UK spying on iPhone
iOS/iPadOS macOS

UK government secretly demands Apple to let it spy on EVERY user

Updated on 3 Comments on UK government secretly demands Apple to let it spy on EVERY user

The Washington Post was the first to break this story a couple of days ago,

Security officials in the United Kingdom have demanded that Apple create a back door allowing them to retrieve all the content any Apple user worldwide has uploaded to the cloud…

The British government’s undisclosed order, issued last month, requires blanket capability to view fully encrypted material, not merely assistance in cracking a specific account, and has no known precedent in major democracies.

Now, this story is all over the Internet and social media. In the days to weeks to come, everyone will be talking about it.

Make no mistake, this order from the UK government is outrageous!

What does this order allow the UK government to do?

All end-to-end-encrypted (E2EE) files stored in iCloud can be viewed by the UK government

Apple released a feature for iCloud called Advanced Data Protection (ADP) in December 2022. I mentioned ADP before in this article: What new cybersecurity features has Apple released for iOS/iPadOS 16.2 and macOS 13.1?.

As I wrote then, ADP means that:

Apple does not have the decryption keys to your encrypted data stored on iCloud. As a result, it will be technically impossible for Apple to see what you store on iCloud, even if they are compelled by the government. That means even if hackers breach Apple’s servers, they will not be able to steal your data stored on iCloud because only your devices hold the decryption keys.

The UK government’s order will mean that Apple has to engineer a secret backdoor to allow it access to all files secured with ADP. Complying with the order requires serious re-engineering of the operating systems in Apple devices and iCloud servers. This is going to take some time.

EVERYONE will be affected

The first reason why this order is so outrageous is that it will affect EVERY Apple users globally. As the Washington Post article reported,

The person deemed it shocking that the U.K. government was demanding Apple’s help to spy on non-British users without their governments’ knowledge.

Even if you are a non-UK citizen residing outside of the UK, your supposedly E2EE iCloud files can be viewed by the UK government.

The UK government is secretive about this order

Apple cannot reveal that they are served with an order

This order was issued last month and, as reported by the Washington Post, undisclosed. Apple is not legally allowed to reveal that it has been served with such an order:

The law, known by critics as the Snoopers’ Charter, makes it a criminal offense to reveal that the government has even made such a demand. An Apple spokesman declined to comment.

We are hearing about it publicly today because someone must have leaked it to the press.

Apple must comply while waiting for the outcome of an appeal

As this Washington Post article reported,

Apple can appeal the U.K. capability notice to a secret technical panel, which would consider arguments about the expense of the requirement, and to a judge who would weigh whether the request was in proportion to the government’s needs. But the law does not permit Apple to delay complying during an appeal.

That means that while Apple is embroiled in an appeal process with the secret technical panel, they must work on complying with the order in the meantime.

If you are targeted by the UK government, Apple is legally forbidden to inform you

As the Washington Post article reported,

One of the people briefed on the situation, a consultant advising the United States on encryption matters, said Apple would be barred from warning its users that its most advanced encryption no longer provided full security.

In other words, you will have no idea if you are spied on by the UK government, even if you are a non-UK citizen residing outside of the UK.

What can Apple do?

No doubt, this order by the UK government is extremely bad for Apple’s business. Apple’s brand relies on keeping the promise of protecting the privacy of its users. If they are forced to abandon this promise by the UK government, then that is the end of their brand.

One option is for Apple to withdraw the ADP feature for their UK users. This will make it clear to their UK users that their files stored in iCloud will not have the protection of E2EE. But even that is problematic because the UK government can still spy on non-UK users residing outside of the UK.

If Apple does not want to comply with the order, they can take the nuclear option of withdrawing entirely from the UK market. When every UK user finds their beloved Apple devices not working, they will be sure to send a message to whatever UK government through the ballot boxes.

What are the implications?

I can think of these major implications:

The UK government can spy on behalf of foreign governments

For foreign governments that still cannot legally spy on their citizens, they can ask the UK government to spy on their behalf. This provides a loophole for foreign governments to spy on their own citizens.

Other governments can demand the same

Once Apple creates a backdoor to allow the UK government to spy on EVERY user, it will set a precedent for every other government to demand the same access to the backdoor. At the very least, Apple may have to withdraw the ADP feature from all of its products.

Other Big Tech will suffer the same fate

If governments can demand Apple to backdoor their products, what about Google, Microsoft, Signal, and other tech companies’ products? Which other tech companies will fold?

What are your options?

You will have to assume that all your data stored on the cloud is vulnerable. That means you will have to expunge all your data stored on all cloud storage providers.

If you need the use the cloud, then you will have to run your own cloud servers (e.g. NextCloud). This will require technical knowledge to ensure the security of your cloud.

Next, you may have to expunge all Big Tech from your phone. This may mean you have to use a phone that runs an open-sourced GrapheneOS, which is a project/organisation. They have made it a point not to be a company so that they cannot be forced with a legal order.

All these take a significant amount of effort, change of habits, technical knowledge and sacrifice of convenience to implement. There is going to be significant teething problems. Not all your favourite apps are going to be compatible with GrapheneOS.

Not everyone can go that far. It may not be a practical option for most people, except for the most extreme of technical geeks who have the determination, time and inclination to perform troubleshooting and workarounds. Hence, it may just be easier to simply try the next option…

Use Huawei phones?

The whole argument of why we should not be using Chinese technology is because Western technologies and governments respect our privacy and security.

So this secretive and outrageous order by the UK government (and its implications going forward) undermines the entire argument.

In that case, if we are going to lose our privacy, we may as well use Huawei phones. At least our data will be stored in servers in China free from the prying eyes of Western governments. We can be sure that China will not be cooperative with any Western government’s request for Huawei phone users’ data. We can also be sure that Huawei will not entertain any requests by the Western governments to backdoor their phones.

It is of great irony that it has to come the day that this option even has to be seriously considered.

DON'T GET HACKED!

Related Post

Apple cracked open

Apple colluding with NSA?

iPhone thief

How to prevent an iPhone thief from outsmarting Find My?

iOS-iPadOS side-loading alternative app store

Apple to allow side-loading for iOS/iPadOS in EU

Apple Pay

How did hackers break into Apple Pay to steal your money?

Update iPhone

Apple released emergency cybersecurity update for iOS, iPadOS, macOS and watchOS

Facebook app tracking

Can Facebook/Google still track you even if you turn on App Tracking Transparency (ATT)?

3 Comments

  1. Following the UK government’s outrageous and secret order to Apple, US lawmakers are doing something about it. As reported in the Washington Post:

    Ron Wyden, an Oregon Democrat on the Senate Intelligence Committee, and Andy Biggs, an Arizona Republican on the House Judiciary Committee, wrote to National Intelligence Director Tulsi Gabbard and asked her to demand that the United Kingdom retract its order.

    What is not clear are the measures the US government will take to thwart the UK government’s order. Depending on what the measures are, the question is this: will they only protect Americans? Or will it benefits all Apple users regardless of nationality?

  2. Starting today, the new Advanced Data Protection (ADP) feature that Apple added in December 2022 won’t be available for new users in the U.K.

    While Apple can’t turn off ADP for folks who already have it set up in the U.K. But they’ll have to do it soon, like in the next few weeks or days. Apple’s given them some guidance on how to do it.

    Source: BleepingComputer (https://www.bleepingcomputer.com/news/security/apple-pulls-icloud-end-to-end-encryption-feature-in-the-uk/)

  3. Google is probably issued with the secret order too:

    https://therecord.media/google-refuses-to-deny-it-received-uk-tcn

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Discover more from iSecurityGuru

Subscribe now to keep reading and get access to the full archive.

Continue reading