Encryption United Kingdom Apple

UK Orders Apple To Let It Spy on Users' Encrypted Accounts (msn.com) 74

The UK government has ordered Apple to create a backdoor allowing access to encrypted cloud backups of users worldwide, The Washington Post reported Friday, citing multiple sources familiar with the matter. The unprecedented demand, issued last month through a technical capability notice under the UK Investigatory Powers Act, requires Apple to provide blanket access to fully encrypted material rather than assistance with specific accounts.

Apple is likely to discontinue its encrypted storage service in the UK rather than compromise user security globally, the report said. The company would still face pressure to provide backdoor access for users in other countries, including the United States. The order was issued under Britain's 2016 Investigatory Powers Act, which makes it illegal to disclose such government demands, according to the report. While Apple can appeal to a secret technical panel and judge, the law requires compliance during any appeal process. The company told Parliament in March that the UK government should not have authority to decide whether global users can access end-to-end encryption.

  • Already Exists (Score:3, Interesting)

    by bill_mcgonigle ( 4333 ) * on Friday February 07, 2025 @09:06AM (#65149289) Homepage Journal

    Apple has a backdoor in its GPU silicon with full memory access.

    Sounds like UK is mad they don't get the keys.

    https://www.xstore.co.za/stuff... [xstore.co.za]

  • Hmmm... really? (Score:5, Interesting)

    by Petersko ( 564140 ) on Friday February 07, 2025 @09:10AM (#65149299)

    It's a dramatic overreach. Access to a specific account under specified terms, obtained through legal means, is defensible. Blanket access is not, unless you embrace authoritarianism, in which case your value system shifts to make it okay. But that's not what the UK purports to be. And "worldwide"? For any users?

    You know... now that I followed the link, I suspect that the reality may not resemble the summary or the article. I would expect the article to contain more meat. It does not. It barely has the same content as the summary. Something's amiss. I don't believe it's accurate.

    • Re: (Score:2, Interesting)

      by gillbates ( 106458 )

      But that's not what the UK purports to be.

      You mean the same UK that imprisoned more people for social media posts than Russia?

      Yes, imprisoned. People have been sentenced to two years in prison for making posts on social media.

      And they just cancelled local elections last week.

      If you think the UK is still a functional democracy, you haven't been paying attention.

      • by XXongo ( 3986865 )
        would like a citation here.
      • Re: Hmmm... really? (Score:5, Informative)

        by newcastlejon ( 1483695 ) on Friday February 07, 2025 @09:52AM (#65149423)

        Yes, imprisoned. People have been sentenced to two years in prison for making posts on social media.

        Some of those were incitement to riot. One that comes to mind [cps.gov.uk] was literally a call to burn down a hotel housing refugees. We have laws about that sort of thing.

        And they just cancelled local elections last week.

        In areas where councils are about to be merged, split or absorbed into another body. [bbc.co.uk] There's not much point in holding elections for positions that are about to cease to exist.

        Don't get your news from Twitter.

        • by Tablizer ( 95088 )

          a call to burn down a hotel housing refugees. We have laws about that sort of thing.

          Unless you are US President. Thanks Alito!

      • Re: (Score:2, Troll)

        I give it another month before it starts happening in the USA.

        https://www.reuters.com/world/... [reuters.com]

        He vowed his attorney general would work to "fully prosecute anti-Christian violence and vandalism in our society and to move heaven and earth to defend the rights of Christians and religious believers nationwide."

        Looks like we're at Iran in 1979.

        • by Zocalo ( 252965 )
          Genuine question since I've not seen it from the UK, but has there actually *been* any specifically anti-Christian violence and vandalism in sufficient volume to require this? A rise in anti-semitism and anti-islam due to Israel & Gaza, sure, many countries have seen that since October 2023 (and often being perpetrated by Christians), but he's not saying the more generic "religious violence", he's being quite specific. Or is it what I suspect it is, he's really doing this to put a preemptive shield a
          • Re: (Score:2, Informative)

            by Anonymous Coward
            No, there hasn't, and in fact it's the other way around, the so-called """christians""" in this country are the ones who are guilty of committing violent acts against people who don't conform to their fucked-up ideologies. Note that the 'violence' I'm alluding to includes the mass shootings in schools and public places, violence against non-CIS people, anti-abortion """laws""" that have caused harm or death to women, and so on, and so forth.
          • This is a thinly veiled attempt to go after pro choice protesters.

          • by Sloppy ( 14984 )

            has there actually *been* any specifically anti-Christian violence and vandalism in sufficient volume to require this?

            Not yet, but they are planning on Christians initiating violence against others, which will invite self-defense, retaliation, etc.

            You don't launch HARMs at enemy radar because they already shot down your plane. You launch HARMs at enemy radar because your bombers are about to go in.

            • by Zocalo ( 252965 )
              Yeah, that's pretty much what I thought it was - protecting the violent so-called-christians in his base from reprisals. That has to make you wonder what he's planning on inciting the more violent useful idiots in the congregation to do in order to provoke those reprisals (it probably won't just be one thing, either), or if it's just another charge they can add to the rapsheet on the flimsiest pretext to keep opponents locked up and unable to vote for longer. Either way, welcome to the new normal.

              Thank
      • In Russia they just mysteriously fall out of a window.

        Take that into account in your analysis.

    • Re:Hmmm... really? (Score:4, Informative)

      by AmiMoJo ( 196126 ) on Friday February 07, 2025 @09:26AM (#65149359) Homepage Journal

      If Apple's claims about how it works are true, then they would have to backdoor the devices to get the keys. But they have said they won't do that, and will instead withdraw those features from the UK market. So presumably UK users will find that they cannot encrypt iCloud data anymore.

      • The devil's in the details:

        If the UK is asking for a backdoor into EVERYONE's iCloud account and phone, that is one thing, and almost laughable.

        If the UK is asking for a backdoor into stuff under the Crown, then Apple probably will force-disable Advanced Data Protection for UK people, add a master decryption key (or maybe some type of API call to let forensic software into SepOS somehow) that goes onto products, and call it done. Or they just don't bother playing in the UK and if people want Apple stuff, g

    • Re:Hmmm... really? (Score:5, Informative)

      by jenningsthecat ( 1525947 ) on Friday February 07, 2025 @09:31AM (#65149369)

      You know... now that I followed the link, I suspect that the reality may not resemble the summary or the article. I would expect the article to contain more meat. It does not. It barely has the same content as the summary. Something's amiss. I don't believe it's accurate.

      I found several credible sources reporting on this, so I think it's real and accurate. Here's one alternate report:

      https://www.bbc.com/news/articles/c20g288yldko

      I think the lack of detail stems from the fact that "Legally, the notice, served by the Home Office under the Investigatory Powers Act, cannot be made public, and Apple declined to comment.". So basically, an increasingly authoritarian government is doing what authoritarian governments do.

      • So basically, an increasingly authoritarian government is doing what authoritarian governments do.

        From your own link:

        But the government notice does not mean the authorities are suddenly going to start combing through everybody's data.

        They would still have to follow a legal process, have a good reason and request permission for a specific account in order to access data - just as they do now with unencrypted data.

        Authoritarian governments seldom bother with due process and, unlike certain other countries, the UK government can't appoint whatever beer-swilling rando they want to the Supreme Court.

    • by SumDog ( 466607 )
      We're talking about a country that is literally arresting people for social media posts and making jokes. Count Dankula fought for years because he did a comedy bit where his dog raised a paw whenever he said "gas the Jews" and still ended up having to pay £800. The UK is everything Orwell warned us about (and America isn't far behind).
      • America isn't far behind

        Well, America is in an odd place. We are free to say "gas the Jews" as much as we want, but try nicely asking a school teacher to call you "he" rather than "she" and all hell breaks loose.

        • That's a deliberately false reframe. "All hell breaks loose" only when forcing use of pronouns by threat - not when there's an "ask nicely".

          In fact, the vast majority of conservatives are fine with "ask nicely" and will politely go along as long as the parents aren't secretly being kept out of the loop by the oh so "nice" teachers, and the oh so "nice" teachers aren't using extremely adult materials to try to encourage "exploration" by young children.

          https://www.newsweek.com/do-these-books-belong-public-school

          • "In fact, the vast majority of conservatives are fine with "ask nicely" and will politely go along"

            [citation needed]

            • Cheap shot. I am sure it's a big hit at upper east side cocktail parties.

              Citation: Stop watching MSNBC and Fox - and - assuming you're not in a hive city - simply get to know your neighbors.

        • by SumDog ( 466607 )
          You cannot define what is in someone else's head. I will call someone what they look like. If they pass, I'll use the word that has the least cognitive load for me to use. Words have to mean things. The pronoun people who demand such things are entirely dependent on people lying to them. I wrote about this in 2019:

          https://battlepenguin.com/phil... [battlepenguin.com]

          There is free speech and then there is compelled speech. If you get angry about someone not using the right pronouns, and work towards changing rules and law
          • Don't worry. We aren't going to war. The statement was intended to force other nations, particularly Egypt and Jordan, to take action. He just now came out to say we aren't sending troops or spending money.

            It's how he approaches negotiations. Shout while carrying a big stick. And it works.

        • We are free to say such nasty things but have to bear the consequences. What we can't do is demand someone else ignore their own perceptions and use specific speech just for you. Self-identification is meaningless. It doesn't matter one bit what you think you are when other people are observing you. They see what they see, not what you want them to say they see.
    • Access to a specific account under specified terms, obtained through legal means, is defensible.

      The problem for law enforcement is that Apple is designing their systems so that they, Apple, could not decrypt user data if they wanted to, or had to. For example Apple not having a copy of your decryption keys. These keys never leaving your personal Apple device, never sent to Apple. So Apple has nothing to pass on to law enforcement.

      Adding your decryption keys to your iCloud account is strictly opt-in. You have to authorize it.

  • when they made a similar request (special decryption tools for iPhones).

    You think they'll acquiesce to the UK? Apple, a US company?

    • They *publicly* told the government to pound sand, but of course that's what both sides would want. Apple gets to make a show of defending privacy, and the government gets plausible deniability for whatever resources they gain.

      Given a couple recent public examples, I've kind of lost any faith I had in Apple's privacy chest-beating, anyway. Sure, perhaps less flagrant malware slips through their store screening process than Google's (I'm not even considering sideloading, most folks doing that either are or

  • When a social media post can land you in jail, you know the regime is bad.

    I guess Apple will pull the iPhone from the UK.
  • An encryption scheme with a backdoor is fundamentally insecure. You can't give one entity access without opening an attack vector for others.
  • The same folks who will yell in my face blue lives matters get real freaked out when those same cops want their encryption keys. I mean you're not doing anything wrong right? Why would you care if the cops have your encryption keys?

    You can't militarize your police to go after people you don't like and not have them come back around for you. That's not how a militarized police force works.

    And that's why doublethink was invented. So that those two contradictory ideas could be held at the same time by
    • by sinij ( 911942 )

      The same folks who will yell in my face blue lives matters get real freaked out when those same cops want their encryption keys.

      What do you find inconsistent about that? People who support law enforcement, or more accurately oppose 'defund the police' idiocy, also are likely to oppose police overreach into civil liberties. That is, outside of extreme anarcho-libertarian views on one side and extreme BLM views on other side, law&order agenda is perfectly compatible with civil liberties.

      TL;DR We want people to follow laws, this includes cops.

      • That is, outside of extreme anarcho-libertarian views on one side and extreme BLM views on other side, law&order agenda is perfectly compatible with civil liberties.

        False, civil liberties can be taken indirectly such as creating a system where entire populations have their wealth stolen through seizing the land and paying a penny on each dollar or red lining or being denied banking or having their businesses firebombed because they were doing too well. Then after all the wealth and future possibilities of wealth are removed and starvation sits in go ahead and cut the hand off for feeding itself in the situation your thinking caused. Demonize and blame and purge all no

        • So, law and order are incompatible with civil liberties because people might commit crimes like theft and arson? I think you missed something very important. Like, laws that ban the things you're talking about being enforced, which requires police.
    • And that's why doublethink was invented. So that those two contradictory ideas could be held at the same time by enough people to win elections.

      Double think has undoubtedly been around longer than religion, rational agency only resides atop those with at least some gift of thought and language and who have been raised to think critically, or less commonly they realize it later in life. A good 1/3 of the population has always been mentally a broken patchwork of anecdotes that can’t simultaneously be true, for they believe first and try to impart on reality second when tautologically living in a physical universe demands the reverse. In Ameri

      • doublethink and other techniques were never formally documented until modern times where it became a whole area in itself "propaganda" then "P.R." and of course marketing. It's found its way into many other areas as well. Instead of 1 con man who perfected a few techniques and created a religion (some which lasted) or became king, it's something anybody who can read can figure out the collective tactics of generations.

  • What if I encrypt something, using my own key, and upload that to Apple's cloud? IE, not using built-in Apple encryption, but maybe even just 7-zip and a 4096 bit key? I don't know, curious what others think.

    • A judge would order you to produce the encryption key, just as they might order you to hand over the key to a safe if there was a warrant for the contents.

      Where I agree with some people I'd otherwise discount as uninformed gobshites is the murky situation where you might have genuinely lost the key rather than merely claim to. Given enough time with a gas axe any physical safe can eventually be opened, which is probably why the MoJ is pushing for this backdoor. I'm not in favour myself, but that's because s

      • by bobby ( 109046 )

        Thanks. But I think my point stands: the jackboot thugs won't have access to my data unless and until a judge signs a warrant for it. I'm in the US. Sorry to hear that UK is ahead of us in becoming a full-on police state.

        • What point? You were asking a question. The answer is that a judge would order you to provide the key, physical or otherwise. The "jackboot thugs" need a warrant here just as much as they do in the US.
          Tell me, what would happen in the US if a judge wrote a warrant for the contents of an encrypted volume and you claimed to have forgotten the key? I doubt it would be that different to what happens here.

          Sorry to hear that UK is ahead of us in becoming a full-on police state.

          No need to be like that; I wasn't calling you an uninformed gobshite. But, since you bring it up, we don't h

        • the rule of thumb is whoever holds the keys has control over the data
          so you could definitely encrypt your own files and move them wherever you want with a fairly high degree of confidence they are unreadable
          I recommend doing just that to my clients
          that way whatever they upload into their private cloud is also not readable by me
          that puts the liability in the right places
          you are liable for your own data and I can provide a private service (vpn and private cloud)
          the fuzz can show up and ask me to provide your
      • "...you might have genuinely lost the key."

        There was a guy (in UK?) maybe 5 years ago who had evidence of a crime he committed. (I think it was jaywalking.) He encrypted the file, printed out the keys, erased the encryption computer, then burned the keys on camera, suggesting the police then arrest him for not being able to decrypt the incriminating video.

        I probably got parts wrong, but the thing is that he "wanted" to be arrested for not being able to produce the decryption key.
    • Obviously whatever encrypted 7zip or pgp or whatever file you upload will be encrypted with that key which most likely they don't have unless they go for a targeted attack (and you use a machine under their control in the first place). Everything is about Apple native backups, and most importantly you can't reach most app data on the iPhone to somehow encrypt it and back it up yourself.

    • Obligatory xkcd: https://xkcd.com/538/ [xkcd.com]
  • There are many problems with this, but the things that stick in my craw the most are
    1. that HMG values privacy for itself so much that it wants the fact that it’s ordering Apple to do this to be kept private, but wants no individual to have privacy
    2. The stupid fucking NSPCC is focused entirely on abusers abusing this privacy, without once acknowledging that victims of abuse rely on privacy too, and that backdoors get discovered by bad actors every fucking time

    That said, it’s also important to n

  • by necro81 ( 917438 ) on Friday February 07, 2025 @12:51PM (#65150041) Journal
    I'll keep trotting this one out in response to all such backdoor requests:

    From CGP Grey's excellent video [youtube.com] summarizing the topic: "The nature of a keyhole is to be cracked, and the nature of the Internet is to bring demons to the door. No matter how much we might wish it, there's no way to build a digital lock that only angels can open and demons cannot. Anyone saying otherwise is either ignorant of the mathematics, or less of an angel than they appear."
  • Your hardware, software, and services should all be independent from one another. (Consider that nearly all examples of "enshittification" are simply cases of this basic principle being violated, in order to lock you into something that you don't want.)

    If you run iOS, you are particularly screwed because you get all three from the same company, so you are particularly vulnerable to coercion (or any of a long, long list of other conflicts of interest).

    (Other mobile OS' aren't much better. When we started using handheld PCs, we threw all our common sense and decades of experience out the window.)

    Imagine you had a normal Linux desktop PC backing up to your VPS, and the UK wanted access to your backups. Who would they coerce? Your hardware manufacturer? Your backup application maker? Your backup storage service? They would have to coerce all of them, and if your backup application forks to fix the security issue, they'd have to add that fork's maintainer to their coercion list too.

    And if you are that fork's maintainer (e.g. you took the deliberate bugs out of the code and recompiled) then they'd have to ask you for the keys to your data.

    That last example amuses me most. I'm always disappointed when people cite the $5 wrench xkcd [xkcd.com] as an argument that cryptography doesn't help. Let me ask you this: can someone threaten you with a $5 wrench without you knowing?

    This UK law sounds a lot like US' NSLs, in that the defender isn't allowed to be told they're under attack. Enemies of privacy want privacy for themselves! But if you are your own keeper, then they can't have it. Oh, they can still use the wrench to get the data, but they can't have privacy as they do it, and now your lawyers (or whatever other countermeasures you have) are on the case.
