_______               __                   _______
       |   |   |.---.-..----.|  |--..-----..----. |    |  |.-----..--.--.--..-----.
       |       ||  _  ||  __||    < |  -__||   _| |       ||  -__||  |  |  ||__ --|
       |___|___||___._||____||__|__||_____||__|   |__|____||_____||________||_____|
                                                             on Gopher (inofficial)
   URI Visit Hacker News on the Web
       
       
       COMMENT PAGE FOR:
   URI   Apple pulls data protection tool after UK government security row
       
       
        justinclift wrote 1 hour 3 min ago:
        > "Apple saw this as a point of principle - if they were going to
        concede this to the UK then every other government around the world
        would want this."
        
        How is withdrawing the full encryption capability from UK users not
        condeding to the UK government?
       
        vednig wrote 1 day ago:
        we need something that's quantum safe
       
        mrkramer wrote 2 days ago:
        I always thought that metadata and circumstantial evidence is enough to
        incriminate someone. Do you really need plaintext data and
        communication to put criminals behind bars?
       
        holoduke wrote 2 days ago:
        Reading all the comments here makes me sick. I really need to move to a
        remote place where people are not constantly bashing each other.
       
        ej1 wrote 2 days ago:
        This is a great article!
       
        quitit wrote 2 days ago:
        What's stopping Apple from launching an AppleTV-esque device that
        functions as personal iCloud storage?
        
        The design of ADP is that even taking control of the data centre won't
        allow access to the information held within. Decentralising the service
        makes it significantly harder to write ham-fisted legislation that aims
        to prevent tech companies from offering secure products.
        
        Additionally there isn't a technical need for ADP to interface with
        iCloud. Apple could feasibly release free software for DIY ADP.
        
        My expectation is that either the UK will alter the law, or Apple will
        work around it. I don't think we're looking at the end of this.
       
          arccy wrote 2 days ago:
          > Apple
          > freely release
          
          If Apple can't get you to pay for it, it won't happen.
          They only pay as much lip service to privacy as they need for
          marketing purposes
       
          nobankai wrote 2 days ago:
          Commercial security is pure theatre at the end of the day. Apple
          could pretend to make a big stink, release a new encrypted Time
          Machine or leave the UK... but why? None of that makes them money.
          It's a band-aid for the user freedom that was amputated decades ago.
          
          I don't expect Apple to fight this like, say, the EU regulations.
          Without a profit incentive, it's hard to mobilize Apple to seek a
          solution.
       
            quitit wrote 2 days ago:
            >release a new encrypted Time Machine or leave the UK... but why?
            None of that makes them money.
            
            Would this device be free?
       
        UnreachableCode wrote 2 days ago:
        What is stopping me from using something like Proton in the same way?
        Why does the UK government simply make an example out of Apple on this
        one?
       
        giorgioz wrote 2 days ago:
        > Caro Robson said she believed it was "unprecedented" for a company
        "simply to withdraw a product rather than cooperate with a government".
        
        She believes wrong. Google retreated from the Chinese market to not
        give in. Apple stayed in China and also banned VPNs on App Stores for
        Chinese customers. Kudos to Apple to not giving in to a backdoor in
        this case but some there companies took a even higher moral stand in
        some other situations, so there is precedent indeed.
       
        MrCroxx wrote 2 days ago:
        I'm drunk. No offense. Why our world ends up like this.
       
          Ylpertnodi wrote 1 day ago:
          Well, it usually starts with one...socially, like.
       
        oddb0d wrote 2 days ago:
        Hopefully it'll spur growth of decentralised, distributed peer to peer
        mobiles like the new Holochain-based Volla Phone
        
   URI  [1]: https://volla.online/en/
       
        rhubarbtree wrote 2 days ago:
        As a British citizen I am amazed at how much the government has invaded
        our privacy. I think it started after 9/11 when they first introduced
        terrorism laws and saw they could get away with it. I wonder if the
        ruling classes are nervous, given the state and direction of our
        economy and the inequality, as well as the iron grip a small part of
        the country has maintained on society. They are perhaps making
        preparations for a class revolt.
        
        Having said that, in practice to date the extraordinary powers the
        government has acquired are rarely used, eg to quell the race riots
        last year. It feels more like a risk for the future and that makes it
        harder to argue against now. One day this will hit the fan.
        
        I’m very curious, however, to see Americans criticise our government
        for its (mostly theoretical) overreach, whilst simultaneously the
        constitution of America is being torn to shreds by the actions of Musk
        and Trump, with some in the tech community even cheering on DOGE.
       
          yew wrote 2 days ago:
          Hm. I see them as connected - "we must confront our problems
          domestically before we fight them abroad."
       
            rhubarbtree wrote 2 days ago:
            Please could you expand? I'm very confused by what's going on in
            the states, particular the attitude in the tech community, so any
            clarity would be appreciated!
       
              yew wrote 2 days ago:
              Not particularly. The matter is no longer up for discussion.
              Silence and action are best.
       
                yew wrote 2 days ago:
                (Unsafety and fear always motivate silence and action. You
                might expect certain people to understand that better than
                most.)
       
        uni_baconcat wrote 2 days ago:
        Write to local MP and Home Office. This is totally unacceptable.
       
        MagicMoonlight wrote 2 days ago:
        They keep asking for more and more ridiculous powers, but then someone
        on a terrorist watchlist will go and stab a bunch of toddlers. They
        don’t need more powers, they need to just do their jobs.
       
        QuiEgo wrote 2 days ago:
        The cloud is just someone else’s computer. If you really, really care
        about privacy, self host.
       
          AlgebraFox wrote 2 days ago:
          That works for nerds like us. But my sister or my non tech friends
          don't have knowledge to self host. It is like asking a person to do a
          surgery on themselves when they don't have medical knowledge. E2E
          services are very crucial for such normal people.
          
          How long do you think for governments to make it illegal to self host
          or backdoor Linux builds? They have already went too far by just
          asking backdoor to data of every single person on the planet. We
          should oppose such unethical laws rather than finding workarounds.
       
            QuiEgo wrote 2 days ago:
            > How long do you think for governments to make it illegal to self
            host or backdoor Linux builds?
            
            Probably never, it won't be worth the trouble because it's always
            going to be a fringe thing for the reasons you say :). One can hope
            anyways.
            
            Also, if the government decides I'm a baddie, they can always just
            show probable cause to a judge and come physically get my hardware,
            so they have a more traditional path there to handle weirdos like
            me already :).
            
            FWIW, I agree completely strong encryption in SAAS is necessary for
            privacy. But pragmatically, there's little hope laws like this
            won't eventually take root in more places. So the statement stands
            irregardless of the challenges: the cloud is just someone else's
            computer.
            
            One final note: I don't think E2E means what most people think it
            means unfortunately - lots of companies imply that you're the only
            one with access to the encryption keys when E2E is on, but if you
            read the fine print, it often really just says is the data is
            encrypted in flight, not what the policy is for protecting the data
            on the other "end."
            
            This is the awesome thing about ADP - they spell out the full
            policy in glorious detail.
       
          Aachen wrote 2 days ago:
          For those to whom that sounds scary: buy a regular consumer NAS. They
          run quite a few applications nowadays (besides being file storage as
          a base feature) and are meant to be setuppable by an average person
       
        vegabook wrote 2 days ago:
        I live between France and the UK. How do I move my iCloud account out
        of Britain?
       
        retinaros wrote 2 days ago:
        concessions afer concessions we gave away our freedom. the axis of good
        is mostly responsible for this but the opposition also wanted to remove
        anonymity and freedom from the web.
        
        no one fought when the democrats called snowden or assange russian spys
        for revealing clinton corruption. they just blindly sided with their
        own corrupt political party and gave away freedom. just like previous
        govs censored trump, banned political opponents they created a
        precedent and opened the door to the end of freedom. its now beyond
        politics, we should fight for the last moments of freedom we have
        before its too late.
       
          Ylpertnodi wrote 2 days ago:
          ...you go first. I'll applaud, and call everyone else over, if
          anything interesting happens.
       
        blufish wrote 2 days ago:
        its a shame
       
        aryan14 wrote 2 days ago:
        Absolutely mental the kind of people that have power. Dealing with this
        like immature children.
        
        “We don’t get what we want? We ruin it for everyone.”
        
        Trying to backdoor a privacy feature for no real reason, just for the
        sake of having a backdoor. Pathetic
       
        sholladay wrote 2 days ago:
        So many questions around this that need answering, such as:
        
        1. What happens if I have ADP enabled and then visit the UK? Will
        photos I take there still be E2E encrypted? If not, will I be notified?
        I realize that at the moment the answer is yes, that for now, they are
        only disabling ADP enrollment. But they are planning to turn it off for
        everyone in the UK in the future. So what happens then?
        
        2. If they make an exception for visitors, such as by checking the
        account region, then obviously anyone in the UK who cares about
        security will just change their account region - a small inconvenience.
        Maybe this will be a small enough group that the UK government
        doesn’t really care, but it could catch on.
        
        3. Is this going to be retroactive? It’s one thing to disallow E2E
        encryption for new content going forward, where people can at least
        start making different decisions about what they store in the cloud.
        It’s an entirely different thing for them to remove the protection
        from existing content that was previously promised to be E2E encrypted.
        When they turn off ADP for people who were already enrolled, how is
        their existing data going to be handled?
        
        This is bad news and it is going to be messy.
       
          sureIy wrote 2 days ago:
          These are important questions, particularly 2 because even a layover
          in London or Dublin puts you under UK jurisdiction. So now you have
          to put that into account when traveling.
          
          The precedent here is China. I spent a few days in China and, as far
          as I know, my region is still  and ADP is still active.
       
            biztos wrote 2 days ago:
            How does a layover in Dublin put you in UK jurisdiction?
            
            I have seen advice in big companies to only take a burner phone
            when going to China on business.  Perhaps the same will apply to
            the UK.
       
              sureIy wrote 1 day ago:
              > How does a layover in Dublin put you in UK jurisdiction?
              
              Heh that's embarrassing. Scratch that part.
       
        6510 wrote 2 days ago:
        Being locked into an ecosystem seems really nice.
        
        The problem is that you don't really know your future jailer.
       
        codedokode wrote 2 days ago:
        This is a good reminder that the one who cares about privacy and
        security cannot rely on closed-source products from commercial
        companies; don't be deceived by marketing slogans.
       
        bigfatkitten wrote 2 days ago:
        It's just a shame that Apple didn't  include the contact details for
        the Home Office officials responsible as the place for inquires
        regarding the matter.
       
        LAC-Tech wrote 2 days ago:
        At some point, we need to stop being surprised at authoritarian
        countries doing authoritarian things.
        
        Here's hoping the inevitable regime change will be a peaceful one.
       
        willtemperley wrote 2 days ago:
        What the UK government achieved:
        
        Lowering the data protection of it's citizens in comparison to the rest
        of the world.
        
        I was under the impression governments were supposed to protect their
        citizens.
       
          arccy wrote 2 days ago:
          the government's monopoly on force just means they're thugs most
          people tolerate...
       
          bruce511 wrote 2 days ago:
          >> Lowering the data protection of it's citizens in comparison to the
          rest of the world. I was under the impression governments were
          supposed to protect their citizens.
          
          This depends on whether you see "citizens" as individuals or as a
          group.
          In other words it's possible that to improve the security (and thus
          protect) the majority, the rights of individual citizens need to be
          eroded.
          
          For example, to protect vulnerable citizens from crime (the cliche of
          child porn is useful here, but it extends to most-all crime) it's
          useful for prosecutors to be able to collect evidence against guilty
          parties. This means that the erosion of some privacy of those
          parties.
          
          Thus the govt balances "group security" with "individual privacy". It
          has always been so. So to return to your original hypothesis;
          
          >> Lowering the data protection of it's citizens in comparison to the
          rest of the world.
          ... and also, making it easier to detect and prosecute criminals, and
          thus protect the citizens from physical harm.
          
          Now, of course, whenever it comes to balancing one thing against
          another, there's no easy way to make everyone happy. We all want
          perfect privacy, coupled with perfect security. Some will say that
          they'll take more privacy, less security - others will take more
          security and less privacy. Where you stand on this issue of course
          depends on which side you lean.
          
          More fundamentally though there's a trust issue. Citizens (currently)
          do not trust governments. They assume that these tools can be used to
          harm more than just criminals. (They're not wrong.) If you don't
          trust the govt to act in good faith then naturally you choose privacy
          over security.
       
            willtemperley wrote 1 day ago:
            You restate my hypothesis adding your own words:
            
            "also, making it easier to detect and prosecute criminals, and thus
            protect the citizens from physical harm."
            
            Did this happen though? Whilst I agree with your philosophy, in
            reality the UK government are no closer to lawfully accessing our
            data, but our data are less protected from potential other threats
            (e.g. unlawful access to a data centre, rogue Apple employees).
            
            It's what actually happened as opposed to the government intention
            that matters to the people affected.
            
            So my statement "Lowering the data protection of it's citizens in
            comparison to the rest of the world" still stands, and I'd add
            "whilst the UK government achieved absolutely zero in its quest to
            lawfully access individual's data".
       
        ajdude wrote 3 days ago:
        Related discussion:
        
        U.K. orders Apple to let it spy on users’ encrypted accounts
        (washingtonpost.com)
        762 points by Despegar 14 days ago | 1070 comments
        
   URI  [1]: https://news.ycombinator.com/item?id=42970412
       
        dk1138 wrote 3 days ago:
        The more I live I’m less concerned about what are often described as
        “bad actors”. The bad actors are often the state, and this kind of
        information is collected without thought to the risk of future
        politicians who don’t follow the rules or who don’t have any
        respect for the laws.
       
          IceHegel wrote 2 days ago:
          Through all history state security has been a thing. The Stasi and
          KGB are transparently state security forces to the West, but the CIA
          and MI5/6 are... what exactly?
          
          The primary purpose of these agencies, despite what has been written
          down on paper, is NOT to protect the citizens of the countries that
          fund them. It is to protect the system that taxes those citizens.
       
          wcerfgba wrote 3 days ago:
          States are not inherently good, they are just large organisations
          with a monopoly on certain social functions. All large organisations
          have the capacity to inflict terrible harm.
       
        nisten wrote 3 days ago:
        ok so while being AI safety concerned.. uk politicians go ahead and
        remove humanity's single logical control tool that they have to keep AI
        in check.. encryption maths.
        
        gg
       
        sneak wrote 3 days ago:
        This is almost the status quo in the USA, given that nobody turns on
        the optional e2ee anyway.
       
        reader9274 wrote 3 days ago:
        "Existing users' access will be disabled at a later date."
        
        Hmmm how? How can they decrypt your already end-to-end encrypted and
        uploaded data without you entering the passphrase to do so? I can
        understand them removing the data from iCloud completely, or asking you
        to send the keys to Apple, but I don't understand how they can disable
        the feature for already uploaded data.
       
          Aloisius wrote 3 days ago:
          They will lock UK users out of iCloud until they manually disable
          ADP.
          
          When a user turns off ADP in settings, their device uploads the
          encryption keys to Apple servers.
       
            reader9274 wrote 2 days ago:
            What if the users don't agree to disable ADP? So if one pays for
            iCloud+, they'll be refunded? And what happens to their already
            uploaded data? Is it deleted?
       
              Aloisius wrote 2 days ago:
              I imagine if you choose to ignore the warning that iCloud syncing
              will cease to work unless you disable ADP, then at some point,
              the warning turns into an error and iCloud syncing will cease to
              work.
              
              I can't imagine they'll cancel your iCloud+ subscription. ADP is
              not a feature of iCloud+ and iCloud+ has features beyond extra
              storage space. Nor can I imagine they'll delete your data
              preemptively as long as there's space to store it.
              
              Hopefully they'll provide instructions on how to manually delete
              your iCloud data in case you don't want to use it any longer (I
              think you just turn off iCloud on all your devices).
       
          mu53 wrote 3 days ago:
          I am going to say something a bit controversial around here, but all
          of this E2E and security stuff is just lip service for marketing to
          consumers.
          
          These companies have to comply with so many laws and want cozy
          relationships with governments, so they play both sides. It likely
          does things differently, but if the keys are not secure, then its not
          secured
       
        keepamovin wrote 3 days ago:
        They are not the first country to do this. Apples advanced security
        features are rolled out non-uniformly across global markets. You get
        different capabilities, depending on where you are and where your
        account is resident, it would be great if there was a website that
        listed the countries and the security protections Apple provides in
        those countries.
       
        1vuio0pswjnm7 wrote 3 days ago:
        This provides an incentive for Apple computer users to do the right
        thing: Stop storing sensitive data on Apple servers.  Unfortunately,
        due to Apple's pre-installed proprietary operating systems that phone
        home incessantly, that may be more challenging than it should be.
       
        sensanaty wrote 3 days ago:
        Lol so much for the privacy-first Apple BS everyone keeps touting
        
        If they had any balls whatsoever they would've rejected this and pulled
        out of the UK, but of course money comes before anything else.
       
        EGreg wrote 3 days ago:
        Why can't governments simply compel every software developer to create
        a backdoor, or go to jail?
        
        If even one government does it, then the backdoors exist globally. Here
        is an overview of the global situation:
        
   URI  [1]: https://community.qbix.com/t/the-global-war-on-end-to-end-encr...
       
        ein0p wrote 3 days ago:
        How do you like your "liberal democracy", UK-ians? Is that democratic
        enough for you yet? Do you feel in control?
       
        mattfrommars wrote 3 days ago:
        Could this be the catalyst for the rise of third party encryption
        companies that operate in UK? 
        Or perhaps, rise to third party self host E2E cloud solution?
        
        Only time will tell.
        
        I've already invested in USB storage :)
       
        edge17 wrote 3 days ago:
        Are there non-icloud backup options? There used to be local encrypted
        backups through itunes, but I can't tell if that feature is still
        around.
       
          commandersaki wrote 2 days ago:
          Still exists but now backup is integrated into Finder. You can also
          do encrypted backup on Windows but I forgot what the app is called
          (from Apple).
       
          aqueueaqueue wrote 3 days ago:
          ITunes but it is a PITA. Do a test backup restore too. It may not
          restore if the phone was nearly full (maybe 80%) when backed up.
       
        Zufriedenheit wrote 3 days ago:
        Does Apple offer this type of encryption in China?
       
        ancorevard wrote 3 days ago:
        Deep betrayal by Apple.
        
        "privacy is a fundamental human right" - Tim Cook.
       
        mmaunder wrote 3 days ago:
        Not relevant to the Apple story but as a general comment on UK
        surveillance/search/detainment laws: Five Eyes means the US just needs
        to get their citizen into the UK for their partner to gain access that
        the US doesn't have to their citizen. The reciprocity possibilities are
        endless.
       
        SirMaster wrote 3 days ago:
        Well this is double plus ungood...
       
        AutistiCoder wrote 3 days ago:
        How many UK people who haven't heard of ADP will now enable it?
       
        anoncow wrote 3 days ago:
        >Online privacy expert Caro Robson said she believed it was
        "unprecedented" for a company "simply to withdraw a product rather than
        cooperate with a government.
        
        That is such a self serving comment. If Apple provides UK a backdoor,
        it weakens all users globally. With this they are following the local
        law and the country deserves what the rulers of the country want. These
        experts are a bit much. In the next paragraph they say something
        ominous.
        
            >"It would be a very, very worrying precedent if other
        communications operators felt they simply could withdraw products and
        not be held accountable by governments," she told the BBC.
       
          rapjr9 wrote 2 days ago:
          This is actually an increasing concern, that large multinational
          companies are so powerful that they don't have to obey governments
          any more, and can instead blackmail them by withdrawing products. 
          Pornhub has done this in US states.  Meta has threatened to do it in
          various countries.  There has always been pushback to regulation from
          powerful companies, but punishing countries by withdrawing products
          seems to be used as a tactic more often recently.  There are other
          tools of power companies use as well, like deciding where to create
          jobs and build facilities.  Musk has used that, moving from
          California to Texas.  Defence and oil companies use these tactics
          also.
       
            anoncow wrote 2 days ago:
            I disagree but respect your opinion. Companies have the right to
            free speech. In the tussle between regulators and companies,
            companies are disadvantaged. If we can force companies to do the
            regulators bidding and not allow them to use free speech to act in
            their best interests, we would have global tyranny. The regulators
            and companies both acting towards their own goals with freedom
            allows us to have a world with balance.
            
            I believe in this however I think we are testing limits of this
            approach with scenarios like the one with encryption. Ideally
            privacy needs E2E encryption. But concerns on misuse of such
            technology that governments raise are also not without merit. I
            wonder if this tussle between regulators and companies can end in
            any way in which privacy is not compromised. Mathematically it
            doesn't seem that there is a way to be safe and private.
       
              rhaksw wrote 2 days ago:
              > In the tussle between regulators and companies, companies are
              disadvantaged.
              
              When society once again properly separates governmental powers,
              it will restore balance, and then companies will no longer need
              to fear "regulators."
              
              In the US, businesses are supposed to be regulated by Congress.
              That way, if Congress does something foolish, we can vote them
              out.
              
              But in the last 100 years or so, "administrative law"– that is,
              binding regulations created by the Executive branch– has become
              a huge part of law-making [1]. Widespread use of Administrative
              Law allows Congress to wash its hands of any real decision
              making.
              
              It isn't supposed to be this way, and I think we will find our
              way out of it.
              
              Your statement that companies are disadvantaged only rings true
              because Executive-branch regulators are not held to account.
              Lower-level staff generally do not rotate from administration to
              administration, and so they make tons of binding rules without
              oversight. Fortunately, SCOTUS recently overturned some of this
              [2].
              
              The fundamental problem is that the separation of powers, which
              is where America's strength comes from, has been upended. Power
              has been collected, by parties on all sides, within the Executive
              branch. It's supposed to be, Congress writes law, Judiciary
              interprets law, and the Executive enforces law. The
              Administrative State, however, combines all three powers into one
              under the Executive. It gives itself executive agencies that can
              bind citizens, and its own courts (ALJs) to determine their fate.
              See [1] for a comprehensive review. [1]
              
   URI        [1]: https://press.uchicago.edu/ucp/books/book/chicago/I/bo17...
   URI        [2]: https://www.supremecourt.gov/opinions/23pdf/22-451_7m58....
       
            adultSwim wrote 2 days ago:
            Google News pulling out of Spain..
       
          throwaway106382 wrote 3 days ago:
          >"It would be a very, very worrying precedent if other communications
          operators felt they simply could withdraw products and not be held
          accountable by governments,"
          
          This would actually be a very very very very VERY GOOD precedent if
          you ask me.
          
          Facebook pulled something similar when Canada passed the Online News
          Act and instead of extorting facebook to pay the media companies for
          providing a service to them (completely backasswards way to do
          things), they just pulled news out of Canada.    I despise Meta as a
          company, but I had to give them credit for not just letting the
          government shake them down.
          
          Good riddance.    Governments need to be reminded from time to time
          that they are, in fact, not Gods.  We can and should, just take our
          ball and go play in a different park or just go home rather than obey
          insane unjust laws.
       
            donbox wrote 2 days ago:
            I love their products: whatsapp and facebook
       
              sandblast wrote 2 days ago:
              Why?
       
          StanislavPetrov wrote 3 days ago:
          >Online privacy expert Caro Robson
          
          Ironic to refer to her as a "privacy expert" given her open hostility
          to privacy.
       
          aqueueaqueue wrote 3 days ago:
          "a product" and "cooperate" are doing so much work in that statement
          that they collapsed and look like ________ and ________
          
          They re-emerged as "security feature" "add vulns to security features
          to make it an insecurity feature"
       
          kelnos wrote 3 days ago:
          It's also just false. Google pulled out of China many years ago
          because they didn't want to bow to the Chinese government's demands.
          
          And they didn't just withdraw a product, they withdraw their entire
          business.
       
            kshacker wrote 3 days ago:
            I wonder what the impact of Apple withdrawing from China will be. I
            know we are talking about UK, but this made me think.
            
            Not only their sales will reduce, but hey Chinese manufacturing
            cuts down. By how much? Will it be impactful? I would think so but
            wonder if it is quantifiable.
       
              sneak wrote 3 days ago:
              Almost all iPhones are made in China.  They cannot pull out
              without shutting down.
              
              They make on average 60,000 ios devices there every hour, 24
              hours a day, 365 days a year.
       
                mianos wrote 2 days ago:
                Google pulled out but their phones are made in China. When push
                comes to shove money always wins still in China.
       
                  aswegs8 wrote 1 day ago:
                  Classic communism am I right?
       
                samldev wrote 2 days ago:
                Your math adds up to 525,600,000 iOS devices per year. That
                can't possibly be right
       
                  helloplanets wrote 2 days ago:
                  > In 2023, Apple shipped 234.6 million iPhones, capturing
                  20.1% market share and growing 3.7% year over year, according
                  to IDC data. [0]
                  
                  So, probably not 525.6 million iOS devices a year, but safe
                  to assume it's going to be 300+ million for 2025.
                  
                  35k devices an hour, give or take.
                  
                  [0]:
                  
   URI            [1]: https://www.forbes.com/sites/johnkoetsier/2024/01/16...
       
                    sneak wrote 1 day ago:
                    As medwezys pointed out, you forgot iPads.  That’s
                    another 40-70M units per year.
                    
                    My numbers are a rough estimate from memory, but they’re
                    not wildly off.
                    
                    300M or 500M, the point remains: it’s an absolutely
                    staggering scale and cannot be moved elsewhere in any short
                    period of time.  Setting up comparable production would
                    take many years, just as it did the first time.
                    
                    I imagine Apple/Foxconn have already begun this work.  The
                    unexpected shutdown or impediment of US/CN trade is a risk
                    that must be accounted for, given the situation with
                    Taiwan.
       
                    medwezys wrote 2 days ago:
                    Apple has more devices than iPhones, so the OPs numbers are
                    not unbelievable
       
          boxed wrote 3 days ago:
          Governments forcing companies from other countries to do business in
          their country seems like the worrying precedent to me.
       
          yunesj wrote 3 days ago:
          Fake privacy experts like Caro Robson need to be held accountable.
       
            Aachen wrote 2 days ago:
            I often notice journalistic pieces interview people and then use
            maybe 30 seconds' worth of material from a 20-minute interview. The
            "expert" could have condemned it in any number of ways until the
            topic of applying data protection laws came up and she said that
            companies need to be held accountable (could be about GDPR, could
            be about snooping laws) which the journalist then quoted, not out
            of malice but because everyone already condemns it and this is the
            most interesting statement of the interview
            
            Anyway, so while I don't think we should condemn people based on
            such a single quoted sentence... I took a look at her website and
            the latest video reveals at 00:38 that she worked for the UK crime
            agency, which does sound like the one of the greatest possible
            conflicts of interest for someone called upon for privacy matters
            rather than crime fighting. Watching the rest of that interview,
            she approaches it fairly objectively but (my interpretation of) her
            point of view seems to be on the side of "even with this backdoor,
            a warrant needs issuing every time they use it and so there's
            adequate safeguards and the UK crime fighters and national security
            people should just get access to anything they can get a warrant
            for"
       
              mistercow wrote 2 days ago:
              Assuming you’ve framed it fairly, that’s a pretty atrocious
              point of view for someone calling themselves a privacy expert to
              hold. A privacy expert should know that backdoors are dangerous
              to privacy even if you trust the people who are supposed to have
              the keys.
       
        cluckindan wrote 3 days ago:
        The UK backdoor means US and other FVEY states are able to freely
        request any person’s private data from GCHQ.
       
        ianopolous wrote 3 days ago:
        If anyone’s looking for open-source, self-hostable, E2EE storage then
        checkout Peergos (disclaimer: lead here):
        
   URI  [1]: https://peergos.org
       
        -__---____-ZXyw wrote 3 days ago:
        Workers in tech jobs over the past few decades are the ones who are
        primarily to blame for the total degradation of the very notion of
        privacy, and our societies are, I think, reaping the consequences of
        this now in many ways.
        
        This story didn't spring up out of nowhere, like a monster from under
        the bed. It's been a gradual decline since, let's say, the 90s or so.
        
        I don't want to be vulgar, but the people who understood the best what
        was happening were mostly too busy taking large paychecks to get too
        upset about the whole thing. It got explained away, rationalised, joked
        about, and here we are.
       
          mihaaly wrote 3 days ago:
          Easier to push away the blame for a foot soldier, claiming to do
          things on orders or claiming to be absolutely f clueless where it
          leads, one is worse than the other. Thousands had to make this work
          and function as it is.
          
          Still, this is a different topic than the government use of law
          enforcement for preserving the shity situation that was built by the
          industry and its actors just when the trend becomes of fixing what
          was made to be crap, just when people want to correct the f up of the
          ignorant collaborants.
       
        butterknife wrote 3 days ago:
        If you're in the UK, please consider signing the below petition.
        Thanks.
        
   URI  [1]: https://you.38degrees.org.uk/petitions/keep-our-apple-data-enc...
       
          wrboyce wrote 2 days ago:
          I never understand why people create petitions (targeted at the gov)
          on a non-official site.
       
            Aachen wrote 2 days ago:
            I'm not familiar with UK law, but what's the matter? They're
            equally valid in jurisdictions that I know of, a signature is a
            signature no matter where it was put
            
            I'd personally just trust the government variant more with my
            government ID data than a third party but that's up to the
            petitioners to weigh and decide
       
              ljn wrote 1 day ago:
              In the UK, there's an official gov site for petitions, such that
              when a petition has >10k signatures, a government minister is
              required to write a response, and >100k triggers a parliamentary
              debate, iirc.
              
              Whether the responses/parliamentary debates the person triggers
              end up being useful is up for debate.
       
        fdb345 wrote 3 days ago:
        Are anyone of you lot getting the realisation onto why they are pushing
        Passkeys so hard?
        
        They know they access 8 out of 10 phones they seize.
        
        DONT USE PASSKEYS
       
        AlanYx wrote 3 days ago:
        Many people might not be aware of it, but Apple publishes a breakdown
        of the number of government requests for data that it receives, broken
        down by country.
        
        The number of UK requests has ballooned in recent years: [1] Much of
        this is likely related to the implementation and automation of the
        US-UK data access agreement pursuant to the CLOUD Act, which has
        streamlined this type of request by UK law enforcement and national
        security agencies.
        
   URI  [1]: https://www.apple.com/legal/transparency/gb.html#:~:text=77%25...
       
          EasyMark wrote 2 days ago:
          Sad to see the home of the magna carta slowly spiraling down into
          fascism and 1984. The government should be required to have a
          specific warrant to get at your personal data.
       
          HaZeust wrote 3 days ago:
          I don't share your findings, EVERY six-month period between January
          2014 - June 2017 shows bigger requests than any six-month period in
          the last 5 years.
       
          dvtkrlbs wrote 3 days ago:
          The problem is AFAIK this act is a lot different and Apple or any
          party that gets this order is completely forbidden to talk about it.
          So these kind of requests would not show up in this transparency
          requests. It is IMHO fair to assume Apple will UK this backdoor given
          they chose to disable Advanced Data Encryption and public would have
          no insight to amount and reasons to the backdoor usage. It is really
          troubling.
       
          sva_ wrote 3 days ago:
          Looking at the ones for Germany, those seem like rookie numbers
          
   URI    [1]: https://www.apple.com/legal/transparency/de.html#:~:text=77%...
       
            AlanYx wrote 3 days ago:
            It's also comparatively worse than the raw numbers suggest because
            the customer base of Apple phones in Germany is much smaller than
            in the UK.
       
              crossroadsguy wrote 2 days ago:
              I see numbers for USA and China very low as well.
              
              Maybe they don't have/need to request? ;-) Just saying.
       
                Synaesthesia wrote 1 day ago:
                In the UK and Germany people get arrested for social media
                posts. This doesn't really happen in the USA (or China, to my
                knowledge)
       
        mrandish wrote 3 days ago:
        > Online privacy expert Caro Robson said she believed it was
        "unprecedented" for a company "simply to withdraw a product rather than
        cooperate with a government".
        
        > "It would be a very, very worrying precedent if other communications
        operators felt they simply could withdraw products and not be held
        accountable by governments," she told the BBC.
        
        Attributing this shockingly pro-UK-spy-agencies quote to an "online
        privacy expert" without pointing out she consults for the UN, EU and
        international military agencies is typical BBC pro-government spin. In
        fact, Caro, it would be "very, very worrying" if communications
        operators didn't withdraw a product rather than be forced to make it
        deceptive and defective by design.
       
        als0 wrote 3 days ago:
        Is there a way for a UK iPhone to circumvent the warning and enable
        ADP? Like connecting through a VPN?
       
        IceHegel wrote 3 days ago:
        I'm sympathetic to the J.D. Vance angle, which is that European
        governments are increasingly scared of their own people. This is not
        doing a lot to change my mind.
       
          retinaros wrote 2 days ago:
          lol. ask JD Vance what he thinks about Assange or Snowden.
       
          blitzar wrote 2 days ago:
          I am unsympathetic to those that lecture others on not doing the very
          thing they are doing.
       
          randunel wrote 2 days ago:
          You might be unaware of FATCA, then.
       
          odiroot wrote 3 days ago:
          On our continent, the obvious solution to every problem under the sun
          is "more state".
       
          bongodongobob wrote 3 days ago:
          What the fuck? They should be. They absolutely aren't right now and
          that's a major problem.
       
          dtquad wrote 3 days ago:
          J.D. Vance's problem with Europe is that we have too many brown
          people.
          
          As a very privacy-oriented European I don't need American alt-right
          populists to concern troll about surveillance and privacy in Europe.
       
          gnfargbl wrote 3 days ago:
          To give you a counterpoint: from this side of the pond it is
          extremely surprising to see how effective Vance's speech has been in
          distracting a good proportion of the American public. Which, I have
          to suspect, was the real point.
       
          kelnos wrote 3 days ago:
          Governments should be scared of their people, though not in the way
          that I expect Vance means.
          
          It's certainly better than the opposite, where citizens and residents
          are scared of their government, which wields the power to deprive
          them of their freedom, possessions, and life.
       
            dennis_jeeves2 wrote 3 days ago:
            >Governments should be scared of their people, though not in the
            way that I expect Vance means.
            
            A guillotine once in a while for some politicians/bureaucrats will
            do some good. There is a rich history of the French doing it.  I'm
            not even trying to be funny.
       
          mihaaly wrote 3 days ago:
          Very wrong conclusions.
          
          They are not scared of people, but of working, doing their job,
          especially when it is difficult (catching criminals). They expect the
          job to be done for them by others, on the expense of everyone, while
          they collecting all the praise.
          
          On sympathetic to Vance I did not really found a presentable
          reaction, would not find on any other accidentally agreeable sentence
          leaving his mouth (very low chance btw.). Talking a lot about all
          kind of things sooner or later will hit something acceptable, which
          will not yield an unacceptable and destructive to society figure
          sympathetic.
          
          You also should be aware of practices and conducts the various US
          security services practice (and probably all governemnts out there),
          if not from news or law but at least from the movies. When we come to
          the topic of who is afraid of their own.
       
            rdm_blackhole wrote 3 days ago:
            Exactly, it's the same thing with the Chat Control law in the EU
            and it reminds me of the scene in the movie Office Space where the
            consultants are trying to figure out who is doing what in the
            company.
            
            Basically instead of doing their jobs, the cops expect Apple, Meta
            et al to intercept all the data, then feed it into some kind of AI
            black box (not done by them but contracted out to someone else at
            the taxpayer's expense) that will then decide if you get arrested
            within the next 48H (I am exaggerating but only slightly)
            
            What are the cops doing instead of doing their jobs? That's my
            question. Aren't they paid to go out and catch the criminals or do
            they simply expect to get the identity of people each day that need
            to be investigated?
       
            RIMR wrote 3 days ago:
            Well put. It's pretty much impossible to sympathize with Vance
            saying this when the administration he is a part of is
            scaremongering about "the enemy within".
       
          deelowe wrote 3 days ago:
          Then Vance should do something about the 5 eyes which is likely the
          source of this sort of thing.
       
          duxup wrote 3 days ago:
          I think the US government has made these kinds of requests too,
          similar tactics such as mass data collection without a warrant and so
          on.
          
          I don't think it is "scared" as much as just the usual human desire
          to do whatever the task is ... without thinking of the consequences.
       
          Cornbilly wrote 3 days ago:
          The unspoken part of that is Vance likely thinks that the people
          should fear their government.
       
            bilbo0s wrote 3 days ago:
            True.
            
            It's a very unwise position Vance takes.
            
            The world would clearly be better run if all governments feared
            their people, than it would if all people fear their governments.
            
            The UK can pull this kind of stuff precisely because they do not
            fear any consequences from their people.
       
          pathless wrote 3 days ago:
          This unexpected news really cemented that point for him.
       
        leonewton253 wrote 3 days ago:
        They should of forced ADP on by default and this would of never
        happened.
       
          int_19h wrote 3 days ago:
          The problem with that is that if the user loses their key, their
          account is no longer recoverable. As things are with ADP, enabling it
          comes with a bunch of warnings about that, and IIRC it also forces
          you to print out the recovery key for safe storage.
       
          commandersaki wrote 3 days ago:
          That would alienate users due to key management complexity. Apple is
          about having a smooth user experience.
       
            blitzar wrote 2 days ago:
            Apple processes multiple orders of magnitude more account
            recoveries for customers each day than receive government requests.
       
        adfm wrote 3 days ago:
        It's a drag that we're seeing this crap happen, but authoritarians will
        be authoritarians. What's the general opinion of tools like
        Cryptomator? [^1]
        
        [^1]:
        
   URI  [1]: https://cryptomator.org
       
        cynicalsecurity wrote 3 days ago:
        Could this have been a reason UK pushed to separation from the EU?
        
        EU is all for privacy while UK is slowly drifting towards becoming a
        Stasi state.
       
          rdm_blackhole wrote 3 days ago:
          This is blatantly false.
          
          The EU has been pushing to pass the Chat Control law for the last 3
          years which is even worse because at least in the UK the government
          would still need to get a warrant for the data they want whereas the
          EU wants to analyze your chat messages, emails and pictures in real
          time without cause or need to justify themselves.
       
            dumbledoren wrote 2 days ago:
            > Again and again, 'Eu' is not pushing anything like that. A few
            Euparl MPs backed by those like Ashton Kutcher did.
       
              rdm_blackhole wrote 2 days ago:
              The EU is pushing for this. The EU "Going Dark" group is pushing
              for this as well as per [1] The fact of the matter is that if the
              EU was, as it's been said, for privacy this proposal would not
              have been on the table in the first place. It should have been
              stopped 3 years ago but here we are again fighting for our rights
              and our privacy.
              
              And it doesn't matter how many times it gets shot down by some of
              the countries in the EU, the commission changes a few words and
              starts the process all over again because they know that sooner
              or later they will get it through.
              
              You can't have it both ways. You either are for privacy or you
              are not. If you are then this proposal should never have seen the
              light of the day and the people pushing for it should have been
              given a warning that this was off-limits.
              
              Instead they are biding their time so that when the time is right
              they can come back with a slightly altered but still incredibly
              damaging proposal hoping that it will pass.
              
              The EU pro-privacy stance is joke. They want access to the same
              data as the US except they don't have the courage to come out and
              say it so they wrap it in a nice little gift bag with the words
              "protect the children" on it.
              
              This is hypocrisy in it's purest form. Then some governments in
              the EU have the gall to call out authoritarians regimes around
              the world when they crack down on dissent and free speech? Give
              me a break!
              
   URI        [1]: https://edri.org/our-work/high-level-group-going-dark-ou...
       
                dumbledoren wrote 1 day ago:
                > The EU is pushing for this. The EU "Going Dark"
                
                There is no official effort from the Eu related to this. Where
                are you pulling that out from. A proposal by a few MPs in the
                Euparl is not 'Eu pushing someting'. And that "Eu Going dark"
                group is not an official Eu organ.
       
            izacus wrote 3 days ago:
            The Chat Control law was voted down and it would not apply for UK
            if they'd still be in EU.
       
              nickslaughter02 wrote 2 days ago:
              It has been voted down twice now. Guess what? That doesn't mean
              it's dead. It's being worked on as we speak. The last meeting was
              just a few weeks ago.
              
   URI        [1]: https://www.parlament.gv.at/dokument/XXVIII/EU/9693/imfn...
       
              rdm_blackhole wrote 2 days ago:
              See my comment above, it doesn't matter that it was voted down.
              The point is that it was allowed to go to a vote in the first
              place.
              
              How do you square being pro privacy but at the same time
              demanding to have unlimited access to all chat messages, emails,
              pictures and so on of all your citizens without the need for a
              warrant, without justification and without the citizens having
              any say on the matter?
              
              The answer is that you can't. You either are for privacy or you
              are not.
              
              As for not applying to the UK, that is a moot point because as
              soon as the EU gets it's wish then the UK will demand the same
              kind of access. Why would the UK government turn down such an
              opportunity?
       
          nickslaughter02 wrote 3 days ago:
          No, EU is NOT "all for privacy". I don't know where this myth comes
          from but I see it repeated here often.
          
          1. EU is pushing for mandatory on-device scanning of all your
          messages (chat control). The current proposal includes scanning of
          all videos and images all the time for all citizens. The proposal
          started with analyzing all text too. The discussions are happening
          behind close doors. EU Ombudsman has accused EU commission of
          "maladministration", no response.
          
          2. EU is allowing US companies to scan your emails and messages
          (ePrivacy Derogation). Extended for 2025.
          
          3. EU is pushing for expansion of data retention and to undermine
          encryption security (EU GoingDark).
          
          "The plan includes the reintroduction and expansion of the retention
          of citizens’ communications data as well as specific proposals to
          undermine the secure encryption of data on all connected devices,
          ranging from cars to smartphones, as well as data processed by
          service providers and data in transit." [1] 4. EU is pushing for
          mandatory age verification to use email, messengers and web
          applications. Citizens will be required to use EU approved
          verification providers. All accounts will be linked back to your real
          identity.
          
          5. "Anonymity is not a fundamental right": experts disagree with
          Europol chief's request for encryption back door (January 22, 2025)
          [2] -----
          
          Do you still believe EU is all for privacy? EU's privacy is
          deteriorating faster than in any other developed country / bloc. Some
          of these proposals have been blocked by Germany for now but that is
          expected to change after the upcoming elections.
          
   URI    [1]: https://www.patrick-breyer.de/en/eugoingdark-surveillance-pl...
   URI    [2]: https://www.techradar.com/computing/cyber-security/anonymity...
       
            dumbledoren wrote 2 days ago:
            <  EU is pushing for mandatory on-device scanning of all your
            messages (chat control)
            
            Again and again, 'Eu' is not pushing anything like that. A few
            Euparl MPs backed by those like Ashton Kutcher did.
            
            > Eu isnt 'planning' anything like that. Some Euparl MPs backed by
            people like Ashton Kutcher tried to push a law to spy on all chat
            apps. Then when the dirty web of American-style regulatory
            manipulation was exposed, they backed off. It was a proposal for a
            law by some MPs. Not something 'Eu' did.
       
              nickslaughter02 wrote 2 days ago:
              How can you say EU isn't planning anything like that when the
              last meeting to introduce just that was a few weeks ago? [1]
              Nobody backed off, it's still on the agenda. You are right
              however that the main lobby comes from US NGOs as exposed by
              documents coming from EU Commission.
              
   URI        [1]: https://www.parlament.gv.at/dokument/XXVIII/EU/9693/imfn...
       
                dumbledoren wrote 1 day ago:
                > How can you say EU isn't planning anything like that when the
                last meeting to introduce just that was a few weeks ago?
                
                I can say that because that PROPOSAL at the European PARLIAMENT
                was brought by a number of MPs. Its not an official Eu thing,
                it is not pushed by any official Eu organ. Any MP can bring ANY
                proposal to Euparl. It does not mean that Eu is 'pushing
                something'.
                
                > Nobody backed off, it's still on the agenda
                
                Its not on 'the agenda'. The MPs who pushed it backed off after
                their links to the American 'NGOs' were exposed. They said that
                they would bring it up again at a later time. That doesn't mean
                that its on 'the agenda'. Any MP in the Euparl can bring any
                proposal at any time. That does not mean that Euparl is doing
                it and there is notable support behind it.
       
        Kim_Bruning wrote 3 days ago:
        The current EU-UK adequacy decision[1] is up for review this 27 June
        [2] .
        
        Aspects of the UK investigatory powers act is close enough to US FISA
        [2] that I think this might have some influence, if brought up. IPA
        2016 was known at the time of the original adequacy decision, but IPA
        was amended in 2024 . While some things might be improvements, the
        changes to Technical Capability Notices warrant new scrutiny.
        
        Especially seeing this example where IPA leads to reduced security is
        of some concern, I should think. The fact that security can be
        subverted in secret might make it a bit tricky for the EU to monitor at
        all. [1] [2] ibid. Article 4
        
        [3] FISA section 702
        
   URI  [1]: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX...
   URI  [2]: https://www.govinfo.gov/content/pkg/BILLS-110hr6304pcs/html/BI...
       
        smashah wrote 3 days ago:
        Notice all the undemocratic dictatorships that did not require this of
        apple. The UK is in decline completely.
       
        nomilk wrote 3 days ago:
        Wonder what the cost/benefit looks like from Apple's perspective.
        
        If this requirement increases the proportion of data on Apple's servers
        that is now unencrypted (or encrypted but which can be trivially
        unencrypted), that could be a huge plus to Apple; more data to use for
        ad targeting (or to sell to third parties), and more data to train AI
        models on.
       
        freedomben wrote 3 days ago:
        Devil's Advocate (meaning I don't agree with this, in fact I disagree
        with it, but I don't see this argument being made anywhere and think it
        would be interesting.  If you're one of the people who are offended by
        this practice of people steel-manning "the other side" and only want to
        read comments that affirm your position, please don't read this
        comment).
        
        Question: Wouldn't it be better for Apple to build a UK-only encryption
        that is backdoored but is at least better than nothing?  If Apple
        really cared about people's privacy, why just abandon them?
        
        My position:  No because this is a war, not a battle.  Creating a
        backdoored encryption would immediately trigger every government on the
        planet passing laws banning use of non-back-doored encryption, which
        would ultimately lead us to a much, much worse world.  Refusing to do
        it is the right thing IMHO.
       
          everfree wrote 3 days ago:
          Without Advanced Data Protection, your data is still encrypted at
          rest, it's just that Apple safeguards the encryption key. The purpose
          of ADP is to remove control of this key from Apple, so that it's
          impossible for Apple to leak your data to any third party, even if
          they are compelled to.
          
          So to me, backdoor encryption seems like it defeats the whole point
          of ADP, no? But if not - even if there is some tiny marginal benefit
          - cryptography is extremely expensive to get right. It's doubtful
          that it makes financial sense to Apple to develop a new encryption
          workflow for a single country for very slight security benefits.
          
          And it still wouldn't be complying with the UK's demands anyways. The
          UK demanded access to accounts worldwide. If Apple is going to be
          non-compliant, then they might as well be non-compliant the easy way.
       
          cat_meowpspsps wrote 3 days ago:
          The UK's law here is specifically targetting encrypted data globally.
          
          > The UK government's demand came through a "technical capability
          notice" under the Investigatory Powers Act (IPA), requiring Apple to
          create a backdoor that would allow British security officials to
          access encrypted user data globally.
       
        ljm wrote 3 days ago:
        Fundamentally, I think the issue is more about technical literacy
        amongst the political establishment who consistently rely on the
        fallacy that having nothing to hide means you have nothing to fear.
        Especially in the UK which operates as a paternalistic state and enjoys
        authoritarian support across all parties.
        
        On the authoritarianism: these laws are always worded in such a way
        that they can be applied or targeted vaguely, basically to work around
        other legislation. They will stop thinking of the children as soon as
        the law is put into play, and it's hardly likely that pedo rings or
        rape gangs will be top of the list of priorities.
        
        On the technical literacy: the government has the mistaken belief that
        their back door will know the difference between the good guys
        (presumably them) and the bad guys, and the bad guys will be locked
        out. However, the only real protection is security by obscurity: it's
        illegal to reveal that this backdoor exists or was even requested. Any
        bad guy can make a reasonable assumption that a multinational tech
        company offering cloud services has been compromised, so this just
        paints another target on their backs.
        
        I've said it before, but I guarantee that the monkey's paw has been
        infinitely curling with this, and it's a dream come true for any black
        or grey hat hacker who wants to try and compromise the government
        through a backdoor like this.
       
          elAhmo wrote 2 days ago:
          > the government has the mistaken belief that their back door will
          know the difference between the good guys (presumably them) and the
          bad guys
          
          This is a very good point, and in the recent months we have been
          witnessing that people in government, or aiming to become the
          government, are definitely not the good guys. So, even if what they
          are asking would be limited to just governments (which it wouldn't),
          they can't claim they are the good guys anymore.
       
          gerdesj wrote 3 days ago:
          "Especially in the UK which operates as a paternalistic state and
          enjoys authoritarian support across all parties."
          
          What is a "paternalistic state".  I studied Latin so obviously I
          understand pater == father but what is a father-like state?
          
          What on earth is: "authoritarian support across all parties".
          
          The UK has one Parliament, four Executives (England, Northern
          Ireland, Scotland, Wales) and a Monarch (he's actually quite a few
          Monarchs).
          
          Anyway, I do agree with you that destroying routine encryption is a
          bloody daft idea.  It's a bit sad that Apple sold it as an extra add
          on.  It does not cost much to run openssl - its proper open source.
       
            switch007 wrote 1 day ago:
            Are you trying to disagree with them by pretending that they're
            speaking rubbish? As a Brit, their comment made complete sense to
            me.
            
            By the way, there is no 'England' executive; it's the government of
            the United Kingdom, which handles all matters not devolved, in
            England and the rest of the UK.
       
            ljm wrote 2 days ago:
            Government knows what’s best for the people (colloquially we call
            it the nanny state).
            
            All our main political parties have an authoritarian slant so these
            policies have rarely received long-lasting opposition. Literally
            every government in office for the past 30-odd years has presented
            legislation like this.
       
            walthamstow wrote 2 days ago:
            Paternalism, unless I'm mistaken, is a belief among those in power
            that they what's best for you, better than you do, and will
            exercise power on your behalf in that manner. Just like your
            parents do when you're a child.
       
            catlikesshrimp wrote 3 days ago:
            In medicine, a paternalistic attitude towards the patient from a
            point of authority  (like a father)
            The doctor acts as if he knows more and knows what is better. The
            patient has his own preferences and priorities, but they don't
            necessarily match with what the doctor does.
            
            I suppose a paternalistic state functions to satisfy the needs of
            the people, and to define those needs. The people get what the
            state says is best for them.
       
          EchoReflection wrote 3 days ago:
          "it's hardly likely that pedo rings or rape gangs will be top of the
          list of priorities".... is this not one of the most disturbing,
          disgusting, psychologically troubling and damning ideas ever to be
          put to words/brought to awareness? . Right up there "let's
          meticulously plan out this horrific, atrocious, dehumanizing act and
          meditate upon the consequences, and then choose the most brutal and
          villainous option".  Dear Lord....
       
            dsign wrote 2 days ago:
            >  is this not one of the most disturbing, disgusting,
            psychologically troubling and damning ideas ever to be put to
            words/brought to awareness? .
            
            Hmm? Hell has depths. Your yard might be a little too short to
            measure them? In that case, just think about this: rape is probably
            most common in prisons, where you will send innocents the moment
            this dragnet thing glitches.
       
            AnthonyMouse wrote 3 days ago:
            People are extremely opposed to pedos, so they're a primary
            rationalization for oppressive technology. But then you have two
            problems.
            
            First, pedos know everybody hates them, so they take measures
            normal people wouldn't in order to avoid detection, and then
            backdooring the tech used by everybody else doesn't work against
            them because they'll use something else. But it does impair the
            security of normal people.
            
            Second, there aren't actually that many pedos and the easy to catch
            ones get caught regardless and the hard to catch ones get away with
            it regardless, which leaves the intersection of "easy enough to
            catch but wouldn't have been caught without this" as a set
            plausibly containing zero suspects. Not that they won't use it
            against the ones who would have been caught anyway and then declare
            victory, but it's the sort of thing that's pretty useless against
            the ones it's claimed to exist in order to catch, and therefore not
            something it can be used effectively in order to do.
            
            Whereas industrial espionage or LOVEINT or draining grandma's
            retirement account or manipulating ordinary people who don't
            realize they should be taking countermeasures -- the abuses of the
            system -- those are the things it's effective at bringing about,
            because ordinary people don't expect themselves to be targets.
       
          smsm42 wrote 3 days ago:
          It's not literacy. They don't care. They need control, and if
          establishing control means increased risks for you, it's not
          something they see as a negative factor. It's your problem, not
          theirs.
       
            kypro wrote 3 days ago:
            Agreed.
            
            I used to think it was illiteracy, but when you hear politicians
            talk about this you realise more often than not they're not
            completely naive and can speak to the concerns people have, but
            fundamentally their calculation here is that privacy doesn't really
            matter that much and when your argument for not breaking encryption
            based around the right to privacy you're not going to convince them
            to care.
            
            You see a similar thing in the UK (and Europe generally) with
            freedom of speech. Politicians here understand why freedom of
            speech is important and why people some oppose blasphemy laws, but
            that doesn't mean you can just burn a bible in the UK without being
            arrested for a hate crime because fundamentally our politicians
            (and most people in the UK) believe freedom from offence is more
            important than freedom of speech.
            
            When values are misaligned (safety > privacy) you can't win
            arguments by simply appealing to the importance of privacy or
            freedom of speech. UK values are very authoritarian these days.
       
            cryptonector wrote 3 days ago:
            They don't even need control.  They want control.  Why?  Either
            they're idiots who think they need control or they are tyrants who
            know they'll need control later on when they start doing seriously
            tyrannical things.
       
              jamil7 wrote 2 days ago:
              > Why? Either they're idiots who think they need control or they
              are tyrants
              
              Many politicians are individuals without any talent who desire
              power and control, politics is the only avenue open to people
              like that.
       
                cryptonector wrote 2 days ago:
                And many are sociopaths and psychopaths who love to wield power
                over others.  Some of those sociopaths and psychopaths are very
                very smart.
       
              smsm42 wrote 2 days ago:
              It's natural for the government to want control. It's literally
              what it is optimized for - control. More control is always better
              than less control. More data about subjects always better than
              less data. What if they do something that we don't want them
              doing and we don't know? It's scary. We need more control.
              
              > they'll need control later on when they start doing seriously
              tyrannical things.
              
              You mean like when they start jailing people for social media
              posts? Or when they are going to ban kitchen knives? Or when
              they're going to hide a massive gang rape scandal because it
              makes them look bad? Or when they would convict 900+ people on
              false charges of fraud because they couldn't admit their computer
              system was broken? Come on, we all know this is not possible.
       
                zarathustreal wrote 1 day ago:
                I’d upvote this a thousand times if I could, so many people
                holding opinions on purely selfish grounds
       
              hackernoops wrote 3 days ago:
              It's the latter.
       
                cryptonector wrote 3 days ago:
                Of course it is.
       
            redeeman wrote 3 days ago:
            opinion: any government that "needs" such control, is an enemy of
            the people and must be abolished, and anyone can morally and
            ethically do so
       
              jbjbjbjb wrote 3 days ago:
              Well it’s important that the argument is correct. They view
              ending end-to-end encryption as a way to restore the
              effectiveness of traditional warrants. It isn’t necessarily
              about mass surveillance and the implementation could prevent mass
              surveillance but allow warrants.
              
              I oppose that because end to end encryption is still possible by
              anyone with something to hide, it is trivial to implement. I
              think governments should just take the L in the interest of
              freedom.
       
                staplers wrote 3 days ago:
                governments should just take the L in the interest of freedom
                
                This was written into the US constitution. Unfortunately, most
                either don't know or care that it's all but ignored in
                practice.
       
                AnthonyMouse wrote 3 days ago:
                > They view ending end-to-end encryption as a way to restore
                the effectiveness of traditional warrants.
                
                Traditional warrants couldn't retroactively capture historical
                realtime communications because that stuff wasn't traditionally
                recorded to begin with.
                
                > It isn’t necessarily about mass surveillance and the
                implementation could prevent mass surveillance but allow
                warrants.
                
                The implementation that allows this is the one where executing
                a warrant has a high inherent cost, e.g. because they have to
                physically plant a bug on the device. If you can tap any device
                from the server then you can tap every device from the server
                (and so can anyone who can compromise the server).
       
                  jbjbjbjb wrote 3 days ago:
                  They shouldn’t be able to tap any device from a server.
                  I’m guessing they would have to apply for a warrant and
                  serve the warrant to Apple who review the warrant and provide
                  the data.
       
                    AnthonyMouse wrote 3 days ago:
                    Putting the panopticon server in a building that says Apple
                    or Microsoft at the entrance hasn't solved anything.
                    Corporations are hardly more trustworthy than the
                    government, can be coerced into doing the mass surveillance
                    under gag orders, could be doing it for themselves without
                    telling anyone, and would still be maintaining servers with
                    access to everything that could be compromised by organized
                    crime or foreign governments.
                    
                    Which is why the clients have to be doing the encryption
                    themselves in a documented way that establishes the server
                    can't be doing that.
       
            ben_w wrote 3 days ago:
            The government put in restrictions against using certain powers in
            the Investigatory Powers Act to spy on members of parliament
            (unless the Prime Minister says so, section 26), so I think they're
            just oblivious to the risk model of "when hackers are involved, the
            computer isn't capable of knowing the order wasn't legal".
            
   URI      [1]: https://www.legislation.gov.uk/ukpga/2016/25/section/26
       
              tehwebguy wrote 2 days ago:
              Absolutely not, MPs are not too stupid to process the concept of
              “a back door is a back door” they simply want this power and
              do not care about security or privacy if non-MPs. Everyone who
              voted for this needs to be thrown out of politics, but that will
              obviously not happen.
       
              lozenge wrote 3 days ago:
              That actually shows they understand and care because they don't
              want the law to apply to them. They don't care about its effects
              on other people.
       
                ben_w wrote 3 days ago:
                No, it shows they're thinking of computers like they think of
                police officers.
                
                Computer literacy 101: to err is human, to really foul up
                requires a computer.
                
                They don't understand that by requiring the capability for
                going after domestic criminals, they've given a huge gift to
                their international adversaries' intelligence agencies. (And
                given this is about a computer vulnerability, "international
                adversaries" includes terrorists, and possibly disgruntled
                teenagers, not just governments).
       
                  soulofmischief wrote 2 days ago:
                  They understand. Signal Foundation's president, Meredith
                  Whittaker, among many other tech leaders, have made it
                  abundantly clear to both the UK and the EU. [1] If
                  politicians don't understand after such campaigning, it's a
                  choice in willful ignorance, not bad computer literacy.
                  
   URI            [1]: https://techcrunch.com/2023/09/21/meredith-whittaker...
       
                    ben_w wrote 2 days ago:
                    I personally campaigned at the time the law was being
                    debated. Met my local MP, even.
                    
                    If I'd known about the idea of "inferential gap" at the
                    time, my own effort might not have been completely
                    ignored… though probably still wouldn't have changed the
                    end result as I still don't know how to show lawmakers that
                    their model of how computers and software functions has led
                    to a law that exposed them, personally, to hostile actors.
                    
                    How even do you explain to people with zero computer
                    lessons that adding a new access mechanism increases the
                    attack surface and makes hacking easier?
                    
                    The politicians seem to see computers as magic boxes,
                    presumably in much the same way and for much the same
                    reason that I see Westminster debates and PMQs as 650
                    people who never grew out of tipsy university debating
                    society life.
                    
                    (And regardless of if it is fair for me to see them that
                    way, that makes it hard to find the right combination of
                    words to change their minds).
       
                      soulofmischief wrote 2 days ago:
                      > How even do you explain to people with zero computer
                      lessons that adding a new access mechanism increases the
                      attack surface and makes hacking easier?
                      
                      You literally tell them that. That's it. As prominent
                      tech leaders have been doing. They either choose to
                      believe experts, or disbelieve them. Or they could get a
                      CS major. They chose option #2. They ostensibly
                      disbelieve experts because what they're hearing does not
                      mesh with what they want.
                      
                      But let's be honest with ourselves; it's not that they
                      disbelieve them, or don't understand. It's that they
                      don't care. You are giving these people way too much of a
                      benefit of the doubt. They have the tools at their
                      disposal to remove any ignorance.
       
                        ben_w wrote 2 days ago:
                        > You literally tell them that. That's it. As prominent
                        tech leaders have been doing.
                        
                        As it's not working, QED not "that's it".
                        
                        > You are giving these people way too much of a benefit
                        of the doubt.
                        
                        They're hurting their own interests in the process. If
                        they were just hurting my interests, I'd agree with
                        you. But this stuff increases the risk to themselves,
                        directly. I may have even told them about [1] given the
                        timing.
                        
   URI                  [1]: https://cve.mitre.org/cgi-bin/cvename.cgi?name...
       
                          soulofmischief wrote 1 day ago:
                          > As it's not working, QED not "that's it".
                          
                          Neither is underestimating your enemy or making
                          excuses for their behavior.
       
                  newdee wrote 2 days ago:
                  I think it could be for both reasons
       
          yubblegum wrote 3 days ago:
          > technical literacy amongst the political establishment who
          consistently rely on the fallacy that having nothing to hide means
          you have nothing to fear.
          
          That's an awfully generous assessment on your part. Kindly explain
          just what "technical literacy" has to do with the formulation you
          note. From here it reads like you are misdirecting and clouding the
          -intent- by the powerful here.
          
          Also does ERIC SCHMIDT an accomplished geek (who is an official
          member of MIC since (during?) his departure from Sun Microsystems)
          suffers from "technical literacy" issues: [1] Thank you in advance
          for clarifying your thought process here. Tech illiteracy -> what you
          got to hide there buddy?
          
   URI    [1]: https://news.ycombinator.com/item?id=983717
       
            bunderbunder wrote 3 days ago:
            Let me offer a possible example that might be more in line with the
            HN commenting guideline about interpreting people's comments as
            charitably as reasonably possible:
            
            My password manager vault isn't exactly something to hide in the
            political sense, but it's definitely something I would fear is
            exposed to heightened risk of compromise if there were a backdoor,
            even one for government surveillance purposes. And it's a
            reasonable concern that I think a lot of people aren't taking
            seriously enough due, in part, to a lack of technical literacy.
            Both in terms of not realizing how it materially impacts everyday
            people regardless of whether they're up to no good, and in terms of
            not realizing just how juicy a target this would be for agents up
            to and including state-level adversaries.
            
            As for Eric Schmidt, he's something of a peculiar case. I don't
            doubt his technical literacy, but the dude is still the head of one
            of the world's largest surveillance capitalist enterprises, and, as
            the saying goes, "It is difficult to get a man to understand
            something when his salary depends on his not understanding it."
       
            stavros wrote 3 days ago:
            I feel like the comment was clear, technical illiteracy leads
            politicians to believe that they'll be the only ones with access to
            this backdoor, which isn't true.
       
              yubblegum wrote 3 days ago:
              The comment's clarity was not questioned. You are passing around
              the same tired line that because politicians do not understand
              technology and how it can be used against anyone. Sure computers
              are new but communication technology is not. All a politician
              needs to understand is "capability". That is it. "We can read
              their communications", no degree in CS required. Also, they have
              power geeks advising them left and right. They know
              "capabilities" can be misused. They know this.
              
              Is this clear?
       
                stavros wrote 3 days ago:
                >> Kindly explain just what "technical literacy" has to do with
                the formulation you note.
                
                >> Thank you in advance for clarifying your thought process
                here.
                
                > The comment's clarity was not questioned.
       
              trinsic2 wrote 3 days ago:
              Yeah. Not buying it. They know, or someone smart enough told them
              that backdoors can be accessed by anyone with enough skill. They
              just don't care because the people that are asking for this are
              criminals already and wanting profit off of other people's data.
       
              ninalanyon wrote 3 days ago:
              It isn't necessarily the case that they all care if criminals can
              get in to the average person's data so long as the authorities
              also can.
       
          miohtama wrote 3 days ago:
          Furthermore, one UK head of state call everyone supporting encryption
          pedophiles
          
   URI    [1]: https://x.com/BenWallace70/status/1892972120818299199
       
            hackernoops wrote 3 days ago:
            Ironic.
       
            GJim wrote 3 days ago:
            > one UK head of state
            
            What on earth are you talking about?
            
            Charles III is head of state, and before that, Liz II.    The monarch
            absolutely does not get involved in politics.
       
              sib wrote 2 days ago:
              >> The monarch absolutely does not get involved in politics.
              
              The monarch picks the Prime Minister, no? That seems pretty
              involved.
       
                GJim wrote 17 hours 30 min ago:
                Good Lord man! Where are you finding this rubbish!
                
                The Members of Parliament choose the Prime Minister. The role
                of the monarch in confining them is purely ceremonial.
       
                polshaw wrote 2 days ago:
                No, the monarch does not pick the Prime Minister. At all.
                
                They have a ceremonial role in confirming them. Like they do
                with every law that Parliament creates. If they ever actually
                practically exercised this theoretical power it would be the
                end of the monarchy.
       
            mschuster91 wrote 3 days ago:
            And that's why it is so important to nip this "pedo" / "think of
            the children" crap right in the bud.
            
            Obviously pedos on the interwebs are bad, but hey as long as it's
            just anime they're whacking off to I don't care too much. But the
            real abuse, that's done by - especially in the UK - rich and famous
            people like Jimmy Savile. And you're not gonna catch these pedos
            with banning encryption, that's a fucking smokescreen if I ever saw
            one, you're gonna catch them with police legwork and by actually
            teaching young children about their bodies!
       
              worik wrote 3 days ago:
              > But the real abuse, that's done by - especially in the UK -
              rich and famous people like Jimmy Savile
              
              Jimmy Savile was a vile predator.  He was protected by the inane
              customs of the British ruling class.
              
              He was not alone among the toffs of England.
              
              But do not be mistaken.  It is not just the rich and powerful
              where you find sexual predators.  They exist at all levels of
              society, all genders, most ages (I will except infants and the
              aged infirm....)
              
              Jimmy Savile was a symptom of something much darker, much worse
              and widespread.
       
                kypro wrote 3 days ago:
                Honestly if the UK wants to reduce sexual crimes against
                children and adults one of the easiest ways to achieve that
                would be to reform UK liable law.
                
                In the UK if you're raped by someone famous you'd be an utter
                idiot to say anything unless you're loaded or have a massive
                amount of hard evidence. You couldn't have a me to movement in
                the UK because everyone who came forward would be sued into
                bankruptcy. This is why so many people knew about Savile but no
                one said anything.
       
                  worik wrote 3 days ago:
                  The rules of evidence in court are important too.
                  
                  It is the victim on trial, many times.
       
                bigfudge wrote 3 days ago:
                Jimmy Saville was many things, but I don’t think he was a
                toff. His ability to abuse was about power, and perhaps gender,
                but not class.
       
                mschuster91 wrote 3 days ago:
                Yeah but if you sell the populace on the idea that pedos are
                only something that's a threat on the interwebs the populace
                won't care about all the other pedos, and if there is a pedo
                scandal like the next Savile the government can just go and
                shrug and say "we did all we could". And that is the point
                behind all that pedo scare.
       
            ThePowerOfFuet wrote 3 days ago:
            
            
   URI      [1]: https://xcancel.com/BenWallace70/status/189297212081829919...
       
              doublerabbit wrote 3 days ago:
              Thank you.
       
            scott_w wrote 3 days ago:
            Just to be clear: Wallace is not a head of state, or even an MP any
            more. At one point, he was Secretary of State for Defence, a
            Cabinet position, however he resigned this in 2023.
            
            This doesn’t justify his position (it’s stupid) but he
            doesn’t speak for the current government.
       
              onei wrote 3 days ago:
              To clarify a bit further, the UK head of state is King Charles
              III, as he is for a bunch of other countries in the Commonwealth.
              
              Head of state in the UK is a bit weird compared to countries that
              abolished or never had a monarchy.
       
                ttepasse wrote 3 days ago:
                The vast majority of democracies separated the roles of head of
                state and head of government.
       
                ojhp wrote 3 days ago:
                Technically we did abolish the monarchy back in the 17th
                century, but the replacement was so bad we brought them back
                about 10 years later, which I think makes us a minority of one
                and even more weird.
                
                Anyway, back on topic: this is a ridiculous law that is forcing
                services to erode their security while smart criminals can just
                use some nice free open-source software somewhere else for E2E
                communication. And a lot of this is definitely down to
                lawmakers not understanding technology.
       
                scott_w wrote 3 days ago:
                You’re correct, however I gave GP the benefit of the doubt
                and assumed they meant Secretary of State ;-)
                
                And, to be fair, while I’m generally a small r republican,
                I’m seeing benefits of having a non politically aligned head
                of state after J6. While the monarch has limited power, booting
                out a PM that can’t command the confidence of Parliament is
                one of them. The question of whether Johnson would accept being
                dethroned a la Trump was always silly given his consent was
                never needed.
       
                  worik wrote 3 days ago:
                  > And, to be fair, while I’m generally a small r
                  republican, I’m seeing benefits of having a non politically
                  aligned head of state
                  
                  One of the benefits of a constitutional monarchy is the head
                  of state did not campaign for the position.
       
                    c0ndu17 wrote 2 days ago:
                    I’ve become a bit of fan of it over the last few years.
                    That said, I don’t think the UK can be replicated.
                    
                    It wraps ultimate power up in a contradiction, you have it
                    but you can’t use it. Sure, technically you could but it
                    would be your last act.
                    
                    Another important aspect, the for and against is currently
                    split between parties, so there’s somewhat of unification
                    factor between parties on that divide as well.
                    
                    It gets a lot of hate, because it is imperfect, but I
                    don’t think it gets its fair shake. My views more of, if
                    it ain’t broke is it really worth the risk changing it.
       
                      worik wrote 2 days ago:
                      > Sure, technically you could but it would be your last
                      act.
                      
                      It was used in Australia in the 1970s
       
                  onei wrote 3 days ago:
                  The UK monarch's power is largely based on convention more
                  than active decision making. For example, a government is
                  formed at the invitation of the monarch, but that's long
                  reflected the results of an election. Getting rid of a PM
                  generally happens when they run out of luck. That sometimes
                  coincides with the ruling party/coalition imploding. The next
                  PM is then shortlisted by MPs and selected by a minority of
                  the electorate.
                  
                  I guess the US equivalent is the leader of the house being
                  unable to hold their majority together. In some ways the
                  presidential election feels more democratic if a relative
                  outsider (like Trump was) can win. But a 2 year lead up is
                  crazy.
       
          exe34 wrote 3 days ago:
          > that having nothing to hide means you have nothing to fear
          
          hopefully the US turning from leader of the free world to Russia's
          tool will give them the kick they need to realise that just because
          you trust the government now doesn't mean you trust the next
          government or the one after it.
       
            isaacremuant wrote 3 days ago:
            > hopefully the US turning from leader of the free world to
            Russia's tool
            
            So much humour in one short phrase.
            
            Do you really believe your propaganda or is it just absentmindedly
            parroting pro permanent war talking points?
       
              bspammer wrote 2 days ago:
              What would you call the ridiculous claim that Ukraine started the
              war? Who else does that serve but Russia?
       
                exe34 wrote 2 days ago:
                "your honour, they repeatedly hit my fist with their face".
       
              exe34 wrote 3 days ago:
              He demands $500bn of rare earth minerals, insists that Ukraine
              started the war by getting invaded and wants Zelensky to be
              replaced by a Russian puppet. It's amazing how the US went from
              the defender of the free world to just another thug.
       
                isaacremuant wrote 2 days ago:
                "defender of the free world" is just so funny to me. I'm sorry
                to burst your bubble of jingoism and US imperialism
                excepcionalism.
       
                  exe34 wrote 2 days ago:
                  what do you call US nukes in Europe? that's exactly what it
                  was - Pax Americana, 70 years of peace and prosperity has
                  come to an end for most countries. Now Russia has an ally in
                  their old enemy.
       
            GeekyBear wrote 3 days ago:
            You probably don't want to look up which US President tried to
            force Apple to insert an encryption back door into iPhones back in
            2015.
            
            However, Google did only start moving to protect location data from
            subpoenas after people started to worry that location data could be
            used as a legal weapon against women who went to an abortion
            clinic, so your larger point stands.
       
              dguest wrote 2 days ago:
              Points about Russia or partisan politics aside, there are now at
              least 10M people living in the US who have a very strong
              incentive to hide all their data from the executive branch.
              That's to say nothing of the countless millions who might want to
              help them.
              
              The demand for encryption just exploded, in a legal gray area
              (city, state, and federal laws seem to be in conflict here) it's
              just a question of whether governments allows the supply to
              follow.
       
              jshier wrote 3 days ago:
              That would be none, as it was the FBI, operating independently
              (as it's supposed to), which tried to force the issue. They even
              tried to go to Congress but found little support for their stunt.
              I'm not even sure Obama ever spoke in support of the backdoor,
              much less used any political power to make it a reality.
       
                GeekyBear wrote 3 days ago:
                Sorry, but the FBI is part of the executive branch.
                
                This is exactly like saying that President Trump has nothing to
                do with the actions of the executive branch agencies today.
       
                  exe34 wrote 3 days ago:
                  it's true that the honour system only works when there's
                  honour in the people in charge.
                  
                  when a clown moves into a palace, the clown doesn't become
                  the king - the palace becomes a circus.
       
                    GeekyBear wrote 3 days ago:
                    Haven't we already learned that gaslighting the public is
                    counterproductive?
                    
                    President Obama sold himself as a Constitutional scholar
                    who would set right the civil liberties overreach of his
                    predecessor.
                    
                    You aren't going to convince sane people that his executive
                    branch agencies sought to gut the fourth amendment without
                    his being aware of it, despite months of extensive press
                    coverage.
       
                      exe34 wrote 3 days ago:
                      "the other side is just as bad" isn't the justification
                      that a lot of people seem to think it is. if you don't
                      like what the other side has done, don't just copy them.
                      do better.
       
                        GeekyBear wrote 3 days ago:
                        It's simpler.  If you claim that a particular action
                        would be bad if the other political team were to
                        perform it, don't suddenly make excuses for that very
                        same action if it turns out that your favored political
                        team has previously performed it.
       
                          exe34 wrote 2 days ago:
                          you're still doing it.
       
          kingkongjaffa wrote 3 days ago:
          > Especially in the UK which operates as a paternalistic state and
          enjoys authoritarian support across all parties.
          
          This seemed strange to point out. It’s not really any more or less
          “paternalistic” than most western nations including the US.
       
            gleenn wrote 3 days ago:
            If you see a red car driving down the street do you not call it red
            because there are many other red cars? They're adding color (pun
            intended) to their description of the general bias of the UK
            government. What you're doing is called Whataboutism - the argument
            that others are doing something similar or as bad in different
            contexts. It doesn't make what the UK is doing any less bad for
            citizens (and non-citizens) privacy or data sovereignty.
       
              polshaw wrote 2 days ago:
              You don't say it's "especially" red then do you. The comparison
              was started by the GP.
       
            15155 wrote 3 days ago:
            Folks in the United States aren't routinely arrested for Facebook
            posts.
       
              cmdli wrote 2 days ago:
              The AP News was just kicked out of press conferences for not
              using the government-preferred term for the Gulf of Mexico. The
              new director of the FBI is pledging to go after members of the
              press that he doesn't like. The US is jumping headfirst in the
              "bad speech isn't free" direction in the past month.
       
              twixfel wrote 3 days ago:
              There are limits to speech in every country, including the US. 
              What I always find baffling is the sheer arrogance of Americans,
              that the only way to be a free and democratic country is their
              way, to the extent that they send their elected representatives
              to Germany of all places to implicitly argue for the legalisation
              of the Hitler salute.
              
              Meanwhile their country has slid into fascism.    Sad and tragic.
       
              jirf_dev wrote 3 days ago:
              Of course they are. Violent threats and admitting illegal
              activity on social media can lead to arrests in the US. By being
              so unspecific your comment does not really foster good discussion
              on the topic. You should describe what kind of posts they are
              being arrested for and which laws/protections in the UK you are
              specifically criticizing.
       
              4ndrewl wrote 3 days ago:
              They're not arrested for posting on Facebook. They're arrested
              for _what_ they're posting on Facebook.
       
                JBSay wrote 3 days ago:
                Just like any other authoritarian state
       
                  4ndrewl wrote 3 days ago:
                  Hardly. There are limits to speech in most jurisdictions.
                  That hardly crosses the threshold for "authoritarian". The
                  high profile cases in the UK have been around incitement to
                  violence and contempt of court.
       
                pb7 wrote 3 days ago:
                Yes, people in the US don't get arrested for that.
       
                  maccard wrote 3 days ago:
                  Yes, they do. [1] [2] [3]
                  
   URI            [1]: https://www.justice.gov/usao-az/pr/page-man-charged-...
   URI            [2]: https://edition.cnn.com/2015/04/30/us/georgia-woman-...
   URI            [3]: https://www.cnbc.com/amp/2023/10/19/influencer-gets-...
   URI            [4]: https://www.justice.gov/usao-ndal/pr/birmingham-man-...
       
                    fencepost wrote 3 days ago:
                    No, they get arrested for conduct that would be criminal no
                    matter where they did it. Facebook (2x) and Twitter (2x)
                    were the (virtual) venues where the crimes were committed,
                    but the crimes were attempting to organize a mob to burn
                    down a courthouse, inciting and threatening to murder
                    police, conspiracy to suppress votes and threatening to
                    kill the President. The crimes would be just as criminal
                    had they been done in person at a local bar (or any other
                    physical location).
       
                      maccard wrote 3 days ago:
                      Which is exactly the same as in the UK.
                      
                      >  The crimes would be just as criminal had they been
                      done in person at a local bar (or any other physical
                      location).
                      
                      I agree. Where the US differs is that because of the US's
                      1st amendment it's _not_ a crime to say those things even
                      in a bar.
                      
                      Anyway, all of that to say that americans are arrested
                      for posting things on the internet, despite what people
                      claim.
       
                    4ndrewl wrote 3 days ago:
                    Stop it. We don't deal in "facts" any more.
       
          kmeisthax wrote 3 days ago:
          What the politicians want is partial security: something they can
          crack but criminals can't. That is achievable in physical security,
          but not in cybersecurity.
          
          I have a feeling the politicians already know partial cybersecurity
          isn't an option, and don't care. Certainly, the intelligence
          community advising them absolutely does know. We don't even have to
          be conspiratorial about it: their jobs are easier in the world where
          secrets are illegal than in the world where hackers actually get
          stopped.
       
            eterm wrote 2 days ago:
            > That is achievable in physical security, but not in cybersecurity
            
            This isn't accurate though, and leads us down the path of trying to
            prevent these bad laws from a technical perspective when we should
            be fighting the principle of the bad law not just decrying it for
            being "unworkable".
            
            It is possible to construct encryption schemes with a "backdoor
            key" while still being provably secure against anyone else.
            
            This creates precisely the "partial security" you describe:
            Criminals can't crack the encryption, but the government can use
            their backdoor-key.
            
            But like those who argue online age-consent schemes can't work, it
            doesn't help to argue against the technical aspects of such bad
            laws. The law, particularly UK law, doesn't care for what's
            technically possible. The bad laws can sit on the books regardless
            of the technical feasibility of enforcement. Eventually technology
            can catch up, or the law can simply be applied on a best endeavours
            / selective enforcement approach.
       
              kmeisthax wrote 1 day ago:
              You are correct that we can engineer a cryptosystem with two sets
              of keys.
              
              However, nothing prevents keys from being stolen by someone else.
              In a normal cryptosystem the security of the key is entirely up
              to you; but in a "law enforcement accessible" system now you have
              to worry about the feds getting hacked, too. And since the feds
              will have backdoor keys for many, many users; there is much more
              interest in stealing those keys.
              
              Physical security has a different set of tradeoffs. Notably, you
              have to actually be physically present to manipulate and defeat a
              physical lock, which is what I was alluding to. Even then, it
              provides an example of how easily a backdoor can be compromised.
              The Travel Sentry system exists to allow TSA employees to unlock
              and inspect luggage. There are seven master keys in total; copies
              of which are spread around thousands of airports with tens to
              hundreds of TSA employees each. Suffice it to say, the master
              keys leaked decades ago and you can buy them off Amazon for a few
              bucks. Any such backdoor key will need similar levels of access
              to government employees and will likely leak for the same reasons
              as the TSA keys. Except that the consequence of an encryption
              backdoor key leaking will be much higher than someone being able
              to open luggage locks.
              
              Politically, there is also an argument that we should be able to
              keep secrets from the state. Certainly, there is a reason why we
              have a 4th Amendment, and it is not because searches and seizures
              just so happen to be inconvenient.
              
              As for age-of-consent checking, the problem is that existing age
              verification services would be able to track everyone who
              accesses an age-verified site. Which, given today's legal climate
              basically demanding age verification for everything[0], would
              give the verifier access to your whole browsing history.
              
              Physical age verification is relatively privacy-preserving: I
              present my ID and that's that. The government that issued that ID
              does not learn where I presented it, because it's an offline
              credential. The people I'm doing business with do learn my
              identity, and they could sell that information, but that's
              something they didn't need an ID to do (so we should pass a law
              to prohibit that).
              
              [0] There is also a political argument that the 1st Amendment
              precludes age verification on social media - aka "don't censor
              kids"
       
              jmholla wrote 2 days ago:
              > This creates precisely the "partial security" you describe:
              Criminals can't crack the encryption, but the government can use
              their backdoor-key.
              
              No, it doesn't. Now criminals just have to get the key. These
              schemes have been tried many times. They've been discovered by
              actors that shouldn't have access to them.
              
              Please don't go around advising government leaders and
              organizations. This is exactly the problem solving capabilities
              of governmental leaders that security experts are decrying here
              in this thread.
              
              I honestly though get you're comment was going to go along the
              lines of perfect physical security can only be perfectly secure
              from everyone, including the people it shouldn't be. We
              constantly see the hacking oh physical locations. The big things
              keeping some orgs from being attacked: redundancy, observability,
              and ENCRYPTION WITHOUT BACKDOORS!
       
              jliptzin wrote 2 days ago:
              And what happens when someone in the government inevitably leaks
              the key either intentionally or because of a hack?
       
            joncp wrote 3 days ago:
            > That is achievable in physical security, but not in
            cybersecurity.
            
            Not with physical security either, I'm afraid.
       
              kmeisthax wrote 1 day ago:
              Any physical lock can be manipulated, even the particularly
              high-security ones. But in practice, most locks are not even
              challenged because doing so requires actually walking up to the
              lock and trying. You can't try every physical lock in existence;
              but you can try every digital lock. So the effects of, say, an
              encryption backdoor key compromise would be far greater and far
              more immediate than, say, the compromise of the Travel Sentry
              master keys.
       
              cryptonector wrote 3 days ago:
              With physical security the state apparatus can provide physical
              security in the form of police and what not, as well as
              deterrence and punishment.
              
              In the world of cryptography it's... a bit harder to do something
              similar.  In the best case they can come up with a key escrow
              system that doesn't suck too much, force you to use it, and
              hopefully they don't ever get the master keys hacked and stolen
              or leaked.  But they're not asking for key escrow.  They're
              asking for providers to be the escrow agents or whatever worse
              thing they come up with.
       
        nomilk wrote 3 days ago:
        Wow - how sad. To think the 2nd highest scoring post ever on hacker
        news is Apple's 2016 A Message to Our Customers. A display of
        intelligence, morality and courage under great pressure: [1] How things
        have changed.
        
        > In a statement Apple said it was "gravely disappointed"
        
        So are we, Apple. So are we.
        
   URI  [1]: https://hn.algolia.com
       
          okeuro49 wrote 3 days ago:
          Apple did the right thing.
          
          I would much rather they were transparent, so that people can move
          services, rather than build a backdoor in secret, to appease the
          far-left Labour government.
       
            stoobs wrote 3 days ago:
            Oh stop with "far left" nonsense, none of our main political
            parties are much further than slightly left or right of centrist.
       
            nomilk wrote 3 days ago:
            Building a backdoor and telling us is better than building a
            backdoor and not telling us, but not building a backdoor at all is
            ideal.
       
        CodeWriter23 wrote 3 days ago:
        If Apple was a real American Company they would solve this issue by
        withdrawing their devices from the UK.
       
          int_19h wrote 3 days ago:
          Is Palantir a Real American Company?
       
        sumuyuda wrote 3 days ago:
        Apple could have disabled iCloud completely for UK users. This would
        protect both UK users and other users who’s data would also been
        captured in an iCloud backup.
        
        They would lose some money on services, but would have been the better
        choice to stand up to the UK government and protect the UK users.
       
          jdminhbg wrote 3 days ago:
          It's fine to continue providing the service as long as people know
          it's not encrypted. I am not worried about my photos being
          subpoenaed; I am worried about losing them. I'd rather have the
          service.
       
        j-bos wrote 3 days ago:
        This law raises serious concerns about being a non UK resident using
        British software, like Linux Mint.
       
          nobankai wrote 3 days ago:
          No, it really does not.
       
            Ylpertnodi wrote 3 days ago:
            How can you definitively know?
       
              nobankai wrote 3 days ago:
              In the case of Linux Mint, I can check the commit history, build
              the software myself and even validate it against public
              checksums. It is expressly defended against these types of
              attacks, making it an odd choice to single out.
       
                mihaaly wrote 3 days ago:
                Isn't it already a law violation using it in certain scenarios?
                Or will be soon?
       
                  Aachen wrote 2 days ago:
                  No? Instead of speaking in question marks, why not link or
                  reference the law or scenarios you're talking about?
       
                    mihaaly wrote 2 days ago:
                    You seriously need to re-learn what the concept of asking a
                    question means!
                    
                    It looks like you were using it so long for passive
                    agressive arguing that it lost its original meaning for you
                    completely!
                    
                    I was asking.
       
                      Aachen wrote 2 days ago:
                      So was I, because I have no idea what you're talking
                      about so I'm curious about any more details to be able to
                      look up why Linux Mint would be illegal in the UK.
                      There's a myriad of laws it could fall under so
                      undirected keyword searches won't let me find it and I'm
                      also not sure if anyone can even read all laws that exist
                      to see if there's anything related to what Linux Mint
                      is/does, the question seems unanswerable but hints
                      towards a certain thing being potentially illegal without
                      saying what it is
       
        xyst wrote 3 days ago:
        If you care about privacy and security of your data, you aren’t using
        public services from Apple or Google, or “big tech” anyways.
        
        I always thought of “cloud” services to be a sham. I only trust
        them with transient data or junk data anyways (glorified temp storage,
        at best).
       
        Ruq wrote 3 days ago:
        Honestly I'm surprised that rather than trying to build stupid
        backdoors and such, tyrannical governments don't just try to make a
        encryption key database. They hold ALL the keys and can get into
        anything they want, anytime they want. If you get caught with keys or
        encrypted data they can't access, punishment ensues.
        
        Like if you're gonna try to eliminate privacy and freedom, just be
        honest and open about your intentions.
       
        santiagobasulto wrote 3 days ago:
        What happens if a British citizen/resident buys an iPhone in the USA?
        
        Btw, as a European citizen, I always buy my devices in the USA. We can
        complain about the US as much as we want, but Europe is on another
        level.
       
          commandersaki wrote 3 days ago:
          I think the iCloud services is based on the region of your Apple
          Account. So you could theoretically use a US region Apple Account and
          enjoy iCloud services. But that means you won't get UK region apps,
          except in the app store you can switch to different Apple Accounts as
          you please, so you can have multiple accounts for different regions
          (which is what I do).
       
          Ylpertnodi wrote 3 days ago:
          As an EU citizen, the US* (govts) can stay way from my stuff. I won't
          even vpn through the
          
          *or any other gubments.
          
          Of course, when the rubber truncheon comes out, I'd be happy to show
          my encrypted stuff. But until then, or without a warrant, I'd prefer
          not to.
       
        andyjohnson0 wrote 3 days ago:
        Presumably this applies to the iPhones owned by UK government
        ministers, civil servants, personal devices of military personnel, UK
        businesses, etc.
        
        As a brit, I find that my government's stupidity is almost its only
        reliable attribute.
       
          mrweasel wrote 3 days ago:
          Presumably not, politicians have a way of excepting themselves in
          these types of laws. It's almost as if they understand the need for
          privacy, they just fail to apply that understanding to any scenarios
          beyond their own.
       
            fdb345 wrote 3 days ago:
            "Presumably not"
            
            Rubbish.   Give me one example?    They will have to abide as well.
       
              8fingerlouie wrote 3 days ago:
              Not a UK example, but Chat Control (2.0) explicitly exempts
              various politicians and government officials from being spied on.
       
            andyjohnson0 wrote 3 days ago:
            I meant that Apple's decision to withdraw ADP applies to them, not
            the Investigatory Powers Act. Or are you saying that Apple will
            give them a free exemption?
       
        kouru225 wrote 3 days ago:
        I’m at the point where I’m ready to get a pixel and install
        graphene
       
          wishfish wrote 3 days ago:
          I'm in a similar position. Strongly considering replacing my iPhone
          with a Pixel. But I realize I'm vulnerable via cloud services.
          GrapheneOS won't save me from someone poking through my Dropbox. I'll
          have to find another option for that too.
       
            AlgebraFox wrote 2 days ago:
            Nextcloud works great on GrapheneOS if you are willing to self
            host.
       
          noescgchq wrote 3 days ago:
          Right but then you are jailed at Heathrow for not unlocking your
          phone.
          
          The UK has made it clear that Counter Terrorism legislation has no
          limits in UK law even if that means compromising all systems and
          leaving them vulnerable to state actor attacks.
          
          MPs will continue to use encrypted messaging systems that disappear
          messages during any inquiries of course.
       
            aqueueaqueue wrote 3 days ago:
            Take a dumb phone (or none)?
       
            fdb345 wrote 3 days ago:
            Except no one has ever been jailed for simply refusing to unlock a
            phone unless there was heavy evidence there was something on the
            phone.
            
            Stop spreading incorrect FUD
       
              okasaki wrote 3 days ago:
              You're an ignorant fool:
              
   URI        [1]: https://www.theregister.com/Print/2009/11/24/ripa_jfl/
       
                fdb345 wrote 2 days ago:
                LOL literally a suspected terrorsit.
       
                  Aachen wrote 2 days ago:
                  Being in court for something doesn't make you guilty of said
                  thing. What's the "heavy evidence" you say they had before
                  jailing this person?
       
              timc3 wrote 3 days ago:
              No one that we have heard of yet.
       
            shaky-carrousel wrote 3 days ago:
            You can provide a self destroy PIN with GrapheneOS.
       
              runjake wrote 3 days ago:
              And that certainly wouldn't raise their suspicion. Surely, they'd
              immediately let you go after that stunt.
       
                shaky-carrousel wrote 2 days ago:
                Of course they could throw a tantrum, but it wouldn't be
                nothing but that, and they will have to release you once they
                cool down.
                
                What are they going to say? That they won't release you until
                you magically unerase the phone? There's nothing to wait for.
       
                  Aachen wrote 2 days ago:
                  I agree there is nothing to coerce out of you anymore and so
                  you'd not be held on this forced decryption law... but not
                  complying with such a court order probably results in another
                  offence for which you can then get punished (not sure if a
                  fine, community service, or jail time would be most likely
                  for this), on top of that it doesn't look good to the judge
                  who presides over the original case in which they de demanded
                  the decryption in the first place
       
                dclowd9901 wrote 3 days ago:
                But it would be up to him, wouldn't it? I think that's the main
                deal here: cart blanche access to your data, or giving into
                someone's bullshit fishing attempt because it's inconvenient.
       
            sangnoir wrote 3 days ago:
            Schiphol was already the superior airport for connections anyway,
            not being arrested just sweetens the deal.
       
          varispeed wrote 3 days ago:
          Until it will be illegal to do so.
       
        perdomon wrote 3 days ago:
        Can someone explain what's changed in the UK that they would consider
        requesting unfettered access to all Apple customer data (including
        outside their own borders)? I get that the NSA is infamous for
        warrant-less surveillance, but this seems a step further.
       
          drak0n1c wrote 3 days ago:
          Labour Party was elected six months ago. It is doubling down on
          existing government surveillance policy as a cure-all weapon to
          investigate and chill opposition, and to humble foreign tech
          companies.
       
          guccihat wrote 3 days ago:
          It is "just" the domestic intelligence agency ordering Apple to
          backdoor their own system be able to supply data for lawful
          interception. As I read the article, it's not a UK backdoor in the
          sense they can roam around in every users data. The domestic agencies
          still need to follow the rules of lawful interception, namely they
          need a warrant, and it is targeted at UK nationals only. At least
          that is how I read the article.
       
          crimsoneer wrote 3 days ago:
          This isn't warrant-less, it's with a warrant. This isn't really a
          change the UK, it's the UK trying to adapt to the proliferation of
          E2E encryption - ten years ago, law enforcement could always access
          your messages, now the default if you're on whatsapp/iMessage is they
          can't because E2E is on by default. UK lawmakers aren't happy with a
          default position of the state being totally incapable of reading
          messages, no matter what the law says.
          
          It might not be cryptographically sensible, but it is responding to a
          real change in the strength of the state.
       
          r00fus wrote 3 days ago:
          This is part and parcel of the collapse of western capitalism (aka
          American empire).  You get two main choices when capitalism fails -
          fascism or communism/socialism.  It's clear that the UK has chosen
          fascism (either liberals like Labor or extreme right like Reform).
       
            dumbledoren wrote 2 days ago:
            That choice exists only in cases in which the people can effect a
            revolution. The UK elite is too strongly in control of the country
            through its establishment, so, it will be a loud tumble down the
            hillside towards fascism...
       
          chippiewill wrote 3 days ago:
          Nothing's changed, they just want the same access to people's data
          they've always had. They loved completely unencrypted text messages.
          
          The rise of first-party end-to-end encryption has made life difficult
          for the security services so they just want to get rid of it.
          
          Also historically the US government loved the UK doing all this
          spying because the US wasn't allowed to do a lot of it on their own
          citizens.
       
          varispeed wrote 3 days ago:
          Uncontrolled immigration and terrorist threat, but also probably they
          want to look at people's nudes. Jolly lot.
       
        fdb345 wrote 3 days ago:
        How will they enforce this?
        
        They will have to send out messages 'You have 32465 hours before you
        account is deleted unless you decrypt'
        
        This is NOT a good look.
       
        tene80i wrote 3 days ago:
        I have a naive question, and it's genuine curiosity, not a defence of
        what's happening here.
        
        This ADP feature has only existed for a couple of years, right? I
        understand people are mad that it's now gone, but why weren't people
        mad _before_ it existed? For like, a decade? Why do people treat iCloud
        as immediately dangerous now, if they didn't before?
        
        Did they think it was fully encrypted when it wasn't? Did people not
        care about E2E encryption and now they do? Is it that E2E wasn't
        possible before? If it's such a huge deal to people now, why would they
        have ever used iCloud or anything like it, and now feel betrayed?
       
          aqueueaqueue wrote 3 days ago:
          People learn stuff over time. If you are not living like RMS you
          probably are allowing something to spy on you. If that spying gets
          removed you become aware. You don't want it back.
          
          It is like anything that gets better. Fight for the better. It is
          like aviation safety: who cares about a few crashes this year when
          people didn't complain in the 70s.
       
          saljam wrote 3 days ago:
          i mainly use apple devices, but never put anything on icloud before
          adp came out.
       
          mihaaly wrote 3 days ago:
          The situation was not something existed since the beginning of time,
          it evolved gradually. Long ago not that much and not that many
          critically private data was circulating the net, it increased and got
          essential living online by time, in some instances forced in an
          increasing portion of situations. Worry then had no grounds yet. As
          exposure of the population grew, so did the benefit for adverse
          elements breaking online data stores, growing in numbers fast, not
          all made properly in the headless chase of success. Damage and hence
          awareness grew gradually.
          
          But basically yes, people are stupid and gave no shit but believed
          all f nonsense, the marketing frauds made them eating up their crap
          happy if it had pretty words and pictures, promising something
          halfway to Paradise. Like the Cloud mirage. Those of careful
          personality were cautious since the first time Apple and alike pushed
          on people giving up control over their own data for tiny comfort (or
          no comfort eventually due to all hostile patterns in the full
          picture) not putting all and every precious or slightly valuable
          stuff to some unknown server on the internet protected only by
          hundreds of years old method: password (so not protected at all
          essentially). Memories, contacts, schedules, communications,
          documents, clone of their devices in full, putting all into 'cloud'
          (much before secure online storage became a thing)? Many times to the
          very same one? Who are that much idiots, really?!
       
          deelowe wrote 3 days ago:
          Apple has been advertising security and privacy as a top feature for
          years now. It would make sense for people to get upset if those
          features were removed.
       
          LeoPanthera wrote 3 days ago:
          iCloud did a lot less, in the past. Disabling it now gives you access
          to more data than it did a few years ago. And I also suspect it has
          far more users today than it did a few years ago.
       
          procaryote wrote 3 days ago:
          An E2E encrypted thing that later gets a special backdoor added is
          obviously much worse than a not E2E encrypted thing.
          
          It's like when google suddenly decided that their on-device-only 2FA
          app Google Authenticator should get an opt-out unencrypted cloud
          backup.
          
          It means people who don't pay a lot of attention can suddenly have
          much less protection than they were originally sold on.
       
          TradingPlaces wrote 3 days ago:
          Apple and the FBI were squabbling over this for a few years, and then
          Apple decided to end the conversation one day and implement ADP
       
          AzzyHN wrote 3 days ago:
          Hacker News is a small subsection of the internet. I think the
          majority of people, probably 90% or more, simply do not care that
          much.
       
          nikisweeting wrote 3 days ago:
          I was mad for years that ADP didn't exist / was being witheld due to
          Apple+FBI negotiations for years.
          
          I 100% treated iCloud as dangerous until they released it, and I
          cheered in the streets when they finally did.
       
          fauigerzigerk wrote 3 days ago:
          I think it makes sense for the services we rely on to get more secure
          as the world gets more dangerous. It's an arms race. You don't want
          to go back.
       
          GeekyBear wrote 3 days ago:
          You've always been able to perform encrypted backups to your own
          local PC or Mac out of the box, so people who do care about privacy
          have always had that option.
          
          One thing I've found concerning is that Apple had encrypted cloud
          backups ready to roll out years ago, but delayed releasing the
          feature when the US government objected.
          
          > After years of delay under government pressure, Apple said
          Wednesday that it will offer fully encrypted backups of photos, chat
          histories and most other sensitive user data in its cloud storage
          system worldwide, putting them out of reach of most hackers, spies
          and law enforcement. [1] So the UK government isn't the only
          government that has objected to users having real privacy
          protections.
          
   URI    [1]: https://www.washingtonpost.com/technology/2022/12/07/icloud-...
       
          xyst wrote 3 days ago:
          People were mad. Remember the Snowden leaks and PRISM program from
          NSA? [1] In fact, Apple began to adopt “privacy” first marketing
          due to this fallout. Apple even doubled down on this by not assisting
          FBI with unlocking a terrorist suspects Apple device in 2016. [2] It
          was around that time I actually had _some_ respect for Apple. I was
          even a “Apple fanboy” for some time. But that respect and
          fanboi-ism was lost between 2019 and now.
          
          Between the deterioration of the Apple ecosystem (shitty macOS
          updates), pushing scanning of photos and uploading to central server
          (CSAM scanning scandal?), the god awful “Apple wall”, very poor
          interoperability, and very anti-repair stance of devices. [1]
          
   URI    [1]: https://www.theguardian.com/world/2013/jun/06/us-tech-giants...
   URI    [2]: https://money.cnn.com/2016/03/28/news/companies/fbi-apple-ip...
       
          post_break wrote 3 days ago:
          Yes, I was mad before it existed and didn't use icloud backups. With
          the E2E and ADP I turned it on. If it gets nuked in the US I'll go
          back to encrypted local backups only.
       
          matthewdgreen wrote 3 days ago:
          Many of us were very upset about Apple's slow-rolling this feature.
          There were many claims that they delayed the rollout due to
          government pressure [1] (note: that story is by the same reporter who
          broke today's news a couple of weeks ago.)
          
          Rolling out encryption takes time, so the best I can say is "finally
          it arrived," and then it was immediately attacked by the U.K.
          government and has now been disabled over there. I imagine that Apple
          is also now intimidated to further advertise the feature even here in
          the U.S. To me this indicates we (technical folks) should be making a
          much bigger deal about this feature to our non-technical friends.
          
   URI    [1]: https://www.reuters.com/article/world/exclusive-apple-droppe...
       
          jahewson wrote 3 days ago:
          The problem here is not with iCloud but with the U.K. government.
          People like to tell themselves the government isn’t actually
          trampling their rights but events like this make it impossible to
          ignore.
       
          ziddoap wrote 3 days ago:
          At one point in time, the entirety of web communication was
          completely unencrypted.
          
          Why were people not mad then? Do you think people would be angrier
          now, if HTTPS were suddenly outlawed?
          
          Among other valid answers, removing rights and privileges generally
          makes people angrier than not having those rights or privileges in
          the first place.
       
            muyuu wrote 3 days ago:
            always used my own encryption and cyphered any sensitive
            data/communications, but the problem is that most people won't and
            you're often compromised by them
            
            simple solutions like Whatsapp, Signal and ADP brought this to the
            masses - which some governments have issues about - and this makes
            a massive difference to everybody including those who wouldn't be
            caught dead using an iphone anyway
            
            if we could go back to the early 1990s when only professionals, Uni
            students, techies and enthusiasts used the internet I'd go in a
            heartbeat but that's not the world we're living in
       
            bostik wrote 3 days ago:
            > Why were people not mad then?
            
            Oh, we were. I am in the crowd who had been asking for generally
            used encryption since 1995. After all, we were already using SSH
            for our shell connections.
            
            The first introduction to SSL outside of internet banking and
            Amazon was for many online services to use encryption only for
            their login (and user preferences) page. The session token was then
            happily sent in the clear for all subsequent page loads.
            
            It took a while for always-on encryption to take hold, and many of
            the online services complained that enabling SSL for all their page
            loads was too expensive. Both computationally and in required
            hardware resources. When I wrote for an ICT magazine, I once did
            some easy benchmarking around the impact of public key size for
            connection handshakes. Back then a single 1024-bit RSA key
            encryption operation took 2ms. Doubling it to 2048 bits bumped that
            up to 8ms. (GMP operations have O(n^2) complexity in terms of
            keysize.)
       
              aqueueaqueue wrote 3 days ago:
              "We" is an special group. I am technical but never thought much
              about it back then. There is a boiling frog. The 90s internet was
              used for searching and silly emails. Now it has you life in the
              cloud. But that didn't happen in a day.
       
            viciousvoxel wrote 3 days ago:
            Counterpoint: when web communication was unencrypted it was before
            we did our banking, tax filing, sent medical records, and sent all
            other kinds of sensitive information over the internet. The risks
            today are not remotely the same as they once were.
       
          hirako2000 wrote 3 days ago:
          A few factors
          
          - e2e encryption is not ubiquitous yet, but awareness is ascending.
          
          - distrust for government also is on the uptrend.
          
          - more organized dissent to preserve privacy.
          
          No people didn't assume data was encrypted.
          
          Yes E2E has been possible for many decades, but businesses don't have
          privacy as a priority, sometimes even counter incentives to protect
          it. Personal data sells well.
          
          Things have changed because more people are getting to understand why
          it matters, forcing the hand of companies having to choice but at
          least feign to secure privacy.
       
          freeone3000 wrote 3 days ago:
          iCloud and iPhones have traditionally resisted US governmental
          overreach, only giving data to iCloud in cases of actual criminal
          prosecution against specific individuals. As well, iPhone backups in
          iCloud is relatively new, as are many other arbitrary storage
          features — it used to just be your songs and your photos! Now
          it’s data from all of your apps and a full phone backup. Hence the
          resistance: the stories of police being unable to recover data from a
          locked iPhone may now be over
       
          Shank wrote 3 days ago:
          I guess I'm one of the people who was upset that it didn't exist
          before, and I didn't enable iCloud Backup as a result. I didn't use
          iCloud Photos. I had everything stored on a NAS (which was in-fact
          encrypted properly) and used a rube goldberg-esque setup to move data
          to it periodically. I used iMazing and local encrypted backups on a
          schedule.
          
          Lots of people called for E2EE on this stuff, but let's be real about
          one thing: encryption as a feature being more accessible means more
          people can be exposed to it. Not everyone can afford a rube goldberg
          machine to backup their data to a NAS and not make it easily lost if
          that NAS dies or loses power. It takes immense time, skill, and
          energy to do that.
          
          And my fear isn't the government, either, mind you. I simply don't
          trust any cloud service provider to not be hacked or compromised
          (e.g., due to software vulnerability, like log4j) on a relatively
          long timescale. It's a pain to think about software security in that
          context.
          
          For me, ADP solves this and enables a lot of people who wouldn't
          otherwise be protected from cloud-based attacks to be protected.
          Sure, protection against crazy stuff like government requests is a
          bonus, but we've seen with Salt Typhoon that any backdoor can be
          found and exploited. We've seen major exploits in embedded software
          (log4j) that turn out to break massive providers.
          
          So, there were people upset, their concerns were definitely voiced on
          independent blogs and random publications, and now, we're back in the
          limelight because of the removal of the feature for people in the UK.
          
          But, speaking as a user of ADP outside of the UK, I am happy that ADP
          is standing up for it, and thankful that it exists.
          
          (To be clear: government backdoors, and government requests also
          scare me, but they aren't a direct threat to myself as much as a
          vulnerability that enables all user data to be viewed or downloaded
          by a random third-party).
       
          RenThraysk wrote 3 days ago:
          Think most people had no idea how it worked, it was magic to them.
          
          iCloud hacks (like in 2014) have raised awareness for the need for
          E2EE.
       
          writtenAnswer wrote 3 days ago:
          I think it is more about going backwards. It is often difficult to
          remove laws than to add them. This is a similar situation.
          
          In this situation, I agree that it is bad day for personal
          privacy/security
       
        fjjjrjj wrote 3 days ago:
        Does this mean I should treat travel to the UK the same way as China
        and only bring a burner device with no information on it or on cloud
        backup accounts?
       
          gnfargbl wrote 3 days ago:
          Border control agents in all countries -- including the US -- have
          fairly extensive powers to search your devices or deny you entry. I'm
          not sure this decision should change your calculus on that point.
          
          See also
          
   URI    [1]: https://medium.com/@thegrugq/stop-fabricating-travel-securit...
       
            fjjjrjj wrote 3 days ago:
            Company trade secrets probably shouldn't be on the device?  Edit -
            or the device's cloud backups?
       
        jcarrano wrote 3 days ago:
        The smartphone is a terrible platform. Something like this could never
        happen on the PC, where you can install any encryption and backup
        software that you want.
        
        While Apple did the right thing by refusing to give the UK government a
        backdoor, they are responsible for getting users in this situation in
        the first place.
        
        I'm not familiar with the iPhone and maybe there is already an
        alternative to iCloud ADP, although that would make this whole
        situation completely nonsensical.
       
          jahewson wrote 3 days ago:
          Given that the most popular software of this kind is Dropbox I’m
          quite confident that nothing you’ve said is true.
       
            jcarrano wrote 2 days ago:
            My point is that if someone wants e2e encrypted backup, it is not
            difficult to set up on a PC even for non power-users.
       
          shuckles wrote 3 days ago:
          The smartphone platform is the most secure by default personal
          computer most people own, largely because of the control enforced by
          Apple.
       
            globular-toast wrote 2 days ago:
            Secure for Apple, not for the users.
       
            devsda wrote 3 days ago:
            If we are saying "secure", we should talk about what we are
            securing and against whom.
            
            A smartphone may be secure against  malicious  individual actors
            but its certainly not the most secure when it comes to your private
            data. Modern day smartphone is designed to maximize capturing your
            private information like location, communication patterns, activity
            and (sometimes) health information and pass it on to as many
            private players(a.k.a apps) as possible, even to governments
            without your knowledge. You don't have much control over it.
            
            In that aspect it is less secure than your typical PC. A PC doesn't
            have that level of private  information in the first place and
            whatever information it has will leak only if you opt-in or get
            infected by malware.(recent Windows versions without necessary
            tweaks may be considered a malware by some).
       
              shuckles wrote 3 days ago:
              Plenty of people access their health records, etc. on a PC via
              files downloaded to random places on their computer. Are you
              trying to just say smartphones have a lot of sensors and are
              carried around in intimate places?
       
            sunshowers wrote 3 days ago:
            But along with that also comes a massive pressure point for rogue
            states to take advantage of. With a diversity of services this
            would not be nearly as possible.
       
          inetknght wrote 3 days ago:
          > Something like this could never happen on the PC, where you can
          install any encryption and backup software that you want.
          
          Microsoft wants to have a word with you regarding their Windows
          operating system that's installed on their device that you're
          renting.
       
            itscrush wrote 2 days ago:
            Veracrypt works just fine on M$ Windows 11 for FDE.
       
            jcarrano wrote 2 days ago:
            I'm on arch. Still, while I agree that Windows is becoming more
            closed, you are still free to create and distribute Windows app
            without asking anyone for permissions.
       
          snowwrestler wrote 3 days ago:
          I haven’t checked lately but since it launched the iPhone has
          allowed the owner to choose whether to back up to Apple’s servers
          (which would be affected by the UK order) or back up to their local
          computer.
       
            int_19h wrote 3 days ago:
            It's not an either-or, actually, even though the setting is worded
            like it is. But even if you have cloud backups enabled, you can
            still manually trigger a local backup.
       
            inetknght wrote 3 days ago:
            > or back up to their local computer.
            
            You mean back up to their Apple computer, yes?
            
            I certainly can't back up an iPhone to my Linux computer.
       
              sumuyuda wrote 3 days ago:
              Actually I think you can backup and restore your iPhone on Linux
              using libimobiledevice. They reverse engineered the protocols for
              the backup and restore service running on your iPhone.
              
   URI        [1]: https://libimobiledevice.org/
       
        throwaway77385 wrote 3 days ago:
        The nightmare continues.
        For now I am using 3rd party backup services that are (currently)
        promising me that my backups are encrypted by a key they do not have
        access to, or control over.
        But can this even be believed in an age where these secret notices are
        being served to any number of companies?
        I suppose the next step would be to ensure that files don't ever arrive
        in the cloud unencrypted, but I have yet to see a service that allows
        me to do this with the same level of convenience as, say, my current
        backup solution, which seamlessly backs up all my phones, my family
        members' phones, my laptops, their laptops etc.
        I depend on having an offsite backup of my data. Which inevitably
        includes my clients' data also. Which I am supposedly keeping secret
        from outside access. So how does that work once everything becomes
        backdoored?
       
          jahewson wrote 3 days ago:
          In the case of the U.K., they can throw you in jail for not handing
          over your encryption key, so it’s a moot point. They’ve been
          slowly expanding this power for twenty years now.
       
            fdb345 wrote 3 days ago:
            ive been through all this with the law.  no one ever got jailed for
            not handing over encryption keys unless they were a definitive
            criminal and theres strong evidence there is criminal data on the
            device.
            
            they tried this with me (NCA) but the judge wouldnt sign off as
            they had nothning on me or my device.     this did however REALLY
            want to access it!   fuck them.  pricks
       
              kiratp wrote 2 days ago:
              
              
   URI        [1]: https://www.telegraph.co.uk/news/2024/10/25/tommy-robins...
       
                fdb345 wrote 2 days ago:
                you just gave an example of a man who was highly likely to have
                something of interest on his phone. (as signed by a judge)
       
                  infinitifall wrote 2 days ago:
                  It is likely there is something of interest on your phone (as
                  signed by my friend Joe). Now unlock your phone or you will
                  be jailed.
       
                    fdb345 wrote 2 days ago:
                    Except that doesnt happen.   NCA wanted DESPERATELY to
                    access mine.   They couldnt do it.   No Judge would sign
                    off with evidence their was likely to be something on my
                    phone.
                    
                    See how real life destroys your oPiNioN?
       
                      pinoy420 wrote 1 day ago:
                      Why where did you do
       
              callc wrote 3 days ago:
              Ah yes, the “we have all the power but pinky promise to only
              use it on the bad guys” playbook. I have complete confidence
              and trust in that promise. /s
       
            bloqs wrote 3 days ago:
            Not for content in the cloud, as far as I understand. Someone will
            correct me, but you can be arrested and threatened with terror
            charges if you dont unlock your device, but this does not give them
            permission to access other computers via the internet.
       
              commandersaki wrote 3 days ago:
              Tommy Robinson trial for refusing to provide his unlock
              credentials when ingressing UK is happening in March this year.
       
          globular-toast wrote 3 days ago:
          Convenience usually comes at a cost. You shouldn't have to trust
          anyone. Just use a generic storage service and only upload encrypted
          files to it. Syncthing + Rclone will probably get you a similar setup
          that you control.
       
          grahamj wrote 3 days ago:
          IMO the only thing you can have a high level of trust in is your own
          *nix server. Backup those devices to it then encrypt there before
          being sent to the cloud.
       
            acuozzo wrote 3 days ago:
            > your own *nix server
            
            Just be sure it's pre-Intel Management Engine / pre-AMD Platform
            Security Processor!
       
            JohnFen wrote 3 days ago:
            Handling the encryption yourself is the way to go, but for maximum
            security, don't send that encrypted data to the cloud. Keep it all
            on your own server(s).
            
            That doesn't help people who aren't technically capable, of course.
            But at least those who are can protect themselves.
       
              cg5280 wrote 2 days ago:
              Why couldn't the government just get a warrant and take your
              local servers? At that point there doesn't seem to be much of a
              difference with respect to this threat model, at least cloud is
              convenient.
       
                derkades wrote 1 day ago:
                It is much more effort than sending a data request to a cloud
                provider, and it can't be done without you knowing.
       
              grahamj wrote 3 days ago:
              Depends what kind of security. Local doesn't help if your house
              burns down or is robbed.
       
          nemomarx wrote 3 days ago:
          security and convenience are ever at war.
       
        mynameyeff wrote 3 days ago:
        Yikes... looks like Apple sun is setting. This cannot be allowed to
        happen.
       
          HPsquared wrote 3 days ago:
          It's not just an Apple thing. It's not even just a UK thing.
       
        DataOverload wrote 3 days ago:
        This was predictable vs creating a backdoor
       
        yapyap wrote 3 days ago:
        yikes
       
        ComputerGuru wrote 3 days ago:
        Note that this doesn’t satisfy the government’s original request,
        which was for worldwide backdoor access into E2E-encrypted cloud
        accounts.
        
        But I have a more pertinent question: how can you “pull” E2E
        encryption without data loss? What happens to those that had this
        enabled?
        
        Edit:
        
        Part of my concern is that you have to keep in mind Apple's defense
        against backdooring E2E is the (US) doctrine that work cannot be
        compelled. Any solution Apple develops that enables "disable E2E for
        this account" makes it harder for them to claim that implementing that
        would be compelling work (or speech, if you prefer) if that capability
        already exists.
       
          ckcheng wrote 3 days ago:
          > Any solution Apple develops that enables "disable E2E for this
          account" makes it harder for them to claim that implementing that
          would be compelling work (or speech, if you prefer)
          
          I think it’s really speech [0], which is why it’s important to
          user privacy and security that Apple widely advertises their entire
          product line and business as valuing privacy.  That way, it’s a
          higher bar for a court to cross, on balance, when weighing whether to
          compel speech/code (& signing) to break E2EE.
          
          After all, if the CEO says privacy is unimportant [1], maybe
          compelling a code update to break E2EE is no big deal? (“The court
          is just asking you, Google, to say/code what you already believe”).
          
          Whereas if the company says they value privacy, then does the
          opposite without so much as a fight and then the stock price drops,
          maybe that’d be securities fraud? [2]. And so maybe that’d be
          harder to compel.
          
          [0]: [1]: [2]:
          
   URI    [1]: https://news.ycombinator.com/item?id=43134235
   URI    [2]: https://www.eff.org/deeplinks/2009/12/google-ceo-eric-schmid...
   URI    [3]: https://www.bloomberg.com/opinion/articles/2019-06-26/everyt...
       
          kelnos wrote 3 days ago:
          > the (US) doctrine that work cannot be compelled
          
          Is this actually a thing? Telecoms in the US are compelled to provide
          wiretap facilities to the US and state and local governments.
       
            ckcheng wrote 3 days ago:
            >> Apple's defense against backdooring E2E is the (US) doctrine
            that [government can’t] be compelling work (or speech, if you
            prefer)
            
            It’s really not "work” but speech. That’s why telecoms can be
            compelled to wiretap. But code is speech [2], signing that code is
            also speech, and speech is constitutionally protected (US).
            
            The tension is between the All Writs Act (requiring “third
            parties’ assistance to execute a prior order of the court”) and
            the First Amendment. [1] So Apple may be compelled to produce the
            iCloud drives the data is stored on. But they can’t be made to
            write and sign code to run locally in your iPhone to decrypt that
            E2EE data (even though obviously they technologically could).
            
            [1]
            
   URI      [1]: https://www.eff.org/deeplinks/2015/10/judge-doj-not-all-wr...
   URI      [2]: https://www.eff.org/deeplinks/2015/04/remembering-case-est...
       
              codedokode wrote 2 days ago:
              It's weird bending of law. Code, especially closed-source code,
              is not a speech; it's a mechanism and the government may mandate
              what features a mechanism must have (for example, a safety belt
              in a car).
       
          TeaBrain wrote 3 days ago:
          I think Prof Woodward's quote in the article will likely hold true
          for Apple's response to the original UK government request:
          
          "It was naïve of the UK government to think they could tell a US
          technology company what to do globally"
       
          mtrovo wrote 3 days ago:
          Apple is in a really tough position. I don't know if there's any way
          they could fulfil the original request without it effectively
          becoming a backdoor. Disabling E2E for the UK market is just kicking
          the can down the road.
          
          Even simply developing a tool to coerce users out of E2E without
          their explicit consent to comply with local laws could be abused in
          the future to obtain E2E messages with a warrant on different
          countries.
          
          A very difficult position to be in.
       
            MetaWhirledPeas wrote 3 days ago:
            > Apple is in a really tough position.
            
            You mean Apple is in a unique position to make a statement. No more
            Apple products in the UK. Mic drop. Exit stage left.
       
              sureIy wrote 3 days ago:
              But… money
       
                musictubes wrote 2 days ago:
                But customers. People keep saying they should just not be in
                that country. It is far better to have the choice of using an
                iPhone even if particular features are no longer available.
       
            replete wrote 3 days ago:
            Or, this is how they save face with their customers having complied
            with the request rather than stop trading with the UK.
       
          wrs wrote 3 days ago:
          > how can you “pull” E2E encryption without data loss
          
          You can’t. The article says if you don’t disable it (which you
          have to do yourself, they can’t do it for you, because it’s E2E),
          your iCloud account will be canceled.
       
            nashashmi wrote 3 days ago:
            At this point, the right thing to do is allow for an alt-service.
       
              jmb99 wrote 2 days ago:
              How would an alt service help this situation? You’d just end up
              with backdoored services advertising E2EE, no? Apple’s move
              here is definitely the right one, introduce as much friction as
              possible to hopefully get the user pissed off at their government
              for writing such stupid laws.
       
                nashashmi wrote 2 days ago:
                An alt service located in another country could provide e2ee
                for a fee and not be under UK law.
       
                NitpickLawyer wrote 2 days ago:
                > introduce as much friction as possible to hopefully get the
                user pissed off at their government for writing such stupid
                laws.
                
                I'm actually surprised that they didn't add more direct text in
                that screen. "We are unable to provide this service... BECAUSE
                OF YOUR GOVERNMENT 1984 STYLE REQUESTS. Contact your MPs here
                and here and oh, here's their unlocked icloud data, might want
                to add some choice pictures to their stash..." would have been
                a tad more on the nose...
       
              sneak wrote 3 days ago:
              Apple has an organization-wide mandate for services revenue.
              
              Every product must make money on an ongoing basis, every month.
              That's why you get constantly spammed to subscribe to things on
              iOS.
              
              Apple will never drop this anticompetitive practice of favoring
              their services until they are legally compelled to.
       
                nashashmi wrote 2 days ago:
                If they want to protest the government mandate, they should
                provide an alternative solution for the residents of this
                country
       
                bryan_w wrote 3 days ago:
                > you get constantly spammed to subscribe to things on iOS.
                
                Ad companies are the worst
       
          globular-toast wrote 3 days ago:
          > But I have a more pertinent question: how can you “pull” E2E
          encryption without data loss? What happens to those that had this
          enabled?
          
          Well exactly. The UK just showed the whole thing is a joke and that
          Apple can do this worldwide.
       
          tripdout wrote 3 days ago:
          The iOS screenshot displays a message saying it's no longer available
          for new users.
       
          rdtsc wrote 3 days ago:
          > how can you “pull” E2E encryption without data loss? What
          happens to those that had this enabled?
          
          They'll keep your data hostage and disable your iCloud account.
          Clever, huh? So they are not deleting it, just disabling your
          account. "If you don't like it, make your own hardware and cloud
          storage company" kind of a thing.
       
            lynx97 wrote 3 days ago:
            More like "If you don't like it, talk to your local politicians",
            which is, IMO, a totally valid approach.
       
              rdtsc wrote 3 days ago:
              > "If you don't like it, talk to your local politicians",
              
              Indeed people only noticed this because Apple tried to do the
              right thing and now it's somehow also Apple's fault. No good deed
              goes unpunished, I guess.
              
              I think there is a feeling the government power is so
              overwhelming that they are hoping maybe some trillion dollar
              corporation would help them out somehow.
       
          jl6 wrote 3 days ago:
          We are told the encryption keys reside only on your device. But Apple
          control “your” device so they can just issue an update that
          causes your device to decrypt data and upload it.
       
            sneak wrote 3 days ago:
            Apple do not remotely control devices, and automatic updates are
            not mandatory.
       
            GeekyBear wrote 3 days ago:
            Apple has already fought US government demands that they push an
            update that would allow the US governmrnt to break encryption on a
            user's device.
            
            > In 2015 and 2016, Apple Inc. received and objected to or
            challenged at least 11 orders issued by United States district
            courts under the All Writs Act of 1789. Most of these seek to
            compel Apple "to use its existing capabilities to extract data like
            contacts, photos and calls from locked iPhones running on operating
            systems iOS 7 and older" in order to assist in criminal
            investigations and prosecutions. A few requests, however, involve
            phones with more extensive security protections, which Apple has no
            current ability to break. These orders would compel Apple to write
            new software that would let the government bypass these devices'
            security and unlock the phones.
            
   URI      [1]: https://www.wikipedia.org/wiki/Apple%E2%80%93FBI_encryptio...
       
            RenThraysk wrote 3 days ago:
            Would just upload the keys
       
              drexlspivey wrote 3 days ago:
              Presumably these keys live in a hardware security module on your
              phone called “secure enclave” and cannot be extracted
       
                kevincox wrote 3 days ago:
                Apple can push firmware updates to the HSM just like the
                device. So if they really wanted they could add an operation
                that extracted the keys (likely by encrypting them to a key
                that lives in Apple's cloud).
       
                watusername wrote 3 days ago:
                From the Advanced Data Protection whitepaper [0], it appears
                the keys are stored in the iCloud Keychain domain, so not the
                Secure Enclave:
                
                > Conceptually, Advanced Data Protection is simple: All
                CloudKit Service keys that were generated on device and later
                uploaded to the available-after-authentication iCloud Hardware
                Security Modules (HSMs) in Apple data centers are deleted from
                those HSMs and instead kept entirely within the account’s
                iCloud Keychain protection domain. They are handled like the
                existing end-to-end encrypted service keys, which means Apple
                can no longer read or access these keys.
                
                [0]:
                
   URI          [1]: https://support.apple.com/guide/security/advanced-data...
       
                  jiveturkey wrote 3 days ago:
                  wrapped by a key hierarchy ultimately rooted by a key stored
                  in the secure enclave.
       
                    watusername wrote 3 days ago:
                    Well yes, the entire storage is. I was trying to explain
                    how it's extractable.
       
                      jiveturkey wrote 3 days ago:
                      fair!
       
                fsflover wrote 3 days ago:
                Is this module auditable though, or is "just trust us", like
                everything in the Apple world?
       
                  jmb99 wrote 2 days ago:
                  An HSM bypass (extracting keys, performing unauthenticated
                  crypto ops) on any recent iOS device is worth 10s of
                  millions, easily. Especially if combined with a one-click/no
                  click. In that sense, it’s auditable, because it’s one of
                  the biggest targets for any colour hat, and the people smart
                  enough to find a bug/backdoor would only be slightly aided by
                  a spec/firmware source, and a bit more by the verilog.
                  
                  This is true for pretty much every “real” hsm on the
                  planet btw. No one is sharing cutting edge enclave details,
                  Apple isn’t unique in this regard.
       
                  theshrike79 wrote 3 days ago:
                  If someone has a reliable and workable secure enclave hack
                  they can become a multi-millionaire for selling to state
                  actors or become one of the most famous hackers in the world
                  overnight (and possibly get a life changing amount of bounty
                  from Apple)
                  
                  Basically it's not a hack someone just throws on the internet
                  for everyone to use, it's WAY too valuable to burn like that.
       
                  LPisGood wrote 3 days ago:
                  It’s auditable in the sense that there is a very high
                  potential for reward (both reputationally and financially)
                  for security researchers to break it.
       
                    fsflover wrote 1 day ago:
                    The same reward exists with FLOSS, but it's much easier to
                    audit, making findings more likely. Also, security through
                    obscurity doesn't work.
       
                RenThraysk wrote 3 days ago:
                Ah yes, good point.
       
          madeofpalk wrote 3 days ago:
          When you disable ADP, your local encryption keys are uploaded to
          Apple's servers to be read by them.
          
          Apple could just lock you out of iCloud until you do this.
       
            kbolino wrote 3 days ago:
            The hardware will not allow this, at least not without
            modifications. The encryption keys are not exportable from the
            Secure Enclave, not even to Apple's own servers.
       
              QuiEgo wrote 2 days ago:
              Behind the scenes, it'd probably decrypt it locally
              piece-by-piece with the key in the Secure Enclave, and then
              reencrypt it with a new key that Apple has a copy of when you
              disable ADP.
       
              Twisell wrote 2 days ago:
              The Apple security paper describe how to disable ADP through a
              key rotation sequence.
              
              This will be a "forced rotation", they just need to decide how to
              communicate to users and work out what happens to those who don't
              comply. Lockout until key rotation look like an option as someone
              said.
       
                biggc wrote 2 days ago:
                Naive question: what prevents Apple from pushing a malicious
                software update that automatically disables ADP to UK users?
       
                kbolino wrote 2 days ago:
                Yeah, this seems the most likely thing to happen here. You'll
                be forced to disable ADP to continue using iCloud in the UK.
                This still leaves the question of tourists and other visitors,
                but it at least fits within the parameters of the system
                without changing its fundamentals.
       
              sureIy wrote 3 days ago:
              Are you gonna unlock that phone anytime soon?
              
              Thanks for opening the enclave, don't mind if I ship these keys
              back home.
              
              No notification needed, Apple has root access.
       
                jkbbwr wrote 2 days ago:
                Unless I am making a mistake here, you still can't extract keys
                of an opened enclave. You can just run operations against those
                keys.
       
                kbolino wrote 2 days ago:
                Assuming the enclave can receive OTA firmware updates and those
                updates can completely compromise it, which are not actually
                proven facts, there's no way to target this to the UK alone
                without either exempting tourists and creating a black market
                for loophole phones or else turning all of Britain into a "set
                foot here and ruin your iPhone forever" zone.
       
            oakesm9 wrote 3 days ago:
            That’s exactly the plan. Anyone with this enabled in the UK will
            need to manually disable it or they’ll get locked out of their
            iCloud account after a deadline.
       
              pacifika wrote 2 days ago:
              And I guess Apple gets fined for not allowing government approved
              alternatives to these services not long after.
       
        Goleniewski wrote 3 days ago:
        Think about it.. You don't even have to be an Apple user to be affected
        by this issue. If someone backs up their conversations with you to
        apple cloud, your exchange is now fair game. You get no say in it
        either.
        
        We all lose.
       
          globular-toast wrote 3 days ago:
          Security hinges on trust. The only real privacy tool is PGP which
          uses a web of trust model. But it only works if people own their own
          computers and storage devices. What they've done is got everyone to
          rent their computers and storage instead. There's no security model
          that works for the users here.
       
          Vaslo wrote 3 days ago:
          Scary - I try to use signal as much as possible now for this reason.
       
            IshKebab wrote 3 days ago:
            Signal can't evade this law either.
       
              blfr wrote 3 days ago:
              Why not? Signal was willing to run all kinds crazy setups to
              evade foreign laws, like domain fronting.
              
   URI        [1]: https://signal.org/blog/doodles-stickers-censorship/
       
                botanical76 wrote 3 days ago:
                If Signal can do it, then why doesn't Apple make a stand?
       
                  buzzerbetrayed wrote 2 days ago:
                  If signal doesn’t make a stand, the entire value prop of
                  signal collapses and they cease to be a thing.
                  
                  For Apple, privacy is one value prop. But seemingly smaller
                  one than the UK market.
       
          freeqaz wrote 3 days ago:
          That's why it's important to use apps like Signal where you can set
          the retention of your messages. I've got everybody I know using it
          now!
       
            sneak wrote 3 days ago:
            I use a patched Signal client that disables retention deletion and
            remote delete messages.
       
              ruined wrote 3 days ago:
              and that's awfully rude of you, but if you were concerned about
              message retention you wouldn't do that. so what's your point?
       
                spopejoy wrote 2 days ago:
                Nothing rude about it -- if the protocol depends on client-side
                s/w to pinky-swear it respects message retention, then it's an
                insecure protocol.
                
                I like signal and use it, but I already thought message
                retention was pointless. It seems at best a trusted informal
                protocol you can use with known parties but not something you
                can really rely on.
       
            fdb345 wrote 3 days ago:
            In a world where they cancel encryption they can't access...
            doesn't Signal and its CIA funded origins concern you?
       
              HumblyTossed wrote 3 days ago:
              Nope.  I actually think that would bring more scrutiny and so I
              feel safer knowing it's not be cracked.
       
                fdb345 wrote 3 days ago:
                interesting and illogical reply
       
                  HumblyTossed wrote 3 days ago:
                  No more illogical than trusting Apple's security because it
                  is ... Apple.
       
                    fdb345 wrote 2 days ago:
                    Well, here you are discussing why UK law needed a pass
                    because they are literally blocked by Apples security.    
                    Talk about Low IQ
       
                      HumblyTossed wrote 2 days ago:
                      Thanks for the attack on my IQ.  I see I have nothing to
                      worry about.
       
            hugh-avherald wrote 3 days ago:
            Setting a retention time out is playing with fire. If the police
            get ahold of the other party's device, and present an exhibit which
            they say contains the true conversation, you could be worse off
            than if you retained the conversation. The fact that you have since
            deleted it could be incriminating.
            
            In some jurisdiction, yes, legally, such evidence might not be
            probative, but you might still convicted because of it.
       
              nickburns wrote 3 days ago:
              Ephemeral messaging is not a crime.
       
              vuln wrote 3 days ago:
              The retention time can be set by individual conversation not just
              the whole app.
       
              fdb345 wrote 3 days ago:
              message retention has literally NEVER been used as incrimination
              in a court of law.  So you are wrong.
       
                sangeeth96 wrote 3 days ago:
                Umm, isn’t this related?
                
   URI          [1]: https://www.theverge.com/2024/4/26/24141801/ftc-amazon...
       
                  the_other wrote 3 days ago:
                  Yes, but if I’m reading it right, Amazon staff were already
                  inder instruxtion to retain and share data relevant to an
                  ongoing investigation. They were aware of the process and, if
                  the article is to be believed, worked against the
                  instructions.
                  
                  That’s quite different from turning disappearing messages
                  on when you’re not explicitly under insteuctions to keep
                  records.
       
                  bunderbunder wrote 3 days ago:
                  This isn't Amazon getting in trouble for implementation of a
                  routine records retention policy. It's Amazon getting in
                  trouble for violating a document retention mandate related to
                  an ongoing lawsuit.
       
                  dvtkrlbs wrote 3 days ago:
                  I don't think so. Corporate communication is bound by
                  different laws and you have way higher burden of evidence in
                  case of legal requests. I don't think this creates a
                  precedent for personal communications.
       
                  nickburns wrote 3 days ago:
                  No. That's a civil discovery matter.
       
                    fdb345 wrote 2 days ago:
                    Its also a private business directive not a law
       
            madeofpalk wrote 3 days ago:
            Given historical backups are the norm here, retention only does so
            much.
            
            Really, apps should encrypt their own storage with keys that aren't
            stored in the backups. That's how you get security/privacy back.
       
              buran77 wrote 3 days ago:
              > That's how you get security/privacy back.
              
              Nothing an app does on a device guarantees you security or
              privacy if you don't trust or fully control the device.
       
                Aachen wrote 2 days ago:
                Yes, but they'd have to issue another one of these snooping
                demands to either the app's developer (there's loads of
                developers so this would get out of hand quickly) or to Apple
                to patch the build or read the memory or something to get the
                unencrypted data
                
                This current demand isn't blanket access to your device, it's
                access to things uploaded to Apple's online storage service.
                Having to get a backdoor that works with every app's encryption
                takes a lot more work while running the data through an
                authenticated encryption algorithm is relatively trivial for a
                developer
       
              cma wrote 3 days ago:
              Many people want control over whether they back up conversations
              with others, and think it would be crazy for sender to control
              the retention policy instead of receiver.
              
              I think sender should just be able to send a recommended
              preference hint on retention and you could have an option to
              respect it or not.
       
          noahjk wrote 3 days ago:
          Very similar to sites like LinkedIn, which ask you to share your
          personal info & contact list.
          
          I don't want to share my contact details, but the second someone I
          know decides to opt in, I lose all rights to my own data as they've
          shared it on my behalf.
          
          Maybe they have other info, such as birthday, home address, other
          emails or phone #s, etc. stored for me, which is all fair game, as
          well.
       
            folmar wrote 2 days ago:
            If you are in EU, request your data be redacted.
       
        tw600040 wrote 3 days ago:
        Ok, I am not very technical. Can someone help me understand this. I
        don't have Advanced data Protection on. Does that mean UK Gov can see
        my data now?
       
          tene80i wrote 3 days ago:
          It means Apple has the encryption keys to your backed-up data. So
          they can, in theory, access it, if the UK Gov demands that they do.
          That might never happen to you, but with ADP it would have been
          impossible, because even Apple can't access it.
          
          See
          
   URI    [1]: https://support.apple.com/en-us/102651
       
          frizlab wrote 3 days ago:
          They always could. With advanced data protection they could not. The
          law mandated to add a backdoor to allow the government to also see
          encrypted data (which made the encryption insecure by definition).
          Apple refused to comply so you don’t even have the option to
          encrypt your backups now.
       
          itishappy wrote 3 days ago:
          Potentially. It really just means your data is stored unencrypted, so
          anybody that has access to Apple's servers can access your data. I
          don't believe any government has open access to Apple's servers, but
          they can get a warrant.
       
            tw600040 wrote 3 days ago:
            I just realized ADP is not same as Lockdown mode. which Apple
            mentioned that only people that are likely to be targets need to
            turn on.
            
            Now I don't see any reason why I shouldn't turn ADP on. Turning on
            now.
       
        dsmurrell wrote 3 days ago:
        disables apple cloud sync
       
        Jackknife9 wrote 3 days ago:
        I'm going to start purging anything I store on the cloud. I'm not doing
        anything illegal, but why does the government want to treat me like I
        am.
       
          docmars wrote 3 days ago:
          Indeed. Time to leave the panopticon!
       
        ilumanty wrote 3 days ago:
        What exactly can UK users do now? Turn off "backup iPhone to iCloud"
        and stop syncing notes?
       
          greatgib wrote 1 day ago:
          Time to leave Apple, to buy and use hardware and solutions that you
          really own and have control.
       
          GeekyBear wrote 3 days ago:
          UK users can still perform an encrypted backup to their local PC or
          Mac.
       
          buildbot wrote 3 days ago:
          If you have ADP, Leave it on and have them automatically delete it at
          some point? Otherwise yes.
          
          “Customers who are already using Advanced Data Protection, or ADP,
          will need to manually disable it during an unspecified grace period
          to keep their iCloud accounts, according to the report. Apple said it
          will issue additional guidance in the future to affected users and
          that it "does not have the ability to automatically disable it on
          their behalf."
       
        ohnoitsahuman wrote 3 days ago:
        Let's vote Labor and Liberal to keep the UK from going fascist on our
        data.
        
        Oh wait....shit.
       
          JansjoFromIkea wrote 3 days ago:
          The Blairite wing of that party has always been extremely bad with
          this kind of thing (see Tony Blair's obsession with ID cards over the
          decades) so it's unsurprising they'd push something like this.
       
          rvz wrote 3 days ago:
          They got what they voted for and now that those voters are surprised?
          
          It's really hilarious to try to blame previous governments for such
          unpopular moves like this one.
          
          If Labour was any better, then they would never have used the
          Investigatory Powers Act to force Apple to take actions such as this.
          
          For those who thought Labour would never do this, should just admit
          that this move was done under Labour and they are no better than the
          Tories.
       
          b800h wrote 3 days ago:
          The party most likely to cut this stuff out is Reform, although
          they'd probably be closer to ambivalent about it.
       
            JansjoFromIkea wrote 3 days ago:
            UKIP/Brexit/Reform as a vehicle to hold large influence over
            politics from outside Westminster might.
            
            I would imagine the party's attitudes on a myriad of things would
            shift if they were in power though.
       
            spacebanana7 wrote 3 days ago:
            I’m pretty sure Reform would scrap this stuff, given the belief
            their part of politics has been a victim of these laws.
            
            Also worth considering Lib Dem if you’re not into right wing
            politics-  they did vote against the relevant investigatory powers
            act back in 2016.
       
          switch007 wrote 3 days ago:
          Labour are not anti authoritarian. Often quite pro
       
          basisword wrote 3 days ago:
          This was done under the Investigatory Powers Act which was brought in
          in 2016. Saying that Labour weren't exactly against it at the time.
          Point being snooping isn't left or right - they all love it.
       
        ta8645 wrote 3 days ago:
        Free speech already under threat and now y'all are giving up the right
        of private communication too?  For anyone cheering this on, do you
        honestly think this will only affect the "bad people", and you'll never
        have your own neck under the government's boot?  Even if you trust the
        government today, what happens when your neighbors elect a government
        you disagree with ideologically?
       
          multimoon wrote 3 days ago:
          I don’t think anyone is cheering this on.
       
            Funes- wrote 3 days ago:
            Most politicians are.
       
            int_19h wrote 3 days ago:
            Many people do, unfortunately, so long as it's framed as "only
            terrorists and pedophiles need encryption that cops can't break".
       
              botanical76 wrote 3 days ago:
              How do we actually beat this narrative? I've been proposing a
              E2EE-based chat application to my friend, and they asked me a
              similar question: won't it just be rife with pedophiles? How can
              you make a platform that will be used to that means?
              
              I have strong views about privacy as a fundamental human right,
              but I don't know how to answer that question. I certainly don't
              want to make the world worse, but this feels like a lesser of two
              evils type of deal: either make it even harder to catch bad
              actors, such as child abusers, or make it plausible that your
              government take away your freedom forever.
       
                pacifika wrote 2 days ago:
                I suppose it is conflating lack of trust in government / law
                enforcement with criminal matters.
                
                Don’t give power over yourself to people with a proven
                history of misusing it, according to your values. You don’t
                have to look hard for examples.
       
            mihaaly wrote 3 days ago:
            Instead of the word cheering we could use letting.
            
            Bad people flourish over the inaction of good people.
            
            (but yes, there are always several who protect and argue for things
            risking their own and everyone's livelihood, exposing themselves to
            shady elements, along singled out and elevated thin aspects, cannot
            understood why)
       
        wonderwonder wrote 3 days ago:
        The UK wanted access to anyone's data. Not just UK citizens and then
        additionally added regulations forbidding apple to disclose this.
        
        UK is ~3-4% of apples income. While I appreciate Apples actions here, I
        wish they would make a real stand here and pull completely out of the
        UK.
       
          mtrovo wrote 3 days ago:
          I really wish they would sit down and negotiate this more openly. The
          silence from the other players is what really makes me uncomfortable.
          The fact that only Apple is making a stand against this ask is really
          scary.
       
            wonderwonder wrote 3 days ago:
            Agreed, the UK is speed running 1984 right in front of us.
       
              kobieps wrote 2 days ago:
              Only three (well, now four) mentions of 1984 in the comments
              tells you all you need to know
       
                wonderwonder wrote 2 days ago:
                sorry friend, I am actually not sure what you mean by this
                comment. Not sure if you are agreeing or disagreeing :)
                Apologies, probably my fault.
       
        Eavolution wrote 3 days ago:
        What are you actually supposed to do in the UK if you oppose this sort
        of thing to stop laws like this coming in? It feels like the government
        has been incredibly out of touch for the last number of years.
       
          maeil wrote 3 days ago:
          > It feels like the government has been incredibly out of touch for
          the last number of years.
          
          Did you vote for any single one of them?
          
          If you did, then what you're supposed to do is stop voting for
          Tory-lite governments (such as the current one).
          
          If you didn't vote for any of these governments (including this one),
          everything else that you could do would be dangerous nowadays.
       
          i2km wrote 3 days ago:
          You get the hell out and emigrate. I did so last year. It's not going
          to get better chap
       
            globular-toast wrote 2 days ago:
            Where did you go?
       
          IneffablePigeon wrote 3 days ago:
          Join the ORG for starters. Contact your MP. But yes, the number of
          people who care is small and so things will not change until it is
          large.
       
          redox99 wrote 3 days ago:
          I would guess you'd vote a libertarian party.
       
            Apfel wrote 3 days ago:
            Probably the best on the civil liberties front are the Liberal
            Democrats (they were pretty good at quashing mandatory national ID
            cards back in the day, at least).
            
            That being said, they still have a lot of folk angry at them for
            allowing university fees to be introduced 15 years ago when they
            were in coalition government (a Tory policy!).
       
        wackget wrote 3 days ago:
        So instead of building a back door they're just completely removing the
        option to use E2E encryption altogether, thus making everything freely
        available to government by default?
        
        How is that not worse or at least equivalent to a back door?
       
          varispeed wrote 3 days ago:
          Many departments use iphones. I wonder how it will affect government
          security or government employees will be exempt?
       
          incorrecthorse wrote 3 days ago:
          It _is_ equivalent to a back door, that's the point. The UK demand
          can be accessed more rapidly and properly by disabling the feature
          than by implementing a backdoor, since it is the same thing.
       
          poisonborz wrote 3 days ago:
          Much better than a false sense of security. Customers know what they
          get, and can choose other products instead of being confused or
          cheated.
       
          ziddoap wrote 3 days ago:
          >How is that not worse or at least equivalent to a back door?
          
          It's bad for the citizens of the UK and better for everyone else on
          the planet with an iPhone. UK citizens should be angry with their
          government, not Apple.
       
          roughly wrote 3 days ago:
          They’re just pulling the feature in the UK. If they put in a back
          door, they’re pulling the feature for everyone.
       
          mholt wrote 3 days ago:
          No illusion of privacy.
       
          wonderwonder wrote 3 days ago:
          The UK requested the backdoor for all users, not just UK citizens.
       
        drcongo wrote 3 days ago:
        Could any hackers on here now please hack the fuck out of UK government
        ministers please?
       
          alecco wrote 3 days ago:
          I doubt it would play out like you think.
       
        chatmasta wrote 3 days ago:
        Ugh. Is this by App Store country? Anyone know what happens if I
        already have it configured? I’m actually in US App Store region and
        sometimes switch to UK… I wonder if that would disable it.
       
        bArray wrote 3 days ago:
        Too right, it was far more problematic than they ever made out.
        
        > The UK government's demand came through a "technical capability
        notice" under the Investigatory Powers Act (IPA), requiring Apple to
        create a backdoor that would allow British security officials to access
        encrypted user data globally. The order would have compromised Apple's
        Advanced Data Protection feature, which provides end-to-end encryption
        for iCloud data including Photos, Notes, Messages backups, and device
        backups.
        
        One scenario would be somebody in an airport and security officials are
        searching your device under the Counter Terrorism Act (where you don't
        even have the right to legal advice, or the right to remain silent).
        You maybe a British person, but you could also be a foreign person
        moving through the airport. There's no time limit on when you may be
        searched, so all people who ever travelled through British territory
        could be searched by officials.
        
        Let that sink in for a moment. We're talking about the largest back
        door I've ever heard of.
        
        What concerns me more is that Apple is the only company audibly making
        a stand. I have an Android device beside me that regularly asks me to
        back my device up to the cloud (and make it difficult to opt out), you
        think Google didn't already sign up to this? You think Microsoft
        didn't?
        
        Then think for a moment that most 2FA directly goes via a large tech
        company or to your mobile. We're just outright handing over the keys to
        all of our accounts. Your accounts have never been less protected. The
        battle is being lost for privacy and security.
       
          SoftTalker wrote 2 days ago:
          Your smartphone cannot be considered a private device. You as the
          owner don’t have sufficient control over its operating system and
          applications to ever make that claim.
       
            bArray wrote 13 hours 49 min ago:
            In theory you have the likes of the PinePhone where you can run a
            full Linux kernel [1]. You could then use something like Waydroid
            to run Android apps [2].
            
            I think the biggest concern is that many of the important apps are
            anti-emulation, for example banking apps and authentication apps.
            [1]
            
   URI      [1]: https://pine64.org/devices/pinephone_pro/
   URI      [2]: https://waydro.id/
       
          neop1x wrote 2 days ago:
          For photos, it's probably best to use an open-source (also
          self-hostable) service like Ente. For files it's best to self-host
          Nextcloud or similar. And rely on other people's computers as little
          as possible. Sadly, operating systems are very complex and mostly
          composed of proprietary blobs nowadays so there is still a risk of it
          leaking data but people can still do at least something.
       
          prmoustache wrote 2 days ago:
          > What concerns me more is that Apple is the only company audibly
          making a stand.
          
          Dropping the functionality for a particular market hardly equals to
          making a stand. Sure they  haven't added a backdoor that would give
          all user's data access to UK icloud user's data so in the end UK
          residents didn't win anything.
          
          And who knows if they simply have an agreement with US gov to have a
          backdoor only available to them and not the other govs.
       
          abalone wrote 2 days ago:
          > One scenario would be somebody in an airport and security officials
          are searching your device under the Counter Terrorism Act
          
          No, it's much broader than that. The UK is asking for a backdoor to
          your data and backups in the cloud, not on your device. Why bother
          with searching physical devices when they can just issue a secret
          subpoena to any account they want?
          
          It's actually pretty amazing that Apple made ADP possible for the
          general public. This is the culmination of a major breakthrough in
          privacy architecture about ten years ago.
          
          Traditionally you had to make a choice between end-to-end encryption
          and data recoverability. If you went with E2EE, it's only useful if
          you use a strong password, but if you forget it then Apple can't help
          you recover your account (no password reset possible). So that was
          totally unsuitable for precious memories like photos for the average
          user.
          
          Apple's first attempt to make this feasible was a recovery key that
          you print out and stuff in a drawer somewhere. But you might lose
          this. The trusted contact feature is also not totally reliable
          either, because chances are it's your spouse and they might also lose
          their device at that same time as you (for example in a house fire).
          
          So while recovery keys and trusted contacts help, the solution that
          really made the breakthrough for ADP was iCloud Keychain Backup. This
          thing is low-key so cool and kind of rips up the previous assumptions
          about E2EE.
          
          iCloud Keychain Backup makes it possible to recover your data with a
          simple, weak 6 digit passcode that you are virtually guaranteed never
          to forget, yet you are also protected from brute force attacks on the
          server. It is specifically designed to work on "adversarial clouds"
          that are being actively attacked. This is... sort of not supposed to
          be possible in the traditional thinking. But they added something
          called hardware security modules to limit the number of guesses an
          attacker can make before it wipes your key.
          
          And crucially it ensures you don't forget this passcode because it's
          your device passcode which the OS keeps in sync with the backup key.
          This is part of the reason your iPhone asks you to enter your
          passcode now and then even though your biometrics work just fine.
          
          It is a true secret that only you know and can keep in your brain
          even when your house burns down and nobody (hopefully) can derive
          from something they can research about you. This didn't really exist
          for the general populace until smartphones came along. And that
          ultimately was the breakthrough that allowed for changing the
          conventional wisdom on E2EE.
          
          iCloud Keychain Backup came out about a decade ago and it has taken
          this long to gradually test the feasibility of going 100% E2EE
          without significantly risking customer data loss. The UK is kind of
          panicking but when people see how well ADP protects their most
          personal data from breaches, I think they will demand it. It just
          wasn't practical before.
       
            bArray wrote 15 hours 52 min ago:
            > No, it's much broader than that. The UK is asking for a backdoor
            to your data and backups in the cloud, not on your device. Why
            bother with searching physical devices when they can just issue a
            secret subpoena to any account they want?
            
            My point was that there was already a clear chain in place that
            would give them access to the data of foreign nationals. It's not
            just a "UK problem", but actually the ramifications are further
            reaching.
            
            Another thing to consider is that these cookie alerts on sites were
            for EU countries only, but ended up everywhere. If Apple were to
            comply, this cloud backdoor could end up in other countries too,
            with the keys sitting there ready for collection.
            
            To make things more complex still, they would need to support
            dual/multi nationality. It probably ends up looking like a dual key
            E2E system where there is a unique key for the end-user and then a
            third party. Key revocation would likely be difficult, so it would
            likely be the cloud provided decrypting and re-encrypting the files
            per request, throwing E2E out the window entirely.
       
          HenryBemis wrote 2 days ago:
          What I fund 'amusing' is the swap between Left vs Right.
          
          'Back in the day' it was the "Right" that wanted have total
          access/total control over everything. So people turned a bit "left".
          Now the "Left" government is seeking totalitarian-style control
          ('because paedophiles/drugs/etc.).
          
          As a reminder, both Right and Left extremes went from
          'liberal/conservatives' to "we don't need elections ever again -
          trust me!".
          
          I saw this happening in the US, in Saudi (e.g. Blackberry 'keys').
          Now I see it in the UK. So I interpret this in two ways:
            1) The "Left is the new Right" (or "Right is the new Left")
            2) Left and Right are irrelevant terms when it comes down to "we
          need to exert control over people/knowledge/data/information/etc. And
          the 'guise' of Left/Right is just on the fiscal policies. So UK has
          been playing around with 'snooper charter' but at 'that' time Apple's
          encryption was not on the table.
          
          Apple (I don't blame them - very much - just a little) does what a
          company does. Makes money. And they prefer to sell-out the data of
          their clients and keep their money, than lose that money.
          
          So... yeah.. if your data is in someone else's server, that happens.
       
            bArray wrote 16 hours 0 min ago:
            If you go too far right or left, both types of authoritarianism are
            difficult to distinguish. I think this just makes the case that
            every election you need to be a swing voter, make sure your
            politicians still overlap with your ideals.
            
            Apple today appear to be on the 'correct side of history', but even
            then you need to be swing consumer.
       
            sib wrote 2 days ago:
            >> 'Back in the day' it was the "Right" that wanted have total
            access/total control over everything.
            
            It was the Clinton administration that pushed for the Clipper chip.
            
            Are you talking about a 'day' before that time?
       
          bboygravity wrote 2 days ago:
          And now imagine for a second that the only thing the UK is doing here
          is getting the same direct access that the US (NSA) has already had
          for decades.
       
          dunham wrote 2 days ago:
          > the largest back door I've ever heard of.
          
          Do you know of the clipper chip? [1] From what I recall, we were only
          spared from it by someone hacking it before it was deployed.
          
   URI    [1]: https://en.wikipedia.org/wiki/Clipper_chip
       
          bustling-noose wrote 2 days ago:
          You have no laws when traveling through immigration. Thats true in US
          too. There was an article (trying to look for it could be arstechnica
          verge I dont remember where) once where a US citizen journalist was
          detained at the border for hours while traveling into the US and
          questioned. You can be in the immigration for hours or even decades
          until you give out what they demand which can involve your unlocked
          phone and password. There are no laws protecting you.
       
          firecall wrote 3 days ago:
          Also, I wondered if by complying with British law that they may
          somehow be breaking laws of another country?
          
          Hypothetically, if Apple just provide a back door to the data they
          have on US Senators for instance, then providing that information may
          be considered treason by the US.
          
          That's a totally made up example, and I have no idea, but it seems
          like it's possibly an issue.
          
          Which is all about the issues around data sovereignty I suppose!
       
            wkat4242 wrote 2 days ago:
            Treason is a very heavy charge and as far as I know it applies more
            to individuals. Can a company be prosecuted for treason? I guess it
            depends on the country and I don't know US law well (never even
            visited there)
            
            But I'm sure local laws conflict heavily between countries yes. I'm
            often wondering how multinationals manage to navigate this maze.
            This is why we have such a big legal department I guess :) And the
            company I work for is a pretty honest one, I've never seen any
            skullduggery going on with eg privacy or media manipulation. In
            fact employees are urged to report such things and I have to do a
            course on responsible behaviour yearly. Probably a result of being
            purely B2B. But anyway I digress, just wanted to say that getting
            away with stuff does not seem to be the reason for us having a big
            legal dept.
            
            But just look at the laws of e.g. the EU and Iran. Pretty
            diametrically opposed on many topics. There's no way to satisfy
            them both.
            
            I think what helps to make this happen is that most countries don't
            try to push their laws outside of their jurisdiction. Which the UK
            is trying to do here.
       
            Zamiel_Snawley wrote 3 days ago:
            That would not be treason, by a long shot.
            
            Treason is the only crime defined in the constitution, and it is
            quite a high bar.
       
              thaumasiotes wrote 2 days ago:
              > Treason is the only crime defined in the constitution, and it
              is quite a high bar.
              
              Well, it's defined, or bounded above, in the constitution. It's
              not exactly a high bar:
              
              > Treason against the United States, shall consist only in
              levying War against them, or in adhering to their Enemies, giving
              them Aid and Comfort.
              
              So, if you happened to know Nicolas Maduro, thought he was
              looking stressed, and bought him some food, that would qualify as
              treason. There's no requirement that you act against the
              interests of the United States. The constitution will stop you
              from being prosecuted for treason for sleeping with Melania
              Trump. It won't stop you from being prosecuted for treason for
              completely spurious reasons.
       
                Zamiel_Snawley wrote 1 day ago:
                No. The Supreme Court has laid out well defined meanings for
                all the components of that phrase[0], and it is quite a high
                bar.
                
                [0]
                
   URI          [1]: https://constitution.findlaw.com/article3/annotation24...
       
              Spooky23 wrote 2 days ago:
              The king is a strict constitutionalist, who may disagree with
              you/ Pray he doesn’t.
       
          osigurdson wrote 3 days ago:
          What is going on in the UK? How do they stand for this?
       
            vixen99 wrote 2 days ago:
            Irrespective of political leanings, a lot of British people are
            saying this. They stand for it because they have to. It's a
            government that was voted in by a large margin only six months ago.
            Disquiet, if that's the word, is pretty much universal and I am not
            sure we've been quite in this position before. Keir Starmer's
            decline in approval ratings 'marks the most substantial
            post-election fall for any British prime minister in recent
            history'.
            
   URI      [1]: https://politicalpulse.net/uk-polls/keir-starmer-approval-...
       
              JansjoFromIkea wrote 2 days ago:
              By a large margin with their seat count doubling off a 1.6% swing
              in their favour. The decline in approval ratings should have been
              entirely predictable to them.
       
              osigurdson wrote 2 days ago:
              Did Starmer run on this big brother type platform?
       
              jamiek88 wrote 2 days ago:
              This is a law enacted by the previous government.
       
            nomdep wrote 3 days ago:
            When “misinformation” or “hate speech” are illegal, and the
            government decides what those are, you cannot risk complaining
       
          endgame wrote 3 days ago:
          "technical capability notice" under the Investigatory Powers Act
          (IPA)
          
          Sounds a lot like the godawful "assistance and access" laws that were
          rushed through in Australia a couple of years ago, right down to the
          name of the secret instrument sent to the entity who gets forced into
          to building the intercept capability.
          
          Now that Apple has caved once, I expect to see other providers
          strongarmed in the same way, as well as the same move tried in other
          countries.
       
          zahllos wrote 3 days ago:
          I don't really understand your comment to be honest. Section 3 of the
          Regulation of Regulatory Powers Act 2000 allows for compelled key
          disclosure (disclosure of the information sought instead of the key
          is also possible). Schedule 7 of the Counter-Terrorism Act allows 9
          hour detention, questioning and device search at the border. With
          these powers it isn't necessary to get access to iCloud backups, as
          you can get the device and/or the data.
          
          I don't think the e2e icloud backup is problematic under existing
          legislation / before the TCN. While you can't disclose the key
          because it lives in the secure enclave, you can disclose the
          information that is requested because you can log into your apple
          account and retrieve it. IANAL, but I believe this to be sufficient
          (and refusing would mean jail).
          
          The Investigatory Powers Act allows for technical capability notices,
          and the TCN in this case says (as far as we know) "allow us a method
          to be able to get the contents of any iCloud backup that is protected
          by E2EE for any user worldwide". This means that there is no need to
          ask the target to disclose information and if implemented as asked,
          also means that any user worldwide could be a target of the order,
          even if they'd never been to the UK.
          
          Relevant info:
          
          -
          
   URI    [1]: https://wiki.openrightsgroup.org/wiki/Regulation_of_Investig...
       
            Aloisius wrote 3 days ago:
            I imagine they want the ability to look at someone's iCloud backups
            without notifying the owner that they are doing so or they want to
            do it when the owner is unwilling or unable  to provide keys.
            
            For the latter, there are a lot of cases where jail isn't much a
            threat (e.g. the person is dead or not in the country).
       
              zahllos wrote 2 days ago:
              Also given automatic iPhone backup it might contain information
              they want as part of an investigation that they'd otherwise have
              to demand key disclosure for (if cloud backup didn't exist)...
              Absolutely.
              
              The jail time for failure to comply with key disclosure is 2
              years unless it is national security, then it is 5. But if you're
              organised crime and facing who knows what for being a snitch it
              might be better simply to do the time.
              
              I can see why they want it. I just don't understand why the
              person I'm replying to said the feature (I think) was
              problematic. Not really a criticism, I'm just struggling to
              identify the tone and why 'too right' and 'more problematic than
              they let on'.
       
          j-krieger wrote 3 days ago:
          Even more shocking that Germany - my country - leads the leaderboard
          with over ten times as much requests as the second place.
       
          marcprux wrote 3 days ago:
          > you think Google didn't already sign up to this?
          
          My understanding is that Android's Google Drive backup has had an E2E
          encryption option for many years (they blogged about it at [1] ), and
          that the key is only stored locally in the Titan Security Module.
          
          If they are complying with the IPA, wouldn't that mean that they must
          build a mechanism into Android to exfiltrate the key? And wouldn't
          this breach be discoverable by security research, which tends to be
          much simpler on Android than it is on iOS?
          
   URI    [1]: https://security.googleblog.com/2018/10/google-and-android-h...
       
            EduardoBautista wrote 2 days ago:
            Apple's ADP is not E2E for only its backups, it's E2E for
            _everything_ in iCloud Drive and a few other iCloud services.
       
            thelittleone wrote 3 days ago:
            Could that be true and at the same time a 'vulnerability' exists
            that megacorp is party to?
       
            nomel wrote 3 days ago:
            My assumption is that Google has keys to everything in its kingdom
            [1]
            
   URI      [1]: https://qz.com/1145669/googles-true-origin-partly-lies-in-...
       
              tim333 wrote 2 days ago:
              I doubt it. Much to my annoyance they moved Google Maps Timeline
              from their database to an encrypted copy on my phone specifically
              so if law enforcement asks for the records of where you were at a
              given time and place they can say dunno, can't tell. If they had
              the keys it would wreck their legal strategy not to get hassled
              every time law enforcement are trying to track someone.
       
              skybrian wrote 2 days ago:
              The linked article makes a lot of assumptions about the "Massive
              Digital Data Systems Program". It seems this program existed. For
              example, here is a 1996 paper [1] about research funded by the
              "Massive Digital Data Systems (MDDS) Program, through the
              Department of Defense."
              
              But it's not clear that funding for early research into data
              warehousing (back when a terabyte was a lot of data) has anything
              to do with whether or not Google uses end-to-end encryption? Lots
              of research got funded through the Department of Defense.
              
              Without having relevant evidence, this is just "let's assume X is
              true, therefore X is true."
              
   URI        [1]: https://papers.rgrossman.com/proc-047.htm
       
              GeekyBear wrote 2 days ago:
              Google didn't announce that they could no longer process geofence
              warrants because they no longer stored a copy of user location
              data on their servers until last October.
              
              How much good does an encrypted device backup do when harvesting
              user data and storing it on your servers (to make ad sales more
              profitable) is your entire business model?
       
              foota wrote 2 days ago:
              That's a bit silly seeing as e.g.,
              
   URI        [1]: https://www.npr.org/sections/thetwo-way/2014/03/20/29195...
       
              yellow_lead wrote 3 days ago:
              This would mean no independent security researcher has ever taken
              a look at Google Drive's E2EE on Android. Or those that did
              missed the part where the key is uploaded.
              
              It's possible to decrypt this network traffic and see if the key
              is sent. It may be obfuscated though.
       
              autoexec wrote 3 days ago:
              My assumption is that the NSA does too.
       
              marcprux wrote 3 days ago:
              > My assumption is that Google has keys to everything in its
              kingdom
              
              If that were true, then their claims to support E2E encrypted
              backups are simply false, and they would have been subject to
              warrants to unlock backups, just like Apple had been until they
              implemented their "Advanced Data Protection" in 2022.
              
              Wouldn't there have been be some evidence of that in the past 7
              years, either through security research, or through convictions
              that hinged on information that was gotten from a supposedly
              E2E-protected backup?
       
                dietr1ch wrote 4 hours 49 min ago:
                They are so used to bend reality that could easily call it e2e
                encryption even if the key was generated by Google or had a
                skew that made it vulnerable with some extra knowledge that
                they have or will have in the next sync.
       
                ajb wrote 2 days ago:
                It's worth noting that what the security services don't have
                access to is as secret as what they do have access to.
                According to the late Ross Anderson, for many years the police
                were unable to trace calls (or was it internet access?) on one
                of the major UK mobile networks, because it had been designed
                without that and in such a way that it was hard to retrofit.
                This was considered highly confidential, lest all the drug
                dealers etc switch to that network.
       
                autoexec wrote 3 days ago:
                > Wouldn't there have been be some evidence of that in the past
                7 years, either through security research, or through
                convictions that hinged on information that was gotten from a
                supposedly E2E-protected backup?
                
                I wouldn't count on it. The main way we'd know about it would
                be a whistleblower at Google, and whistleblowers are extremely
                rare. Evidence and court records that might expose a secret
                backdoor or that the government was getting data from Google
                that was supposed to be private could easily be kept hidden
                from the public by sealing it all away for "national security
                reasons" or by obscuring it though parallel construction.
       
                  catlifeonmars wrote 2 days ago:
                  People are incredibly bad at keeping secrets. And there are a
                  LOT of people at Google. I don’t buy it.
       
                    jsjohnst wrote 1 day ago:
                    Until Yahoo! broke the news, did you know anything about
                    Google’s involvement with PRISM?
       
                    autoexec wrote 2 days ago:
                    There were a lot of people working for the NSA besides
                    snowden, but none of them blew the whistle even though some
                    of the programs he exposed had been around for 12 years.
                    There were a whole lot of people working at AT&T but
                    employees weren't lining up to tell us about Room 641A (
                    [1] ) before Mark Klein. How did everyone else manage to be
                    kept quiet? The details about MKUltra and the Manhattan
                    Project were successfully kept a secret for decades before
                    eventually being declassified.
                    
                    It'd be a huge mistake to look at the instances where
                    somebody did come forward and spill a secret and assume
                    that it means secrets aren't possible to keep or that there
                    are no secrets being kept right now. It's may not be easy
                    to keep a secret, but governments and corporations are
                    extremely well practiced and have many documented
                    successes.
                    
   URI              [1]: https://en.wikipedia.org/wiki/Room_641A
       
                      catlifeonmars wrote 2 days ago:
                      You have a point, but a major reason that the examples
                      you cited above were kept secret was because knowledge
                      about them was compartmentalized. As knowledge leaks, so
                      does the possibility of whistleblowers. It’s an
                      unstable equilibrium. My argument (which admittedly is
                      based on an anecdata about how undisciplined large tech
                      corporations are) is that it’s uniquely hard to keep
                      secrets in modern tech companies because by design,
                      knowledge is not compartmentalized. Modern large tech
                      companies have replaced fiefdoms of knowledge with
                      fiefdoms of operational expertise, if that makes sense.
                      
                      Anyway, there have been hundreds, perhaps thousands of
                      whistleblowers in the past and the examples you picked I
                      think are representative of the upper bound, rather than
                      the lower bound of the secret keeping capacity of
                      organizations.
       
                    GoblinSlayer wrote 2 days ago:
                    Google can just borrow a certified encryption library
                    elsewhere.
       
                    ChrisMarshallNY wrote 2 days ago:
                    That’s why Rule #1 of Security, is limit access;
                    regardless of clearance.
                    
                    Which explains why there’s all these security levels
                    above “Top Secret,” which is really just a baseline.
       
                jiggawatts wrote 3 days ago:
                A trivial method for circumventing code review is to simply
                push a targeted update of the firmware to devices subject to a
                government search order.
                
                There are no practical end-user protections against this
                vector.
                
                PS: I strongly suspect that at least a few public package
                distribution services are run by security agencies to enable
                this kind of attack. They can distribute clean packages 99.999%
                of the time, except for a handful of targeted servers in
                countries being spied upon. A good example is Chocolatey, which
                popped up out of nowhere, had no visible source of funding, no
                mention of their ownership structure anywhere, and was
                incorporated along with hundreds of other companies in a small
                building in the middle of nowhere. It just screams of being a
                CIA front, but obviously that's hard to prove.
       
                  nomel wrote 1 hour 15 min ago:
                  Telegram author claims this is the case [1]:
                  
                  > They were curious to learn which open source libraries are
                  integrated to the Telegram app. You know, on the client
                  side," Durov said. "And they were trying to persuade him to
                  use certain open source tools that he would then integrate
                  into the Telegram code
                  
   URI            [1]: https://www.newsweek.com/telegram-tucker-carlson-gov...
       
                  brookst wrote 2 days ago:
                  The end user protection is to sign updates and publish the
                  fingerprints. It should not be possible for one device to get
                  a different binary than everyone else.
       
                    jiggawatts wrote 1 day ago:
                    How exactly do you plan on implementing this as an end
                    user?
                    
                    Even if you somehow manage to ensure 100% consistency with
                    other users for updates you manually “pull” from the
                    vendor, the vendor could simply have your device
                    automatically reach out and update itself with a stealth
                    update.
                    
                    Or everyone can get the same exact binary, but it has a
                    hash code check on it that activates the evil bits only on
                    your device.
                    
                    Etc…
       
                  jen20 wrote 3 days ago:
                  > Chocolatey, which popped up out of nowhere
                  
                  Chocolatey assuredly did not "pop up out of nowhere" - it was
                  a labour of love from Rob Reynolds to make Windows even
                  barely usable. It likely existed for years before you ever
                  heard of it.
                  
                  > had no visible source of funding
                  
                  Rob was employed by Puppet Labs to develop it until he
                  started the commercial entity which now backs it.
                  
                  > a small building in the middle of nowhere.
                  
                  As I recall, Rob lives in Topeka, Kansas. It follows that his
                  business would be incorporated there, no?
       
                    jiggawatts wrote 2 days ago:
                    There was no evidence of any of this on the website until
                    recently (maybe 2 or 3 years ago?), and I did look at every
                    page on there. Similarly, I searched on Google for a while
                    and raised the question in more than a few forums. I dug
                    through the business registration records, etc... and found
                    none of the above.
                    
                    Sure, now, they have staff photos and the actual names of
                    people on their about page, but just a few years ago it was
                    almost completely devoid of information: [1] Look at it
                    from the perspective of a paranoid sysadmin half way around
                    the world raising a quizzical eyebrow when random Reddit
                    posts mention how convenient it is, but it's distributing
                    binaries to servers with absolutely no obvious links back
                    to any organisations, people, or even a legitimate looking
                    business building.
                    
   URI              [1]: https://web.archive.org/web/20190906125729/https:/...
       
                dylan604 wrote 3 days ago:
                Would it be possible that they feel that the revelation of this
                backdoor would be too big of a loss so that any of these
                theoretical cases of the past 7 years have used parallel
                construction to avoid revealing the encrypted data was viewed?
       
                  catlifeonmars wrote 2 days ago:
                  That’s a big and brittle conspiracy. You have to have
                  little to no defectors. It’s not a stable equilibrium
       
                reshlo wrote 3 days ago:
                Is the source code for every binary  blob present on an Android
                device available for inspection, and is the code running on
                every Android device verifiable as having been built from that
                source?
                
                > or through convictions
                
                If they wanted to use this evidence for a normal criminal case,
                they would just do parallel construction.
       
                menacingly wrote 3 days ago:
                I don't know the particulars, but in general, silence around a
                massive tech company on warrants does not mean "they said no
                and the feds decided to leave them alone"
       
                scripturial wrote 3 days ago:
                It is possible to set up end to end encryption where two
                different keys unlock your data. Your key, and a government
                key. I assume google does this.
                
                1. encrypt data with special key
                2. encrypt special key with users key, and
                3. encrypt special key with government key
                
                Anyone with the special key can read the data.the user key or
                the government key can be used to get special key.
                
                This two step process can be done for good or bad purposes. A
                user can have their key on their device, and a second backup
                key could be in a usb stick locked in a safe, so if you loose
                your phone you can get your data back using the second key.
       
                  hilbert42 wrote 2 days ago:
                  "…two different keys…. Your key, and a government key. I
                  assume google does this."
                  
                  With the present state of politics—lack of both government
                  and corporate ethics, deception, availability of much fake
                  news, etc.—there's no guarantee that you could be certain
                  of the accuracy of any information about this no matter what
                  its source or apparent authenticity.
                  
                  I'd thus suggest it'd be foolhardy to assume that total
                  privacy is assured on any of these services.
                  
                  BTW, I don't have need of these E2E services and don't use
                  them, nor would I ever use them intentionally to send
                  encrypted information. That said, occasionally, I'll send a
                  PDF or such to say a relative containing some personal info
                  and to minimize it being skimmed off by all-and-sundry—data
                  brokers, etc. I'll encrypt it, but I always do so on the
                  assumption that government can read it (that's if it's
                  bothered to do so).
                  
                  Only fools ought to think otherwise. Clearly, those in the
                  know who actually require unbreakable encryption use other
                  systems that are able to be better audited. If I were ever in
                  their position, then I'd still be suspicious and only out of
                  sheer necessity/desperation would I send an absolute minimum
                  of information.
       
                    KronisLV wrote 2 days ago:
                    > …there's no guarantee that you could be certain of the
                    accuracy of any information about this no matter what its
                    source or apparent authenticity.
                    
                    In any case like this, the only thing you could truly trust
                    would be the source code and even then you’d have to be
                    on the lookout for backdoors, which would definitely be
                    beyond my own capability to spot.
                    
                    In other words, the best bet is to probably only use open
                    source solutions that have been audited and have a good
                    track record, wherever available. Not that there are that
                    many options when it comes to mobile OSes, although at
                    least there are some for file storage and encryption.
       
                      hilbert42 wrote 2 days ago:
                      Obviously, that's the ideal course of action but I'd
                      reckon that in practice those who would have both a good
                      understanding of the code as well as the
                      intricacies/strengths of encryption algorithms and who
                      also have need to send encrypted messages is vanishing
                      small—except perhaps for some well-known government
                      agencies.
       
                        anakaine wrote 2 days ago:
                        Just because something you do today is legal and not a
                        cause for scrutiny does not mean the same will be true
                        tomorrow.
                        
                        We have seen this many times throughout history, where
                        people like academics, researchers, teachers, people of
                        particular faith, etc are targeted and each of them has
                        some sort of “evidence” produced as to some sort of
                        crime they have committed either in the present or past
                        to justify their arrest.
                        
                        The group who needs it today may be small, but having
                        it on and secure by default for all is a far better
                        protection than any justification that the current need
                        is small.
       
                    pinoy420 wrote 2 days ago:
                    > I don’t care for encryption or need it
                    
                    > encrypts a pdf sent to tech illiterate family members
       
                      hilbert42 wrote 2 days ago:
                      From where did you get both 'care' and 'illiterate' —
                      words that I never used?
                      
                      Not only have you misquoted me, but also you've attempted
                      to distort what I actually said by changing its
                      inference.
       
                    scripturial wrote 2 days ago:
                    Yes. There is no ability to know one way or the other if
                    Google, and similar services retain a secondary way to
                    access decryption key. In light of this the only option is
                    to _assume_ they have the capability.
                    
                    Given the carefully crafted way companies describe their
                    encryption services, it seems more likely than not they
                    have master keys of some sort.
       
                  DarkmSparks wrote 2 days ago:
                  I expect this is what they are all doing tbh, although isnt
                  google open source? should be checkable, if the binaries the
                  distribute match the source... oh...
                  
                  "a special key" afaik is where instead of using 2 large
                  primes for a public key, it uses 1 large prime and the other
                  is a factor of 2 biggish primes, where 1 of the biggish is
                  known, knowing one of the factors lets you factor any public
                  key with a not insignificant but still more compute than most
                  people have access to.
                  
                  UK has also invested in some serious compute that would
                  appear dedicated to exactly this task.
                  
                  basically if you dont have full control over the key
                  generation mechansim and enc/dec mechansim it is relatively
                  trivial for states to backdoor anything they want.
       
                  barsonme wrote 3 days ago:
                  E2EE means only your intended recipients can access the
                  plaintext. Unless you intend to give the government access to
                  your plaintext, what you described isn’t E2EE.
       
                    immibis wrote 2 days ago:
                    Sure is - three ends - you, the intended recipient, and the
                    government.
       
                    hot_gril wrote 2 days ago:
                    Yes, but going by that, most messaging services advertised
                    as "E2EE" are already not E2EE by default. You trust them
                    to give you the correct public keys for peer users, unless
                    you verify your peers in-person. Some like iMessage didn't
                    even have that feature until recently.
       
                    GoblinSlayer wrote 2 days ago:
                    Google intends you and the government as recipients of data
                    here.
       
                    tredre3 wrote 2 days ago:
                    Manufacturers have lied about E2EE since the beginning.
                    Some claim that having the key doesn't change that it's
                    e2ee. Others claim that using https = e2ee, because it's
                    encrypted from one end to the other, you see? (A recent
                    example is Anker Eufy)
                    
                    The point is that the dictionary definition of E2EE really
                    doesn't matter. Being pedantic about it doesn't help. The
                    only thing that matters is that the vendor describes what
                    they call E2EE.
       
                    fc417fc802 wrote 3 days ago:
                    > E2EE means only your intended recipients can access the
                    plaintext.
                    
                    No, it does not. It means that only endpoints - not
                    intermediaries - handle plaintext. It says nothing about
                    who those endpoints are or who the software is working for.
                    
                    Key escrow and E2EE are fully compatible.
       
                      prophesi wrote 2 days ago:
                      > Key escrow and E2EE are fully compatible.
                      
                      Wild to see someone on HN even entertain this idea.
       
                        baq wrote 2 days ago:
                        Wild to think otherwise.
       
                        fc417fc802 wrote 2 days ago:
                        It's literally the point of key escrow. My views on a
                        given practice are entirely irrelevant to the
                        definition of the relevant terminology.
       
                          prophesi wrote 2 days ago:
                          With key escrow, by definition you can only implement
                          end-to-many-ends encryption.
       
                            fc417fc802 wrote 2 days ago:
                            TIL group chats can't be considered E2EE. /s
       
                              prophesi wrote 2 days ago:
                              Those would be end-to-end encrypted x how many
                              recipients you intend for. Very different from
                              (end-to-end-encrypted x how many recipients you
                              intend for) + an arbitrary amount of recipients
                              you don't intend for.
       
                                fc417fc802 wrote 2 days ago:
                                > an arbitrary amount
                                
                                Presumably there are a finite number of escrow
                                agents who are known to you. Worrying that they
                                will pass your messages along to others is the
                                same as worrying that the people you're
                                chatting with do the same. It's always on you
                                to assess the trustworthiness of the other
                                parties; key escrow is no exception to that.
                                
                                To be clear I'm not a fan of large scale key
                                escrow schemes and am not going to willingly
                                use one outside of a corporate setting. But
                                lets have accurate use of terminology while
                                discussing these things.
                                
                                Surely a company with auditing requirements
                                running their own key escrow would still be
                                considered E2EE? If not E2EE then what would
                                you suppose to call that and where would you
                                draw the line?
       
                      barsonme wrote 2 days ago:
                      No, it is not. This is precisely why we have the term
                      E2EE. An escrow agent having your keys but pinky
                      promising not to touch them is indistinguishable from the
                      escrow agent simply having your plaintext.
                      
                      Unless you’re fine with the escrow agent and anybody
                      they’re willing to share the keys with being a member
                      of your group chat, in which case my original point still
                      stands.
       
                        fc417fc802 wrote 2 days ago:
                        Edit: I think you might be confusing your personal
                        intention (ie I wanted this to be private but didn't
                        realize the service provider retained a copy of the
                        keys) with the intention of the protocol (ie what the
                        system is designed to send where). Key escrow is "by
                        design" whereas E2EE protects against both system
                        intrusions (very much not by design) as well as things
                        like bugs in server software or human error when
                        handling data.
                        
                        > is indistinguishable
                        
                        Technically correct (with respect to the escrow agent
                        specifically) but rather misleading. With E2EE
                        intermediary nodes serving or routing a request do not
                        have access to it. This protects you against compromise
                        of those systems. That's the point of E2EE - only
                        authorized endpoints have access.
                        
                        The entire point of key escrow is that the escrow agent
                        is authorized. So, yes, the escrow agent has access to
                        your stuff. That doesn't somehow make it "not E2EE".
                        The point of E2EE is that you don't have to trust the
                        infra. You do of course have to trust anyone who has
                        the keys, which includes any escrow agents.
                        
                        If we used the definition "only your intended
                        recipients can access the plaintext" ... well let's be
                        clear here, an escrow agent is very much an "intended
                        recipient", so there's no issue.
                        
                        But lets extrapolate that definition. That would make
                        E2EE a property of the session rather than the
                        implementation. For example if my device is compromised
                        and my (E2EE) chat history leaks suddenly that history
                        would no longer be considered E2EE ... even though the
                        software and protocol haven't changed. It's utterly
                        nonsensical.
       
                          KronisLV wrote 2 days ago:
                          > I think you might be confusing your personal
                          intention with the intention of the protocol
                          
                          So what would be the name for a mechanism where
                          escrow is deliberately not a part of the design and
                          nobody aside from the sender and recipient can access
                          the plaintext data, no 3rd parties whatsoever, as
                          long as those two participants aren’t compromised.
                          
                          I’m not disagreeing with you but I’ve heard
                          people talk about E2EE while actually thinking it’s
                          more like the above. There is probably a term for
                          truly private communication but I’m sleepy and it
                          eludes me.
       
                            fc417fc802 wrote 2 days ago:
                            The literal answer to your question would be "E2EE
                            without key escrow" I guess. Or E2EE between just
                            me and this single party.
                            
                            However I don't think that's so much a technical
                            mechanism as it is a statement of preference or
                            understanding about who you intend to have access
                            to something.
                            
                            To that end, you'll need to define "intended
                            recipient" pretty carefully. After all, your
                            intended recipient could take a screenshot and
                            share it. Or there could be someone in a group chat
                            who isn't participating and you forgot was there.
                            Etc.
                            
                            > There is probably a term for truly private
                            communication
                            
                            I'd argue that E2EE is "truly private" between the
                            intended recipients, and that understanding who
                            exactly those are is entirely the responsibility of
                            the user.
                            
                            Of course I recognize that we're talking past each
                            other at that point. Your concern seems to be users
                            not realizing an escrow agent is present. To the
                            extent they might have been deceived about the
                            implementation I'd point out that "snuck in an
                            escrow agent" is just the tip of the security
                            iceberg. They could also have been deceived about
                            the implementation itself. And even if they weren't
                            deceived initially, a binary or web app could be
                            intentionally updated with a malicious version.
                            Does it count as "truly private" if you didn't
                            compile it yourself?
       
                              KronisLV wrote 1 day ago:
                              > Of course I recognize that we're talking past
                              each other at that point. Your concern seems to
                              be users not realizing an escrow agent is
                              present. To the extent they might have been
                              deceived about the implementation I'd point out
                              that "snuck in an escrow agent" is just the tip
                              of the security iceberg. They could also have
                              been deceived about the implementation itself.
                              And even if they weren't deceived initially, a
                              binary or web app could be intentionally updated
                              with a malicious version. Does it count as "truly
                              private" if you didn't compile it yourself?
                              
                              All of these are good points, thanks for taking
                              the time to respond! I think that to a certain
                              degree this means that, for the average layperson
                              and someone with more skills and knowledge, there
                              are still a bunch of challenges and attack
                              vectors to contend with.
                              
                              It probably involves more of something in the
                              category of OpenPGP (or just Signal, I guess)
                              where you yourselves are in control of the keys,
                              and less of counting on various web apps to do
                              right by the users. That said, E2EE with escrow
                              is still helpful against certain risks and is a
                              net positive, even if I've seen a lot of that
                              misunderstanding about what it actually does.
       
                                fc417fc802 wrote 1 day ago:
                                No problem! The more people conscious of this
                                stuff the better off we all are in the long
                                run.
                                
                                Anything that you can either audit or compile
                                yourself is generally a good bet. You might add
                                Matrix, XMPP with OMEMO, Briar, and Cwtch to
                                your list.
                                
                                Proprietary stuff isn't an entirely bad deal
                                though. If you assume they aren't blatantly
                                fraudulent then presumably your data is better
                                protected than it would have been without even
                                an attempt at E2EE.
                                
                                Same for key escrow schemes. Even if the agent
                                was literally the NSA you'd still most likely
                                be better off than the much more vulnerable
                                alternative. The fewer entities with access and
                                the more deliberate that access is the better.
       
                        zxcvgm wrote 2 days ago:
                        Well, WhatsApp backups claim they are E2E encrypted,
                        but there’s a flow that uses their HSM for the
                        encryption key, which still feels like some escrow
                        system.
                        
   URI                  [1]: https://engineering.fb.com/2021/09/10/security...
       
                          wkat4242 wrote 2 days ago:
                          True but you can choose to store the key completely
                          yourself. That fixes a big backdoor that's been
                          around for ages.
                          
                          The biggest problem remaining to me is that you don't
                          chat alone. You're always chatting with one or more
                          people. Right now there's no way of knowing how they
                          handle their backups and thus the complete history of
                          your chats with them.
                          
                          It's the same thing as trying to avoid big tech
                          reading your emails by setting up your own
                          mailserver. Technically you can do it but in practice
                          it's pointless because 95% of your emails go to users
                          of Microsoft or Google anyway these days.
       
                    mu53 wrote 3 days ago:
                    Is that google's definition or your definition? not being
                    rude, but its pretty easy to get tricky about this.
                    
                    Since you are sending the data to google, isn't google an
                    intended recipient? Google has to comply with a variety of
                    laws, and it is likely that they are doing the best they
                    can under the legal constraints. The law just doesn't allow
                    systems like this.
       
                      brookst wrote 2 days ago:
                      If Google is employing this “one simple trick”, they
                      will get sued into the ground for securities fraud and
                      false advertising.
       
                        1oooqooq wrote 2 days ago:
                        history already proved you wrong. companies offering
                        backdoor to abusive law enforcement are never sued.
                        
                        they also employ things like exempt cases. for example,
                        Whatsapp advertise E2E... but connect for the first
                        time with a business account to see all the caveats
                        that in plain text just means "meta will sign your
                        messages from this point on with a dozen keys"
       
                          wkat4242 wrote 2 days ago:
                          Oh thanks. I've never done that before. I'll try
                          that, it'll be very interesting to see those
                          disclaimers.
                          
                          I guess for consumer use all that stuff is hidden in
                          the T&C legalese which is unreadable for normal
                          people. I know the EU was trying to enforce that
                          there must be a TL;DR in normal language but I
                          haven't seen much effect of that yet.
       
                            1oooqooq wrote 2 days ago:
                            the whatsapp business account is pretty plain
                            text... and public as the founder quit meta
                            (billions on the table) because of this with an
                            open letter
       
                          brookst wrote 2 days ago:
                          It’s the lying that gets companies in trouble.
                          
                          The claim is that Google has implemented a security
                          weakness and lied about it in claims to customers and
                          investors.
                          
                          Show me another company that did this, was exposed,
                          and was not sued.
       
                            1oooqooq wrote 2 days ago:
                            yahoo sued the govt and was able to go public
                            almost a decade later. as i said, history already
                            proved that argument wrong.
       
                            alt227 wrote 2 days ago:
                            > It’s the lying that gets companies in trouble.
                            
                            It isnt if the government have asked them to lie.
       
                            tsimionescu wrote 2 days ago:
                            You are extremely naive if you think a company the
                            size of Google or Microsoft or Apple will face any
                            serious consequence from lying about E2EE actually
                            being open to various governments.
                            
                            They have lawyers aplenty, governments would file
                            amicus briefs "explaining" E2EE and so on. Worse
                            case they'll settle for a pittance.
       
                              brookst wrote 1 day ago:
                              So all you’ve got is hypotheticals that
                              coincidentally confirm your biases? These are
                              giant companies. Show me where a civil suit for
                              lying about a     product’s security was
                              defended by this kind of claim.
       
                              ipaddr wrote 2 days ago:
                              Those companies never get sued?  Never face class
                              action lawsuits either?
       
                      gtirloni wrote 2 days ago:
                      What's the intended recipient of your message? It's not
                      Google, right?
                      
                      You're discussing encryption in transit vs encryption at
                      rest in this thread.
       
                        mu53 wrote 2 days ago:
                        I agree with you, but these abstract technical systems
                        have enough wiggle room for lawyers and marketers to
                        bend the rules to get what they want
       
                  echoangle wrote 3 days ago:
                  Would that still count as E2E-encrypted if another party has
                  access? That would still count as lying to me.
       
                    dtpro20 wrote 3 days ago:
                    To call it lying is just arguing about the meanings of
                    words. This is literally what lawyers are paid to do. The
                    data payload can be called end to end encrypted. You can
                    easily say to the user that "your emails are encrypted from
                    end to end, they are encrypted before it leaves your
                    computer and decrypted on the receivers computer" without
                    talking about how your key server works.
                    
                    Systems that incorporate a method to allow unlocking using
                    multiple keys don't usually advertise the fact that this is
                    happening. People may even be legally obligated to not tell
                    you.
       
                      echoangle wrote 2 days ago:
                      Well Wikipedia says this about E2E:
                      
                      “End-to-end encryption (E2EE) is a method of
                      implementing a secure communication system where only
                      communicating users can participate. No one else,
                      including the system provider, telecom providers,
                      Internet providers or malicious actors, can access the
                      cryptographic keys needed to read or send messages.”
                      
                      So if you send another set of keys to someone else,
                      it’s obviously not E2E.
       
                        ptero wrote 2 days ago:
                        This is a high level description of intent (by a third
                        party), not a legal promise.
                        
                        This is not enforceable and promises that are not
                        enforceable are usually seen by BigCos of today as
                        optional. My 2c.
       
                          echoangle wrote 2 days ago:
                          Well I wasn’t saying I would sue them, I was
                          arguing this:
                          
                          > It is possible to set up end to end encryption
                          where two different keys unlock your data. Your key,
                          and a government key. I assume google does this.
                          
                          Which by definition is wrong (unless the government
                          is a party in the communication you want to
                          E2E-Encrypt).
       
                            ptero wrote 1 day ago:
                            I agree completely that it is wrong in spirit. But
                            wikipedia's text is a definition, not the only
                            existing one. And for practical use even the most
                            obvious definitions have legal caveats.
                            
                            For example, asking for 10 gallons of soda at a
                            restaurant advertising unlimited refills will not
                            fly, even though virtually everyone will agree on
                            the definition of the term "unlimited". My 2c.
       
                            dwaite wrote 1 day ago:
                            I believe the point being made here is that some
                            governments legally mandate that they are a party
                            in communication.
       
                      catlifeonmars wrote 2 days ago:
                      > To call it lying is just arguing about the meanings of
                      words.
                      
                      Or, as us lowly laypeople call it, lying.
       
                      mirekrusin wrote 2 days ago:
                      TIL man in the middle = e2e encryption.
       
                        scripturial wrote 2 days ago:
                        E2E encryption is not the same as MITM. You’re not
                        adding anything useful to the conversation.
                        
                        E2E encryption is not vulnerable to MITM. E2E
                        encryption is vulnerable only to how many keys there
                        are and who has access to them.
       
                          echoangle wrote 2 days ago:
                          If someone except the communicating parties has
                          access to the keys, it’s not E2E encrypted anymore
                          though. At least according to this definition:
                          
   URI                    [1]: https://en.wikipedia.org/wiki/End-to-end_enc...
       
                          chii wrote 2 days ago:
                          SO if google still has access in an E2E system, but
                          you didnt know, is it still E2E?
                          
                          What if google told you they also have a key? Does
                          that change the above answer to the question?
       
                    lttlrck wrote 3 days ago:
                    That depends on the definition of "end".
       
                      tbihl wrote 3 days ago:
                      To say nothing of the definition of "definition", or at
                      least a common understanding.
                      
   URI                [1]: https://m.youtube.com/watch?v=gRelVFm7iJE
       
                        blitzar wrote 2 days ago:
                        It depends on what the meaning of the word 'is' is
       
          h4ck_th3_pl4n3t wrote 3 days ago:
          Remember that the last fiasco was related to 2FA stores being stored
          unencrypted on google's backup cloud, namely google authenticator.
          
          And yes, it's still pwnable this way, and happens regularly.
          
          Everything in the cloud is not yours anymore, and you should always
          treat it like that.
       
          martin_a wrote 3 days ago:
          > We're talking about the largest back door I've ever heard of.
          
          Meh, I don't know. I can still decide to not go the UK and be fine. I
          think the CLOUD Act is much worse because it's independent from where
          I am.
       
          Fnoord wrote 3 days ago:
          > There's no time limit on when you may be searched, so all people
          who ever travelled through British territory could be searched by
          officials.
          
          > Let that sink in for a moment. We're talking about the largest back
          door I've ever heard of.
          
          Codename 'Krasnov' is the largest backdoor I have ever heard of. And,
          we only need to look at his behavior.
          
          These E2EE from USA can be tainted in so many ways, and FAMAG sits on
          so much data, that codename 'Krasnov' can abuse such to target
          whoever he wants in West. Because everyone you know is or has been in
          ecosystem of Apple, Google, or Microsoft.
          
          Whataboutism! Fair. From my PoV, as European, the UK government is
          (still) one of the good guys who will protect Europe from adversaries
          such as those who pwn codename 'Krasnov'. Such protection may come
          with a huge price.
       
          JumpCrisscross wrote 3 days ago:
          > One scenario would be somebody in an airport and security officials
          are searching your device
          
          No Heathrow connection necessary. “The law has extraterritorial
          powers, meaning UK law enforcement would have been able to access the
          encrypted iCloud data of Apple customers anywhere in the world,
          including in the US” [1]
          
   URI    [1]: https://www.ft.com/content/bc20274f-f352-457c-8f86-32c6d4df8...
       
            kimixa wrote 3 days ago:
            The US claims the same [1] Lots of Americans in this thread seem to
            be talking down to other countries laws while being completely
            unaware of their own
            
   URI      [1]: https://en.wikipedia.org/wiki/CLOUD_Act
       
              maeil wrote 3 days ago:
              Spot on, 727 comments, most probably by Americans, and only 2
              (including yours) bringing up the CLOUD Act, the much worse US
              equivalent. Incredible ignorance.
       
                bustling-noose wrote 2 days ago:
                Providing encrypted data and not providing encryption are two
                different things. The CLOUD act requires you to hand over data.
                It could be encrypted. The UK government is asking to hand over
                data that is also not encrypted. The two are not the same. Note
                : Not American.
       
          tholdem wrote 3 days ago:
          > What concerns me more is that Apple is the only company audibly
          making a stand.
          
          But still Apple operates in China and Google does not. This is weird
          to me. Google left China when the government wanted all keys to the
          citizens data. Apple is making a stand when it's visible and does not
          threaten their business too much.
          
          Apple is not really in the business of protecting your data, they are
          just good at marketing and keeping their image.
       
            timewizard wrote 2 days ago:
            I want to buy my phone from a phone manufacturer.
            
            I want to backup my data with a managed service.
            
            I do NOT want these to be the same company.
            
            The government,  with anti trust laws,    could easily force this
            issue.    On the other hand,  they really love how few places they
            have to go with FISA warrants to just take anyones data.  This is
            the long tail of the American security state.  So it's really
            ironic that China takes most of the blame.
       
            Spooky23 wrote 2 days ago:
            It’s different. Apple follows Chinese law to operate their
            services in China, just like Microsoft.
            
            With Google, their services are way broader. Operating a hunk of
            their search business with a third party Chinese firm just isn’t
            viable for their services, which are way more complex.
       
            GeekyBear wrote 3 days ago:
            > Google left China when the government wanted all keys to the
            citizens data.
            
            Google left China after China started hacking into Google's
            servers.
            
            >  In January, Google said it would no longer cooperate with
            government censors after hackers based in China stole some of the
            company’s source code and even broke into the Gmail accounts of
            Chinese human rights advocates. [1] They were working to reenter
            the China market  on China's terms many years later, when Google
            employees leaked the effort to the press.  Google eventually backed
            down.
            
   URI      [1]: https://www.nytimes.com/2010/03/23/technology/23google.htm...
       
              spoaceman7777 wrote 2 days ago:
              I'd imagine there were multiple factors that went into that
              business decision. Even if this was portrayed as the final straw.
       
            wrsh07 wrote 3 days ago:
            Eh Google had pretty good reasons to not operate in China (not
            seeing them in this thread, don't recall the details precisely
            enough to relate here)
            
            Apple is deeply embedded in China (manufacturing) and benefits from
            a decent (but shrinking) userbase in the country. China isn't
            asking for the keys to all iphone user data, just data stored in
            China.
       
            WhyNotHugo wrote 3 days ago:
            iCloud in China is operated by a local subsidiary. There is a
            dedicated screen explaining this when you set up an iCloud account
            in this region.
            
            They adapt to the local rules of each region, much like they’re
            doing here in the UK.
       
              fauigerzigerk wrote 1 day ago:
              >iCloud in China is operated by a local subsidiary
              
              It's not operated by an Apple subsidiary. It's operated by a
              government owned company. I'm not aware of any local laws that
              require this particular arrangement.
       
            noirbot wrote 3 days ago:
            China feels like an important difference here though. Google
            leaving China doesn't protect Chinese citizen's data any more than
            Apple turning off ADP in the UK does. As far as I know, Apple isn't
            pretending that the data of Chinese users is encrypted from their
            government, and the way they're complying with the Chinese laws
            shouldn't impact the security of users outside of China.
            
            Apple pulling ADP from UK users is similar - the UK has passed an
            ill-considered law that Apple doesn't think it can win a court case
            over, so they're complying in a way that minimally effects the
            security of people outside the UK. If, as someone outside the UK, I
            travel to the UK with ADP turned on, my understanding is it won't
            disable itself.
            
            Would you have been more satisfied if Apple just pulled out of the
            UK entirely? Bricked every iPhone ever purchased there? Google
            doesn't seem to have made any stand for security ever - them
            pulling out of China feels more to do with it meaning they wouldn't
            have had access to Chinese users' data, which is what they really
            want.
       
              viraptor wrote 2 days ago:
              > Would you have been more satisfied if Apple just pulled out of
              the UK entirely? Bricked every iPhone ever purchased there?
              
              The request/law would be rolled back in minutes in that case.
              They wouldn't dare though. (wouldn't even have to be bricking -
              just disable services like icloud)
       
                madeofpalk wrote 2 days ago:
                Apple has 40 retail stores in the UK with thousands of
                employees. They have a big new HQ in London where they have
                engineering, etc there.
                
                I cannot see Apple completely shutting down in the UK, firing
                thousands of staff, selling off any property, and cancelling
                leases, just for a week long bargaining chip.
       
            dclowd9901 wrote 3 days ago:
            Perhaps Apple has a greater leverage in China due to its outsized
            manufacturing presence. And it's likely they already dont offer ADP
            to Chinese citizens.
       
              vineyardmike wrote 2 days ago:
              > Perhaps Apple has a greater leverage in China due to its
              outsized manufacturing presence.
              
              Perhaps china has greater leverage over apple in this case...
              
              China had been an important area of growth for many companies
              during the 2010s. Apple bent over backwards to cater to that
              market. It was discussed in every financial release, and they
              obviously made tons of concessions for iCloud.
              
              The UK just comparatively isn't that much revenue, and not worth
              the fallout.
       
                chii wrote 2 days ago:
                > China had been an important area of growth for many companies
                during the 2010s. Apple bent over backwards to cater to that
                market
                
                and it is the same with european car companies (like
                volkswagon). Look at where they are now.
                
                I don't believe for a second, that china will not oust apple
                the moment there's a good reason to.
       
                  vineyardmike wrote 2 days ago:
                  > Look at where they are now.
                  
                  Apples revenue from china has been super dependent on new
                  iPhone looking different, and has been steadily declining or
                  flat for years, except for a few quarters when Huawei was
                  sanctioned.
                  
                  Chinese money was absolutely the forbidden temptress that
                  continues to screw businesses. Luxury goods, cars,
                  electronics, etc were all banking on china’s economic rise
                  to grow their revenue, and post covid recovery saw all that
                  money stay domestic.
                  
                  China won’t oust Apple because twisting Tim Cook’s arm is
                  way more useful. Same with Tesla and any other company that
                  makes a big bet there. But they absolutely won’t be giving
                  American companies an equal chance at success.
       
              SXX wrote 2 days ago:
              > And it's likely they already dont offer ADP to Chinese
              citizens.
              
              AFAIK before UK only region with ADP was China.
       
              bitpush wrote 3 days ago:
              lol you think Apple has more leverage than China? What world are
              you living in?
       
                raincole wrote 3 days ago:
                A world where HN commentators can read English.
       
          alt227 wrote 3 days ago:
          > Apple is the only company audibly making a stand
          
          Apples stand is false, they take with one hand and give with the
          other. There have been many times that Apple have been caught giving
          user data to governments at their request, lied about it, then later
          on admitted it once it had leaked from another source.
          
          This whole 'we will never make a backdoor' is a complete whitewash
          marketing stunt, why do they need to make a backdoor when they are
          providing any and all metadata to any government on request.
          
   URI    [1]: https://www.macrumors.com/2023/12/06/apple-governments-surve...
       
            lilyball wrote 3 days ago:
            > There have been many times that Apple have been caught giving
            user data to governments at their request, lied about it, then
            later on admitted it once it had leaked from another source.
            
            In other words, Apple complies with legal government orders, as
            they are required to. The government can compel them with a warrant
            to hand over data that they have, and can prohibit them from
            talking about it. That's the whole reason for the push towards
            end-to-end encryption and for not collecting any data Apple doesn't
            need to operate the products. This also ties into things like photo
            landmark identification, where Apple designed it such that they
            don't get any information about the requests and so they don't have
            any information that they could be compelled to hand to the
            government.
       
            jonhohle wrote 3 days ago:
            I think that’s the whole point of their push to E2E encrypt as
            much as possible. Saying they can’t unencrypted something worked
            for a while.
       
          troupo wrote 3 days ago:
          > What concerns me more is that Apple is the only company audibly
          making a stand.
          
          They are not making a stand. They roll over without a peep. And this
          is concerning users' privacy which they say is the core of the
          company.
          
          Compare it to fighting every government tooth and nail over every
          single little thing concerning the "we don't know if it's profitable
          and we don't keep meeting records" AppStore
       
            immibis wrote 2 days ago:
            "Not making a stand" would be leaving everything as is, and handing
            your encryption keys over to the government. By loudly disabling
            ADP and saying this feature is illegal in the UK (they really
            should have said "illegal" instead of "unavailable" so people would
            know it was the government), they are at least making half a stand.
            By leaving it enabled in other regions and for visitors from other
            regions to the UK, they're making three quarters of a stand.
       
              troupo wrote 2 days ago:
              > By loudly disabling ADP and saying this feature is illegal in
              the UK
              
              They didn't say anything loudly, or said it was illegal in the
              UK.
              
              All they had was a single comment to a single (or perhaps a
              handful at most) comment to a media outlet that they disabled it.
              
              They didn't even bother with a press release, or notify their
              users.
              
              It's not even half a stand. It's a rollover
       
                exodust wrote 1 day ago:
                Is the UK law broadly against encrypted files?
                
                For example if I encrypt a file locally, a zip file containing
                images, am I not permitted to upload that zip file to a cloud
                service in the UK?
                
                Even if the UK's demands were "access to encrypted cloud
                services", does that also mean encrypted files within encrypted
                storage? It all seems so messy. Anyone who really wants to hide
                their files, can do so regardless of demands for backdoors.
       
                  troupo wrote 1 day ago:
                  > Anyone who really wants to hide their files, can do so
                  regardless of demands for backdoors.
                  
                  The question isn't about "anyone who wants". It's about
                  "anyone, regardless of their technical skill"
       
            givinguflac wrote 3 days ago:
            “ They roll over without a peep.”
            
            What are you talking about? This is literally them doing the
            opposite, and there are multiple other public instances of them
            making a stand, not to mention in the design of their systems.
            
            Truly curious how you see this that way.
       
              troupo wrote 3 days ago:
              "Literally doing the opposite" would be keeping encryption on.
              
              Removing encryption for everyone is literally doing the opposite
              of making a stand
       
                coaksford wrote 3 days ago:
                They had two paths to comply with the law. Silently backdoor
                the worldwide cloud serving every Apple device, or loudly tell
                people in the UK they don't get to have security because their
                government prohibits them. Between these two options, this is
                clearly "making a stand".
                
                It's not as much "making a stand" as telling a major government
                that you have substantial seizable assets under their
                jurisdiction who is a major market you want to be in, that
                you're not going to do the thing that their laws say you are
                required to do, but it's hardly simple compliance either,
                instead of doing what the government wants them to do, they are
                making sure there is blowback.
                
                Whether to try to fight it in court likely depends on details
                of case law and the wording of the laws they'd be contesting, I
                imagine much of the delay in their response to the demand was
                asking their lawyers how well they think they would fare in
                court.
       
                  dumbledoren wrote 2 days ago:
                  > tell people in the UK
                  
                  This doesn't affect only people in the UK. It allows access
                  to all Apple users' data globally:
                  
                  > No Heathrow connection necessary. “The law has
                  extraterritorial powers, meaning UK law enforcement would
                  have been able to access the encrypted iCloud data of Apple
                  customers anywhere in the world, including in the US” [1].
                  
                  > [1] [2] So they can spy on you regardless of where you live
                  even in violation of your own country's privacy laws.
                  
   URI            [1]: https://www.ft.com/content/bc20274f-f352-457c-8f86-3...
   URI            [2]: https://news.ycombinator.com/item?id=43132160
       
          Krasnol wrote 3 days ago:
          It's always hilarious to see how far people here are ready to go to
          twist some bad Apple news into something which might be considered
          good.
          
          I mean seriously. Apple making a stand? What stand? They are ripping
          security out of their customers hands. Customers which are already
          dependent on the company's decision in their locked in environment.
          
          There is absolutely nothing good about it, and you dragging Android
          into it and making it look like it's even worse is suspicious. You
          can have full control over your Android device. Something impossible
          on an Apple phone. You can make your Android device safer than your
          iPhone.
       
            yunwal wrote 3 days ago:
            The government forced them to pull the feature. Would you rather
            they left a toggle-switch that doesn't actually do anything? Or are
            you thinking they should just pull out of the EU altogether?
       
              Krasnol wrote 3 days ago:
              Making a stand would be leaving UK (UK is not in the EU)
              altogether.
              
              This is almost as bad as building a backdoor. This is leaving
              your customer in the rain.
              
              Fortunately for Apple, most of them won't even know or realize
              it.
       
                musictubes wrote 2 days ago:
                No, this tells the customer that backups to iCloud are not
                secure from the government. Adding the back door would make
                people think that there was more security than there was.
                Transparency is always better than deception.
                
                Dropping the feature that the UK was targeting allows their
                customers to use all the other ways that Apple does things.
                Leaving the UK altogether is the nuclear option denying their
                customers of everything. “Apple should just leave the
                UK/China” never takes into consideration the millions of
                customers that bought or might want to buy in the future.
                Nobody would better off if Apple withdraws from a country.
       
                  Krasnol wrote 2 days ago:
                  I don't think we both have the same concept of "making a
                  stand".
                  
                  Yes, it would have been the nuclear option, but this is
                  Apple. Probably most of the most influential people in the UK
                  have an Apple phone. Just saying that you leave would cause
                  an avalanche of influence targeted at this law. Maybe other
                  companies would have joined them.
                  
                  This, this is just cover dance and I wish they'd pay for
                  this, but they won't and they know it. People locked into the
                  Apple bubble only change if it REALLY hurts. This doesn't
                  hurt the average Apple user, and those who really care moved
                  onto a system they can control themselves.
       
                codedokode wrote 2 days ago:
                Making a stand would be displaying a full-screen notification
                about why they cannot provide protection for British users'
                data and which party voted for this.
       
                  Krasnol wrote 2 days ago:
                  No. Making a stand would be to threaten to leave and watch
                  all those influential iPhone users scramble to get this law
                  rolled back. Everything else is marketing and cowardice.
       
                yunwal wrote 3 days ago:
                > This is leaving your customer in the rain.
                
                vs. taking their phone away??? Idk if you're trolling or what
                but I would be incredibly pissed at Apple if they deprecated my
                phone over something like this.
       
                  Krasnol wrote 2 days ago:
                  Yes, imagine the outrage in the rich and influential in the
                  UK if Apple would seriously threaten to leave the country
                  about this. They would cause the law to be fixed which would
                  help everybody.
                  
                  But instead. They run away.
                  
                  Selling this as "making a stand" is ridiculous. Nothing more.
       
            amatecha wrote 3 days ago:
            There is an upside (if you trust them) -- they're pulling a feature
            rather than adding a back door to it.  Supposedly, anyway.
       
              Krasnol wrote 3 days ago:
              Well, sure it could be worse.
              
              Doesn't make that one good, though.
       
          fdb345 wrote 3 days ago:
          Your Android and Microsoft backup aren't encrypted.   They are
          already fair game for a warrant.
       
          dustingetz wrote 3 days ago:
          how much distance between
          
          1) tech monopoly strong enough to stand up to G7 nation state demands
          
          2) tech monopoly strong enough to remove itself from G7 nation state
          jurisdiction?
          
          edit: s/monopoly/empire, apologies
       
            stalfosknight wrote 3 days ago:
            Apple is not a monopoly.
       
            r00fus wrote 3 days ago:
            It's amusing to think of Apple as a "monopoly" (if anything they
            have a monopsony on TSMC production) but let's just replace that
            with "giant" for purposes of discussion.
            
            Tech giants typically devolve local operations to small companies
            to avoid liability - think petroleum suppliers not owning gas
            stations (because those typically end up as superfund sites).  Not
            sure if this analogy this works for Google Android and all the
            manufacturers that deploy it for their smartphones too.
            
            So corporations have been doing this forever, trying to find legal
            loopholes where they can have their cake and eat it too.
       
          j-bos wrote 3 days ago:
          > (where you don't even have the right to legal advice, or the right
          to remain silent)
          
          A lot is posted about LEO's lying in the US, this seems worse.
       
          IshKebab wrote 3 days ago:
          > What concerns me more is that Apple is the only company audibly
          making a stand.
          
          Meta also said they would make a stand if a similar request comes for
          WhatsApp. I'm not going to hold my breath though.
       
            AutistiCoder wrote 3 days ago:
            They wouldn't even be able to.
            
            WA is end-to-end encrypted.
       
              figmert wrote 1 day ago:
              It's all lip service, because the UK Govt wouldn't ask them that.
              WhatsApp messages are EE2E. They probably already handover all
              the metadata surrounding those messages.
       
              kali_00 wrote 3 days ago:
              With almost everyones backups stored in plain-text, making it all
              a little silly.
              
              Think about it for a second: you can re-establish your WA account
              on a new device using only the SIM card from your old device. SIM
              cards don't have a storage area for random applications'
              encryption keys, and even if they did, a SIM card cannot count as
              "end-to-end" anymore. Same goes for whatever mobile cloud
              platform those backups might be stored on. And you'd hope Apple
              or Google aren't happily sending off your cloud decryption keys
              to any app that wants them. Though maybe they are?
       
                acka wrote 3 days ago:
                Reestablishing your WhatsApp account on a new device doesn't
                give access to your old chat messages, you need to restore a
                WhatsApp backup for that. The backup doesn't need to be stored
                in the cloud, you can choose to create a local file and
                manually transfer that to your new device.
                
                In any case, as soon as you start using WhatsApp on a new
                device, users in the chats you participate in will receive a
                message informing them that your encryption keys have changed.
       
              alex-robbins wrote 3 days ago:
              WhatsApp is closed source. They could backdoor it if they wanted
              to (or were forced to).
       
                bitpush wrote 3 days ago:
                And so in Apple and iOS. What is your point?
       
                  IshKebab wrote 3 days ago:
                  His point was that it is technically possible for WhatsApp to
                  add a backdoor. Apple could too.
       
          grahamj wrote 3 days ago:
          This is why, while I applaud what Apple is doing here, they need to
          allow us to supply our own E2E encryption keys.
       
            vandahm wrote 2 days ago:
            But if you don't trust Apple, how to you get the key into the
            Secure Enclave to begin with? Doesn't Apple control the software on
            your device that provides the interface into the Secure Enclave
            from outside of it?
       
              grahamj wrote 2 days ago:
              Yes Apple controls the device so you're right, you can never be
              sure what it's doing. My thinking is that an encryption backdoor
              means the key generation algo is compromised. In that case you
              want to bypass that by generating the key yourself.
              
              If the backdoor is some other method of getting your key off the
              device then all bets are off.
       
            shuckles wrote 3 days ago:
            That’s literally what the feature they’re removing did.
       
              kbolino wrote 3 days ago:
              Not exactly. It generates the keys for you and stores them on
              device in the Secure Enclave. You cannot "bring your own"
              encryption key, but the primary benefit of doing so--that Apple
              does not have access to it--is intentionally accomplished anyway
              by the implementation.
       
                shuckles wrote 3 days ago:
                I’m not sure I appreciate the value of literally bringing
                your own keys. My device generating them on my behalf as part
                of a setup process seems sufficient. You’d use openssl or
                something and defer to software to actually do keygen no matter
                what.
       
                  rkagerer wrote 3 days ago:
                  I agree it seems sort of academic at first blush, but I'm
                  going to venture a guess it's the idea that you own them,
                  instead of Apple.
                  
                  So you can eg. keep a backup on your own (secure)
                  infrastructure.  Transfer them when switching devices or even
                  mirror on two different ones*.    Extract your own secret
                  enclave contents.  Improve confidence they were generated
                  securely.  And depending on implementation, perhaps reduce
                  the ease with which Apple might "accidentally" vacuum the
                  keys up as a result of an update / order.
                  
                  *Not sure how much these two make sense in the iOS ecosystem.
                   I know on the Android side I'd absolutely love to maintain a
                  "hot standby" phone that is an exact duplicate of my daily
                  driver, so if I drop it in the ocean I can be up and running
                  again in a heartbeat with zero friction (without need to
                  restore backups, reliance on nerfed backup API's outside the
                  ones Google uses, having to re-setup 2FA, etc. and without
                  ever touching Google's creepy-feeling cloud).
       
                    kbolino wrote 3 days ago:
                    You would need to have a completely trusted software and
                    hardware stack to actually own the keys. And that is
                    already hard enough to get on a PC where ownership still
                    means something, it is not going to happen on most mobile
                    devices. To whatever extent you trust any of the stack
                    already, the Secure Enclave is a better bet than BYOK. The
                    real risk, as you imply, is if Apple is able to compromise
                    the security coprocessor with an OTA firmware update, but
                    they can definitely already push a regular OS update that
                    exfiltrates any key you type in.
       
                      codedokode wrote 2 days ago:
                      Just make an airgapped Linux device on a DYI FPGA CPU.
                      This part is not that difficult comparing to persuading
                      commercial vendors let you use your own cloud and your
                      own encryption/backup mechanisms.
       
                        rkagerer wrote 2 days ago:
                        Yeah... unfortunately it ought to be the other way
                        around.  They should have a hard time pursuading us to
                        trust them enough to use theirs.
                        
                        If your phone company asked you to give them the key to
                        your house, in perpetuity, how would you feel about
                        that?  (Particularly if they insisted you sign a 15
                        page Terms of Use first that disclaims all their
                        liability if anything goes missing).
       
                  grahamj wrote 3 days ago:
                  It depends what kind of backdoor the UK is asking for but
                  "encryption backdoor" sounds like cryptographic compromise. I
                  don't know if that's what it means but either way the only
                  way to be sure your keys are secure is to generate them
                  yourself.
       
                    kbolino wrote 3 days ago:
                    BYOK does not provide any additional security over the
                    Secure Enclave (and similar security coprocessors). In
                    fact, unless the Secure Enclave were to directly accept
                    your input and bypass the OS, BYOK is worse because the
                    software can just upload your key to a server as soon as
                    you type it in. Whereas, a key generated on the Secure
                    Enclave stays there, because there exists no operation to
                    export it.
       
                      grahamj wrote 2 days ago:
                      I don't believe it's the SE itself that encrypts user
                      data so it must already be the case that the key is
                      generated outside the SE, sent to it for storage, and is
                      retrieved if the user is authenticated.
                      
                      So the difference between Apple generating the key on
                      device and storing it in the SE and the user generating
                      it and storing it in the SE is that the user can use a
                      known-secure key generation algo. If Apple generates the
                      key you can't be sure it's cryptographically secure and
                      doesn't have a backdoor.
       
                        shuckles wrote 2 days ago:
                        The SE’s AES engine line encrypts and decrypts data
                        to flash, and the SEP is responsible for generating all
                        keys.
                        
                        At this point, the people who claim they can’t trust
                        Apple’s key generation should also distrust Intel or
                        AMD or any other vendor’s key generation as well.
                        Might as well generate keys by hand.
       
          nottorp wrote 3 days ago:
          >  have an Android device beside me that regularly asks me to back my
          device up to the cloud
          
          But is that backup encrypted? If it's not, all they need is  to
          access your data.
          
          This is about having access to backups that are theoretically
          encrypted with a key Apple doesn't have?
          
          > We're talking about the largest back door I've ever heard of.
          
          Doesn't the US have access to all the data of non US citizens whose
          data is stored in the US without any oversight?
       
            93po wrote 3 days ago:
            i think people focus on whether backups are encrypted too much. it
            really doesn't matter when the government has remote access
            equivalent to your live phone when it's in an unencrypted state,
            which they almost certainly do.
       
            noinsight wrote 3 days ago:
            > non US citizens whose data is stored in the US
            
            They don't even care where it's stored...
            
            See: CLOUD Act [1]
            
   URI      [1]: https://en.wikipedia.org/wiki/CLOUD_Act
       
              autoexec wrote 3 days ago:
              I honestly doubt they even limit themselves to the data of non-US
              citizens. They have no respect at all for the fourth amendment.
       
            crimsoneer wrote 3 days ago:
            Android data isn't encrypted at rest (or at least not in a way
            Google doesn't have the key). If the uk gov has a warrant, they can
            ask Google to provide your Google Drive content. The whole point of
            this issue is Apple specifically designed ADP so they couldn't do
            that.
       
              Gatorguy wrote 2 days ago:
              Wrong. Google Android user cloud backups are E2EE by
              default.There is no option to opt out. Use Google's backup
              service and your data is encrypted at rest, in transit, and on
              device. aka end-to-end.
              
              It's not just Google saying it. Google Cloud encryption is
              independently verified
       
              sunshowers wrote 3 days ago:
              Android backups are encrypted at rest using the lockscreen PIN or
              passphrase: [1] So not hugely secure for most people if they use
              4-6 decimal digits, but possible to make secure if you set a
              longer passphrase.
              
              I don't know what Google's going to do about this UK business.
              
              edit: Ah it looks like they have a Titan HSM involved as well.
              Have to take Google's word for it, but an HSM would let you do
              rate limits and lockouts. If that's in place, it seems all right
              to me.
              
   URI        [1]: https://developer.android.com/privacy-and-security/risks...
       
                autoexec wrote 3 days ago:
                I wonder how hard it would be for the US government to force
                Google to just get the lockscreen pin off of your device or for
                them to just infect your device with something to capture it
                themselves.
       
            squeaky-clean wrote 3 days ago:
            > But is that backup encrypted? If it's not, all they need is  to
            access your data.
            
            Based on them mentioning the difficulty of opting out, I presume
            OOP does not use Google's cloud backup.
       
            mtrovo wrote 3 days ago:
            > Doesn't the US have access to all the data of non US citizens
            whose data is stored in the US without any oversight?
            
            Totally agree. Having this discussion so US centred just makes us
            miss the forest for the trees. Apart from data owned by US
            citizens, my impression is that data stored in the US is fair game
            for three letter agencies, and I really doubt most companies would
            spend more than five minutes agreeing with law enforcement if asked
            for full access to their database on non-US nationals.
            
            Also, remember that WhatsApp is the go-to app for communication in
            most of the world outside the US. And although it's end-to-end
            encrypted, it's always nudging you to back up your data to Google
            or Apple storage. I can't think of a better target for US
            intelligence to get a glimpse of conversations about their targets
            in real time, without needing to hack each individual phone. If
            WhatsApp were a Chinese app, this conversation about E2E and backup
            restrictions would have happened a long time ago. It's the same on
            how TikTok algorithm suddenly had a strong influence on steering
            public opinion and instead of fixing the game we banned the player.
       
              wkat4242 wrote 2 days ago:
              This is different IMO. When you buy Apple you buy an American
              product and you know the company is beholden to US law. Snowden
              has made perfectly clear how much they can be trusted. When you
              buy it anyway it's an informed choice.
              
              Here a country that has no ties with most of apple's customers is
              just butting in and claiming access to all of them.
              
              So what's next. Are we also giving access to everyone's data to
              Russia? Iran?
       
              SJC_Hacker wrote 3 days ago:
              > Totally agree. Having this discussion so US centred just makes
              us miss the forest for the trees. Apart from data owned by US
              citizens, my impression is that data stored in the US is fair
              game for three letter agencies, and I really doubt most companies
              would spend more than five minutes agreeing with law enforcement
              if asked for full access to their database on 
              ̶n̶o̶n̶-̶U̶S̶ ̶n̶a̶t̶i̶o̶n̶a̶l̶s̶ anyone.
       
              mox1 wrote 3 days ago:
              International users that have Advanced Protection enabled would
              in theory be safe from all of the 3-letter agencies (like safe
              from those agencies getting the data from Apple...not safe
              generally).
              
              Realistically we are talking about FISA here, so in theory if the
              FBI gets a FISA court order to gather "All of the Apple account
              data" for a non-us person, Apple would either hand over the
              encrypted data OR just omit that....
              
              Based on the stance Apple is taking here, its reasonable to
              assume they would do the same in the US (disable the feature if
              USG asked for a backdoor or attempted to compel them to decrypt)
       
                nickburns wrote 3 days ago:
                > its reasonable to assume they would do the same in the US
                (disable the feature if USG asked for a backdoor or attempted
                to compel them to decrypt)
                
                I think it's more likely that Apple would challenge it in US
                courts and prevail. Certainly a legal battle worth waging,
                unlike in the UK.
       
                  GeekyBear wrote 3 days ago:
                  This has already happened, and Apple did fight it in the US
                  courts.
                  
                  Eventually the US government withdrew their demand.
                  
   URI            [1]: https://en.m.wikipedia.org/wiki/Apple%E2%80%93FBI_en...
       
                    autoexec wrote 3 days ago:
                    It's worth pointing out that just because the FBI didn't
                    have the access they wanted, it doesn't mean that other
                    agencies don't, or that the FBI couldn't get the data they
                    wanted by other means (which was exactly what they ended up
                    doing in that specific case). It just means that they
                    wanted Apple to make it easier for them to get the data.
                    
                    It's good that Apple refused them, but I wouldn't count
                    that as evidence that the data is secure from the US
                    government.
       
                      GeekyBear wrote 2 days ago:
                      It's also worth noting that the US courts have long held
                      that computer code is speech.
                      
                      Apple's legal argument that the government's demand that
                      they insert a backdoor into iOS was tantamount to
                      compelled speech (in violation of the first amendment)
                      was going over a little too well in court.
                      
                      The Feds will often find an excuse to drop cases that
                      would set a precedent they want to avoid.
       
                    nickburns wrote 3 days ago:
                    Exactly.
                    
   URI              [1]: https://en.wikipedia.org/wiki/Apple%E2%80%93FBI_en...
       
                mtrovo wrote 3 days ago:
                Would your answer be the same if this encrypted data was stored
                in China instead of US?
                
                I don't think messages should ever leave the device, if you
                want to migrate to a different device this could be covered by
                that user flow directly. Maybe you want to sync media like
                photos or videos shared on a group chat and I'm fine with that
                compromise but I see more risks than benefits on backing up
                messages on the cloud, no matter if it's encrypted or not.
       
                  r3trohack3r wrote 3 days ago:
                  I think the average human will disagree with you. They want
                  to preserve their data and aren't technically competent and
                  organized enough to maintain their own backups with locally
                  hosted hardware. Even the technically literate encourage
                  _offsite_ backups of your data.
                  
                  Know your threat model and what actions your trying to defend
                  against.
                  
                  Typical humans need trusted vendors that put in actual effort
                  to make themselves blind to your personal data.
       
              causal wrote 3 days ago:
              Agree in principle, though WhatsApp backups are encrypted with a
              user provided password, so ostensibly inaccessible to Google or
              whoever you use as backup
       
                scripturial wrote 2 days ago:
                What makes you think WhatsApp backups don’t have a secondary
                way to unlock the encryption key? Wouldn’t it be more logical
                to assume the encryption key for whatsapp backups can also be
                unlocked by an alternate “password”
                
                If the US is willing to build an entire data center in Outback
                Australia to allow warrantless access to US citizen data, why
                wouldn’t they be forcing WhatsApp backups to be unlockable?
       
            burnerthrow008 wrote 3 days ago:
            > Doesn't the US have access to all the data of non US citizens
            whose data is stored in the US without any oversight?
            
            Er, no...?  I'm not sure where you get that idea.  Access requires
            a warrant, and companies are not compelled to build systems which
            enable them to decrypt all data covered by the warrant.
            
            See, for example, the Las Vegas shooter case, where Apple refused
            to create an iOS build that would bypass iCloud security.
       
              nottorp wrote 3 days ago:
              I asked if your Android backup is encrypted. Implies I'm talking
              about unencrypted data.
              
              > See, for example, the Las Vegas shooter case
              
              I am not in Las Vegas or anywhere else in the US. So as far as i
              know all the data about me that is stored in the US is easily
              accessible without a warrant unless it's encrypted with a key
              that's not available with the storage.
              
              > companies are not compelled to build systems which enable them
              to decrypt all data covered by the warrant
              
              Again, not what I was talking about.
              
              I'm merely pointing out that your data is not necessarily
              encrypted, and that the "rest of the world" was already
              unprotected vs at least one state. The UK joining in would just
              add another.
       
                spankalee wrote 3 days ago:
                > all the data about me that is stored in the US is easily
                accessible without a warrant
                
                No, law enforcement needs a warrant to legally access any data.
                This is why Prism was illegal, and why companies like Google
                are pushing back against overly broad geofence search warrants.
       
                  fdb345 wrote 3 days ago:
                  All Encrochat evidence was illegal in at least three
                  different ways.   UK Law enforcement didn't care.    They
                  just lied.
       
                    multjoy wrote 3 days ago:
                    No it wasn't.
                    
                    The Dutch cracked and wiretapped it. It has been held not
                    to be intercept evidence per RIPA so capable of being used
                    in evidence.
                    
                    Most went guilty because they caught red-handed in the most
                    egregious criminality you've seen.
                    
                    Encro was designed to enable and protect criminal
                    communications. It had no redeeming public value.
       
                  alt227 wrote 3 days ago:
                  > This is why Prism was illegal
                  
                  Yet it still existed, and was used for surveillance by 3
                  letter agencies. Why do you think this is any different?
       
                    somenameforme wrote 3 days ago:
                    No idea why the two of you are using past tense. PRISM is
                    still very much alive and well.
       
                GeekyBear wrote 3 days ago:
                This is why Apple, and more recently Google, create systems
                where they don't have access to your unencrypted data on their
                servers.
                
                > Google Maps is changing the way it handles your location
                data. Instead of backing up your data to the cloud, Google will
                soon store it locally on your device. [1] You can't be forced
                to hand over data on your servers that you don't have access
                to, warrant or no.
                
                The UK wants to make this workaround illegal on an
                international basis.
                
   URI          [1]: https://www.theverge.com/2024/6/5/24172204/google-maps...
       
                  Gatorguy wrote 2 days ago:
                  Small correction.
                  
                  Google had "created a system where they don't have access to
                  your data on their servers" a couple of years BEFORE Apple.
                  Android 10 introduced it in 2019.
       
                    GeekyBear wrote 2 days ago:
                    Google didn't announce plans to stop storing a copy of user
                    location data on their servers until the middle of last
                    year.
                    
                    See the story linked above.
                    
                    They didn't announce that they could no longer access user
                    location data on their servers to respond to geofence
                    warrants until the last quarter of 2024.
       
                      Gatorguy wrote 2 days ago:
                      We're talking iCloud and data encryption compared to
                      Google's Android Cloud E2EE, and you're doing maps.
       
                        GeekyBear wrote 2 days ago:
                        Were talking about protecting your personal data from
                        government overreach, and Google's entire business
                        model is to collect as much of your personal data as
                        possible and store it on their servers to make ad sales
                        more profitable.
                        
                        Apple does its best not to collect personal data in the
                        first place.
       
                  pmontra wrote 3 days ago:
                  > You can't be forced to hand over data on your servers that
                  you don't have access to, warrant or no.
                  
                  But you can be forced to record and store that data even if
                  you don't want to.
       
                    GeekyBear wrote 3 days ago:
                    Which is why Apple takes the stance that the users device
                    shouldn't be sending data to the mothership at all, if it
                    isn't absolutely necessary.
                    
                    Compare Apple Maps and Google Maps.
                    
                    Google initially hoovered up all your location data and
                    kept it forever. They learned from Waze that one use case
                    for location data was keeping your map data updated.
                    
                    Apple figured out how to accomplish the goal of keeping map
                    data updated without storing private user data that could
                    be subject to a subpoena.
                    
                    > “We specifically don’t collect data, even from point
                    A to point B,” notes Cue. “We collect data — when we
                    do it — in an anonymous fashion, in subsections of the
                    whole, so we couldn’t even say that there is a person
                    that went from point A to point B.
                    
                    The segments that he is referring to are sliced out of any
                    given person’s navigation session. Neither the beginning
                    or the end of any trip is ever transmitted to Apple.
                    Rotating identifiers, not personal information, are
                    assigned to any data sent to Apple... Apple is working very
                    hard here to not know anything about its users.
                    
   URI              [1]: https://techcrunch.com/2018/06/29/apple-is-rebuild...
       
                      acka wrote 2 days ago:
                      Google or Apple could be forced by authorities to perform
                      correlation on the map tiles being requested by users
                      under investigation. Not as accurate as GPS coordinates
                      but probably useful nonetheless.
                      
                      One more reason to prefer offline maps for those who
                      value privacy.
       
                        GeekyBear wrote 2 days ago:
                        Given that you can browse map data for any location,
                        not just where you happen to be, I'm betting that
                        triangulation data from your carrier would be more
                        accurate.
       
                          acka wrote 2 days ago:
                          Sure, triangulation of carrier signals could lead to
                          more accurate position estimates, but if the carrier
                          isn't based in the US they are under no obligation to
                          make this data available to US authorities.
                          
                          Apple and Google are based in the US so are bound by
                          the CLOUD Act to provide any and all data they have
                          upon request, no matter where in the world it is
                          being collected or stored.
       
                skydhash wrote 3 days ago:
                People always overestimate how much companies will defy their
                government for you, legally or otherwise.
       
          sameermanek wrote 3 days ago:
          Feels like marvel was onto something with captain america and winter
          soldier.
       
            dmonitor wrote 3 days ago:
            The real prescient threat in that movie was the predictive AI
            algorithm that tracked individual behaviors and identified
            potential threats to the regime. In the movie they had a big
            airship with guns that would kill them on sight, but a more
            realistic threat is the AI deciding to feed them individualized
            propaganda to curtail their behavior. This is the villain's plot in
            Metal Gear Solid 2, which is another great story.
            
            This got me thinking about MGS2 again and rewatching the colonel's
            dialogue at the end of the game: [1] > Your persona, experiences,
            triumphs, and defeats are nothing but byproducts. The real
            objective was ensuring that we could generate and manipulate them.
            
            It's really brilliant to use a video game to deliver the message of
            the effectiveness of propaganda. 'Game design' as a concept is just
            about manipulation and hijacking dopamine responses. I don't think
            another medium can as effectively demonstrate how systems can
            manipulate people's behavior.
            
   URI      [1]: https://www.youtube.com/watch?v=eKl6WjfDqYA
       
            pplante wrote 3 days ago:
            Life is imitating too many dystopian books, movies, etc these days.
            I think we need to put an end to all creative works before the
            timeline becomes irrecoverably destroyed.
       
              dingdingdang wrote 3 days ago:
              The /s is strong with this one.
       
              Arubis wrote 3 days ago:
              I suspect you’re being flippant, but destruction of and
              restrictions on creative works as an _antidote_ to dystopia is a
              take I haven’t seen before.
       
                pplante wrote 3 days ago:
                Yes, I am being very flippant.    Sometimes we need to jest in
                order to digest reality.
       
              ekm2 wrote 3 days ago:
              Banning art?
       
                immibis wrote 2 days ago:
                Burning books, more specifically. Can't be a dystopia if nobody
                knows what the word "dystopia" means *taps forehead*
       
        Jigsy wrote 3 days ago:
        I don't like Apple, nor do I use any of their products, but as someone
        from the UK, I do respect them for doing this.
        
        Now if only the other companies who said they'd leave would grow a
        backbone...
       
        ranger_danger wrote 3 days ago:
        The beginning of the end. A sad day for Brits
       
        cgcrob wrote 3 days ago:
        Removed all my stuff from iCloud about a month ago in preparation for
        this.
       
        pyuser583 wrote 3 days ago:
        How does this affect me if I travel to the UK with an E2E encrypted
        IThing?
       
          bananapub wrote 3 days ago:
          not at all
       
        tome wrote 3 days ago:
        I'm confused.  I thought iCloud was end-to-end encrypted anyway, and
        I've never heard of ADP before.  Is ADP encryption at rest, whereas
        normal iCloud storage is only encrypted from the device to the server?
       
          jamesmotherway wrote 3 days ago:
          See the "Data categories and encryption" section:
          
          "The table below provides more detail on how iCloud protects your
          data when using standard data protection or Advanced Data
          Protection."
          
   URI    [1]: https://support.apple.com/en-us/102651
       
          dmix wrote 3 days ago:
          The only difference is Apple doesn't hold the encryption keys when
          you use ADP.
          
          In both cases it's encrypted in transit and at rest.
       
            tome wrote 3 days ago:
            TIL that Apple holds the keys to my iCloud encrypted data!
       
              burnerthrow008 wrote 3 days ago:
              Yes, otherwise, how would the web interface (iCloud.com) work?
       
                blitzar wrote 2 days ago:
                Or account recovery
       
              AlanYx wrote 3 days ago:
              For most of it, yes. There are exceptions, e.g., Health and
              Keychain, for which Apple does not have the keys even without ADP
              enabled.
       
        b800h wrote 3 days ago:
        What happens if you're an international traveller?
       
          SXX wrote 3 days ago:
          This will likely depend on your primary account region.
          Apple can't just turn off E2EE on existing account nilly willy.
       
            A4ET8a8uTh0_v2 wrote 3 days ago:
            << Apple can't just turn off E2EE on existing account nilly willy.
            
            If they are able to, then then can be compelled. Do you mean
            won't/wouldn't?
       
              buildbot wrote 3 days ago:
              “Apple said it will issue additional guidance in the future to
              affected users and that it "does not have the ability to
              automatically disable it on their behalf."”
              
              From
              
   URI        [1]: https://www.macrumors.com/2025/02/21/apple-pulls-encrypt...
       
              SXX wrote 3 days ago:
              They can break a sync on server-side for your account.
              
              They can't disable it on device though.
       
                int_19h wrote 3 days ago:
                They control the software running on your device, and said
                software ultimately has access to the encryption keys stored
                there (subject to the usual hoops; e.g. it might need you to do
                a FaceID unlock first, but it's not like you aren't already
                doing that many times every day).
       
        v3xro wrote 3 days ago:
        Very disappointed with this, but I think will be finding alternatives.
        
        Family sharing especially of Reminders is a hard one - we use lists for
        grocery shopping and it is extremely convenient.
        
        Has anyone tried out Ente [1] for photos?
        
   URI  [1]: https://ente.io/
       
        vroomvroomboom wrote 3 days ago:
        It's the right decision. Don't bow to the government, let the people
        demand it from their leaders, and vote in new ones.
       
          v3xro wrote 3 days ago:
          Yes, countries lacking in proportional representation and having
          obscure procedures like proroguing parliament are the best at
          listening to important but fairly obscure issues from their voters.
       
        vroomvroomboom wrote 3 days ago:
        It's the right choice: don't bow to government pressure, let the people
        pressure the government.
       
          madeofpalk wrote 3 days ago:
          This is Apple condeeding. Apple lost. UK Government got (almost) what
          they wanted - a backdoor into iCloud accounts.
          
          Apple's only consolation prize is that its limited to UK users for
          now. But it seems inevitable that ADP will gradually be made illegal
          all around the world.
       
            jahewson wrote 3 days ago:
            Given that they’ve only prevented new signups it looks to me more
            like Apple is trying to apply pressure to the U.K. government to
            get them to back down. The law that permits this was passed in 2016
            so the situation was default lost already.
       
              alt227 wrote 3 days ago:
              They have said all existing ADP enabled accounts will be disabled
              or deleted in time. They need to give people time to migrate
              their data out before they nuke it.
       
          Molitor5901 wrote 3 days ago:
          NO, it's the wrong choice. Most people do not understand this stuff
          enough to truly care about, and they just want their devices to work.
          This is an awful decision by Apple. There's really nothing consumers
          can do to pressure the British government.
       
            afthonos wrote 3 days ago:
            Consumers being unable to pressure government, even if true, does
            not imply this is a bad decision.
       
              Molitor5901 wrote 3 days ago:
              It's a terrible decision that will have grave ramifications. I
              see no positive to this action.
       
          miroljub wrote 3 days ago:
          How?
          
          In the UK, there's no right to bear arms, so people are pretty
          helpless against their oppressing government.
       
            blitzar wrote 2 days ago:
            We could try the American way, bear our arms and shoot up a school,
            but I don't see how that will help.
       
            mr_toad wrote 3 days ago:
            > In the UK, there's no right to bear arms, so people are pretty
            helpless against their oppressing government.
            
            When people want to revolt it doesn’t seem like the right to bear
            arms has much to do with it.  Not having the right to bear arms
            certainly hasn’t stopped countless rebellions and revolutions
            across the world.  It’s not like the French of the Russians had a
            right to bear arms before their successful revolutions.
            
            Even in the UK, the lack of a right to bear arms didn’t stop
            Cromwell using firearms to defeat Charles II at the Battle of
            Worcester.
       
            fdb345 wrote 3 days ago:
            I just dont interact with the government or British society at all.
              I have turned my back on it.
            
            If they ever come to my door I'll either go postal or leave the
            country.
            
            Its so bad here now.
       
              pinoy420 wrote 1 day ago:
              Cool LARP bro
       
            emorning3 wrote 3 days ago:
            Guns are an inefficient/stupid way to kill people anyway.
            
            Just ask Russia and Ukraine.
            
            Look around, human beings are quite clever.
       
            quickthrowman wrote 3 days ago:
            Small arms are no match for drones and a fully armed military, a
            successful rebellion by any populace against a first world military
            is impossible unless the military lays their arms down voluntarily,
            full stop.
       
              filoleg wrote 3 days ago:
              Every time this argument comes up, I just feel like rolling eyes,
              it is so overplayed.
              
              Yes, in a direct confrontation and an all out war, the populace
              stands no chance against the US military (assuming the military
              will unwaveringly side against the populace), no argument there.
              
              But an all out war is not an option, the government wouldn’t be
              trying to pulverize an entire nation and leave a rubble in place.
              If you completely destroy your populace and your cities in an
              all-out direct war, you got no country and people left to govern.
              It is all about subjugation and populace control. You can’t
              achieve this with air strikes that level whole towns.
              
              Similarly, if the US wanted to “win” in Afganistan by just
              glassing the whole region and capturing it, that would be rather
              quick and easy (from a technical perspective, not from the
              perspective of political consequences that would follow). Turns
              out, populace control and compliance are way more tricky to
              achieve than just capturing land. And while having overwhelming
              firepower and technological advantage helps with that, it isn’t
              enough.
       
                quickthrowman wrote 3 days ago:
                A first world military that has remotely piloted drones with IR
                cameras and other surveillance tools will have no problem
                crushing any form of resistance. They don’t even need to
                field any troops, they can remotely kill the rebels. How on
                earth do you wage a rebellion against such a force?
       
                bloqs wrote 3 days ago:
                I roll my eyes when I see this blissfully naive LARP/mallninja
                imagined scenario, but I do have to remind myself that the US
                was founded on the basis of forming a milita etc. and I would
                probably say the same thing if I had that upbringing. You
                forget that the vast majority of people are stupid and easily
                scared (this is not a solvable problem)
                
                Help me out - how can policing possibly work if no one is
                legally required to be policed? You just end up with murderers,
                rapists etc. expressing their right to "resist" with arms like
                in spaghetti westerns. It is totally symbolic, and would
                crumble at the first instance of serious government interest of
                arresting 'troublemakers', which would of course start with a
                well crafted PR campaign to get the rest of the public on their
                side. I think it's naive.
       
                  jahewson wrote 3 days ago:
                  This feels like a strawman because you’re only
                  hypothesizing a situation in which it wouldn’t work well.
                  
                  Imagine a dark future with a sudden military coup by a small
                  faction of extreme radicals that 85% of the population
                  opposes. could enough citizens rise up and stop them? Could
                  the calculus of being that coup leader be changed by the
                  likelihood that they will be assassinated in short order, by
                  one of millions of potential assassins? Quite possibly. These
                  are not everyday concerns, of course, but the concerns of
                  dark and dangerous times. It’s a bit like buying life
                  insurance: hopefully I never need it.
       
              protonbob wrote 3 days ago:
              Rebels are able to use techniques that a government never could
              or would. I think you underestimate the usefulness of small arms
              in guerilla warfare.
       
                quickthrowman wrote 3 days ago:
                I think you underestimate the lethality of remotely piloted
                drones with missiles and IR cameras and the futility of
                fighting against them.
       
                  protonbob wrote 2 days ago:
                  You can pretty easily build / buy these. Look at Ukraine.
                  Lots of their drones were just off the shelf. Jamming is
                  super directional and easy to spot so fighting forces use it
                  sparingly.
       
                  sillywalk wrote 3 days ago:
                  The Taliban would argue otherwise.
       
                gus_massa wrote 3 days ago:
                You underestimate the nasty things goverments have done.
       
            Molitor5901 wrote 3 days ago:
            Technically I guess you're right, but one hopes that the
            foundations of British democracy provide its citizens with the
            tools to fight against an oppressive government. The only rub is
            getting them to stand up and do that.
       
              jahewson wrote 3 days ago:
              Like what? Britain is a constitutional monarchy. Its foundations
              anticipated an oppressive king, not an oppressive parliament.
              Britain never had a revolution, it never had free speech to begin
              with. It seems to me that what made Britain successful in the
              past is maladaptive to its current situation.
       
            ornornor wrote 3 days ago:
            Because that’s working so well for the US
       
              cupcakecommons wrote 3 days ago:
              it's working really well, we don't get arrested for social media
              posts as far as I can tell
       
                ornornor wrote 3 days ago:
                If that’s the bar then I guess yes it’s a resounding
                success for freedom.
       
                  cupcakecommons wrote 3 days ago:
                  The UK seems to be actively covering up the mass rape of
                  little girls and throwing dissidents in prison. They've
                  sustained mass immigration for decades against their own
                  peoples' will. The US just shook off, at least in part, the
                  same mass immigration and the same clamping down of free
                  speech in the US. It's not the only bar, but I would
                  definitely consider it a resounding success. I can't help but
                  think the 1st and 2nd amendment play a part because the 1st
                  is obviously implicated and the 2nd is required to maintain
                  the 1st.
       
                    defrost wrote 3 days ago:
                    > The UK seems to be actively covering up the mass rape of
                    little girls
                    
                    They're doing the worst cover up ever given grooming gangs
                    and where they operate have been headlines in the UK for
                    decades.
                    
                    What they're not very good at is keeping the UK citizens at
                    large well informed with a realistic sense of proportion
                    given the scale of child sexual abuse far exceeds the
                    activities of grooming gangs.
       
                philipwhiuk wrote 3 days ago:
                 [1] [2] [3] Yes you do
                
   URI          [1]: https://www.justice.gov/usao-edny/pr/social-media-infl...
   URI          [2]: https://www.bbc.co.uk/news/articles/c86l4p583y6o
   URI          [3]: https://www.aljazeera.com/news/2021/1/19/holdindigenou...
       
                  jahewson wrote 3 days ago:
                  That’s not the same thing. You know what he means.
       
            basisword wrote 3 days ago:
            >> In the UK, there's no right to bear arms, so people are pretty
            helpless against their oppressing government.
            
            There's a right to bear arms in the US and it doesn't seem to be
            helping them with their oppressive government.
       
              grahamj wrote 3 days ago:
              It only works when the gun nuts aren’t on the side of the
              oppressors.
       
              cupcakecommons wrote 3 days ago:
              I feel like it's working pretty great
       
              protonbob wrote 3 days ago:
              Look into the Black Panthers. It actually does work quite
              effectively.
       
                throw16180339 wrote 2 days ago:
                The Mulford Act ( [1] ), a California gun control act that
                prohibits open carry, was originally passed back in the 60s to
                disarm the Black Panthers.
                
   URI          [1]: https://en.wikipedia.org/wiki/Mulford_Act
       
                bloqs wrote 3 days ago:
                You people cannot seriously be this poorly educated
       
                jahewson wrote 3 days ago:
                The fact that I can’t tell if this is a joke speaks volumes.
       
                ch4s3 wrote 3 days ago:
                Ahh yes the murders of Alex Rackley and Betty Van Patter, truly
                brave and revolutionary acts!
       
                krapp wrote 3 days ago:
                How? the Black Panthers were infiltrated and undermined by
                COINTELPRO and effectively destroyed from within, meanwhile the
                white supremacist capitalist system they fought against
                persists.
                
                Their biggest success as far as I know is starting free school
                lunches in the US, but that wasn't at gunpoint.
       
            krapp wrote 3 days ago:
            Weird. In the US there is a right to bear arms, yet people are also
            pretty helpless against their oppressing government.
       
              cupcakecommons wrote 3 days ago:
              Who do you know that's been arrested for posting on social media?
              I don't know of anyone.
       
                krapp wrote 3 days ago:
                True.
                
                American police will shoot people dead in the streets with
                impunity, the military industrial complex engages in constant
                wars regardless of popular sentiment and the American
                government is currently being carved up by neo-nazis and
                oligarchs but you can legally be racist on the internet. I
                guess it truly is the land of the free.
                
                Also... wait six months.
       
                  cupcakecommons wrote 3 days ago:
                  You're currently delusional in a very particular way and
                  that's fine. I'm looking forward to you finding your way and
                  things turning out much better than you expect (at least in
                  the US) in six months.
       
            saintfire wrote 3 days ago:
            I'm sure shooting at the government would have solved this privacy
            issue.
       
              Tostino wrote 3 days ago:
              Surprisingly, the people in the government don't much like being
              shot. See the reaction to the UHC CEO for an example.
       
                FergusArgyll wrote 2 days ago:
                This is a decent point.
                
                They're now getting investigated by the DOJ and their stock
                tanked
       
              marknutter wrote 3 days ago:
              It solved the taxation issue
       
                spacedcowboy wrote 3 days ago:
                As a green-card holder, it really didn't.
       
                krapp wrote 3 days ago:
                As far as I know Americans are still required to pay taxes, so
                no.
       
                  brink wrote 3 days ago:
                  We're working on it.
       
          ethagnawl wrote 3 days ago:
          > let the people pressure the government.
          
          Hopefully they will.
       
            basisword wrote 3 days ago:
            There was a lot of campaigning against the Investigatory Powers
            bill when it was introduced. It didn't help much given the people
            in power want more power regardless of where they sit on the
            political spectrum.
       
            tmjwid wrote 3 days ago:
            I can't imagine many here (UK) will really care, we've had multiple
            breeches of privacy imposed on us by the powers that be. - Removed
            incorrect assumption of this not being reported.
       
              alt227 wrote 3 days ago:
              I agree, have an upvote.
              
              Even though its making the media headlines today, 99% of UK
              citizens will forget this tomorrow and it will fade into the
              mists of time. Just like evey other security infringement that
              any government has imposed on its citizens.
       
              darrenf wrote 3 days ago:
              It's literally the number one story on [1] as I type this
              comment.
              
   URI        [1]: https://www.bbc.co.uk/news/
       
                gambiting wrote 3 days ago:
                And I guarantee that the reaction from most people will be
                "good, I have nothing to hide so I have nothing to worry
                about". The apathy around this stuff in the UK is unbelivable -
                I've been trying to point out that hey, for years now something
                like 17 government agencies(including DEFRA - department of
                agriculture lol) can access your internet browsing history
                WITHOUT A WARRANT and that's absolutely fine. ISPs are required
                to keep your browsing history for a year too. Again, nothing to
                hide, why would I worry about it.
       
                  spwa4 wrote 3 days ago:
                  The same is happening Europe-wide too. Everybody always
                  points to the GPDR legislation. You know what is a feature of
                  the GPDR too?
                  
                  Every European government (even some non-EU ones) can grant
                  any exception to anyone to the GPDR for any reason. And, of
                  course, every last one has granted an exception to the
                  police, to courts, to the secret service, their equivalent of
                  the IRS, and to government health care (which imho is a big
                  problem when we're talking mental health care), and when I
                  say government health care, note that this includes private
                  providers of health care, in other words insurances.
                  
                  Note: these GPDR exclusions includes denying patients access
                  to their own medical records. So if a hospital lies about
                  "providing you" with mental health treatment (which they are
                  incentivized to do, they get money for that), it can
                  helpfully immediately be used in your divorce. For you
                  yourself, however, it is conveniently impossible to verify if
                  they've done this. Nor can you ask (despite GPDR explicitly
                  granting you this right) to have your medical records just
                  erased.
                  
                  In other words. GPDR was explicitly created to give people
                  control over their own medical records, and to deny insurance
                  providers and the IRS access. It does the exact opposite.
                  
                  Exactly the sort of information I would like to hide, exactly
                  the people I would find it critical to hide it from. In other
                  words: GPDR applies pretty much only to US FANG companies ...
                  and no-one else.
                  
                  So: if you don't pay tax and use that money to pay for a
                  cancer treatment, don't think for a second the GPDR will
                  protect you. If you have cancer and would like to get
                  insured, the insurance companies will know. Etc.
       
                  genewitch wrote 3 days ago:
                  Does and of the doh or other DNS stuff help with this at all?
                  Is the only solution to VPN out of Europe?
       
                    DeepSeaTortoise wrote 3 days ago:
                    Only DNSCrypt provides any privacy. If you setup your
                    relays properly.
       
       
   DIR <- back to front page