Apple pulled end-to-end encrypted backups in the UK after request for backdoor (www.bbc.com)
from Strawberry@sh.itjust.works to privacy@lemmy.ml on 21 Feb 16:24
https://sh.itjust.works/post/33197558

BBC News - Apple pulls data protection tool after UK government security row

Washington post - Apple yanks encrypted storage in U.K. instead of allowing backdoor access

I guess removing access for the UK is better than backdooring it in silence. But still, not great.

Also, it is interesting comparing compliance on this with complying with the EU on sideloading apps.

Original title: ‘Apple caved and pulled end-to-end encrypted backups in the uk’ - record of bad take title

#privacy

Red5@lemmygrad.ml on 21 Feb 16:55

This isn’t caving, is it? This is not making a backdoor.

Arguably it is making a front door / cutting one’s nose to spite the face, but I don’t think it’s caving.

AnAmericanPotato@programming.dev on 21 Feb 17:38

Apple has three realistic options:

  1. Submit to the UK’s demands and grant them a backdoor to encrypted backups.
  2. Disable encrypted backups in the UK.
  3. Leave the UK market entirely.

They went with #2, which is probably the least user-hostile option available.

From 1500GMT on Friday, any Apple user in the UK attempting to turn it on has been met with an error message.

Existing users’ access will be disabled at a later date.

I am very interested in seeing what the UX around this will be. Ideally, they should give users direct notice well in advance, so they have time to plan a migration or mitigation. Of course, Apple makes it basically impossible to perform a full backup through any mechanism except iCloud, so…one more example of how vendor lock-in is inherently a security and privacy risk.

kate@lemmy.uhhoh.com on 22 Feb 01:34

<img alt="" src="https://lemmy.uhhoh.com/pictrs/image/8e79e645-a263-46c2-8d81-5ab1884aa9ae.png">

:(

Geodad@lemm.ee on 21 Feb 17:05

A better title would be “Apple helps the US government bypass the 4th amendment”.

Stovetop@lemmy.world on 21 Feb 17:26

I know Apple is an American company but what does this have to do with the US?

kenbw2@lemmy.world on 21 Feb 18:35

America can’t legally spy on its own people

The UK can

And the UK is in an intelligence cooperation with America

doodledup@lemmy.world on 23 Feb 09:08

America does it anyways. Have you not heard from Snowden? Or Wikileaks?

s38b35M5@lemmy.world on 21 Feb 20:19

I agree that I was confused at first, until I remembered that any of the coalition countries (7 eyes?) has access to anything secret, they share with others that don’t.

Stovetop@lemmy.world on 21 Feb 23:38

But then wouldn’t this be “Apple prevents UK and 7 Eyes nations from spying on citizens?”

People in the UK are out of luck but the whole reason they’re turning off encryption there is to prevent governments from having a backdoor into their service.

land@lemmy.ml on 21 Feb 17:06

WE ARE FUCKED

GravitySpoiled@lemmy.ml on 21 Feb 18:12

I’ve got an android

land@lemmy.ml on 21 Feb 18:17

I also have an Android and iPhone. It seems like I’ll have to switch from iCloud to self-hosting.

doodledup@lemmy.world on 23 Feb 09:07

And that helps how exactly?

micka190@lemmy.world on 21 Feb 17:37

The UK government’s obsession with being a Big Brother is so damn frustrating. A preview of what other governments will try and become in the near future, unfortunately.

some_guy@lemmy.sdf.org on 21 Feb 17:54

That’s not caving. That’s standing up and saying fuck you, your people don’t matter as much as the rest of the world because you’re lunatics.

Strawberry@sh.itjust.works on 21 Feb 19:03

Yea, it’s a blow to UK users’ privacy & security but not caving. Caving would be implementing a backdoor. Title was a bit of an annoyed initial reaction, sorry there… maybe best to improve it, I’m not sure?

piyuv@lemmy.world on 21 Feb 20:25

Saying “fuck you” would be more like “we’re no longer selling devices in uk and iCloud won’t work anymore”

some_guy@lemmy.sdf.org on 24 Feb 02:02

Yes, and that ultimately may happen, but Tim Cook is a capitalist and wants to keep selling devices there if he can. We’ll see how the UK gov responds before we find out the end outcome.

Uninformed_Tyler@lemmy.world on 21 Feb 17:56

Apple Caved. I’m no Apple fan but what exactly would not caving have been here? Make the backdoor? Pull out of the UK? Fund an expensive legal battle against the laws of a democratically elected government?

cubism_pitta@lemmy.world on 21 Feb 18:20

Apple did not cave

End to end encryption is MEANINGLESS if someone else also has a key

They removed a feature in the region to avoid setting a precedent that they would backdoor their feature on the whims of a shitty government

Now Apple gets to tell the UK that they would love to give fully encrypted backups but the UK government does not like encryption and security

Strawberry@sh.itjust.works on 21 Feb 18:42

Yeah I admit ‘Apple caved’ was kinda just a gut reaction ‘Apple bad - encrypted backup good’.

If they fully caved we likely wouldn’t have known about it, they’d have just put in a backdoor and given themselves and/or the UK encryption keys. Denying encrypted backups because of this is probably best.

You could argue Apple does have the resources for a legal battle, but you also can’t really expect them to do that. They’re not Liberty or Big Brother Watch. I doubt that would go well in domestic courts anyway, after that, the ECHR could be sympathetic on proportionality & art. 8 grounds but it’s a lot of effort.

maybe I should edit the title?

cubism_pitta@lemmy.world on 21 Feb 19:05

I would leave the title. It’s important that people be critical but willing to adjust opinion.

Apple has fought these in the past (San Bernardino shooting / Phone unlock). It is honestly best for them to never take a case on this issue that they could lose.

Strawberry@sh.itjust.works on 21 Feb 21:00

…edited but kept a note, it was bugging me.

I remember that case, yeah Apple does some good here. I remember 404media running a story about iPhones rebooting preventing unlock by police recently (1 and 2). I guess you/they really don’t want any precedent established for that.

Pika@sh.itjust.works on 21 Feb 23:06

I want to say I agree that Apple was put in a Lose Lose here. Building a backdoor would be detrimental, but removing the obstacle does no better. Now other countries can say “well shoot if we just force them to put a backdoor in they’ll just remove the issue entirely”. The main issue that the EU had with e2e is that they lacked the capability of accessing the data, Apple removing e2e in the EU more or less said “yea sure whatever you can access the data, we just don’t want you to access the rest of the world’s data”

But what’s the next step for when the next country (say the US) also decides they want a piece of that action. “Oh let me remove e2e in the US as a whole as well”.

This was an L across the entire board privacy and reputation wise. Apple has set the precedent that they will cave and cater to big brother corporations if it means they can stay in operation in that country. It completely destroyed all the trust that they got from the previous fight vs the US government as a result.

I don’t really know what they could have done differently than fight it though.

MolecularCactus1324@lemmy.world on 21 Feb 18:08

Curious what happens if you were someone who had opted in to ADP. If your data is fully encrypted, do you just get to keep using it that way? Does this only impact new users? Or, is Apple going to somehow capture users’ encryption keys and revert ADP?

Stovetop@lemmy.world on 21 Feb 18:10

The BBC article clarifies (not sure if NYT does as well, I can’t read it)

Users will have a grace period to opt out of encryption before their data is deleted. Apple states they do not have the ability to automatically unencrypt the data.

MrSulu@lemmy.ml on 21 Feb 19:33

Here in the UK, many typical phone users already assume that their data is shared anyway. Every person that I spoke to about this today asked why I think it’s a problem as they have nothing to hide. A worrying position.

autonomoususer@lemmy.world on 21 Feb 19:51

Exactly why we must shift from privacy to control, power.

CosmicTurtle0@lemmy.dbzer0.com on 21 Feb 20:57

Here’s my response to this line of thinking:

“Would you be okay if I fucked your spouse/partner/etc? No? Why not? You’re already having sex with them. What’s the difference?”

Consent. That’s the difference.

land@lemmy.ml on 21 Feb 21:47

You’re right. I could never convince my mates. Their typical response “I have nothing to hide, they already have my data”

DaseinPickle@leminal.space on 22 Feb 00:03

What if you ask if you can borrow their phone and password for an hour? They have nothing to hide?

land@lemmy.ml on 22 Feb 01:35

😂 they would never do that.

helix@feddit.org on 22 Feb 06:18

That’s the point isn’t it?

doodledup@lemmy.world on 23 Feb 08:58

They would say “that’s different” without elaborating why exactly.

sgibson5150@slrpnk.net on 22 Feb 01:40

Ask them why they don’t keep their toilet in their living room. 😆

lazynooblet@lazysoci.al on 22 Feb 03:35

Because it would stink. I get your point but there are better ways of demonstrating it.

Mrkawfee@lemmy.world on 22 Feb 10:19

“If you have nothing to hide you have nothing to say” -Edward Snowden

capybara@lemm.ee on 22 Feb 23:03

Wasn’t it something more similar to “saying that you don’t care about privacy because you have nothing to hide is like saying that you don’t care about free speech because you have nothing to say”?

Mrkawfee@lemmy.world on 23 Feb 18:48

Yes that’s it. Thanks for clarifying

Darkassassin07@lemmy.ca on 21 Feb 20:09

Copy of my comment in c/apple:

Honestly I think this is the right move.

Pull the feature and tell the public that the government won’t permit the public to secure their own data.

“I have security and privacy features for you, but your government won’t let you use them”

Set the public against this overreach.

enemenemu@lemm.ee on 23 Feb 09:19

If your government wants to look, we want to look as well

LuckyPierre@lemm.ee on 23 Feb 09:45

I think it’s the right move by Apple.

I don’t think it’s the right move by my Government to be ordering this.

Like most governments, the UK’s has a poor record on understanding technical standards (they’re still trying to implement age-restriction on porn sites, something that’s been ongoing for a decade). Backdoor or lack of encryption - both make data security impossible and make the lives of criminals a whole lot easier. We simply cannot have safe data this way.

enemenemu@lemm.ee on 23 Feb 11:09

Apple does not allow other competing security and privacy features. If apple was opening up, the gov couldn’t do anything in the first place

dsilverz@friendica.world on 21 Feb 20:55

@Strawberry Governments and corporations are powerless to E2EE employed by the users themselves, such as GPG/GnuPG/PGP. What could/will UK gov do against GPG and similar tools, especially those which are open-source and freely available?

I'm rooting for British people to defy their government and create their own pair of public and private keys using GPG/PGP or similar suite (preferably open-source, because they can be easily forked, adapted to easier UX/UI to any end-user, etc), sharing their public keys with each other so they can send enciphered messages, rendering useless such anti-E2EE British law.

LiamTheBox@lemmy.ml on 22 Feb 01:47

British people don’t even know what Signal is, and if they do, they will name it a terrorist tool

Jajcus@sh.itjust.works on 22 Feb 09:20

When the corporation controls the hardware and the OS it can easily break any encryption running there. Just include key loggers, break RNG entropy, extract keys from memory, or just capture any data before they are encrypted. Or just let the governments into the OS so they can do all that.

yogthos@lemmy.ml on 21 Feb 21:27

In the West, we’re told our system is superior even if it fails to deliver any tangible progress, because we have free speech and privacy. Yet, while people in China flourish as our standard of living continues to decline, turns out the whole free speech argument was hollow all along. Irony, anyone?

Auli@lemmy.ca on 22 Feb 00:53

Yah I don’t know which is better but I do know China can pick a direction and achieve it. Where the west recently is a floundering fish.

phar@lemmy.ml on 22 Feb 01:16

You’re mixing correlation and causation. It’s not irony, it’s fallacious thinking. Both may be poor approaches. You’re also only comparing two countries out of all of them. This is just a ridiculous comment.

yogthos@lemmy.ml on 22 Feb 01:20

I’m not mixing anything up. You just wrote meaningless word salad. This is just a ridiculous comment.

AceFuzzLord@lemm.ee on 22 Feb 02:28

I guarantee the politicians who desperately wanted an end to e2e definitely learned from the communists of the east.

yogthos@lemmy.ml on 22 Feb 02:29

Sees something a capitalist regime does under capitalism, start talking about communism. 🤣

AceFuzzLord@lemm.ee on 22 Feb 05:07

Well, the type of policies like that typically come from one of 2 types of people: communists and fascists.

As much as I hate capitalism, I hate communism even more.

Edit:

Forgot and didn’t notice this was one of the .ml communities. Not gonna continue the conversation because I have the strongest feeling neither of us will argue in good faith.

yogthos@lemmy.ml on 22 Feb 05:39

Bye!

Majestic@lemmy.ml on 21 Feb 22:23

This is frightening.

They do not have the ability to just remove e2e back-ups in the UK alone and walk away from this, that’s not how the law is written as I understand it.

The snooper’s charter gives the UK government the RIGHT to DEMAND access to encryption keys of any user GLOBALLY. The law is that they can force the cooperation of Apple to decrypt the account of an American user, of a German user, of a Russian user, of a South African user, of a Brazilian user, of a Japanese user who have never stepped foot in the UK.

So they’re claiming that this protects their users, that they haven’t complied but the only way to avoid complying with these secret gag orders for compromising encryption GLOBALLY at the demand of the UK government is to remove themselves entirely from the jurisdiction of the UK. Is to remove all executives and technical personnel from UK soil, to not hire such people who live in or are citizens of the UK as technical personnel as they could be gag ordered and compelled to cooperate. To basically entirely pull out of any presence but maybe storefronts in the UK and take steps to prevent the arrest and pressuring of their executives and key technical people with access from being subject to UK coercion.

That they haven’t done that means all users globally are still at risk. This may be a big PR stunt to convince people they haven’t caved when in fact they have in secret and will hand over data of global users to the UK which shares it via eyes agreements with the US, with France, Australia, etc. This has the added benefit of allowing the UK to keep such access secret by acting annoyed with Apple but not actually pressing any case. If they try and actually prosecute or pressure Apple that’s a sign that they haven’t cooperated globally, if they only offer angry words to the press IMO that’s a sign that in secret they’ve given access globally and only informed UK users that their cloud data isn’t protected.

root@lemmy.world on 22 Feb 07:22

They’re not handing over keys though. They’re just not offering ADP in that region anymore(?) I doubt they would be allowed to hand out keys (which they do not hold) to another government that would compromise American businesses, agencies, etc. The US was already noticing the dangers in this demand and I’m hoping that this was an attempt at a compromise. I guess we’ll never know though, since this included a gag order as well

XTL@sopuli.xyz on 22 Feb 08:57

Still good to keep in mind: not your keys, not your data.

Majestic@lemmy.ml on 23 Feb 11:22

I doubt they would be allowed to hand out keys (which they do not hold) to another government that would compromise American businesses, agencies, etc.

Um, yes they would. The very point of eyes agreements is they allow countries’ intelligence agencies which aren’t allowed to spy on their own people to spy on each other’s people then pass each other the data. Snowden revealed this all a decade ago.

The CIA and FBI do not store classified sensitive info on iPhones that are backed up anywhere. At least not anything that would come as a surprise to the British or be a risk. Nothing they wouldn’t have access to via the existing intelligence sharing.

The UK and the US are thick as thieves and have been since the end of WW2.

kowcop@aussie.zone on 22 Feb 22:50

Pretty sure Apple has a few lawyers

Vinstaal0@feddit.nl on 23 Feb 11:28

They are not allowed to just share data from users in other countries where privacy laws exist. It depends a bit on how GDPR is written in the specific country you reside and if it is enough, but generally they should be asking for consent if they try and access it.

Sadly we won’t have any idea when they try and access it, but this is the exact reason why businesses in NL like accounting firms (not bookkeeping firms) need to have their data in datacenter in NL to prevent morons like this from accessing your data.

Pretty sure either Google E2E is nonexistent or it is already opened up for the UK government or it is being opened in the future. I wonder if Proton is going to need to comply with this.

LiamTheBox@lemmy.ml on 21 Feb 22:43

Oh now that does it, of course local storage is superior!

Gentlemen, set up your Z3JhcGhlbmVPUw== duress passwords

kepix@lemmy.world on 22 Feb 08:17

kinda horrible to read all these “this big tech company is a rebel and my best friend” comments.

apple allowed this for the usa before many times. this time it had to be publicly announced, cause the orange sleeper agent told them to undermine the uk gov in order to align the MEGA endeavour.

suckmyspez@lemmy.world on 22 Feb 09:07

In the process of self hosting everything anyways. This just sped things up for me

LuckyPierre@lemm.ee on 23 Feb 09:50

The UK government has you that way too - you are legally compelled to reveal any passcodes if ordered by a court, and you’ll stay in prison until you do. (Regulation of Investigatory Powers Act 2000)

But it at least does remove them from third party exposure (phone company, their AI, massive breaches etc), you just have to be sure your own security is good.

Bali@lemmy.world on 22 Feb 23:21

Apple can claim that they never built backdoor. But talk is cheap without showing the code for people to audit.

azalty@jlai.lu on 23 Feb 10:52

Basically every phone manufacturer has its own layer on top of AOSP that is closed source so…

LuckyPierre@lemm.ee on 23 Feb 09:52

So what’s Google doing? I assume they’re impacted by the same regulation.

Korhaka@sopuli.xyz on 23 Feb 09:54

Go all the way, remove ALL iPhone services from the UK saying the government will not allow users to have privacy. The government will go back on it within a week.