Apple Threatens to Pull FaceTime and iMessage in the UK Over Proposed Surveillance Law Changes

bnew

Veteran
Joined
Nov 1, 2015
Messages
65,828
Reputation
10,162
Daps
178,294


The U.K. Government Is Very Close To Eroding Encryption Worldwide


BY JOE MULLIN

JULY 26, 2023




The U.K. Parliament is pushing ahead with a sprawling internet regulation bill that will, among other things, undermine the privacy of people around the world. The Online Safety Bill, now at the final stage before passage in the House of Lords, gives the British government the ability to force backdoors into messaging services, which will destroy end-to-end encryption. No amendments have been accepted that would mitigate the bill’s most dangerous elements.


If it passes, the Online Safety Bill will be a huge step backwards for global privacy, and democracy itself. Requiring government-approved software in peoples’ messaging services is an awful precedent. If the Online Safety Bill becomes British law, the damage it causes won’t stop at the borders of the U.K.

The sprawling bill, which originated in a white paper on “online harms” that’s now more than four years old, would be the most wide-ranging internet regulation ever passed. At EFF, we’ve been clearly speaking about its disastrous effects for more than a year now.

It would require content filtering, as well as age checks to access erotic content. The bill also requires detailed reports about online activity to be sent to the government. Here, we’re discussing just one fatally flawed aspect of OSB—how it will break encryption.

An Obvious Threat To Human Rights


It’s a basic human right to have a private conversation. To have those rights realized in the digital world, the best technology we have is end-to-end encryption. And it’s utterly incompatible with the government-approved message-scanning technology required in the Online Safety Bill.

This is because of something that EFF has been saying for years—there is no backdoor to encryption that only gets used by the “good guys.” Undermining encryption, whether by banning it, pressuring companies away from it, or requiring client side scanning, will be a boon to bad actors and authoritarian states.

The U.K. government wants to grant itself the right to scan every message online for content related to child abuse or terrorism—and says it will still, somehow, magically, protect peoples’ privacy. That’s simply impossible. U.K. civil society groups have condemned the bill, as have technical experts and human rights groups around the world.

The companies that provide encrypted messaging—such as WhatsApp, Signal, and the UK-based Element—have also explained the bill’s danger. In an open letter published in April, they explained that OSB “could break end-to-end encryption, opening the door to routine, general and indiscriminate surveillance of personal messages of friends, family members, employees, executives, journalists, human rights activists and even politicians themselves.” Apple joined this group in June, stating publicly that the bill threatens encryption and “could put U.K. citizens at greater risk.”

U.K. Government Says: Nerd Harder


In response to this outpouring of resistance, the U.K. government’s response has been to wave its hands and deny reality. In a response letter to the House of Lords seen by EFF, the U.K.’s Minister for Culture, Media and Sport simply re-hashes an imaginary world in which messages can be scanned while user privacy is maintained. “We have seen companies develop such solutions for platforms with end-to-end encryption before,” the letter states, a reference to client-side scanning. “Ofcom should be able to require” the use of such technologies, and where “off-the-shelf solutions” are not available, “it is right that the Government has led the way in exploring these technologies.”

The letter refers to the Safety Tech Challenge Fund, a program in which the U.K. gave small grants to companies to develop software that would allegedly protect user privacy while scanning files. But of course, they couldn’t square the circle. The grant winners’ descriptions of their own prototypes clearly describe different forms of client-side scanning, in which user files are scoped out with AI before they’re allowed to be sent in an encrypted channel.

The Minister completes his response on encryption by writing:

We expect the industry to use its extensive expertise and resources to innovate and build robust solutions for individual platforms/services that ensure both privacy and child safety by preventing child abuse content from being freely shared on public and private channels.

This is just repeating a fallacy that we’ve heard for years: that if tech companies can’t create a backdoor that magically defends users, they must simply “nerd harder.”

British Lawmakers Still Can And Should Protect Our Privacy


U.K. lawmakers still have a chance to stop their nation from taking this shameful leap forward towards mass surveillance. End-to-end encryption was not fully considered and voted on during either committee or report stage in the House of Lords. The Lords can still add a simple amendment that would protect private messaging, and specify that end-to-end encryption won’t be weakened or removed.

Earlier this month, EFF joined U.K. civil society groups and sent a briefing explaining our position to the House of Lords. The briefing explains the encryption-related problems with the current bill, and proposes the adoption of an amendment that will protect end-to-end encryption. If such an amendment is not adopted, those who pay the price will be “human rights defenders and journalists who rely on private messaging to do their jobs in hostile environments; and … those who depend on privacy to be able to express themselves freely, like LGBTQ+ people.”

It’s a remarkable failure that the House of Lords has not even taken up a serious debate over protecting encryption and privacy, despite ample time to review every section of the bill.


Finally, Parliament should reject this bill because universal scanning and surveillance is abhorrent to their own constituents. It is not what the British people want. A recent survey of U.K. citizens showed that 83% wanted the highest level of security and privacy available on messaging apps like Signal, WhatsApp, and Element.

Documents related to the U.K. Online Safety Bill:

 

bnew


UK pulls back from clash with Big Tech over private messaging

Ministers will not immediately enforce online safety bill powers to scan apps after WhatsApp threatened shutdown


The online safety bill is one of the toughest attempts by any government to make tech companies responsible for the content shared on their networks © Getty Images/iStockphoto

Cristina Criddle and Anna Gross in London 4 HOURS AGO


The UK government will concede it will not use controversial powers in the online safety bill to scan messaging apps for harmful content until it is “technically feasible” to do so, postponing measures that critics say threaten users’ privacy.


A planned statement to the House of Lords on Wednesday afternoon will mark an eleventh-hour effort by ministers to end a stand-off with tech companies, including WhatsApp, that have threatened to pull their services from the UK over what they claimed was an intolerable threat to millions of users’ security.


The statement is set to outline that Ofcom, the tech regulator, will only require companies to scan their networks when a technology is developed that is capable of doing so, according to people briefed on the plan. Many security experts believe it could be years before any such technology is developed, if ever.

“A notice can only be issued where technically feasible and where technology has been accredited as meeting minimum standards of accuracy in detecting only child sexual abuse and exploitation content,” the statement will say.


The online safety bill, which has been in development for several years and is now in its final stages in parliament, is one of the toughest attempts by any government to make Big Tech companies responsible for the content that is shared on their networks.


Social media platforms have railed against provisions in the bill that would allow the UK regulator to force them to allow their encrypted messages to be monitored for harmful content, including child sexual exploitation material.


WhatsApp, owned by Facebook parent Meta, and Signal, another popular encrypted messaging app, are among those that have threatened to exit the UK market should they be ordered to weaken encryption, a widely used security technology that allows only the sender and recipient of messages to view a message’s contents.


Officials have now privately acknowledged to tech companies that there is no current technology able to scan end-to-end encrypted messages that would not also undermine users’ privacy, according to several people briefed on the government’s thinking.


However, the statute will still give Ofcom powers to require platforms to develop or source new technology, the people said.

Critics have long argued such a technology does not exist and that current scanning technologies have been found to make errors, wrongly identifying safe content as harmful, and requiring flagged material to be checked by human monitors, therefore exposing private content.

The government said on Wednesday that its position on the issue “has not changed”.
“As has always been the case, as a last resort, on a case-by-case basis and only when stringent privacy safeguards have been met, [the legislation] will enable Ofcom to direct companies to either use, or make best efforts to develop or source, technology to identify and remove illegal child sexual abuse content — which we know can be developed,” the government said.

Child safety campaigners have spent years pushing the government to be tougher on tech companies over abuse material that is shared on their apps.

Richard Collard, head of child safety online policy at the National Society for the Prevention of Cruelty to Children, said: “Our polling shows the UK public overwhelmingly support measures to tackle child abuse in end-to-end encrypted environments. Tech firms can show industry leadership by listening to the public and investing in technology that protects both the safety and privacy rights of all users.”

Additional reporting by John Thornhill
 






 

Amestafuu (Emeritus)

Veteran
Supporter
Joined
May 8, 2012
Messages
72,096
Reputation
14,486
Daps
304,715
Reppin
Toronto
Damn it's like having Indian c00ns in power over there has consequences. From deporting African immigrants to heavy surveillance. It used to be countries like India and Saudi forcing BBM to try and break encryption back in the day. This should come as no surprise to anyone and it looks funny now when the tables flipped because back then the west looked at those trying this heavy handed shyt as undemocratic
 


bnew




Apple pulls data protection feature in UK amid government demands


By Aditya Soni and Stephen Nellis

February 21, 2025, 4:30 PM EST, updated 8 hours ago



People walk past an Apple store in London, Britain, January 13, 2025. REUTERS/Isabel Infantes/File Photo

  • Apple iCloud backups can no longer be end-to-end encrypted in UK
  • Apple says other encrypted services such as iMessage unaffected
  • Experts say move weakens cybersecurity of UK users
  • Showdown is latest in decades-long encryption tussle between tech firms and governments

Feb 21 (Reuters) - Apple (AAPL.O) is scrapping its most advanced security encryption feature for cloud data in Britain, the company said on Friday, an unprecedented response to government demands for access to user data.

The change affects a feature called Advanced Data Protection (ADP), which extends end-to-end encryption across a wide range of cloud data. Apple said it is no longer available in Britain for new users, with those who try to turn it on receiving an error message starting Friday, and that current users will eventually need to disable this security feature.

The move means iCloud backups in Britain will no longer have that level of encryption, allowing Apple to access in certain cases user data that it otherwise could not, such as copies of iMessages, and hand it over to authorities if legally compelled. With end-to-end encryption enabled, even Apple cannot access the data.

"Apple's decision to disable the feature for UK users could well be the only reasonable response at this point, but it leaves those people at the mercy of bad actors and deprives them of a key privacy-preserving technology," said Andrew Crocker, surveillance litigation director at the Electronic Frontier Foundation.

Governments and tech giants have long been locked in a battle over strong encryption to protect consumers' communications, which the authorities view as a mettlesome obstacle to mass surveillance and crime fighting programs. But such a demand from Britain would be particularly sweeping.

Early plans to let Apple users fully encrypt backups of their devices to the company's iCloud service were dropped in or around 2018 after the FBI privately complained, Reuters has previously reported, but the company eventually went forward with the plan in 2022.

"Lawful access to digital evidence and threat information is rapidly eroding," the U.S. Federal Bureau of Investigation says on its website, citing "warrant-proof encryption".

Apple has long said that it would never build a so-called backdoor into its encrypted services or devices, because once one is created, it could be exploited by hackers in addition to governments, a sentiment echoed by security experts.

"Ultimately, once a door exists, it's only a matter of time before it's found and used maliciously. Removing ADP is not just a symbolic concession but a practical weakening of iCloud security for UK users," said Professor Oli Buckley, a professor in cybersecurity at Loughborough University in Britain.

Data that was encrypted before Apple launched its protection service in late 2022, such as passwords and iMessage and FaceTime messaging services, will remain encrypted.

"We are gravely disappointed that the protections provided by ADP will not be available to our customers in the UK given the continuing rise of data breaches and other threats to customer privacy," Apple said in a statement.

The change does not affect encryption of data stored directly on its devices, but in the era of large photo collections, huge messaging histories and regular phone upgrades, many users find it impractical to store all their data on their device alone.

Device-only storage also means that if the device is lost or damaged, all of a user's data could disappear, which drives many if not most consumers to opt for some form of cloud backup that now will be easier for British authorities to access.



SECURITY CONCERNS


Law enforcement agencies have frequently targeted Apple services including iMessage through iCloud backups, which were not end-to-end encrypted before Apple offered Advanced Data Protection.

Those backups - which can contain photos and other sensitive information and are widely used - can no longer be end-to-end encrypted for UK users, Apple said.

While Apple cannot disable ADP for existing users as it does not hold encryption keys, it will prompt users to turn off the feature themselves.

A spokesperson for Britain's Home Office declined to comment on whether such an order had been issued. "We do not comment on operational matters, including for example confirming or denying the existence of any such notices," the spokesperson said.

The Washington Post reported this month that Britain issued Apple a Technical Capability Notice, requiring access under the broad Investigatory Powers Act of 2016, which allows law enforcement to compel firms to assist in evidence collection.

Technical Capability Notices (TCNs) do not grant blanket access to users' personal data, according to the government's website. Even with a TCN in place, separate authorizations are still required to allow access to data.

Australia has a similar law, and could follow Britain's lead, said Joseph Lorenzo Hall, a distinguished technologist with nonprofit group Internet Society.

"The one thing we see with Commonwealth countries is the second one does something, the others tend to do that. And so I would expect Australia to issue a Technical Capability Notice that probably mirrors this, given their own laws."

Hall also noted that Alphabet's (GOOGL.O) Android operating system also offers encrypted backups.

Apple shares ended largely unchanged on Friday.

The company has long resisted government efforts to weaken encryption, including in 2016 when U.S. authorities tried to compel it to unlock the iPhone of a San Bernardino shooter.

Efforts to subvert it date back to the 1990s, when former U.S. President Bill Clinton's administration first proposed adding a physical chip to computer hardware that would give cops and spies a way of eavesdropping on encrypted communications.

The effort foundered, and strong encryption has since made its way into an increasing number of consumer services, including Apple's iMessage, Zoom meetings, Meta's (META.O) WhatsApp and the privacy-focused app Signal.

Some U.S. officials have encouraged the use of encrypted services in the wake of December's widespread Salt Typhoon hack on U.S. telecommunications firms.

Meredith Whittaker, president of Signal, which has previously threatened to leave Britain over similar concerns, called Britain's move "technically illiterate" and said that it would hurt the country's efforts to cultivate its tech sector.

"You can’t be tech-friendly while eroding the foundation of cybersecurity on which robust tech depends. Encryption is not a luxury - it is a fundamental human right essential to a free society that also happens to underpin the global economy," Whittaker said.
 