UK drops demand for backdoor into Apple encryption (opens in new tab)

> This wasn't an "Apple only" law -- it would have affected all platforms with data on customers that live outside the UK.

Yeah, the law still exists. Apple just successfully managed to refuse to comply with a request made under it.

Probably that it should be a generalization and apple should have fought for that and not apply just to one particular operator.

As far as I know, the blue/green mentality is a cultural issue for Apple. They would be fine if Android users had their data read by the government, because that injustice is a market differentiator for them they can then sell.

I'm not saying they shouldn't lobby for what they believe in, but Apple always stops short of making the world a better place and seems to care only if their walled garden is secure.

It's not their fault. They did the right thing, which luckily coincided with what is best for their bottom line this one time.

It's Apple's fault. They abandoned principled security a long, long time ago if you were paying attention. Chinese iCloud users have no protection against state-authorized backdoors since Apple removed the hardware security modules[0] that protect user encryption keys (at the PRC's request). Apple doesn't care about protecting their users above and beyond the reach of the state, state surveillance is an inevitability.

When you start down a slippery slope like this, you burn trust and make people demand transparency. It's impossible for me to say that I'm any more secure as an American user - no trusted third-parties actually audit Apple's American iCloud servers for such backdoors. Users trusting Apple for security are (unfortunately) fish in a barrel, same as ever.

[0] https://www.nytimes.com/2017/07/12/business/apple-china-data...

Doesn't the UK law already apply to all those others ?

I am a human being, but I have been training on ChatGPT conversations for a few years, is it starting to show?

Do we really think an account that's been here since 2009 and claims to be a software developer is using ChatGPT to write comments on Hacker News?

I checked; their post has good ol' fashioned hyphens, no em-dashes, so it's less likely to be slop.

There was once an idea that elected politicians should champion the interests of their constituents.

See this is the kind of lying I expect from politicians - misleading people about their policy decisions. Not the constant challenging of recorded fact.

Well, Google and Co. are trying to push it worldwide anyway under the ruse of UK law, regardless of administration. I don't see them countering all this AI ID stuff.

I feel this is more of an "Earth isn't yours to conquer" move rather than one really aimed at protecting US Citizen's data. Governments is simply fighting over who can control how we navigate our tech.

How is this an example of spinelessness?

The real target: journalists, activists and whistleblowers

I think the problem with terrorism is it's simultaneously more and less than they think. More from the groups they don't expect, and less from the ones they expect it to come from and are surveillance and infiltrating.

For example, looking back over the history from what has been declassified in my country, the intelligence services spent a huge amount of time and resources infiltrating and surveillance communist groups and university socialist clubs, and then seemed to be completely blind-sided by the rise of Islamic terrorism when 9/11 rolled around... In a similar vein I think to how the UK is spending all this time going after people waving signs supporting Palestinians - they probably honestly think there's a real threat there, and it will turn out to be a huge waste of time and the next real terror threat will come out of some other unexpected group.

As for assault - yes, it's usually someone they know. Which is why it's ridiculous the resources they spend trying to backdoor private messaging etc. in the name of "protecting the children" when much of it's happening in person...

>If you're an American, on your first day in high school, by your second class you have more than even odds of having met a pupil who had already been assaulted, most likely by someone close to the victim such as a relative.

You're saying that the rate of sexual assault is.. a few percent?

Too high! I agree. But it's bad form to give convoluted examples in order to give the impression that the actual number is worse than it is.

> Unfortunately, I'm highly confident that 90% of the intelligence community looks at us insisting that crypto standards be inviolable, and thinks we're all as infuriatingly naïve as a ChatGPT comment

Until they can prove this is the case, and not just fear mongering to justify their massive budgets, overreach and assaults on civil liberties, I am happy to continue being considered naïve by them.

> If "protecting children" requires sacrificing freedom for everyone, then children should not be protected.

Agreed. It all goes back to the famous quote "Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety." (granted, the quote was about taxation but the principle applies here)

Much like cybersecurity, it's always a trade off between absolute freedom and absolute safety. You don't get both. Every "safety" measure that gets put in place reduces your level of individual freedom. Go to far in the safety direction and you lose all your freedoms, and that trade off IMO is not worth it.

> I am very much against laws designed to protect children and stop terrorism.

This can't be true. You're against a law that says a convicted child rapist cannot work in schools? You're against a law that says people can't take bombs onto planes?

I think you're being dishonest in your statements, or do not care about anyone else in society.

Cold logic dictates otherwise. The UK is part of Five Eyes: total data sharing between intelligence agencies. If that were the case, why would the UK need a law to get data it already has?

It’s not really a secret; it’s by design and it’s public. iCloud is not end to end encrypted by default. Apple and the state can read the on-by-default iCloud Backup which contains your iMessage sync keys and all your historical iMessages and attachments. iCloud Photos, Contacts, and Mail are all similarly not e2ee and trivially readable by Apple, DHS/FBI, and anyone else under FAA702 (aka PRISM, aka the #1 most used US intel source) without a warrant.

https://www.reuters.com/article/world/exclusive-apple-droppe...

Apple processes FAA702 orders on upwards of 80,000 Apple IDs per year per their own annual transparency report.

Snowden himself said that they see so many nudes that they got desensitized to it.

This clever setup allows them to claim iMessage is e2ee while still escrowing keys in effective plaintext to Apple in the iCloud Backup, rendering the e2ee totally ineffective.

I think “backdoor” is probably an appropriate term for it, but they have made no secret whatsoever of it.

It’s terrifying to think that the US federal government can read every iMessage in the entire world across a billion devices (except China, where the CCP can do the same) in effectively realtime. The power that that enables (if only in blackmail ability) is staggering.

Hopefully no one, in services available globally (i.e. not US-specific), just to be sure.

Why litigate it when you can buy it from the NSO / IDF?

Even if they did, it'd be like the proposed chat control, where there are carve outs for politicians.

Rules for thee, not for me.