Apple Removes Cloud Encryption Feature From UK After Backdoor Order 119
Apple is removing its most advanced, end-to-end encrypted security feature for cloud data in the United Kingdom [alternative source], in a stunning development after the government ordered the company to build a backdoor for accessing user data. From a report: The company said Friday that Advanced Data Protection, an optional feature that adds end-to-end encryption to a wide assortment of user data is no longer available in the UK for new users.
This layer of security covers iCloud data storage, device backups, web bookmarks, voice memos, notes, photos, reminders and text message backups. "We are gravely disappointed that the protections provided by ADP will not be available to our customers in the UK given the continuing rise of data breaches and other threats to customer privacy," the company said in a statement. "ADP protects iCloud data with end-to-end encryption, which means the data can only be decrypted by the user who owns it, and only on their trusted devices."
This layer of security covers iCloud data storage, device backups, web bookmarks, voice memos, notes, photos, reminders and text message backups. "We are gravely disappointed that the protections provided by ADP will not be available to our customers in the UK given the continuing rise of data breaches and other threats to customer privacy," the company said in a statement. "ADP protects iCloud data with end-to-end encryption, which means the data can only be decrypted by the user who owns it, and only on their trusted devices."
Data in the cloud is not secure (Score:1, Informative)
Re:Data in the cloud is not secure (Score:5, Insightful)
In what way is this caving? If it's local law, they have to comply or leave the market. They're obviously not going to just pull out of the UK as a market, so instead of making data insecure for all of their customers by building a backdoor, they chose to comply by removing that feature in the UK. That is clearly the lesser of two evils, and the only ones in the wrong here are the UK government.
Not Enough? (Score:5, Interesting)
Re: (Score:1, Interesting)
Re: (Score:3)
Why not offer those users American data at slower access speeds maintaining encryption?
Almost certainly because that would be against the law. The UK government has strange laws when it comes to encryption. When I was a kid growing up there I remember getting interested in a way to transmit digital data over the newly opened CB radio spectrum - this was in the pre-WIFi days - and then learning that it was technically illegal in the UK because it fell foul of laws banning any "encrypted" radio transmissions. I had no idea why the UK would have a law like that until my dad suggested that it pr
Re: (Score:2)
Unlicensed radio use in the US also has to be unencrypted, it kind of makes sense it's a public resource. It makes browsing the web via public radio difficult as you technically need to decrypt the https and send it plaintext including usernames and passwords etc
Re: (Score:2)
Re: Not Enough? (Score:2)
He overstated the case. AMATEUR radio use in the US must be unencrypted. Unlicensed use doesn't have to be. Amateur use is licensed. WiFi is unlicensed.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
I suspect that will make the government unhappy
Sure. But if lets say the German government figures out that the UK government wants unlimited access to phones of German iPhones users, then they will secretly declare every UK MP to be a spy, and ask Apple to secretly supply all phone information of all UK spies. Plus the real spies at MI5, MI6 and so on.
Re:Data in the cloud is not secure (Score:5, Interesting)
Apple wouldn't have to voluntarily leave the market, they would probably face fines at first. If they just kept paying the fines and defying the government, that could force the UK government to decide if they need to kick them out. While the end result would be the same, members of the UK government depend on votes to keep their jobs and that would be difficult to maintain if UK citizens lose access to their precious iDevices.
Instead, Apple took the path of malicious compliance. The UK government wanted to have access their citizens' data and Apple provided that, albeit in a way very different from how the UK government intended. I feel bad for UK citizens since they're caught in the middle, but they elected the government that is pushing for this behavior and hopefully Apple can help the government realize how daft they're being.
Re: (Score:3)
Re: (Score:1)
Re: (Score:3)
Instead, Apple took the path of malicious compliance.
No they didn't. There's nothing malicious in the way they complied with this order. They are removing an encryption feature. That said Apple offered an alternative minimum token gesture which may not meet the requirements of the order at all so not only not malicious but may not even qualify as compliance.
The idea here is to show your willingness to comply while continuing to parrot the line they have used to governments all over the world "compliance is technically not possible in the way requested".
Compliance was malicious (Score:2)
This is going to create a nightmare for lawmakers, as they partially complied with the order in the only w
Re: (Score:2)
Re: (Score:3)
It's compliance, they did comply with the order by withdrawing a service that would have conflicted with it.
When you want to provide a service but the law interferes with your ability to provide the service, you have three options:
1) Comply, and don't provide the service.
2) Comply, and provide a modified version of the service that's legal
3) Do not comply, provide the service anyway unchanged and face the consequences
Apple chose (1). (2) was unacceptable to Apple, it would have compromised the security of t
Re: (Score:2)
What they did, was sound the canary in the coal mine
Sorry but this was an equally bad analogy. Just like what the parent called malicious compliance wasn't malicious complaince, what they did here wasn't sounding a canary. Sounding a canary is an attempt to state something secret through another means. This isn't the result of a national security letter. This isn't some secret court request that Apple wasn't allowed to disclose. What the UK government was asking for was not just publicly announced, but Apple publicly also stated they won't be able to comply
Re:Data in the cloud is not secure (Score:4, Interesting)
That's not how iCloud works. The data is almost never in the form of files which the user could encrypt.
Re: (Score:2)
Depends on what it is you're doing. If you're talking about backing up the contents of your photo gallery then sure it's done in the background without any opportunity to encrypt. But iCloud as with all cloud services allows you sync files individually as well. As long as they are encrypted on your phone they'll be encrypted on the cloud. It just requires effort on behalf of the user.
Re: (Score:2, Interesting)
Indeed, Apple appears to be saying that the poor security of iCloud is now putting UK users at risk.
It's interesting that it only applies to new users. The UK wants a backdoor into existing user's accounts as well, so Apple still hasn't complied with their demand. They could roll out a software update that sends the keys to Apple on request, which is doubtless what the UK government will want.
Re: (Score:1)
They could roll out a software update that sends the keys to Apple on request, which is doubtless what the UK government will want.
Finally, somebody gets it. Every time this discussion comes up, the majority of the comments are "but if you compromise the algorithm with a backdoor, the bad guys will get in too!" There is absolutely no need for a backdoor in the algorithm when you've got a $5 wrench law which requires a company to retain a copy of users' keys.
Yeah, it's still a security risk having the same entity holding your cloud data also having the keys to the kingdom, but that's always the risk when government starts swinging th
Re: (Score:2)
There is absolutely no need for a backdoor in the algorithm when you've got a $5 wrench law which requires a company to retain a copy of users' keys.
Yeah, it's still a security risk having the same entity holding your cloud data also having the keys to the kingdom, but that's always the risk when government starts swinging their $5 wrench.
...that's a backdoor. Literally, a backdoor. Perhaps not in code, but in policy, and equally dangerous.
Re: (Score:2)
...that's a backdoor. Literally, a backdoor. Perhaps not in code, but in policy, and equally dangerous.
Yes, in policy and that's what people here just keep overlooking. You can't win what is an argument over policy by disingenuously stating that what they want is not technically possible (the example most frequently given is that the algorithm itself would have to be compromised). Yes, it absolutely is possible to grant the government access to encrypted data without having to compromise the algorithm, you're just not going to like what it entails.
This is entirely the deeper meaning behind the XKCD comic s
Re: (Score:3)
You are seriously suggesting that Apple should keep a copy of every user's decryption key?
And somehow you think that this is not a back door?
Re: (Score:2)
You are seriously suggesting that Apple should keep a copy of every user's decryption key?
They could, if ordered to by law. That's not the same as saying I think they should, nor is pointing out that that it's a possible outcome an endorsement of a government that isn't protecting the privacy of its citizens. Damn, reading comprehension on this site has taken a nosedive post-Covid.
And somehow you think that this is not a back door?
It's a matter of perspective. I just posted the key to some random Bitcoin wallet in another discussion. You wouldn't say there's a backdoor to Bitcoin's encryption because people can sometimes be careless with the
Re: (Score:3)
It's not the security of the iCloud service. That stuff is, effectively, stored unencrypted on Apple's servers. It m
Re: (Score:2)
It's interesting that it only applies to new users
The reason is quite obvious. Apple has to make software changes and these are changes that you would want to be extremely reliable and safe. For new users, all that Apple has to do is disable a button or checkbox in the user interface so that users can't turn the feature on. For existing users, they have to develop a user interface that tells users the feature is gone at the right moment, and then they have to disable the feature.
In this case the security feature was not holding a copy of the encryption
Re:Data in the cloud is not secure (Score:5, Informative)
I imagine other countries will be looking to this too, seeing how easily Apple caved into the British Government.
Apple did the opposite of caving in to the British Government. When the British Government demanded a back door into encrypted systems, they stopped the service rather than insert a back door.
Re: (Score:1, Insightful)
Re: (Score:3)
Really what is happening here is they are saying "We will only allow our default encryption for which we hold the keys and can be forced to divulge information via court order" and removed the "We let our customer hold the keys and we have no way to comply with a court order" option. iCloud in either case is as secure as any other vendor in the space where the keys are held by the vendor (such as google).
Re: (Score:2)
iCloud in either case is as secure as any other vendor in the space where the keys are held by the vendor (such as google).
I thought Google passkeys mean that Google doesn't hold the key? Or is it that not everyone is using passkeys for Google services yet?
Re:Data in the cloud is not secure (Score:5, Insightful)
This isn't caving. This is them telling their UK customers that they shouldn't expect privacy in iCloud any more because their government won't allow it.
Cleaned out iCloud couple weeks ago (Score:2)
Backdoors are exploitable (Score:5, Informative)
You can't expect encryption of any kind to work if there's a built-in way to compromise it. Insert random hostile foreign state actor will be happy to demonstrate for the audience.
Re: (Score:2)
And theres implication that back doors are available to order.
Re:Backdoors are exploitable (Score:4, Insightful)
I give it a month or so before a similar order happens here. People are saying unkind things about dear leader. https://www.nbcnews.com/politi... [nbcnews.com]
Re: (Score:1)
Kamala didn't lose. All those in bred white misogynistic racist uneducated scumbags refused to vote for the superior candidate. They stole the election from her. Democracy is doomed. The candidate with more votes won. We must resist!
Re: (Score:1)
white misogynistic racist uneducated scumbags stole the election from her
I am blushing comrade Smart! Are you hot and bothered? I’m hot and bothered.
But, then again, you forgot “Nazi!” and “Christian Nationalist!” so I know you’re not a real democrat.
Apostate!
Re: (Score:1)
Yes, of course all those dumb gullible hicks are full of regret. You can see it in the polling data. That felon is going to get impeached soon. I can feel it in my bones.
Re: (Score:2)
Wait does that mean Joe Biden is Hitler?
Re: (Score:2)
Insert random hostile foreign state
Foreign states aren't really the concern for most people.
Re: (Score:2)
Is that so?
https://thehackernews.com/2025... [thehackernews.com]
Re: (Score:2)
Foreign states aren't really the concern for most people.
Until they get hit by a ransomware attack, no.
Re: (Score:2)
The foreign State a dozen miles south has always been my biggest worry. Between pressuring my government to remove freedoms and now declaring economic war, having a super power as a neighbour is a huge freedom risk.
Sounds like... (Score:3)
Re: (Score:2)
Why? They're not the ones running the country. Better to have the ones running the country having their accounts compromised. They also are more likely to have juicy stuff to find.
But, "man in the middle" isn't addrieressed (Score:2, Interesting)
Apple could have taken a couple of routes here. This is public, and because Apple is based in the United States, they are likely taking guidance from our intelligence on how to traverse this. My information suggests that Apple does in fact cooperate with United States intelligence on a similar ground, but data access is provided through sophisticated code and hardware routes, essentially 'man in the middle' -- they would not do this or show that capability to foreign countries, for obvious reasons.
Otherwis
Re: (Score:2)
Re: But, "man in the middle" isn't addrieressed (Score:1)
Re: (Score:2)
My information suggests that Apple does in fact cooperate with United States intelligence on a similar ground, but data access is provided through sophisticated code and hardware routes, essentially 'man in the middle' .
I'd like to see a citation.
There have been several cases in the news where Apple denied access to encrypted iPhones (e.g., https://www.wired.com/story/th... [wired.com] ). I don't know of any documented information that says it has inserted a backdoor, although there is evidence that various intelligence-related third parties have managed to drill in without Apple's help.
Re: But, "man in the middle" isn't addrieressed (Score:2)
Re: But, "man in the middle" isn't addrieressed (Score:2)
Citation fails [Re: But, "man in the middle" i...] (Score:2)
Also Lookup recent Kaspersky findings of undocumented hardware registers
And why don't you look up the meaning of the word "citation". Hint: it does not mean "go find a source yourself, I'll give you some ambiguously cryptic hints".
However, from your hint, here's the result: https://duckduckgo.com/?t=h_&q... [duckduckgo.com]
This shows that some actors have managed to break into Apple devices, but nothing in this states "that Apple does in fact cooperate with United States intelligence on a similar ground" (your assertion).
Re: (Score:1)
Congrats, you know how to use DDG.
<pats xxongo on the head>
You seem to be naive. There's undocumented hardware on Apple phones. No comment from Apple. Gee... I wonder why?
Try looking that up, and let me know what you find.
My actual aspersion on Apple is that they are part of PRISM. Look that one up too.
Re: (Score:2)
You're a troll.
Re: (Score:2)
Re: (Score:1)
"This is public, and because Apple is based in the United States, they are likely taking guidance from our intelligence on how to traverse this".
This is public, and because Apple is based in the United States, they are certainly taking instructions from our intelligence on how to traverse this.
FTFY.
So, let me get this straight... (Score:2)
Apple is no longer encrypting iCloud data because of a back door request?
The UK government shouldn't have one, sure, but it sounds like Apple's solution to "one too many people having a key" is "nobody needs a key". I don't like that my landlord has a key to my apartment, but I don't think the solution is to remove the lock on the doorknob and make the data that much more vulnerable.
It probably would make more sense for the iCloud screen to have a permanent yellow triangle in the UK, with a banner that says
Re: (Score:1)
Re: So, let me get this straight... (Score:2)
PP suggested "the government may be ...". Which does not suggest that a law enforcement request has been made so long as it is consistently applied to all accounts.
Re: (Score:2)
That is not how British law works, they have no bill of rights.
Re: So, let me get this straight... (Score:4, Informative)
"Bill of Rights 1689"
https://www.parliament.uk/abou... [parliament.uk]
Re: (Score:2)
Parliament has rights. The subjects not so much.
LThe Bill firmly established the principles of frequent parliaments, free elections and freedom of speech within Parliament – known today as Parliamentary Privilege. It also includes no right of taxation without Parliament's agreement, freedom from government interference, the right of petition and just treatment of people by courts."
Re: (Score:2)
Luckily the few subjects of the UK Crown have mostly died off and as generally they weren't UK citizens, it doesn't matter much. As a subject of the American Crown, perhaps you can think about how little your Constitution now matters.
Re: (Score:2)
I believe that is Canada [thecanadia...lopedia.ca] you are thinking of.
Trump will straighten that out once they gain statehood.
Re: (Score:2)
No, both the UK and Canada have "bills of rights":
https://laws-lois.justice.gc.c... [justice.gc.ca]
which was replaced by the Charter of Rights and Freedoms:
https://www.justice.gc.ca/eng/... [justice.gc.ca]
Both are also signatories to the many and varied UN human rights treaties.
Re: (Score:2)
Absolutely false. Many countries in the world have constitutional rights for their subjects including the UK. Incidentally UK has an actual document called Bill of Rights. The US constitution's bill of rights was modelled on the UK one.
Now if you want to talk about a specific right such as the right to bear arms then you're correct, outside the USA almost no country has a right to bear arms.
Re: (Score:1)
Thankfully, we are still citizens here, not subjects.
There is a difference.
Re: (Score:2)
Can you describe in practical terms what that difference is?
Re:So, let me get this straight... (Score:4, Funny)
The UK bans companies from telling people there is a request for access, so a banner saying the government is stealing your data would be against the law.
Thanks heaven we don't live in one of those horrid dictatorships where the government can do anything it pleases.
Re: (Score:2)
Re: (Score:2)
Apple is no longer encrypting iCloud data because of a back door request?
The UK government shouldn't have one, sure, but it sounds like Apple's solution to "one too many people having a key" is "nobody needs a key"..
Encryption where one or more people secretly have a key is not encryption at all. What Apple did was to explicitly call out that the data you might have thought was encrypted isn't. That doesn't mean you can't encrypt your data yourself.
We have just seen that the "secure" keys to secret government back doors get stolen by bad guys and are used to rifle through files.
don't like that my landlord has a key to my apartment, but I don't think the solution is to remove the lock on the doorknob and make the data that much more vulnerable.
In terms of your analogy, it means that you were told "if you want your apartment door to lock, you may install your own lock."
Re: (Score:2)
What Apple did was to explicitly call out that the data you might have thought was encrypted isn't. That doesn't mean you can't encrypt your data yourself.
Apple users do not have access to their data: (a) It's not in files they can get to, for example to encrypt/decrypt and (b) they do not control when it is uploaded. That's not how iCloud works. It is nothing at all like files on a hard drive; it is not a cloud drive like some other services.
So, No, they cannot encrypt their files.
(Well whatever is on the hard drive is automatically encrypted, until you log in, but that has nothing to do with anything on iCloud.)
Re:So, let me get this straight... (Score:4, Interesting)
It probably would make more sense for the iCloud screen to have a permanent yellow triangle in the UK, with a banner that says "warning: data stored here may be accessed by law enforcement at any time without your consent."
From what I understand the UK requested a backdoor allowing access to encrypted data globally, including to data of users outside the UK. If implemented, that warning would apply to every iCloud user regardless of location.
It's obviously an unrealistic option for Apple.
Re:So, let me get this straight... (Score:4, Informative)
They are no longer offering the ability for you to create your own encryption keys. iCloud is still encrypted with the keys controlled by Apple. AKA Apple can be forced to comply and give up your data.
"Standard data protection is the default setting for your account. Your iCloud data is encrypted in transit and stored in an encrypted format at rest. The encryption keys from your trusted devices are secured in Apple data centers, so Apple can decrypt your data on your behalf whenever you need it, such as when you sign in on a new device, restore from a backup, or recover your data after you’ve forgotten your password. As long as you can successfully sign in to your Apple Account, you can access your backups, photos, documents, notes, and more."
What is no longer an option in the UK is Advanced Data Encryption.
"Starting with iOS 16.2, iPadOS 16.2 and macOS 13.1, you can choose to enable Advanced Data Protection to protect the vast majority of your iCloud data, even in the case of a data breach in the cloud.
With Advanced Data Protection, the number of data categories that use end-to-end encryption rises to 25 and includes your iCloud Backup, Photos, Notes, and more. The table below lists the additional data categories that are protected by end-to-end encryption when you enable Advanced Data Protection.
If you enable Advanced Data Protection and then lose access to your account, Apple will not have the encryption keys to help you recover it — you’ll need to use your device passcode or password, a recovery contact, or a personal recovery key. Because the majority of your iCloud data will be protected by end-to-end encryption, you’ll be guided to set up at least one recovery contact or recovery key before you turn on Advanced Data Protection. You must also update all your Apple devices to a software version that supports this feature.
You can turn off Advanced Data Protection at any time. Your device will securely upload the required encryption keys to Apple servers, and your account will once again use standard data protection."
Most users never turn on ADE, but for those who do want more privacy and protection from Apple itself being compromised it is a nice option to have.
Nelson (Score:5, Insightful)
Haha!
Haha!
Haha!
*Any* backdoor is going to eventually become a front door. Technology ignorant farkwits lose again.
Re: (Score:3)
Sadly being scientifically and technologically ignorant seems to be a job requirement for western politicians who (here in the UK at least) seem to be arts, politics and law graduates with barely even any real world business experience.
Re: (Score:1)
It isn't just the UK. It's universal. You guys don't get to keep all the ignorant politicians to yourselves.
Re: (Score:2)
The law of unintended consequences. Again. (Score:3)
So now no one wins. The authorities might think this is a victory but any criminal with a brain will just store their data outside UK jurisdiction and encrypt it themselves. Meanwhile normal users data is slightly less safe (though one would hope the SSL connection from the device to apple during the upload is good enough and random people can't just break into iCloud).
Re: The law of unintended consequences. Again. (Score:3)
Fuckwit criminals will just find a first-year undergrad software student who will set them up with custom encryption software.
Re: (Score:2)
Fuckwit criminals will just find a first-year undergrad software student who will set them up with custom encryption software.
Most criminals are dumb. Seriously, watch any of the myriad "true crime" shows on TV to see how dumb the typical criminal is. Smart criminals use burner phones. Smart criminals indeed roll their own encryption. Smart criminals don't use social media, or cloud services.
Not that I am excusing the UKs excess here, but if they can't continue to catch the dumb criminals they probably won't get many at all.
I have a suggestion (Score:1, Troll)
Re: I have a suggestion (Score:3)
We get no "right to vote for this shit", mate. It's decided for us. We have the right to vote for our politicians, though, and we recently replaced the Tory government with the Labour party but this legislation was designed under the previous government.
Re: I have a suggestion (Score:2)
We are already a failed far left shithole. Unavoidable PC and minority rights left, right and centre.
Re: I have a suggestion (Score:1)
Re: I have a suggestion (Score:1)
Minority rights is a problem for you?
Re: (Score:2)
Re: (Score:1)
Depends. Why do minorities need or get rights that non-minorities don't get?
Why not just everyone get rights, period?
Equality, not equity.
Re: (Score:2, Informative)
Re: (Score:2)
Ironically, with their slim majority and dissenters within the party, the Conservatives wouldn't have been able to get this stupid law through parliament.
Re: (Score:2)
Can't wait for the Brit tabloids (Score:2)
Politicians are clueless (Score:2)
It's impossible to make a system secure against the bad guys and insecure for the good guys
It's also impossible to precisely define who the good guys are
The choice is binary, security or no security
City of London calling the shots (Score:2)
Unless King Charles takes them on like Philip IV took on the Knights Templar I fear the UK is fucked.
Apple Ecosystem Encryption Suggestions? (Score:2)
WIRED.com posted this on Bluesky today: The WIRED Guide to Protecting Yourself From Government Surveillance [wired.com], and it seems like some sound advice, but it's overly complicated for a non-technical user to implement.
Any and all suggestions on Apple Ecosystem Security would be greatly appreciated!
Re: (Score:2)
Privacy on Apple is already compromised with its client-side scanning technology. End-to-end encryption is meaningless because they just scan your content on your device before it gets uploaded to "the cloud." It's actually laughable that the UK government is even targeting end-to-end encryption since that's essentialy a marketing gimmick and not even relevant anymore. Apple can just scan your content in real-time for subversive activity. And since the Apple platform is so locked-down, non-technical users h
Interesting (Score:2)
I wonder how that works for current users then? Are they going to decrypt everything? Or just leave it encrypted but decrypt it on next access?