/us-examining-whether-uks-...
Edit: This is in addition (for better or worse, I’m just the messenger) to Trump personally calling the EU’s rules for tech unfair, JD Vance giving a speech accusing the UK and Europe at large of violating free speech, the UK’s prime minister being personally teased by Vance at their meeting about free speech (overshadowed by Zelensky’s meeting later the same day), and FCC Commissioner Brendan Carr stating the EU Digital Services Act is incompatible with American free speech values. In my opinion, this turned out to be the dumbest possible time for the UK to attempt such a move, even if it wasn’t foreseeable when the demand was issued.
bigyabai
That's great news, now Ron Wyden won't have to feel so lonely when congress ignores his demands to end illegal surveillance of American citizens. It'll be like a hunky-dory, bipartisan "anti-surveillance surveillance club" or something!
sarcasticfish
Could someone that understands more than a third of what was written explain what's going on?
Hizonner
One part of the UK government is trying to force Apple to introduce back doors in cloud data encryption. The back doors are intended for UK government access to user data. This undermines the whole feature. Meanwhile, other parts of the UK government have been encouraging at-risk people to use the same feature, including to hide information from hostile foreign governments. The UK government as a whole has apparently realized that this is embarrassing and taken down the advice.
dingdingdang
Surely Apple's lawyers can use this information in court - the fact that the government itself is relying on, and recommending, citizens and (presumably) intelligence assets to use Apple's encryption technology abroad makes it VERY clear that outlawing said technology will systematically weaken ALL UK information infrastructure and make it 110% easier for foreign powers to exploit and sabotage the UK as a whole.
edit: removed political quip since, as evidenced by sub-comments, it too easily derails from the primary discussion point, excuse-moi.
danparsonson
> Do we really need Reform in power for common sense to flourish in the UK to any degree?!
No. You've mistaken demagoguery for common sense I'm afraid. That's one of their favourite tricks though, so you could be forgiven for the mistake.
miohtama
Apple is not planning to fight for the UK citizens over encryption.
It's a job for the democracy and voters.
jen20
If you think Reform are likely to be in favour of anything other than the most authoritarian implementation of whatever law enforcement suggests they want, I don’t think you’ve been paying attention to who Reform are.
treesknees
It was not removed out of embarrassment, it's just wrong advice. The government can't tell people to use this feature, because the feature no longer exists for them to use.
HPsquared
Notice which side wins out.
nickthegreek
UK Govt wanted Apple to give them backdoor keys to all accounts. Not even just UK accounts, all accounts. Apple said no and said they will remove encryption from iCloud for UK users. Apple then sued UK govt to try and get the whole thing stopped so that they don't need to remove the encryption from UK. But some parts of the govt were telling other parts to use some of the encryption features.
dark-star
As I understand it (which might be incorrect), they don't want to tell people "use Apple encryption" anymore and silently removed that advice from their websites. Probably due to the fact that they didn't get their backdoor access to user data, so now they want people to just now encrypt stuff
vfclists
There is too much deflection from the true purpose for these regulations.
The main thing here is that if a Govt approaches a party to gain access to their encrypted data the party can stall them, destroy the data, claim amnesia or point the Govt in the direction of their lawyers. If the Govt approaches Apple or some other company, the companies don't have to inform the targets and can probably compel the companies not to inform the targets.
With encryption there is even no hard evidence that the data sought exists.
This is the main reason for the laws. Their purpose is to gain access to encrypted information without their target's knowledge.
rvz
Why would you want to live in the UK, especially under this government?
Unless you want to enjoy a full surveillance state close to China?
Even if you are running away from the US, you should just ignore the UK as a destination at this point.
ajsnigrutin
Most people were born there and have nowhere to go.
The problem is that it's spreading... EU already wants "AI" to read our private messages, US and its Patriot Act was not much better (+ everything within wikileaks), etc.
ohgr
Wankers! Sorry that's not constructive. But that's what they are.
Especially when government ministers regularly accidentally delete everything and get away with it...
gred
Muppets!
(As an American, I love UK slang. It's both familiar and exotic at the same time.)
petecooper
> I love UK slang
I recommend checking your preferred book source for Roger's Profanisaurus:
martinsnow
Did the site get hugged to death?
bigfatkitten
Yes. Here's the substance of the post:
dang
I've made a (shortened) copy of your comment and pinned it to the top of the thread. I hope that's ok with you! I just thought it's only fair for you to get the karma.
(If not, let me know and I'll undo.)
bigfatkitten
It was fine, but I inadvertently deleted it before I saw your comment. I saw it in my comment history and thought I double-posted!
martinsnow
Thank you
dizhn
works fine for me
marcellus23
not working for me.
edit: it did load eventually after waiting for a minute or two
https://archive.is/YZF6r