In its latest attempt to erode the protections of strong encryption, the U.K. government has reportedly secretly ordered Apple to build a backdoor that would allow British security officials to access the encrypted cloud storage data of Apple customers anywhere in the world.
The secret order — issued under the U.K.’s Investigatory Powers Act 2016 (known as the Snoopers’ Charter) — aims to undermine an opt-in Apple feature that provides end-to-end encryption (E2EE) for iCloud backups, called Advanced Data Protection. The encrypted backup feature only allows Apple customers to access their device’s information stored on iCloud — not even Apple can access it.
While the U.K. government declined to comment to TechCrunch on the report, British officials have long argued that E2EE makes it more difficult to gather digital evidence for criminal prosecutions and collect intelligence for national security.
Apple’s encrypted backup feature, once enabled, closes a loophole that law enforcement has used to gain access to cloud-stored data. This data was otherwise impossible to unscramble on most modern iPhones that have device encryption enabled.
The Washington Post, which first reported the story, said Apple will likely stop offering the iCloud encryption feature to users in the United Kingdom in response to the secret order, rather than break the encryption of users globally.
Apple previously warned that its encrypted communication services, FaceTime and iMessage, could be at risk in the U.K., responding to plans to increase government surveillance powers.
Worldwide ramifications
If Apple stripped its U.K. customers of its advanced iCloud encryption, the fallout would not stop at the country’s borders.
Rebecca Vincent, who heads the privacy and civil liberties campaign group Big Brother Watch, warned that the U.K. government’s “draconian” order would not make citizens safer, but would instead “erode the fundamental rights and civil liberties of the entire population.”
While it’s not yet clear how the U.K. order works in practice — removing Advanced Data Protection would only make the cloud data of U.K. citizens available to law enforcement — news of the order sparked concerns that the security for millions of Apple device owners all over the world could be weakened.
Security and privacy advocates also say that the U.K. could set a dangerous global precedent that authoritarian regimes and cybercriminals will be eager to exploit — any backdoor developed for government use would inevitably be exploited by hackers and other governments.
Thorin Klosowski, a privacy activist at the U.S.-based Electronic Frontier Foundation, also warned in a blog post that the U.K.’s demands will have global ramifications that make the secret order an “emergency for us all.” James Baker at the Open Rights Group said last week that the plans are “frightening… and would make everyone less safe.”
A security lesson not learned
The knock-on effect that the U.K. government’s order could have on citizens around the world has sparked criticisms amid fears that it could put the U.K. at odds with some of its closest allies.
The news comes just weeks after U.S. security authorities urged Americans to use encrypted messaging apps to avoid having their communications intercepted by adversarial nations. The advisory followed reports of a years-long stealthy hacking campaign by Chinese government spies aimed at hacking into critical U.S. infrastructure, as well as phone and internet giants.
The Computer & Communications Industry Association, a U.S. tech industry group that represents the IT and telecoms industries, said the hacks carried out by the so-called “Typhoon” group of Chinese-backed hackers makes it clear that “end-to-end encryption may be the only safeguard standing between Americans’ sensitive personal and business data and foreign adversaries.”
“Decisions about Americans’ privacy and security should be made in America, in an open and transparent fashion, not through secret orders from abroad requiring keys be left under doormats,” the CCIA said.
Chris Mohr, president of U.S.-based Software & Information Industry Association, also issued a similar warning, calling the U.K. order “both ill-advised and dangerous.”
“Particularly in the wake of Salt Typhoon, we need policies to make information more (not less) secure,” said Mohr, referring to the China-backed group that targeted phone companies. “We call on the Trump Administration and the U.S. Congress to take a firm stand against this troubling development.”
The Chinese hacks that targeted phone and internet giants — including AT&T and Verizon — is the most recent example of why the U.K. government’s backdoor demands on Apple are flawed.
Salt Typhoon carried out the telco breaches, said to be one of the biggest hacks in recent history, by abusing a legally mandated backdoor required by telecom firms to give law enforcement and intelligence agencies access to their customers’ data on request.
“The lesson will be repeated until it is learned: there is no backdoor that only lets in good guys and keeps out bad guys,” according to the Electronic Frontier Foundation. “It’s time for all of us to recognize this, and take steps to ensure real security and privacy for all of us.”
