![]() |
| > you think Google didn't already sign up to this?
My understanding is that Android's Google Drive backup has had an E2E encryption option for many years (they blogged about it at https://security.googleblog.com/2018/10/google-and-android-h...), and that the key is only stored locally in the Titan Security Module. If they are complying with the IPA, wouldn't that mean that they must build a mechanism into Android to exfiltrate the key? And wouldn't this breach be discoverable by security research, which tends to be much simpler on Android than it is on iOS? |
![]() |
| From where did you get both 'care' and 'illiterate' — words that I never used?
Not only have you misquoted me, but also you've attempted to distort what I actually said by changing its inference. |
![]() |
| I agree with you, but these abstract technical systems have enough wiggle room for lawyers and marketers to bend the rules to get what they want |
![]() |
| So if Google still has access in an E2E system, but you didn't know, is it still E2E?
What if google told you they also have a key? Does that change the above answer to the question? |
![]() |
| There was no evidence of any of this on the website until recently (maybe 2 or 3 years ago?), and I did look at every page on there. Similarly, I searched on Google for a while and raised the question in more than a few forums. I dug through the business registration records, etc... and found none of the above.
Sure, now, they have staff photos and the actual names of people on their about page, but just a few years ago it was almost completely devoid of information: https://web.archive.org/web/20190906125729/https://chocolate... Look at it from the perspective of a paranoid sysadmin half way around the world raising a quizzical eyebrow when random Reddit posts mention how convenient it is, but it's distributing binaries to servers with absolutely no obvious links back to any organisations, people, or even a legitimate looking business building. |
![]() |
| There were a lot of people working for the NSA besides Snowden, but none of them blew the whistle even though some of the programs he exposed had been around for 12 years. There were a whole lot of people working at AT&T but employees weren't lining up to tell us about Room 641A (https://en.wikipedia.org/wiki/Room_641A) before Mark Klein. How did everyone else manage to be kept quiet? The details about MKUltra and the Manhattan Project were successfully kept a secret for decades before eventually being declassified.
It'd be a huge mistake to look at the instances where somebody did come forward and spill a secret and assume that it means secrets aren't possible to keep or that there are no secrets being kept right now. It may not be easy to keep a secret, but governments and corporations are extremely well practiced and have many documented successes. |
![]() |
| > Google left China when the government wanted all keys to the citizens data.
Google left China after China started hacking into Google's servers.
> In January, Google said it would no longer cooperate with government censors after hackers based in China stole some of the company’s source code and even broke into the Gmail accounts of Chinese human rights advocates.
https://www.nytimes.com/2010/03/23/technology/23google.html
They were working to reenter the China market on China's terms many years later, when Google employees leaked the effort to the press. Google eventually backed down. |
![]() |
| Android backups are encrypted at rest using the lockscreen PIN or passphrase: https://developer.android.com/privacy-and-security/risks/bac...
So not hugely secure for most people if they use 4-6 decimal digits, but possible to make secure if you set a longer passphrase.
I don't know what Google's going to do about this UK business.
edit: Ah it looks like they have a Titan HSM involved as well. Have to take Google's word for it, but an HSM would let you do rate limits and lockouts. If that's in place, it seems all right to me. |
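An added illustration of the point in the comment above (not part of the thread, and not Google's or Android's code): a short PIN stretched with a KDF falls to exhaustive search when nothing limits guesses, while hardware that holds a random key and enforces lockout caps the number of tries. The names `pin_tag`, `offline_search`, `GuessLimitedVault` and `search_through_vault`, the iteration count and the 10-attempt limit are all assumptions made for this model.

```python
import hashlib
import hmac
import secrets

KDF_ITERATIONS = 200               # assumption: kept low so the demo runs quickly
CHECK_LABEL = b"backup-key-check"  # constructed label, not from any real format


def pin_tag(pin: str, salt: bytes) -> bytes:
    """Stretch the PIN with PBKDF2-HMAC-SHA256 and return a check tag for it."""
    key = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, KDF_ITERATIONS)
    return hmac.new(key, CHECK_LABEL, hashlib.sha256).digest()


def offline_search(salt: bytes, tag: bytes, digits: int):
    """Model: the key depends only on the PIN and nothing counts attempts.

    Returns (pin, guesses_used), or (None, guesses_used) if nothing matched.
    """
    for n in range(10 ** digits):
        pin = f"{n:0{digits}d}"
        if hmac.compare_digest(pin_tag(pin, salt), tag):
            return pin, n + 1
    return None, 10 ** digits


class GuessLimitedVault:
    """Model of an HSM-style component: random key, failure counter, wipe."""

    def __init__(self, pin: str, max_failures: int = 10):
        self._salt = secrets.token_bytes(16)
        self._tag = pin_tag(pin, self._salt)
        self._key = secrets.token_bytes(32)  # random, NOT derived from the PIN
        self._max_failures = max_failures
        self._failures = 0

    @property
    def wiped(self) -> bool:
        return self._key is None

    def unlock(self, pin: str):
        """Return the key for the right PIN, None for a wrong one.

        Raises PermissionError once the key has been destroyed.
        """
        if self._key is None:
            raise PermissionError("key destroyed after too many failed attempts")
        if hmac.compare_digest(pin_tag(pin, self._salt), self._tag):
            self._failures = 0
            return self._key
        self._failures += 1
        if self._failures >= self._max_failures:
            self._key = None  # lockout: the key is gone, even for the right PIN
        return None


def search_through_vault(vault: GuessLimitedVault, digits: int):
    """Same sequential search, but every guess must go through the vault."""
    guesses = 0
    for n in range(10 ** digits):
        try:
            key = vault.unlock(f"{n:0{digits}d}")
        except PermissionError:
            return None, guesses
        guesses += 1
        if key is not None:
            return key, guesses
    return None, guesses


if __name__ == "__main__":
    salt = secrets.token_bytes(16)
    tag = pin_tag("4831", salt)  # constructed sample PIN
    print("no guess limit:", offline_search(salt, tag, 4))
    vault = GuessLimitedVault("4831")
    print("with lockout:  ", search_through_vault(vault, 4), "wiped:", vault.wiped)
```

With the limit in place the search space is irrelevant after the tenth failure, which is why the lockout matters more than the KDF cost for a 4-6 digit PIN.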
![]() |
| I wonder how hard it would be for the US government to force Google to just get the lockscreen pin off of your device or for them to just infect your device with something to capture it themselves. |
![]() |
| This is why Apple, and more recently Google, create systems where they don't have access to your unencrypted data on their servers.
> Google Maps is changing the way it handles your location data. Instead of backing up your data to the cloud, Google will soon store it locally on your device.
https://www.theverge.com/2024/6/5/24172204/google-maps-delet...
You can't be forced to hand over data on your servers that you don't have access to, warrant or no. The UK wants to make this workaround illegal on an international basis. |
![]() |
| > You can't be forced to hand over data on your servers that you don't have access to, warrant or no.
But you can be forced to record and store that data even if you don't want to. |
![]() |
| Which is why Apple takes the stance that the user's device shouldn't be sending data to the mothership at all, if it isn't absolutely necessary.
Compare Apple Maps and Google Maps. Google initially hoovered up all your location data and kept it forever. They learned from Waze that one use case for location data was keeping your map data updated. Apple figured out how to accomplish the goal of keeping map data updated without storing private user data that could be subject to a subpoena.
> “We specifically don’t collect data, even from point A to point B,” notes Cue. “We collect data — when we do it — in an anonymous fashion, in subsections of the whole, so we couldn’t even say that there is a person that went from point A to point B. The segments that he is referring to are sliced out of any given person’s navigation session. Neither the beginning or the end of any trip is ever transmitted to Apple. Rotating identifiers, not personal information, are assigned to any data sent to Apple... Apple is working very hard here to not know anything about its users.
https://techcrunch.com/2018/06/29/apple-is-rebuilding-maps-f... |
![]() |
| Given that you can browse map data for any location, not just where you happen to be, I'm betting that triangulation data from your carrier would be more accurate. |
![]() |
| Small correction.
Google had "created a system where they don't have access to your data on their servers" a couple of years BEFORE Apple. Android 10 introduced it in 2019. |
![]() |
| > (where you don't even have the right to legal advice, or the right to remain silent)
A lot is posted about LEOs lying in the US, this seems worse. |
![]() |
| Spot on, 727 comments, most probably by Americans, and only 2 (including yours) bringing up the CLOUD Act, the much worse US equivalent. Incredible ignorance. |
![]() |
| It's all lip service, because the UK Govt wouldn't ask them that. WhatsApp messages are E2EE. They probably already hand over all the metadata surrounding those messages. |
![]() |
| I don't really understand your comment to be honest. Section 3 of the Regulation of Regulatory Powers Act 2000 allows for compelled key disclosure (disclosure of the information sought instead of the key is also possible). Schedule 7 of the Counter-Terrorism Act allows 9 hour detention, questioning and device search at the border. With these powers it isn't necessary to get access to iCloud backups, as you can get the device and/or the data.
I don't think the e2e iCloud backup is problematic under existing legislation / before the TCN. While you can't disclose the key because it lives in the secure enclave, you can disclose the information that is requested because you can log into your Apple account and retrieve it. IANAL, but I believe this to be sufficient (and refusing would mean jail).
The Investigatory Powers Act allows for technical capability notices, and the TCN in this case says (as far as we know) "allow us a method to be able to get the contents of any iCloud backup that is protected by E2EE for any user worldwide". This means that there is no need to ask the target to disclose information and if implemented as asked, also means that any user worldwide could be a target of the order, even if they'd never been to the UK.
Relevant info:
- https://wiki.openrightsgroup.org/wiki/Regulation_of_Investig... |
![]() |
| > Apple is the only company audibly making a stand
Apple's stand is false, they take with one hand and give with the other. There have been many times that Apple have been caught giving user data to governments at their request, lied about it, then later on admitted it once it had leaked from another source. This whole 'we will never make a backdoor' is a complete whitewash marketing stunt, why do they need to make a backdoor when they are providing any and all metadata to any government on request.
https://www.macrumors.com/2023/12/06/apple-governments-surve... |
![]() |
| Irrespective of political leanings, a lot of British people are saying this. They stand for it because they have to. It's a government that was voted in by a large margin only six months ago. Disquiet, if that's the word, is pretty much universal and I am not sure we've been quite in this position before. Keir Starmer's decline in approval ratings 'marks the most substantial post-election fall for any British prime minister in recent history'.
https://politicalpulse.net/uk-polls/keir-starmer-approval-ra... |
![]() |
| Just make an airgapped Linux device on a DIY FPGA CPU. This part is not that difficult compared to persuading commercial vendors to let you use your own cloud and your own encryption/backup mechanisms. |
![]() |
| Your smartphone cannot be considered a private device. You as the owner don’t have sufficient control over its operating system and applications to ever make that claim. |
![]() |
| The real prescient threat in that movie was the predictive AI algorithm that tracked individual behaviors and identified potential threats to the regime. In the movie they had a big airship with guns that would kill them on sight, but a more realistic threat is the AI deciding to feed them individualized propaganda to curtail their behavior. This is the villain's plot in Metal Gear Solid 2, which is another great story.
This got me thinking about MGS2 again and rewatching the colonel's dialogue at the end of the game: https://www.youtube.com/watch?v=eKl6WjfDqYA
> Your persona, experiences, triumphs, and defeats are nothing but byproducts. The real objective was ensuring that we could generate and manipulate them.
It's really brilliant to use a video game to deliver the message of the effectiveness of propaganda. 'Game design' as a concept is just about manipulation and hijacking dopamine responses. I don't think another medium can as effectively demonstrate how systems can manipulate people's behavior. |
![]() |
| Life is imitating too many dystopian books, movies, etc these days. I think we need to put an end to all creative works before the timeline becomes irrecoverably destroyed. |
![]() |
| I suspect you’re being flippant, but destruction of and restrictions on creative works as an _antidote_ to dystopia is a take I haven’t seen before. |
![]() |
| The government forced them to pull the feature. Would you rather they left a toggle-switch that doesn't actually do anything? Or are you thinking they should just pull out of the EU altogether? |
![]() |
| No. Making a stand would be to threaten to leave and watch all those influential iPhone users scramble to get this law rolled back. Everything else is marketing and cowardice. |
![]() |
| > Anyone who really wants to hide their files, can do so regardless of demands for backdoors.
The question isn't about "anyone who wants". It's about "anyone, regardless of their technical skill" |
![]() |
| It's not literacy. They don't care. They need control, and if establishing control means increased risks for you, it's not something they see as a negative factor. It's your problem, not theirs. |
![]() |
| > You literally tell them that. That's it. As prominent tech leaders have been doing.
As it's not working, QED not "that's it". > You are giving these people way too much of a benefit of the doubt. They're hurting their own interests in the process. If they were just hurting my interests, I'd agree with you. But this stuff increases the risk to themselves, directly. I may have even told them about https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204 given the timing. |
![]() |
| They shouldn’t be able to tap any device from a server. I’m guessing they would have to apply for a warrant and serve the warrant to Apple who review the warrant and provide the data. |
![]() |
|
This was written into the US constitution. Unfortunately, most either don't know or care that it's all but ignored in practice. |
![]() |
| Sorry, but the FBI is part of the executive branch.
This is exactly like saying that President Trump has nothing to do with the actions of the executive branch agencies today. |
![]() |
| it's true that the honour system only works when there's honour in the people in charge.
when a clown moves into a palace, the clown doesn't become the king - the palace becomes a circus. |
![]() |
| "the other side is just as bad" isn't the justification that a lot of people seem to think it is. if you don't like what the other side has done, don't just copy them. do better. |
![]() |
| what do you call US nukes in Europe? that's exactly what it was - Pax Americana, 70 years of peace and prosperity has come to an end for most countries. Now Russia has an ally in their old enemy. |
![]() |
| > one UK head of state
What on earth are you talking about? Charles III is head of state, and before that, Liz II. The monarch absolutely does not get involved in politics. |
![]() |
| Good Lord man! Where are you finding this rubbish!
The Members of Parliament choose the Prime Minister. The role of the monarch in confirming them is purely ceremonial. |
![]() |
| > technical literacy amongst the political establishment who consistently rely on the fallacy that having nothing to hide means you have nothing to fear.
That's an awfully generous assessment on your part. Kindly explain just what "technical literacy" has to do with the formulation you note. From here it reads like you are misdirecting and clouding the -intent- by the powerful here. Also does ERIC SCHMIDT an accomplished geek (who is an official member of MIC since (during?) his departure from Sun Microsystems) suffers from "technical literacy" issues: https://news.ycombinator.com/item?id=983717 Thank you in advance for clarifying your thought process here. Tech illiteracy -> what you got to hide there buddy? |
![]() |
| I feel like the comment was clear, technical illiteracy leads politicians to believe that they'll be the only ones with access to this backdoor, which isn't true. |
![]() |
| >> Kindly explain just what "technical literacy" has to do with the formulation you note.
>> Thank you in advance for clarifying your thought process here. > The comment's clarity was not questioned. |
![]() |
| Many people might not be aware of it, but Apple publishes a breakdown of the number of government requests for data that it receives, broken down by country.
The number of UK requests has ballooned in recent years: https://www.apple.com/legal/transparency/gb.html#:~:text=77%... Much of this is likely related to the implementation and automation of the US-UK data access agreement pursuant to the CLOUD Act, which has streamlined this type of request by UK law enforcement and national security agencies. |
![]() |
| I don't share your findings, EVERY six-month period between January 2014 - June 2017 shows bigger requests than any six-month period in the last 5 years. |
![]() |
| Sad to see the home of the Magna Carta slowly spiraling down into fascism and 1984. The government should be required to have a specific warrant to get at your personal data. |
![]() |
| Almost all iPhones are made in China. They cannot pull out without shutting down.
They make on average 60,000 iOS devices there every hour, 24 hours a day, 365 days a year. |
![]() |
| > In the tussle between regulators and companies, companies are disadvantaged.
When society once again properly separates governmental powers, it will restore balance, and then companies will no longer need to fear "regulators."
In the US, businesses are supposed to be regulated by Congress. That way, if Congress does something foolish, we can vote them out. But in the last 100 years or so, "administrative law" (that is, binding regulations created by the Executive branch) has become a huge part of law-making [1]. Widespread use of Administrative Law allows Congress to wash its hands of any real decision making. It isn't supposed to be this way, and I think we will find our way out of it.
Your statement that companies are disadvantaged only rings true because Executive-branch regulators are not held to account. Lower-level staff generally do not rotate from administration to administration, and so they make tons of binding rules without oversight. Fortunately, SCOTUS recently overturned some of this [2].
The fundamental problem is that the separation of powers, which is where America's strength comes from, has been upended. Power has been collected, by parties on all sides, within the Executive branch. It's supposed to be, Congress writes law, Judiciary interprets law, and the Executive enforces law. The Administrative State, however, combines all three powers into one under the Executive. It gives itself executive agencies that can bind citizens, and its own courts (ALJs) to determine their fate. See [1] for a comprehensive review.
[1] https://press.uchicago.edu/ucp/books/book/chicago/I/bo174366...
[2] https://www.supremecourt.gov/opinions/23pdf/22-451_7m58.pdf |
![]() |
| When you disable ADP, your local encryption keys are uploaded to Apple's servers to be read by them.
Apple could just lock you out of iCloud until you do this. |
![]() |
| That’s exactly the plan. Anyone with this enabled in the UK will need to manually disable it or they’ll get locked out of their iCloud account after a deadline. |
![]() |
| The hardware will not allow this, at least not without modifications. The encryption keys are not exportable from the Secure Enclave, not even to Apple's own servers. |
![]() |
| Behind the scenes, it'd probably decrypt it locally piece-by-piece with the key in the Secure Enclave, and then reencrypt it with a new key that Apple has a copy of when you disable ADP. |
![]() |
| Are you gonna unlock that phone anytime soon?
Thanks for opening the enclave, don't mind if I ship these keys back home. No notification needed, Apple has root access. |
![]() |
| We are told the encryption keys reside only on your device. But Apple control “your” device so they can just issue an update that causes your device to decrypt data and upload it. |
![]() |
| Apple has already fought US government demands that they push an update that would allow the US government to break encryption on a user's device.
> In 2015 and 2016, Apple Inc. received and objected to or challenged at least 11 orders issued by United States district courts under the All Writs Act of 1789. Most of these seek to compel Apple "to use its existing capabilities to extract data like contacts, photos and calls from locked iPhones running on operating systems iOS 7 and older" in order to assist in criminal investigations and prosecutions. A few requests, however, involve phones with more extensive security protections, which Apple has no current ability to break. These orders would compel Apple to write new software that would let the government bypass these devices' security and unlock the phones.
https://www.wikipedia.org/wiki/Apple%E2%80%93FBI_encryption_... |
![]() |
| From the Advanced Data Protection whitepaper [0], it appears the keys are stored in the iCloud Keychain domain, so not the Secure Enclave:
> Conceptually, Advanced Data Protection is simple: All CloudKit Service keys that were generated on device and later uploaded to the available-after-authentication iCloud Hardware Security Modules (HSMs) in Apple data centers are deleted from those HSMs and instead kept entirely within the account’s iCloud Keychain protection domain. They are handled like the existing end-to-end encrypted service keys, which means Apple can no longer read or access these keys.
[0]: https://support.apple.com/guide/security/advanced-data-prote... |
![]() |
| But customers. People keep saying they should just not be in that country. It is far better to have the choice of using an iPhone even if particular features are no longer available. |
![]() |
| > Any solution Apple develops that enables "disable E2E for this account" makes it harder for them to claim that implementing that would be compelling work (or speech, if you prefer)
I think it’s really speech [0], which is why it’s important to user privacy and security that Apple widely advertises their entire product line and business as valuing privacy. That way, it’s a higher bar for a court to cross, on balance, when weighing whether to compel speech/code (& signing) to break E2EE. After all, if the CEO says privacy is unimportant [1], maybe compelling a code update to break E2EE is no big deal? (“The court is just asking you, Google, to say/code what you already believe”). Whereas if the company says they value privacy, then does the opposite without so much as a fight and then the stock price drops, maybe that’d be securities fraud? [2]. And so maybe that’d be harder to compel. [0]: https://news.ycombinator.com/item?id=43134235 [1]: https://www.eff.org/deeplinks/2009/12/google-ceo-eric-schmid... [2]: https://www.bloomberg.com/opinion/articles/2019-06-26/everyt... |
![]() |
| > the (US) doctrine that work cannot be compelled
Is this actually a thing? Telecoms in the US are compelled to provide wiretap facilities to the US and state and local governments. |
![]() |
| >> Apple's defense against backdooring E2E is the (US) doctrine that [government can’t] be compelling work (or speech, if you prefer)
It’s really not "work” but speech. That’s why telecoms can be compelled to wiretap. But code is speech [2], signing that code is also speech, and speech is constitutionally protected (US). The tension is between the All Writs Act (requiring “third parties’ assistance to execute a prior order of the court”) and the First Amendment. [1] So Apple may be compelled to produce the iCloud drives the data is stored on. But they can’t be made to write and sign code to run locally in your iPhone to decrypt that E2EE data (even though obviously they technologically could). [1]: https://www.eff.org/deeplinks/2015/10/judge-doj-not-all-writ... [2]: https://www.eff.org/deeplinks/2015/04/remembering-case-estab... |
![]() |
| That's why it's important to use apps like Signal where you can set the retention of your messages. I've got everybody I know using it now! |
![]() |
| This isn't Amazon getting in trouble for implementation of a routine records retention policy. It's Amazon getting in trouble for violating a document retention mandate related to an ongoing lawsuit. |
![]() |
| If signal doesn’t make a stand, the entire value prop of signal collapses and they cease to be a thing.
For Apple, privacy is one value prop. But seemingly smaller one than the UK market. |
![]() |
| Many of us were very upset about Apple's slow-rolling this feature. There were many claims that they delayed the rollout due to government pressure [1] (note: that story is by the same reporter who broke today's news a couple of weeks ago.)
Rolling out encryption takes time, so the best I can say is "finally it arrived," and then it was immediately attacked by the U.K. government and has now been disabled over there. I imagine that Apple is also now intimidated to further advertise the feature even here in the U.S. To me this indicates we (technical folks) should be making a much bigger deal about this feature to our non-technical friends. [1] https://www.reuters.com/article/world/exclusive-apple-droppe... |
![]() |
| You've always been able to perform encrypted backups to your own local PC or Mac out of the box, so people who do care about privacy have always had that option.
One thing I've found concerning is that Apple had encrypted cloud backups ready to roll out years ago, but delayed releasing the feature when the US government objected.
> After years of delay under government pressure, Apple said Wednesday that it will offer fully encrypted backups of photos, chat histories and most other sensitive user data in its cloud storage system worldwide, putting them out of reach of most hackers, spies and law enforcement.
https://www.washingtonpost.com/technology/2022/12/07/icloud-...
So the UK government isn't the only government that has objected to users having real privacy protections. |
![]() |
| Yes, I was mad before it existed and didn't use icloud backups. With the E2E and ADP I turned it on. If it gets nuked in the US I'll go back to encrypted local backups only. |
![]() |
| Apple has been advertising security and privacy as a top feature for years now. It would make sense for people to get upset if those features were removed. |
![]() |
| People were mad. Remember the Snowden leaks and PRISM program from NSA? [1]
In fact, Apple began to adopt “privacy” first marketing due to this fallout. Apple even doubled down on this by not assisting FBI with unlocking a terrorist suspect's Apple device in 2016. [2]
It was around that time I actually had _some_ respect for Apple. I was even an “Apple fanboy” for some time. But that respect and fanboi-ism was lost between 2019 and now. Between the deterioration of the Apple ecosystem (shitty macOS updates), pushing scanning of photos and uploading to central server (CSAM scanning scandal?), the god awful “Apple wall”, very poor interoperability, and very anti-repair stance of devices.
[1] https://www.theguardian.com/world/2013/jun/06/us-tech-giants...
[2] https://money.cnn.com/2016/03/28/news/companies/fbi-apple-ip... |
![]() |
| iCloud did a lot less, in the past. Disabling it now gives you access to more data than it did a few years ago. And I also suspect it has far more users today than it did a few years ago. |
![]() |
| In the case of the U.K., they can throw you in jail for not handing over your encryption key, so it’s a moot point. They’ve been slowly expanding this power for twenty years now. |
![]() |
| IMO the only thing you can have a high level of trust in is your own *nix server. Backup those devices to it then encrypt there before being sent to the cloud. |
![]() |
| > Our government is almost schizophrenic in its attitude to encryption.
Of course: it's not a monolithic entity. It's a composite of different parts that have different goals and interests. |
![]() |
| And yet if I steal your money and refuse to give it back, or let you steal it back, you'll call that hypocritical. What does the size of an entity have to do with whether this is idiotic or not? |
![]() |
| The law is that encrypted comms must be provided to the security services on request. This is not a problem for government agencies. It is not illegal per se. |
![]() |
| Since 2018:
> Technical Capability Notices (TCNs): TCNs are orders that require a company to build new capabilities that assist law enforcement agencies in accessing encrypted data. The Attorney-General must approve a TCN by confirming it is reasonable, proportionate, practical, and technically feasible.
> It’s that final one that’s the real problem. The Australian government can force tech companies to build backdoors into their systems.
https://www.schneier.com/blog/archives/2024/09/australia-thr... |
![]() |
| Sorry? The UK has been an amazing place for me. It still is, when I focus locally, instead of being swept up by everything else.
Are you also an immigrant to the UK? I suggest you embrace it. |
![]() |
| full control on everyone they deem as an opponent. in UK being deemed an opponent is about posting the wrong meme or even standing in the wrong street at the wrong moment. |
![]() |
| I'm sympathetic to the J.D. Vance angle, which is that European governments are increasingly scared of their own people. This is not doing a lot to change my mind. |
![]() |
| Well put. It's pretty much impossible to sympathize with Vance saying this when the administration he is a part of is scaremongering about "the enemy within". |
![]() |
| They have said all existing ADP enabled accounts will be disabled or deleted in time. They need to give people time to migrate their data out before they nuke it. |
![]() |
| I can't imagine many here (UK) will really care, we've had multiple breaches of privacy imposed on us by the powers that be. - Removed incorrect assumption of this not being reported. |
![]() |
| I just don't interact with the government or British society at all. I have turned my back on it.
If they ever come to my door I'll either go postal or leave the country. It's so bad here now. |
![]() |
| You can pretty easily build / buy these. Look at Ukraine. Lots of their drones were just off the shelf. Jamming is super directional and easy to spot so fighting forces use it sparingly. |
![]() |
| > where corporations are considered people,
People always get this wrong. Corporations are not people. They just have certain rights like owning property. Corporate personhood != full personhood. |
![]() |
| Because while a business goal is to make money, it is not necessarily, unlike what you have 80% of the people here believe, to make the most money possible. Ethics can exist in businesses too. |
![]() |
| > Why do pro-privacy tech folks on here act like Apple is some charity...
Because Apple marketing keeps relentlessly bashing their customers' skulls that privacy is their advantage? |
![]() |
| I mean they could have tried not complying, and fighting a lawsuit at the ECHR (right of every person to a private life). Takes money and time but more attractive than the other options. |
![]() |
| When UK demanded a backdoor to e2ee in iMessage, Apple told them they’d rather get out of UK. Why not do the same here? You’re posing a false dichotomy. |
![]() |
| > Apple told them they’d rather get out of UK
To my knowledge, Apple has always said that their response would be to withdraw affected services rather than break encryption.
> Apple has said planned changes to British surveillance laws could affect iPhone users’ privacy by forcing it to withdraw security features, which could ultimately lead to the closure of services such as FaceTime and iMessage in the UK.
https://www.theguardian.com/technology/2023/jul/20/uk-survei... |
![]() |
| > UK's other notoriously effective regulations like... checks clipboard ...TV licenses and the alcohol ban on public transport
I'm not quite sure what you are getting at with this, but I'd like to add some context for others. There is no blanket restriction on alcohol consumption on public transport in the UK. Individual transport operators are allowed to prohibit drinking as a contractual requirement (very common for bus companies); alternatively, local councils can establish a bylaw to restrict it more generally. However, people can and do drink on the majority of British trains; some even sell alcoholic drinks on-board. As for TV licences, the majority of households with residents who watch TV do indeed pay it. The evasion rate is estimated at around 10%: https://commonslibrary.parliament.uk/research-briefings/cbp-... |
![]() |
| The current EU-UK adequacy decision [1] is up for review this 27 June [2].
Aspects of the UK Investigatory Powers Act are close enough to US FISA [3] that I think this might have some influence, if brought up. IPA 2016 was known at the time of the original adequacy decision, but IPA was amended in 2024. While some things might be improvements, the changes to Technical Capability Notices warrant new scrutiny. Especially seeing this example where IPA leads to reduced security is of some concern, I should think. The fact that security can be subverted in secret might make it a bit tricky for the EU to monitor at all.
[1] https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...
[2] ibid. Article 4
[3] FISA section 702 https://www.govinfo.gov/content/pkg/BILLS-110hr6304pcs/html/... |
![]() |
| How does a layover in Dublin put you in UK jurisdiction?
I have seen advice in big companies to only take a burner phone when going to China on business. Perhaps the same will apply to the UK. |
![]() |
| States are not inherently good, they are just large organisations with a monopoly on certain social functions. All large organisations have the capacity to inflict terrible harm. |
![]() |
| I'm on Arch. Still, while I agree that Windows is becoming more closed, you are still free to create and distribute Windows apps without asking anyone for permissions. |
![]() |
| It's not an either-or, actually, even though the setting is worded like it is. But even if you have cloud backups enabled, you can still manually trigger a local backup. |
![]() |
| I'm going to start purging anything I store on the cloud. I'm not doing anything illegal, but why does the government want to treat me like I am? |
![]() |
| Why is there only one "iCloud" to back up your iPhone and store photos? Lots of ADP users would use a corporate or self-hosted solution instead. |
![]() |
| What would you recommend as a DIY method?
I have a NAS that is accessible through VPN. But I don't trust its encryption, though it is in my controlled location. |
![]() |
| The simplest arrangement for me was to have the device back up to my Mac, and then said Mac has Time Machine set up to back up to the NAS. iOS and Mac local backups can be encrypted by the OS itself. |
![]() |
| because Apple privacy is just marketing, they just want you to pay for it, they don't really care if it's possible to do better for free / by others |
![]() |
| The reason is that Apple was never required by UK law to offer any alternative. I think the DSA intended to challenge that, but it would do nothing for UK residents. |
![]() |
| But it would be up to him, wouldn't it? I think that's the main deal here: carte blanche access to your data, or giving into someone's bullshit fishing attempt because it's inconvenient. |
![]() |
| Except no one has ever been jailed for simply refusing to unlock a phone unless there was heavy evidence there was something on the phone.
Stop spreading incorrect FUD |
![]() |
| What the UK government achieved:
Lowering the data protection of its citizens in comparison to the rest of the world. I was under the impression governments were supposed to protect their citizens. |
![]() |
| > Apple
> freely release
If Apple can't get you to pay for it, it won't happen. They only pay as much lip service to privacy as they need for marketing purposes |
![]() |
| They keep asking for more and more ridiculous powers, but then someone on a terrorist watchlist will go and stab a bunch of toddlers. They don’t need more powers, they need to just do their jobs. |
![]() |
| I don't like Apple, nor do I use any of their products, but as someone from the UK, I do respect them for doing this.
Now if only the other companies who said they'd leave would grow a backbone... |
![]() |
| If the UK wants the law to change, that’s up to the citizens of the UK. These are the people they elected.
Don’t expect Apple to rescue the UK citizens from their own choices. |
![]() |
| The FBI doesn’t create laws. If Congress had passed a law then you would have a good analogy.
Yes Apple follows the laws of every country it operates in just like any other company. |
![]() |
| Then why subsequently say that they follow the laws of every country they operate in? They don't, so whether the FBI makes the laws is not relevant. |
![]() |
| But Apple is not giving the UK Government anything they didn't already have. Now iCloud encryption will function in the UK just as it has for years (decades?) before the inception of ADP. |
![]() |
| They will lock UK users out of iCloud until they manually disable ADP.
When a user turns off ADP in settings, their device uploads the encryption keys to Apple servers. |
![]() |
| It's fine to continue providing the service as long as people know it's not encrypted. I am not worried about my photos being subpoenaed; I am worried about losing them. I'd rather have the service. |
![]() |
| The only difference is Apple doesn't hold the encryption keys when you use ADP.
In both cases it's encrypted in transit and at rest. |
![]() |
| Does this mean I should treat travel to the UK the same way as China and only bring a burner device with no information on it or on cloud backup accounts? |
![]() |
| How will they enforce this?
They will have to send out messages: 'You have 32465 hours before your account is deleted unless you decrypt.' This is NOT a good look. |
![]() |
| Yes, countries lacking in proportional representation and having obscure procedures like proroguing parliament are the best at listening to important but fairly obscure issues from their voters. |
![]() |
| Labour Party was elected six months ago. It is doubling down on existing government surveillance policy as a cure-all weapon to investigate and chill opposition, and to humble foreign tech companies. |
![]() |
| I always thought that metadata and circumstantial evidence is enough to incriminate someone. Do you really need plaintext data and communication to put criminals behind bars? |
![]() |
| It _is_ equivalent to a back door, that's the point. The UK demand can be accessed more rapidly and properly by disabling the feature than by implementing a backdoor, since it is the same thing. |
![]() |
| Ugh. Is this by App Store country? Anyone know what happens if I already have it configured? I’m actually in US App Store region and sometimes switch to UK… I wonder if that would disable it. |
![]() |
| Reading all the comments here makes me sick. I really need to move to a remote place where people are not constantly bashing each other. |
![]() |
| It's just a shame that Apple didn't include the contact details for the Home Office officials responsible as the place for inquiries regarding the matter. |
![]() |
| Yes and no. But Scottish politics have more progressive.
Ultimately Scotland is governed by the UK so any first party rounds are annulled before they get a chance by the UK. |
![]() |
| At some point, we need to stop being surprised at authoritarian countries doing authoritarian things.
Here's hoping the inevitable regime change will be a peaceful one. |
![]() |
| Are there non-iCloud backup options? There used to be local encrypted backups through iTunes, but I can't tell if that feature is still around. |
![]() |
| Ok, I am not very technical. Can someone help me understand this? I don't have Advanced Data Protection on. Does that mean UK Gov can see my data now? |
![]() |
| No, EU is NOT "all for privacy". I don't know where this myth comes from but I see it repeated here often.
1. EU is pushing for mandatory on-device scanning of all your messages (chat control). The current proposal includes scanning of all videos and images all the time for all citizens. The proposal started with analyzing all text too. The discussions are happening behind closed doors. EU Ombudsman has accused EU commission of "maladministration", no response.
2. EU is allowing US companies to scan your emails and messages (ePrivacy Derogation). Extended for 2025.
3. EU is pushing for expansion of data retention and to undermine encryption security (EU GoingDark). "The plan includes the reintroduction and expansion of the retention of citizens’ communications data as well as specific proposals to undermine the secure encryption of data on all connected devices, ranging from cars to smartphones, as well as data processed by service providers and data in transit." https://www.patrick-breyer.de/en/eugoingdark-surveillance-pl...
4. EU is pushing for mandatory age verification to use email, messengers and web applications. Citizens will be required to use EU approved verification providers. All accounts will be linked back to your real identity.
5. "Anonymity is not a fundamental right": experts disagree with Europol chief's request for encryption back door (January 22, 2025) https://www.techradar.com/computing/cyber-security/anonymity...
-----
Do you still believe EU is all for privacy? EU's privacy is deteriorating faster than in any other developed country / bloc. Some of these proposals have been blocked by Germany for now but that is expected to change after the upcoming elections. |
![]() |
| The EU is pushing for this. The EU "Going Dark" group is pushing for this as well as per https://edri.org/our-work/high-level-group-going-dark-outcom...
The fact of the matter is that if the EU was, as it's been said, for privacy this proposal would not have been on the table in the first place. It should have been stopped 3 years ago but here we are again fighting for our rights and our privacy. And it doesn't matter how many times it gets shot down by some of the countries in the EU, the commission changes a few words and starts the process all over again because they know that sooner or later they will get it through. You can't have it both ways. You either are for privacy or you are not. If you are then this proposal should never have seen the light of the day and the people pushing for it should have been given a warning that this was off-limits. Instead they are biding their time so that when the time is right they can come back with a slightly altered but still incredibly damaging proposal hoping that it will pass. The EU pro-privacy stance is a joke. They want access to the same data as the US except they don't have the courage to come out and say it so they wrap it in a nice little gift bag with the words "protect the children" on it. This is hypocrisy in its purest form. Then some governments in the EU have the gall to call out authoritarian regimes around the world when they crack down on dissent and free speech? Give me a break! |
![]() |
| Really disappointed that our government decided to take such a stance.
What are people using when self-hosting services in the scope of iCloud nowadays? Nextcloud seems the closest comparable service. |
![]() |
| ok so while being AI safety concerned.. uk politicians go ahead and remove humanity's single logical control tool that they have to keep AI in check.. encryption maths.
gg |
![]() |
| Very disappointed with this, but I think I will be finding alternatives.
Family sharing especially of Reminders is a hard one - we use lists for grocery shopping and it is extremely convenient. Has anyone tried out Ente https://ente.io/ for photos? |
![]() |
| This is a good reminder that the one who cares about privacy and security cannot rely on closed-source products from commercial companies; don't be deceived by marketing slogans. |
![]() |
| Are anyone of you lot getting the realisation onto why they are pushing Passkeys so hard?
They know they access 8 out of 10 phones they seize. DONT USE PASSKEYS |
![]() |
| Ireland might be an easy option.
UK citizens do not need a visa or residency permit to live and work in Ireland due to the Common Travel Area (CTA) agreement |
![]() |
| Kremlin has full access to every service operating in Russia. If a service is banned in Russia, that's a service you should use. If it's not banned, it already has a backdoor. |
![]() |
| Of the whole list, if the Investigatory Powers Act is what you didn't like, I'd pick Switzerland first, then Belgium/Netherlands.
Of course, that assumes you're fluent in the local languages. Hoe goed spreekt u Nederlands? I made a jump to Germany in 2018, and, thanks to learning a new language, have had a front-row seat to how flat the real Dunning Kruger effect really is: https://en.wikipedia.org/wiki/File:Dunning–Kruger_Effect2.sv... Dubai, even as an international hub where you may be able to get by with English — لا تضيع وقتك باستخدام دولينجو لتعلم اللغة العربية، لقد حاولت خلال الوباء وما زلت لا أعرف الأبجدية — is much more authoritarian than the UK. Similar for Singapore. If you're monolingual, and privacy is your concern, then the US is an improvement over Australia. But also consider Canada and Ireland. Ireland isn't in Five Eyes, Canada is, but also Canada is slightly further away from the madness of Trump etc. than any company still inside the USA. I'm not even sure what's going to happen with the US federal government given that DOGE cannot meet its stated goals even by deleting all discretionary-budget federal agencies like the NSA, CIA, FBI, all branches of the armed forces, etc. but on the other hand the private sector is busy doing a huge volume of spying anyway in the name of selling adverts… chaos is impossible to predict, and you should want to predict things at least a few years out if you're going to the trouble of relocating. |
![]() |
| >Ireland isn't in Five Eyes,
That's true, and I suspect Ireland does not do as much surveillance as many other countries, but if I recall correctly, it does have a passphrase-or-prison law like the UK. I also get the sense that in a number of cases, it tends to view its laws as suggestions, for example, with the autism dossiers scandal [1], and in some sense, gets away with it in the way that a small country can. To me, it feels like a country where you don't need to worry about organized, systemic surveillance abuses, but do need to worry about departments or even individual employees who decide that they just don't like you. [1]: https://en.m.wikipedia.org/wiki/Department_of_Health_autism_... |
![]() |
| This was done under the Investigatory Powers Act which was brought in in 2016. Saying that, Labour weren't exactly against it at the time. Point being snooping isn't left or right - they all love it. |
![]() |
| The Blairite wing of that party has always been extremely bad with this kind of thing (see Tony Blair's obsession with ID cards over the decades) so it's unsurprising they'd push something like this. |
![]() |
| Lol so much for the privacy-first Apple BS everyone keeps touting
If they had any balls whatsoever they would've rejected this and pulled out of the UK, but of course money comes before anything else. |
![]() |
| It’s not really end to end in that sense. They don’t get the key, they just store opaque data for you.
The only way apple could get your data is to push code to your device to steal the key. |
![]() |
| Wow - how sad. To think the 2nd highest scoring post ever on hacker news is Apple's 2016 A Message to Our Customers. A display of intelligence, morality and courage under great pressure: https://hn.algolia.com
How things have changed.
> In a statement Apple said it was "gravely disappointed"
So are we, Apple. So are we. |
![]() |
| Apple did the right thing.
I would much rather they were transparent, so that people can move services, rather than build a backdoor in secret, to appease the far-left Labour government. |
> The UK government's demand came through a "technical capability notice" under the Investigatory Powers Act (IPA), requiring Apple to create a backdoor that would allow British security officials to access encrypted user data globally. The order would have compromised Apple's Advanced Data Protection feature, which provides end-to-end encryption for iCloud data including Photos, Notes, Messages backups, and device backups.
One scenario would be somebody in an airport and security officials are searching your device under the Counter Terrorism Act (where you don't even have the right to legal advice, or the right to remain silent). You may be a British person, but you could also be a foreign person moving through the airport. There's no time limit on when you may be searched, so all people who ever travelled through British territory could be searched by officials.
Let that sink in for a moment. We're talking about the largest back door I've ever heard of.
What concerns me more is that Apple is the only company audibly making a stand. I have an Android device beside me that regularly asks me to back my device up to the cloud (and makes it difficult to opt out), you think Google didn't already sign up to this? You think Microsoft didn't?
Then think for a moment that most 2FA directly goes via a large tech company or to your mobile. We're just outright handing over the keys to all of our accounts. Your accounts have never been less protected. The battle is being lost for privacy and security.