U.K. Orders Apple to Backdoor iCloud Data Protected by End-to-End Encryption Worldwide

Joseph Menn, Washington Post:

Security officials in the United Kingdom have demanded that Apple create a back door allowing them to retrieve all the content any Apple user worldwide has uploaded to the cloud, people familiar with the matter told The Washington Post.

The British government’s undisclosed order, issued last month, requires blanket capability to view fully encrypted material, not merely assistance in cracking a specific account, and has no known precedent in major democracies. Its application would mark a significant defeat for tech companies in their decades-long battle to avoid being wielded as government tools against their users, the people said, speaking under the condition of anonymity to discuss legally and politically sensitive issues.

This order was based on capabilities granted by the Investigatory Powers Act of 2016, though the Online Safety Act, passed in 2023, allows the U.K. government to make similarly broad access demands. That there are at least two wide-ranging laws that compel technical workarounds to end-to-end encryption belies the government’s claim of supporting users’ privacy.

I want to nitpick the final sentence I quoted above from Menn’s article:

[…] Its application would mark a significant defeat for tech companies in their decades-long battle to avoid being wielded as government tools against their users, the people said, speaking under the condition of anonymity to discuss legally and politically sensitive issues.

Based on its wording, it is possible this is a rephrasing of something Menn was told by a source, so I do not want to put too much weight on it. Menn also discusses the privacy implications to users later in the article. But it does not make sense to think of this as a “defeat for tech companies”. It poisons the well. Tech companies are — correctly — facing more of the kind of scrutiny expected of any world-dominating market leaders. It is not just industry giants and criminals who are concerned about such extraordinary access.

Tim Bradshaw, Lucy Fisher, and John Paul Rathbone, Financial Times, confirmed Menn’s reporting, adding:

The UK Investigatory Powers Act, dubbed the “Snoopers’ Charter” by critics when it was passed in 2016, was updated last year in the final weeks of the Conservative government before July’s election.

Under the legislation, which has been widely criticised by human rights campaigners and privacy activists as well as Silicon Valley tech companies, recipients of technical capability notices are not allowed to acknowledge their existence or warn users that their security had been weakened, unless the Secretary of State grants permission to do so.

Establishing this as a fight between tech companies and governments minimizes the widespread opposition from experts in privacy and security. In turn, that minimizes the effects it will have on actual users. We should expect our information is secured against third-party access. Given the number of companies involved in storing and transmitting user data, there ought to be no difference between a warrant to access someone’s personal data on a drive in their physical possession and one for a server in a data centre. Those legal protections ought to be similarly strong.

However, I wonder if there is any room for compromise. Maybe I will regret writing this. Here is the thing: the higher security offered by Advanced Data Protection only applies to collaborative features in limited cases, but one of those is Notes, which has a substantial feature set these days — a user can embed pictures and attach documents. I think it makes sense if Advanced Data Protection could apply to documents shared with all users within, say, the same iCloud Family. I do not know that it makes sense to extend those protections to a larger and less connected group. I expect there are some limits to the number of users a note can be shared between, given limits on similar iCloud features and Shared Albums, though I could not find any relevant documentation. There are good reasons a group of otherwise disconnected people might want shared access to a very secure document; I can think of use cases among dissidents, activists, and journalists, for example. But I can also see how sharing could lead to abuse.

In any case, the reported demands by the U.K. government are an extraordinary abuse of their own. They have global implications for both U.K. access and, I would venture, access by its allies. As a reminder, U.S. and U.K. spy agencies routinely shared collected data while avoiding domestic legal protections. This order explicitly revives the bad old days of constant access.