A Different Interpretation of U.K. iCloud Data Access ⇥ bbc.com
Last week, the Washington Post broke the news that the U.K. government is demanding access to iCloud accounts with Advanced Data Protection enabled. Joseph Menn, the Post:
Security officials in the United Kingdom have demanded that Apple create a back door allowing them to retrieve all the content any Apple user worldwide has uploaded to the cloud, people familiar with the matter told The Washington Post.
The British government’s undisclosed order, issued last month, requires blanket capability to view fully encrypted material, not merely assistance in cracking a specific account, and has no known precedent in major democracies. […]
This phrasing is, it turns out, somewhat ambiguous, as Myke Hurley points out in the latest episode of “Upgrade”, starting at about 39:15; this transcript is adapted from David Smith’s:
The BBC is the only outlet that, from what I can see, has done their own reporting on this. I’ve been reading a bunch of them, and everybody’s reporting the same thing. The BBC’s reporting is different. They are saying that the U.K. wants to have access to the data in Advanced Data Protection if it was needed in the same way that a law enforcement agency can request iCloud data from anyone where needed.
Zoe Kleinman, in the BBC News article Hurley references:
It’s also important to note that the government notice does not mean the authorities are suddenly going to start combing through everybody’s data.
It is believed that the government would want to access this data if there were a risk to national security – in other words, it would be targeting an individual, rather than using it for mass surveillance.
Authorities would still have to follow a legal process, have a good reason and request permission for a specific account in order to access data – just as they do now with unencrypted data.
A small point of correction to Hurley: the Financial Times story also relies on its own reporting. The Times plays it down the middle and without reference to either mass surveillance nor targeted unlocking.
Reading all three stories is actually a good exercise in interpreting what each outlet’s sources disclosed and was deemed important. Yet the varying interpretations strike me as a distinction without much difference. Hurley is likely correct in understanding the BBC story as more accurate, but to comply with those demands is to create the “blanket capability” necessarily. What I believe to be the case — reading between the lines and without a copy of the technical capability notice — is that the U.K. government is asking Apple to create a back door in the Advanced Data Protection process and then, if it has a warrant for one of those accounts, it can ask Apple to decrypt this data. This is both technically a “blanket capability” and still, in policy, individually targeted.
Regardless of specifics, this demand — as noted by both Hurley and co-host Jason Snell — is still very bad. It applies to global data demands, meaning Apple cannot simply turn off Advanced Data Protection for U.K. users, and there is a narrow path by which Apple may dispute it.
Mike Masnick, Techdirt:
The UK government’s approach here is particularly insidious. While Apple can appeal the order, their appeal rights are bizarrely limited: They can only argue about the cost of implementing the backdoor, not the catastrophic privacy and security implications for billions of users worldwide. This reveals the UK government’s complete indifference to the fundamental right to privacy.
The best case scenario is for the U.K. government to drop this demand. But these demands for encrypted data will keep coming. I expect the businesses I entrust with my data — like Apple and Backblaze — to stand by their end-to-end encryption promises. In this case, however, I am not sure what that looks like. It is hard to imagine arguing anything is too costly for one of the richest companies in the world.