February 07, 2025
There is, for whatever reason, little online echo so far to this new Washington Post story:
U.K. orders Apple to let it spy on users’ encrypted accounts (archived)
Secret order requires blanket access to protected cloud backups around the world, which if implemented would undermine Apple’s privacy pledge to its users.
Security officials in the United Kingdom have demanded that Apple create a back door allowing them to retrieve all the content any Apple user worldwide has uploaded to the cloud, people familiar with the matter told The Washington Post.The British government’s undisclosed order, issued last month, requires blanket capability to view fully encrypted material, not merely assistance in cracking a specific account, and has no known precedent in major democracies.
The sole story author, Joseph Menn, is stationed in San Francisco and 'specializing on hacking, privacy and surveillance.' The 'people familiar with the matter' who talk through Menn are likely from the same wider area, i.e. from Apple in Cupertino.
The British demand is of course outrageous and will not be followed. But I wonder why the Brits would even try to go this way.
We know thanks to Edward Snowden's revelations that the British signal intelligence agency GCHQ is a mere offshoot of the U.S. National Security Agency. It may thus be that the real people trying to get access to Apple users' encrypted archives are sitting on the west coast of the Atlantic.
Or is it request coming from other structures?
The office of the Home Secretary has served Apple with a document called a technical capability notice, ordering it to provide access under the sweeping U.K. Investigatory Powers Act of 2016, which authorizes law enforcement to compel assistance from companies when needed to collect evidence, the people said.The law, known by critics as the Snoopers’ Charter, makes it a criminal offense to reveal that the government has even made such a demand. An Apple spokesman declined to comment.
Apple had been warned that such an order was coming and did protest to no avail.
Neither the Biden nor the Trump administration seem to support Apple:
Senior national security officials in the Biden administration had been tracking the matter since the United Kingdom first told the company it might demand access and Apple said it would refuse. It could not be determined whether they raised objections to Britain. Trump White House and intelligence officials declined to comment.One of the people briefed on the situation, a consultant advising the United States on encryption matters, said Apple would be barred from warning its users that its most advanced encryption no longer provided full security. The person deemed it shocking that the U.K. government was demanding Apple’s help to spy on non-British users without their governments’ knowledge. A former White House security adviser confirmed the existence of the British order.
Since the early days of the Internet government agencies all over the world have demanded open access to all data transferred by it. End-to-end encryption, as deployed by Apple, makes that impossible.
Backdoors, as the one the British demand, are a inherently dangerous. The 2024 hack of U.S. communication systems, allegedly by Chinese actors, had used a backdoorthe U.S. and other governments had demanded:
This isn't the first time that CALEA-mandated wiretapping backdoors have been exploited by hackers. As computer security expert Nicholas Weaver pointed out for Lawfare in 2015, "any phone switch sold in the US must include the ability to efficiently tap a large number of calls. And since the US represents such a major market, this means virtually every phone switch sold worldwide contains 'lawful intercept' functionality."Two decades ago, that mandatory wiretapping capability was subverted by hackers targeting Vodafone Greece. They intercepted phone conversations of the country's prime minister and high political, law enforcement, and military officials, among others.
Which is to say that nobody appears to have learned anything between the 2004 hacking of government-mandated wiretapping capabilities at a Greek telecom and the 2024 hacking of government-mandated wiretapping capabilities at U.S. internet service providers. Well, unless we're counting the Chinese hackers. They seem to have learned quite a bit from the earlier experience.
If there is a backdoor to any system it WILL be abused. Not only by the government that demands its installation but also by others.
Since the 'Chinese' hack has become known U.S. officials have urged everyone to use end-to-end encryption:
In a joint December press briefing on the case with FBI leaders, a Department of Homeland Security official urged Americans not to rely on standard phone service for privacy and to use encrypted services when possible.Also that month, the FBI, National Security Agency and the Cybersecurity and Infrastructure Security Agency joined in recommending dozens of steps to counter the Chinese hacking spree, including “Ensure that traffic is end-to-end encrypted to the maximum extent possible.”
Officials in Canada, New Zealand and Australia endorsed the recommendations. Those in the United Kingdom did not.
The best way to prevent snooping access requests is to liberate the data of those people who demand it. Some Apple engineer might want to think about that.
Posted by b on February 7, 2025 at 16:32 UTC | Permalink