        Hacker News on Gopher (inofficial)
       
       
       COMMENT PAGE FOR:
   URI   Apple pulls data protection tool after UK government security row
       
       
        UnreachableCode wrote 2 min ago:
        What is stopping me from using something like Proton in the same way?
        Why does the UK government simply make an example out of Apple on this
        one?
       
        giorgioz wrote 50 min ago:
        > Caro Robson said she believed it was "unprecedented" for a company
        "simply to withdraw a product rather than cooperate with a government".
        
        She believes wrong. Google retreated from the Chinese market to not
        give in. Apple stayed in China and also banned VPNs on App Stores for
        Chinese customers. Kudos to Apple for not giving in to a backdoor in
        this case but some other companies took an even higher moral stand in
        some other situations, so there is precedent indeed.
       
        MrCroxx wrote 2 hours 17 min ago:
        I'm drunk. No offense. Why our world ends up like this.
       
        oddb0d wrote 2 hours 32 min ago:
        Hopefully it'll spur growth of decentralised, distributed peer to peer
        mobiles like the new Holochain-based Volla Phone
        
   URI  [1]: https://volla.online/en/
       
        rhubarbtree wrote 4 hours 7 min ago:
        As a British citizen I am amazed at how much the government has invaded
        our privacy. I think it started after 9/11 when they first introduced
        terrorism laws and saw they could get away with it. I wonder if the
        ruling classes are nervous, given the state and direction of our
        economy and the inequality, as well as the iron grip a small part of
        the country has maintained on society. They are perhaps making
        preparations for a class revolt.
        
        Having said that, in practice to date the extraordinary powers the
        government has acquired are rarely used, eg to quell the race riots
        last year. It feels more like a risk for the future and that makes it
        harder to argue against now. One day this will hit the fan.
        
        I’m very curious, however, to see Americans criticise our government
        for its (mostly theoretical) overreach, whilst simultaneously the
        constitution of America is being torn to shreds by the actions of Musk
        and Trump, with some in the tech community even cheering on DOGE.
       
          yew wrote 1 hour 22 min ago:
          Hm. I see them as connected - "we must confront our problems
          domestically before we fight them abroad."
       
            rhubarbtree wrote 58 min ago:
            Please could you expand? I'm very confused by what's going on in
            the states, particularly the attitude in the tech community, so any
            clarity would be appreciated!
       
              yew wrote 25 min ago:
              Not particularly. The matter is no longer up for discussion.
              Silence and action are best.
       
        uni_baconcat wrote 5 hours 36 min ago:
        Write to local MP and Home Office. This is totally unacceptable.
       
        MagicMoonlight wrote 6 hours 49 min ago:
        They keep asking for more and more ridiculous powers, but then someone
        on a terrorist watchlist will go and stab a bunch of toddlers. They
        don’t need more powers, they need to just do their jobs.
       
        QuiEgo wrote 7 hours 54 min ago:
        The cloud is just someone else’s computer. If you really, really care
        about privacy, self host.
       
          AlgebraFox wrote 1 hour 11 min ago:
          That works for nerds like us. But my sister or my non tech friends
          don't have knowledge to self host. It is like asking a person to do a
          surgery on themselves when they don't have medical knowledge. E2E
          services are very crucial for such normal people.
          
          How long do you think for governments to make it illegal to self host
          or backdoor Linux builds? They have already gone too far by just
          asking backdoor to data of every single person on the planet. We
          should oppose such unethical laws rather than finding workarounds.
       
          Aachen wrote 4 hours 43 min ago:
          For those to whom that sounds scary: buy a regular consumer NAS. They
          run quite a few applications nowadays (besides being file storage as
          a base feature) and are meant to be setuppable by an average person
       
        vegabook wrote 7 hours 56 min ago:
        I live between France and the UK. How do I move my iCloud account out
        of Britain?
       
        retinaros wrote 8 hours 8 min ago:
        concessions after concessions we gave away our freedom. the axis of good
        is mostly responsible for this but the opposition also wanted to remove
        anonymity and freedom from the web.
        
        no one fought when the democrats called snowden or assange russian spies
        for revealing clinton corruption. they just blindly sided with their
        own corrupt political party and gave away freedom. just like previous
        govs censored trump, banned political opponents they created a
        precedent and opened the door to the end of freedom. it's now beyond
        politics, we should fight for the last moments of freedom we have
        before it's too late.
       
          Ylpertnodi wrote 2 hours 26 min ago:
          ...you go first. I'll applaud, and call everyone else over, if
          anything interesting happens.
       
        blufish wrote 8 hours 48 min ago:
        it's a shame
       
        aryan14 wrote 9 hours 55 min ago:
        Absolutely mental the kind of people that have power. Dealing with this
        like immature children.
        
        “We don’t get what we want? We ruin it for everyone.”
        
        Trying to backdoor a privacy feature for no real reason, just for the
        sake of having a backdoor. Pathetic
       
        sholladay wrote 10 hours 20 min ago:
        So many questions around this that need answering, such as:
        
        1. What happens if I have ADP enabled and then visit the UK? Will
        photos I take there still be E2E encrypted? If not, will I be notified?
        I realize that at the moment the answer is yes, that for now, they are
        only disabling ADP enrollment. But they are planning to turn it off for
        everyone in the UK in the future. So what happens then?
        
        2. If they make an exception for visitors, such as by checking the
        account region, then obviously anyone in the UK who cares about
        security will just change their account region - a small inconvenience.
        Maybe this will be a small enough group that the UK government
        doesn’t really care, but it could catch on.
        
        3. Is this going to be retroactive? It’s one thing to disallow E2E
        encryption for new content going forward, where people can at least
        start making different decisions about what they store in the cloud.
        It’s an entirely different thing for them to remove the protection
        from existing content that was previously promised to be E2E encrypted.
        When they turn off ADP for people who were already enrolled, how is
        their existing data going to be handled?
        
        This is bad news and it is going to be messy.
       
          sureIy wrote 3 hours 49 min ago:
          These are important questions, particularly 2 because even a layover
          in London or Dublin puts you under UK jurisdiction. So now you have
          to put that into account when traveling.
          
          The precedent here is China. I spent a few days in China and, as far
          as I know, my region is still  and ADP is still active.
       
            biztos wrote 1 hour 55 min ago:
            How does a layover in Dublin put you in UK jurisdiction?
            
            I have seen advice in big companies to only take a burner phone
            when going to China on business.  Perhaps the same will apply to
            the UK.
       
        6510 wrote 11 hours 28 min ago:
        Being locked into an ecosystem seems really nice.
        
        The problem is that you don't really know your future jailer.
       
        codedokode wrote 12 hours 58 min ago:
        This is a good reminder that the one who cares about privacy and
        security cannot rely on closed-source products from commercial
        companies; don't be deceived by marketing slogans.
       
        bigfatkitten wrote 13 hours 3 min ago:
        It's just a shame that Apple didn't include the contact details for
        the Home Office officials responsible as the place for inquiries
        regarding the matter.
       
        LAC-Tech wrote 13 hours 15 min ago:
        At some point, we need to stop being surprised at authoritarian
        countries doing authoritarian things.
        
        Here's hoping the inevitable regime change will be a peaceful one.
       
        willtemperley wrote 13 hours 25 min ago:
        What the UK government achieved:
        
        Lowering the data protection of its citizens in comparison to the rest
        of the world.
        
        I was under the impression governments were supposed to protect their
        citizens.
       
          bruce511 wrote 13 hours 12 min ago:
          >> Lowering the data protection of its citizens in comparison to the
          rest of the world. I was under the impression governments were
          supposed to protect their citizens.
          
          This depends on whether you see "citizens" as individuals or as a
          group.
          In other words it's possible that to improve the security (and thus
          protect) the majority, the rights of individual citizens need to be
          eroded.
          
          For example, to protect vulnerable citizens from crime (the cliche of
          child porn is useful here, but it extends to most-all crime) it's
          useful for prosecutors to be able to collect evidence against guilty
          parties. This means the erosion of some privacy of those
          parties.
          
          Thus the govt balances "group security" with "individual privacy". It
          has always been so. So to return to your original hypothesis;
          
          >> Lowering the data protection of its citizens in comparison to the
          rest of the world.
          ... and also, making it easier to detect and prosecute criminals, and
          thus protect the citizens from physical harm.
          
          Now, of course, whenever it comes to balancing one thing against
          another, there's no easy way to make everyone happy. We all want
          perfect privacy, coupled with perfect security. Some will say that
          they'll take more privacy, less security - others will take more
          security and less privacy. Where you stand on this issue of course
          depends on which side you lean.
          
          More fundamentally though there's a trust issue. Citizens (currently)
          do not trust governments. They assume that these tools can be used to
          harm more than just criminals. (They're not wrong.) If you don't
          trust the govt to act in good faith then naturally you choose privacy
          over security.
       
        ajdude wrote 14 hours 21 min ago:
        Related discussion:
        
        U.K. orders Apple to let it spy on users’ encrypted accounts
        (washingtonpost.com)
        762 points by Despegar 14 days ago | 1070 comments
        
   URI  [1]: https://news.ycombinator.com/item?id=42970412
       
        dk1138 wrote 14 hours 52 min ago:
        The more I live I’m less concerned about what are often described as
        “bad actors”. The bad actors are often the state, and this kind of
        information is collected without thought to the risk of future
        politicians who don’t follow the rules or who don’t have any
        respect for the laws.
       
          IceHegel wrote 8 hours 48 min ago:
          Through all history state security has been a thing. The Stasi and
          KGB are transparently state security forces to the West, but the CIA
          and MI5/6 are... what exactly?
          
          The primary purpose of these agencies, despite what has been written
          down on paper, is NOT to protect the citizens of the countries that
          fund them. It is to protect the system that taxes those citizens.
       
          wcerfgba wrote 14 hours 40 min ago:
          States are not inherently good, they are just large organisations
          with a monopoly on certain social functions. All large organisations
          have the capacity to inflict terrible harm.
       
        nisten wrote 15 hours 12 min ago:
        ok so while being AI safety concerned.. uk politicians go ahead and
        remove humanity's single logical control tool that they have to keep AI
        in check.. encryption maths.
        
        gg
       
        sneak wrote 16 hours 9 min ago:
        This is almost the status quo in the USA, given that nobody turns on
        the optional e2ee anyway.
       
        reader9274 wrote 16 hours 36 min ago:
        "Existing users' access will be disabled at a later date."
        
        Hmmm how? How can they decrypt your already end-to-end encrypted and
        uploaded data without you entering the passphrase to do so? I can
        understand them removing the data from iCloud completely, or asking you
        to send the keys to Apple, but I don't understand how they can disable
        the feature for already uploaded data.
       
          Aloisius wrote 15 hours 3 min ago:
          They will lock UK users out of iCloud until they manually disable
          ADP.
          
          When a user turns off ADP in settings, their device uploads the
          encryption keys to Apple servers.
       
          mu53 wrote 16 hours 30 min ago:
          I am going to say something a bit controversial around here, but all
          of this E2E and security stuff is just lip service for marketing to
          consumers.
          
          These companies have to comply with so many laws and want cozy
          relationships with governments, so they play both sides. It likely
          does things differently, but if the keys are not secure, then it's not
          secured
       
        keepamovin wrote 16 hours 37 min ago:
        They are not the first country to do this. Apple's advanced security
        features are rolled out non-uniformly across global markets. You get
        different capabilities, depending on where you are and where your
        account is resident, it would be great if there was a website that
        listed the countries and the security protections Apple provides in
        those countries.
       
        1vuio0pswjnm7 wrote 17 hours 31 min ago:
        This provides an incentive for Apple computer users to do the right
        thing: Stop storing sensitive data on Apple servers.  Unfortunately,
        due to Apple's pre-installed proprietary operating systems that phone
        home incessantly, that may be more challenging than it should be.
       
        sensanaty wrote 18 hours 28 min ago:
        Lol so much for the privacy-first Apple BS everyone keeps touting
        
        If they had any balls whatsoever they would've rejected this and pulled
        out of the UK, but of course money comes before anything else.
       
        EGreg wrote 18 hours 46 min ago:
        Why can't governments simply compel every software developer to create
        a backdoor, or go to jail?
        
        If even one government does it, then the backdoors exist globally. Here
        is an overview of the global situation:
        
   URI  [1]: https://community.qbix.com/t/the-global-war-on-end-to-end-encr...
       
        ein0p wrote 19 hours 2 min ago:
        How do you like your "liberal democracy", UK-ians? Is that democratic
        enough for you yet? Do you feel in control?
       
        mattfrommars wrote 19 hours 4 min ago:
        Could this be the catalyst for the rise of third party encryption
        companies that operate in UK? 
        Or perhaps, rise to third party self host E2E cloud solution?
        
        Only time will tell.
        
        I've already invested in USB storage :)
       
        edge17 wrote 19 hours 14 min ago:
        Are there non-icloud backup options? There used to be local encrypted
        backups through itunes, but I can't tell if that feature is still
        around.
       
          aqueueaqueue wrote 19 hours 1 min ago:
          iTunes but it is a PITA. Do a test backup restore too. It may not
          restore if the phone was nearly full (maybe 80%) when backed up.
       
        Zufriedenheit wrote 19 hours 26 min ago:
        Does Apple offer this type of encryption in China?
       
        ancorevard wrote 20 hours 2 min ago:
        Deep betrayal by Apple.
        
        "privacy is a fundamental human right" - Tim Cook.
       
        mmaunder wrote 20 hours 9 min ago:
        Not relevant to the Apple story but as a general comment on UK
        surveillance/search/detainment laws: Five Eyes means the US just needs
        to get their citizen into the UK for their partner to gain access that
        the US doesn't have to their citizen. The reciprocity possibilities are
        endless.
       
        SirMaster wrote 20 hours 27 min ago:
        Well this is double plus ungood...
       
        AutistiCoder wrote 20 hours 32 min ago:
        How many UK people who haven't heard of ADP will now enable it?
       
        anoncow wrote 21 hours 3 min ago:
        >Online privacy expert Caro Robson said she believed it was
        "unprecedented" for a company "simply to withdraw a product rather than
        cooperate with a government".
        
        That is such a self serving comment. If Apple provides UK a backdoor,
        it weakens all users globally. With this they are following the local
        law and the country deserves what the rulers of the country want. These
        experts are a bit much. In the next paragraph they say something
        ominous.
        
        >"It would be a very, very worrying precedent if other
        communications operators felt they simply could withdraw products and
        not be held accountable by governments," she told the BBC.
       
          rapjr9 wrote 16 min ago:
          This is actually an increasing concern, that large multinational
          companies are so powerful that they don't have to obey governments
          any more, and can instead blackmail them by withdrawing products. 
          Pornhub has done this in US states.  Meta has threatened to do it in
          various countries.  There has always been pushback to regulation from
          powerful companies, but punishing countries by withdrawing products
          seems to be used as a tactic more often recently.  There are other
          tools of power companies use as well, like deciding where to create
          jobs and build facilities.  Musk has used that, moving from
          California to Texas.  Defence and oil companies use these tactics
          also.
       
          throwaway106382 wrote 18 hours 23 min ago:
          >"It would be a very, very worrying precedent if other communications
          operators felt they simply could withdraw products and not be held
          accountable by governments,"
          
          This would actually be a very very very very VERY GOOD precedent if
          you ask me.
          
          Facebook pulled something similar when Canada passed the Online News
          Act and instead of extorting facebook to pay the media companies for
          providing a service to them (completely backasswards way to do
          things), they just pulled news out of Canada.    I despise Meta as a
          company, but I had to give them credit for not just letting the
          government shake them down.
          
          Good riddance.    Governments need to be reminded from time to time
          that they are, in fact, not Gods.  We can and should, just take our
          ball and go play in a different park or just go home rather than obey
          insane unjust laws.
       
            donbox wrote 13 hours 45 min ago:
            I love their products: whatsapp and facebook
       
              sandblast wrote 1 hour 46 min ago:
              Why?
       
          StanislavPetrov wrote 19 hours 1 min ago:
          >Online privacy expert Caro Robson
          
          Ironic to refer to her as a "privacy expert" given her open hostility
          to privacy.
       
          aqueueaqueue wrote 19 hours 24 min ago:
          "a product" and "cooperate" are doing so much work in that statement
          that they collapsed and look like ________ and ________
          
          They re-emerged as "security feature" "add vulns to security features
          to make it an insecurity feature"
       
          kelnos wrote 19 hours 54 min ago:
          It's also just false. Google pulled out of China many years ago
          because they didn't want to bow to the Chinese government's demands.
          
          And they didn't just withdraw a product, they withdrew their entire
          business.
       
            kshacker wrote 19 hours 3 min ago:
            I wonder what the impact of Apple withdrawing from China will be. I
            know we are talking about UK, but this made me think.
            
            Not only their sales will reduce, but hey Chinese manufacturing
            cuts down. By how much? Will it be impactful? I would think so but
            wonder if it is quantifiable.
       
              sneak wrote 16 hours 8 min ago:
              Almost all iPhones are made in China.  They cannot pull out
              without shutting down.
              
              They make on average 60,000 ios devices there every hour, 24
              hours a day, 365 days a year.
       
                samldev wrote 12 hours 55 min ago:
                Your math adds up to 525,600,000 iOS devices per year. That
                can't possibly be right
       
                  helloplanets wrote 10 hours 40 min ago:
                  > In 2023, Apple shipped 234.6 million iPhones, capturing
                  20.1% market share and growing 3.7% year over year, according
                  to IDC data. [0]
                  
                  So, probably not 525.6 million iOS devices a year, but safe
                  to assume it's going to be 300+ million for 2025.
                  
                  35k devices an hour, give or take.
                  
                  [0]:
                  
   URI            [1]: https://www.forbes.com/sites/johnkoetsier/2024/01/16...
       
                    medwezys wrote 1 hour 47 min ago:
                    Apple has more devices than iPhones, so the OP's numbers are
                    not unbelievable
       
          boxed wrote 19 hours 55 min ago:
          Governments forcing companies from other countries to do business in
          their country seems like the worrying precedent to me.
       
          yunesj wrote 20 hours 20 min ago:
          Fake privacy experts like Caro Robson need to be held accountable.
       
            Aachen wrote 5 hours 29 min ago:
            I often notice journalistic pieces interview people and then use
            maybe 30 seconds' worth of material from a 20-minute interview. The
            "expert" could have condemned it in any number of ways until the
            topic of applying data protection laws came up and she said that
            companies need to be held accountable (could be about GDPR, could
            be about snooping laws) which the journalist then quoted, not out
            of malice but because everyone already condemns it and this is the
            most interesting statement of the interview
            
            Anyway, so while I don't think we should condemn people based on
            such a single quoted sentence... I took a look at her website and
            the latest video reveals at 00:38 that she worked for the UK crime
            agency, which does sound like one of the greatest possible
            conflicts of interest for someone called upon for privacy matters
            rather than crime fighting. Watching the rest of that interview,
            she approaches it fairly objectively but (my interpretation of) her
            point of view seems to be on the side of "even with this backdoor,
            a warrant needs issuing every time they use it and so there's
            adequate safeguards and the UK crime fighters and national security
            people should just get access to anything they can get a warrant
            for"
       
              mistercow wrote 4 hours 8 min ago:
              Assuming you’ve framed it fairly, that’s a pretty atrocious
              point of view for someone calling themselves a privacy expert to
              hold. A privacy expert should know that backdoors are dangerous
              to privacy even if you trust the people who are supposed to have
              the keys.
       
        cluckindan wrote 21 hours 17 min ago:
        The UK backdoor means US and other FVEY states are able to freely
        request any person’s private data from GCHQ.
       
        ianopolous wrote 21 hours 19 min ago:
        If anyone’s looking for open-source, self-hostable, E2EE storage then
        check out Peergos (disclaimer: lead here):
        
   URI  [1]: https://peergos.org
       
        -__---____-ZXyw wrote 21 hours 22 min ago:
        Workers in tech jobs over the past few decades are the ones who are
        primarily to blame for the total degradation of the very notion of
        privacy, and our societies are, I think, reaping the consequences of
        this now in many ways.
        
        This story didn't spring up out of nowhere, like a monster from under
        the bed. It's been a gradual decline since, let's say, the 90s or so.
        
        I don't want to be vulgar, but the people who understood the best what
        was happening were mostly too busy taking large paychecks to get too
        upset about the whole thing. It got explained away, rationalised, joked
        about, and here we are.
       
          mihaaly wrote 20 hours 25 min ago:
          Easier to push away the blame for a foot soldier, claiming to do
          things on orders or claiming to be absolutely f clueless where it
          leads, one is worse than the other. Thousands had to make this work
          and function as it is.
          
          Still, this is a different topic than the government use of law
          enforcement for preserving the shitty situation that was built by the
          industry and its actors just when the trend becomes of fixing what
          was made to be crap, just when people want to correct the f up of the
          ignorant collaborants.
       
        butterknife wrote 21 hours 36 min ago:
        If you're in the UK, please consider signing the below petition.
        Thanks.
        
   URI  [1]: https://you.38degrees.org.uk/petitions/keep-our-apple-data-enc...
       
          wrboyce wrote 6 hours 16 min ago:
          I never understand why people create petitions (targeted at the gov)
          on a non-official site.
       
            Aachen wrote 4 hours 46 min ago:
            I'm not familiar with UK law, but what's the matter? They're
            equally valid in jurisdictions that I know of, a signature is a
            signature no matter where it was put
            
            I'd personally just trust the government variant more with my
            government ID data than a third party but that's up to the
            petitioners to weigh and decide
       
        fdb345 wrote 21 hours 48 min ago:
        Are any of you lot getting the realisation as to why they are pushing
        Passkeys so hard?
        
        They know they access 8 out of 10 phones they seize.
        
        DON'T USE PASSKEYS
       
        AlanYx wrote 21 hours 53 min ago:
        Many people might not be aware of it, but Apple publishes a breakdown
        of the number of government requests for data that it receives, broken
        down by country.
        
        The number of UK requests has ballooned in recent years: [1] Much of
        this is likely related to the implementation and automation of the
        US-UK data access agreement pursuant to the CLOUD Act, which has
        streamlined this type of request by UK law enforcement and national
        security agencies.
        
   URI  [1]: https://www.apple.com/legal/transparency/gb.html#:~:text=77%25...
       
          EasyMark wrote 10 hours 1 min ago:
          Sad to see the home of the Magna Carta slowly spiraling down into
          fascism and 1984. The government should be required to have a
          specific warrant to get at your personal data.
       
          HaZeust wrote 17 hours 53 min ago:
          I don't share your findings, EVERY six-month period between January
          2014 - June 2017 shows bigger requests than any six-month period in
          the last 5 years.
       
          dvtkrlbs wrote 20 hours 50 min ago:
          The problem is AFAIK this act is a lot different and Apple or any
          party that gets this order is completely forbidden to talk about it.
          So these kind of requests would not show up in this transparency
          requests. It is IMHO fair to assume Apple will UK this backdoor given
          they chose to disable Advanced Data Encryption and public would have
          no insight to amount and reasons to the backdoor usage. It is really
          troubling.
       
          sva_ wrote 21 hours 34 min ago:
          Looking at the ones for Germany, those seem like rookie numbers
          
   URI    [1]: https://www.apple.com/legal/transparency/de.html#:~:text=77%...
       
            AlanYx wrote 21 hours 25 min ago:
            It's also comparatively worse than the raw numbers suggest because
            the customer base of Apple phones in Germany is much smaller than
            in the UK.
       
              crossroadsguy wrote 10 hours 43 min ago:
              I see numbers for USA and China very low as well.
              
              Maybe they don't have/need to request? ;-) Just saying.
       
        mrandish wrote 21 hours 57 min ago:
        > Online privacy expert Caro Robson said she believed it was
        "unprecedented" for a company "simply to withdraw a product rather than
        cooperate with a government".
        
        > "It would be a very, very worrying precedent if other communications
        operators felt they simply could withdraw products and not be held
        accountable by governments," she told the BBC.
        
        Attributing this shockingly pro-UK-spy-agencies quote to an "online
        privacy expert" without pointing out she consults for the UN, EU and
        international military agencies is typical BBC pro-government spin. In
        fact, Caro, it would be "very, very worrying" if communications
        operators didn't withdraw a product rather than be forced to make it
        deceptive and defective by design.
       
        als0 wrote 21 hours 59 min ago:
        Is there a way for a UK iPhone to circumvent the warning and enable
        ADP? Like connecting through a VPN?
       
        IceHegel wrote 22 hours 5 min ago:
        I'm sympathetic to the J.D. Vance angle, which is that European
        governments are increasingly scared of their own people. This is not
        doing a lot to change my mind.
       
          retinaros wrote 8 hours 2 min ago:
          lol. ask JD Vance what he thinks about Assange or Snowden.
       
          blitzar wrote 8 hours 14 min ago:
          I am unsympathetic to those that lecture others on not doing the very
          thing they are doing.
       
          randunel wrote 8 hours 27 min ago:
          You might be unaware of FATCA, then.
       
          odiroot wrote 18 hours 2 min ago:
          On our continent, the obvious solution to every problem under the sun
          is "more state".
       
          bongodongobob wrote 18 hours 25 min ago:
          What the fuck? They should be. They absolutely aren't right now and
          that's a major problem.
       
          dtquad wrote 19 hours 6 min ago:
          J.D. Vance's problem with Europe is that we have too many brown
          people.
          
          As a very privacy-oriented European I don't need American alt-right
          populists to concern troll about surveillance and privacy in Europe.
       
          gnfargbl wrote 19 hours 41 min ago:
          To give you a counterpoint: from this side of the pond it is
          extremely surprising to see how effective Vance's speech has been in
          distracting a good proportion of the American public. Which, I have
          to suspect, was the real point.
       
          kelnos wrote 19 hours 48 min ago:
          Governments should be scared of their people, though not in the way
          that I expect Vance means.
          
          It's certainly better than the opposite, where citizens and residents
          are scared of their government, which wields the power to deprive
          them of their freedom, possessions, and life.
       
            dennis_jeeves2 wrote 15 hours 38 min ago:
            >Governments should be scared of their people, though not in the
            way that I expect Vance means.
            
            A guillotine once in a while for some politicians/bureaucrats will
            do some good. There is a rich history of the French doing it.  I'm
            not even trying to be funny.
       
          mihaaly wrote 21 hours 17 min ago:
          Very wrong conclusions.
          
          They are not scared of people, but of working, doing their job,
          especially when it is difficult (catching criminals). They expect the
          job to be done for them by others, at the expense of everyone, while
          they collect all the praise.
          
          On sympathetic to Vance I did not really find a presentable
          reaction, would not find on any other accidentally agreeable sentence
          leaving his mouth (very low chance btw.). Talking a lot about all
          kinds of things sooner or later will hit something acceptable, which
          will not yield an unacceptable and destructive to society figure
          sympathetic.
          
          You also should be aware of practices and conducts the various US
          security services practice (and probably all governments out there),
          if not from news or law but at least from the movies. When we come to
          the topic of who is afraid of their own.
       
            rdm_blackhole wrote 20 hours 53 min ago:
            Exactly, it's the same thing with the Chat Control law in the EU
            and it reminds me of the scene in the movie Office Space where the
            consultants are trying to figure out who is doing what in the
            company.
            
            Basically instead of doing their jobs, the cops expect Apple, Meta
            et al to intercept all the data, then feed it into some kind of AI
            black box (not done by them but contracted out to someone else at
            the taxpayer's expense) that will then decide if you get arrested
            within the next 48H (I am exaggerating but only slightly)
            
            What are the cops doing instead of doing their jobs? That's my
            question. Aren't they paid to go out and catch the criminals or do
            they simply expect to get the identity of people each day that need
            to be investigated?
       
            RIMR wrote 21 hours 8 min ago:
            Well put. It's pretty much impossible to sympathize with Vance
            saying this when the administration he is a part of is
            scaremongering about "the enemy within".
       
          deelowe wrote 21 hours 26 min ago:
          Then Vance should do something about the 5 eyes which is likely the
          source of this sort of thing.
       
          duxup wrote 21 hours 42 min ago:
          I think the US government has made these kinds of requests too,
          similar tactics such as mass data collection without a warrant and so
          on.
          
          I don't think it is "scared" as much as just the usual human desire
          to do whatever the task is ... without thinking of the consequences.
       
          Cornbilly wrote 21 hours 43 min ago:
          The unspoken part of that is Vance likely thinks that the people
          should fear their government.
       
            bilbo0s wrote 21 hours 5 min ago:
            True.
            
            It's a very unwise position Vance takes.
            
            The world would clearly be better run if all governments feared
            their people, than it would if all people fear their governments.
            
            The UK can pull this kind of stuff precisely because they do not
            fear any consequences from their people.
       
          pathless wrote 21 hours 59 min ago:
          This unexpected news really cemented that point for him.
       
        leonewton253 wrote 22 hours 7 min ago:
        They should have forced ADP on by default and this would have never
        happened.
       
          int_19h wrote 17 hours 3 min ago:
          The problem with that is that if the user loses their key, their
          account is no longer recoverable. As things are with ADP, enabling it
          comes with a bunch of warnings about that, and IIRC it also forces
          you to print out the recovery key for safe storage.
       
          commandersaki wrote 20 hours 2 min ago:
          That would alienate users due to key management complexity. Apple is
          about having a smooth user experience.
       
            blitzar wrote 6 hours 39 min ago:
            Apple processes multiple orders of magnitude more account
            recoveries for customers each day than it receives government
            requests.
       
        adfm wrote 22 hours 11 min ago:
        It's a drag that we're seeing this crap happen, but authoritarians will
        be authoritarians. What's the general opinion of tools like
        Cryptomator? [1]
        
   URI  [1]: https://cryptomator.org
       
        cynicalsecurity wrote 22 hours 21 min ago:
        Could this have been a reason the UK pushed for separation from the EU?
        
        EU is all for privacy while UK is slowly drifting towards becoming a
        Stasi state.
       
          rdm_blackhole wrote 21 hours 15 min ago:
          This is blatantly false.
          
          The EU has been pushing to pass the Chat Control law for the last 3
          years which is even worse because at least in the UK the government
          would still need to get a warrant for the data they want whereas the
          EU wants to analyze your chat messages, emails and pictures in real
          time without cause or need to justify themselves.
       
            dumbledoren wrote 13 hours 8 min ago:
            > Again and again, 'Eu' is not pushing anything like that. A few
            Euparl MPs backed by those like Ashton Kutcher did.
       
              rdm_blackhole wrote 8 hours 21 min ago:
              The EU is pushing for this. The EU "Going Dark" group is pushing
              for this as well as per [1]. The fact of the matter is that if the
              EU was, as it's been said, for privacy this proposal would not
              have been on the table in the first place. It should have been
              stopped 3 years ago but here we are again fighting for our rights
              and our privacy.
              
              And it doesn't matter how many times it gets shot down by some of
              the countries in the EU, the commission changes a few words and
              starts the process all over again because they know that sooner
              or later they will get it through.
              
              You can't have it both ways. You either are for privacy or you
              are not. If you are then this proposal should never have seen the
              light of the day and the people pushing for it should have been
              given a warning that this was off-limits.
              
              Instead they are biding their time so that when the time is right
              they can come back with a slightly altered but still incredibly
              damaging proposal hoping that it will pass.
              
              The EU pro-privacy stance is a joke. They want access to the same
              data as the US except they don't have the courage to come out and
              say it so they wrap it in a nice little gift bag with the words
              "protect the children" on it.
              
              This is hypocrisy in its purest form. Then some governments in
              the EU have the gall to call out authoritarian regimes around
              the world when they crack down on dissent and free speech? Give
              me a break!
              
   URI        [1]: https://edri.org/our-work/high-level-group-going-dark-ou...
       
            izacus wrote 19 hours 35 min ago:
            The Chat Control law was voted down and it would not apply for UK
            if they'd still be in EU.
       
              nickslaughter02 wrote 3 hours 22 min ago:
              It has been voted down twice now. Guess what? That doesn't mean
              it's dead. It's being worked on as we speak. The last meeting was
              just a few weeks ago.
              
   URI        [1]: https://www.parlament.gv.at/dokument/XXVIII/EU/9693/imfn...
       
              rdm_blackhole wrote 8 hours 16 min ago:
              See my comment above, it doesn't matter that it was voted down.
              The point is that it was allowed to go to a vote in the first
              place.
              
              How do you square being pro privacy but at the same time
              demanding to have unlimited access to all chat messages, emails,
              pictures and so on of all your citizens without the need for a
              warrant, without justification and without the citizens having
              any say on the matter?
              
              The answer is that you can't. You either are for privacy or you
              are not.
              
              As for not applying to the UK, that is a moot point because as
              soon as the EU gets its wish then the UK will demand the same
              kind of access. Why would the UK government turn down such an
              opportunity?
       
          nickslaughter02 wrote 21 hours 25 min ago:
          No, EU is NOT "all for privacy". I don't know where this myth comes
          from but I see it repeated here often.
          
          1. EU is pushing for mandatory on-device scanning of all your
          messages (chat control). The current proposal includes scanning of
          all videos and images all the time for all citizens. The proposal
          started with analyzing all text too. The discussions are happening
          behind closed doors. EU Ombudsman has accused EU commission of
          "maladministration", no response.
          
          2. EU is allowing US companies to scan your emails and messages
          (ePrivacy Derogation). Extended for 2025.
          
          3. EU is pushing for expansion of data retention and to undermine
          encryption security (EU GoingDark).
          
          "The plan includes the reintroduction and expansion of the retention
          of citizens’ communications data as well as specific proposals to
          undermine the secure encryption of data on all connected devices,
          ranging from cars to smartphones, as well as data processed by
          service providers and data in transit." [1]
          
          4. EU is pushing for mandatory age verification to use email,
          messengers and web applications. Citizens will be required to use EU
          approved verification providers. All accounts will be linked back to
          your real identity.
          
          5. "Anonymity is not a fundamental right": experts disagree with
          Europol chief's request for encryption back door (January 22, 2025)
          [2]
          
          -----
          
          Do you still believe EU is all for privacy? EU's privacy is
          deteriorating faster than in any other developed country / bloc. Some
          of these proposals have been blocked by Germany for now but that is
          expected to change after the upcoming elections.
          
   URI    [1]: https://www.patrick-breyer.de/en/eugoingdark-surveillance-pl...
   URI    [2]: https://www.techradar.com/computing/cyber-security/anonymity...
       
            dumbledoren wrote 13 hours 9 min ago:
            > EU is pushing for mandatory on-device scanning of all your
            messages (chat control)
            
            Again and again, 'Eu' is not pushing anything like that. A few
            Euparl MPs backed by those like Ashton Kutcher did.
            
            > Eu isn't 'planning' anything like that. Some Euparl MPs backed by
            people like Ashton Kutcher tried to push a law to spy on all chat
            apps. Then when the dirty web of American-style regulatory
            manipulation was exposed, they backed off. It was a proposal for a
            law by some MPs. Not something 'Eu' did.
       
              nickslaughter02 wrote 3 hours 27 min ago:
              How can you say EU isn't planning anything like that when the
              last meeting to introduce just that was a few weeks ago? [1]
              Nobody backed off, it's still on the agenda. You are right
              however that the main lobby comes from US NGOs as exposed by
              documents coming from EU Commission.
              
   URI        [1]: https://www.parlament.gv.at/dokument/XXVIII/EU/9693/imfn...
       
        Kim_Bruning wrote 22 hours 27 min ago:
        The current EU-UK adequacy decision[1] is up for review this 27 June
        [2].
        
        Aspects of the UK investigatory powers act are close enough to US FISA
        [2] that I think this might have some influence, if brought up. IPA
        2016 was known at the time of the original adequacy decision, but IPA
        was amended in 2024. While some things might be improvements, the
        changes to Technical Capability Notices warrant new scrutiny.
        
        Especially seeing this example where IPA leads to reduced security is
        of some concern, I should think. The fact that security can be
        subverted in secret might make it a bit tricky for the EU to monitor at
        all.
        
        [1] [2] ibid. Article 4
        
        [3] FISA section 702
        
   URI  [1]: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX...
   URI  [2]: https://www.govinfo.gov/content/pkg/BILLS-110hr6304pcs/html/BI...
       
        smashah wrote 22 hours 31 min ago:
        Notice all the undemocratic dictatorships that did not require this of
        Apple. The UK is in decline completely.
       
        nomilk wrote 22 hours 39 min ago:
        Wonder what the cost/benefit looks like from Apple's perspective.
        
        If this requirement increases the proportion of data on Apple's servers
        that is now unencrypted (or encrypted but which can be trivially
        unencrypted), that could be a huge plus to Apple; more data to use for
        ad targeting (or to sell to third parties), and more data to train AI
        models on.
       
        freedomben wrote 22 hours 44 min ago:
        Devil's Advocate (meaning I don't agree with this, in fact I disagree
        with it, but I don't see this argument being made anywhere and think it
        would be interesting.  If you're one of the people who are offended by
        this practice of people steel-manning "the other side" and only want to
        read comments that affirm your position, please don't read this
        comment).
        
        Question: Wouldn't it be better for Apple to build a UK-only encryption
        that is backdoored but is at least better than nothing?  If Apple
        really cared about people's privacy, why just abandon them?
        
        My position:  No because this is a war, not a battle.  Creating a
        backdoored encryption would immediately trigger every government on the
        planet passing laws banning use of non-back-doored encryption, which
        would ultimately lead us to a much, much worse world.  Refusing to do
        it is the right thing IMHO.
       
          everfree wrote 21 hours 8 min ago:
          Without Advanced Data Protection, your data is still encrypted at
          rest, it's just that Apple safeguards the encryption key. The purpose
          of ADP is to remove control of this key from Apple, so that it's
          impossible for Apple to leak your data to any third party, even if
          they are compelled to.
          
          So to me, backdoor encryption seems like it defeats the whole point
          of ADP, no? But if not - even if there is some tiny marginal benefit
          - cryptography is extremely expensive to get right. It's doubtful
          that it makes financial sense to Apple to develop a new encryption
          workflow for a single country for very slight security benefits.
          
          And it still wouldn't be complying with the UK's demands anyways. The
          UK demanded access to accounts worldwide. If Apple is going to be
          non-compliant, then they might as well be non-compliant the easy way.
       
          cat_meowpspsps wrote 22 hours 14 min ago:
          The UK's law here is specifically targeting encrypted data globally.
          
          > The UK government's demand came through a "technical capability
          notice" under the Investigatory Powers Act (IPA), requiring Apple to
          create a backdoor that would allow British security officials to
          access encrypted user data globally.
       
        ljm wrote 22 hours 48 min ago:
        Fundamentally, I think the issue is more about technical literacy
        amongst the political establishment who consistently rely on the
        fallacy that having nothing to hide means you have nothing to fear.
        Especially in the UK which operates as a paternalistic state and enjoys
        authoritarian support across all parties.
        
        On the authoritarianism: these laws are always worded in such a way
        that they can be applied or targeted vaguely, basically to work around
        other legislation. They will stop thinking of the children as soon as
        the law is put into play, and it's hardly likely that pedo rings or
        rape gangs will be top of the list of priorities.
        
        On the technical literacy: the government has the mistaken belief that
        their back door will know the difference between the good guys
        (presumably them) and the bad guys, and the bad guys will be locked
        out. However, the only real protection is security by obscurity: it's
        illegal to reveal that this backdoor exists or was even requested. Any
        bad guy can make a reasonable assumption that a multinational tech
        company offering cloud services has been compromised, so this just
        paints another target on their backs.
        
        I've said it before, but I guarantee that the monkey's paw has been
        infinitely curling with this, and it's a dream come true for any black
        or grey hat hacker who wants to try and compromise the government
        through a backdoor like this.
       
          gerdesj wrote 16 hours 43 min ago:
          "Especially in the UK which operates as a paternalistic state and
          enjoys authoritarian support across all parties."
          
          What is a "paternalistic state"?  I studied Latin so obviously I
          understand pater == father but what is a father-like state?
          
          What on earth is: "authoritarian support across all parties".
          
          The UK has one Parliament, four Executives (England, Northern
          Ireland, Scotland, Wales) and a Monarch (he's actually quite a few
          Monarchs).
          
          Anyway, I do agree with you that destroying routine encryption is a
          bloody daft idea.  It's a bit sad that Apple sold it as an extra add
          on.  It does not cost much to run openssl - it's proper open source.
       
            ljm wrote 5 hours 44 min ago:
            Government knows what’s best for the people (colloquially we call
            it the nanny state).
            
            All our main political parties have an authoritarian slant so these
            policies have rarely received long-lasting opposition. Literally
            every government in office for the past 30-odd years has presented
            legislation like this.
       
            walthamstow wrote 13 hours 58 min ago:
            Paternalism, unless I'm mistaken, is a belief among those in power
            that they know what's best for you, better than you do, and will
            exercise power on your behalf in that manner. Just like your
            parents do when you're a child.
       
            catlikesshrimp wrote 16 hours 29 min ago:
            In medicine, a paternalistic attitude towards the patient from a
            point of authority (like a father).
            The doctor acts as if he knows more and knows what is better. The
            patient has his own preferences and priorities, but they don't
            necessarily match with what the doctor does.
            
            I suppose a paternalistic state functions to satisfy the needs of
            the people, and to define those needs. The people get what the
            state says is best for them.
       
          EchoReflection wrote 20 hours 23 min ago:
          "it's hardly likely that pedo rings or rape gangs will be top of the
          list of priorities".... is this not one of the most disturbing,
          disgusting, psychologically troubling and damning ideas ever to be
          put to words/brought to awareness? Right up there "let's
          meticulously plan out this horrific, atrocious, dehumanizing act and
          meditate upon the consequences, and then choose the most brutal and
          villainous option".  Dear Lord....
       
            dsign wrote 7 hours 58 min ago:
            >  is this not one of the most disturbing, disgusting,
            psychologically troubling and damning ideas ever to be put to
            words/brought to awareness?
            
            Hmm? Hell has depths. Your yard might be a little too short to
            measure them? In that case, just think about this: rape is probably
            most common in prisons, where you will send innocents the moment
            this dragnet thing glitches.
       
            AnthonyMouse wrote 17 hours 25 min ago:
            People are extremely opposed to pedos, so they're a primary
            rationalization for oppressive technology. But then you have two
            problems.
            
            First, pedos know everybody hates them, so they take measures
            normal people wouldn't in order to avoid detection, and then
            backdooring the tech used by everybody else doesn't work against
            them because they'll use something else. But it does impair the
            security of normal people.
            
            Second, there aren't actually that many pedos and the easy to catch
            ones get caught regardless and the hard to catch ones get away with
            it regardless, which leaves the intersection of "easy enough to
            catch but wouldn't have been caught without this" as a set
            plausibly containing zero suspects. Not that they won't use it
            against the ones who would have been caught anyway and then declare
            victory, but it's the sort of thing that's pretty useless against
            the ones it's claimed to exist in order to catch, and therefore not
            something it can be used effectively in order to do.
            
            Whereas industrial espionage or LOVEINT or draining grandma's
            retirement account or manipulating ordinary people who don't
            realize they should be taking countermeasures -- the abuses of the
            system -- those are the things it's effective at bringing about,
            because ordinary people don't expect themselves to be targets.
       
          smsm42 wrote 20 hours 36 min ago:
          It's not literacy. They don't care. They need control, and if
          establishing control means increased risks for you, it's not
          something they see as a negative factor. It's your problem, not
          theirs.
       
            kypro wrote 18 hours 2 min ago:
            Agreed.
            
            I used to think it was illiteracy, but when you hear politicians
            talk about this you realise more often than not they're not
            completely naive and can speak to the concerns people have, but
            fundamentally their calculation here is that privacy doesn't really
            matter that much and when your argument for not breaking encryption
            is based around the right to privacy you're not going to convince them
            to care.
            
            You see a similar thing in the UK (and Europe generally) with
            freedom of speech. Politicians here understand why freedom of
            speech is important and why some people oppose blasphemy laws, but
            that doesn't mean you can just burn a bible in the UK without being
            arrested for a hate crime because fundamentally our politicians
            (and most people in the UK) believe freedom from offence is more
            important than freedom of speech.
            
            When values are misaligned (safety > privacy) you can't win
            arguments by simply appealing to the importance of privacy or
            freedom of speech. UK values are very authoritarian these days.
       
            cryptonector wrote 19 hours 2 min ago:
            They don't even need control.  They want control.  Why?  Either
            they're idiots who think they need control or they are tyrants who
            know they'll need control later on when they start doing seriously
            tyrannical things.
       
              jamil7 wrote 7 hours 2 min ago:
              > Why? Either they're idiots who think they need control or they
              are tyrants
              
              Many politicians are individuals without any talent who desire
              power and control, politics is the only avenue open to people
              like that.
       
              smsm42 wrote 13 hours 26 min ago:
              It's natural for the government to want control. It's literally
              what it is optimized for - control. More control is always better
              than less control. More data about subjects always better than
              less data. What if they do something that we don't want them
              doing and we don't know? It's scary. We need more control.
              
              > they'll need control later on when they start doing seriously
              tyrannical things.
              
              You mean like when they start jailing people for social media
              posts? Or when they are going to ban kitchen knives? Or when
              they're going to hide a massive gang rape scandal because it
              makes them look bad? Or when they would convict 900+ people on
              false charges of fraud because they couldn't admit their computer
              system was broken? Come on, we all know this is not possible.
       
              hackernoops wrote 16 hours 3 min ago:
              It's the latter.
       
                cryptonector wrote 15 hours 51 min ago:
                Of course it is.
       
            redeeman wrote 19 hours 26 min ago:
            opinion: any government that "needs" such control, is an enemy of
            the people and must be abolished, and anyone can morally and
            ethically do so
       
              jbjbjbjb wrote 18 hours 58 min ago:
              Well it’s important that the argument is correct. They view
              ending end-to-end encryption as a way to restore the
              effectiveness of traditional warrants. It isn’t necessarily
              about mass surveillance and the implementation could prevent mass
              surveillance but allow warrants.
              
              I oppose that because end to end encryption is still possible by
              anyone with something to hide, it is trivial to implement. I
              think governments should just take the L in the interest of
              freedom.
       
                staplers wrote 15 hours 38 min ago:
                governments should just take the L in the interest of freedom
                
                This was written into the US constitution. Unfortunately, most
                either don't know or care that it's all but ignored in
                practice.
       
                AnthonyMouse wrote 17 hours 44 min ago:
                > They view ending end-to-end encryption as a way to restore
                the effectiveness of traditional warrants.
                
                Traditional warrants couldn't retroactively capture historical
                realtime communications because that stuff wasn't traditionally
                recorded to begin with.
                
                > It isn’t necessarily about mass surveillance and the
                implementation could prevent mass surveillance but allow
                warrants.
                
                The implementation that allows this is the one where executing
                a warrant has a high inherent cost, e.g. because they have to
                physically plant a bug on the device. If you can tap any device
                from the server then you can tap every device from the server
                (and so can anyone who can compromise the server).
       
                  jbjbjbjb wrote 16 hours 33 min ago:
                  They shouldn’t be able to tap any device from a server.
                  I’m guessing they would have to apply for a warrant and
                  serve the warrant to Apple who review the warrant and provide
                  the data.
       
                    AnthonyMouse wrote 15 hours 51 min ago:
                    Putting the panopticon server in a building that says Apple
                    or Microsoft at the entrance hasn't solved anything.
                    Corporations are hardly more trustworthy than the
                    government, can be coerced into doing the mass surveillance
                    under gag orders, could be doing it for themselves without
                    telling anyone, and would still be maintaining servers with
                    access to everything that could be compromised by organized
                    crime or foreign governments.
                    
                    Which is why the clients have to be doing the encryption
                    themselves in a documented way that establishes the server
                    can't be doing that.
       
            ben_w wrote 19 hours 41 min ago:
            The government put in restrictions against using certain powers in
            the Investigatory Powers Act to spy on members of parliament
            (unless the Prime Minister says so, section 26), so I think they're
            just oblivious to the risk model of "when hackers are involved, the
            computer isn't capable of knowing the order wasn't legal".
            
   URI      [1]: https://www.legislation.gov.uk/ukpga/2016/25/section/26
       
              tehwebguy wrote 4 hours 6 min ago:
              Absolutely not, MPs are not too stupid to process the concept of
              “a back door is a back door” they simply want this power and
              do not care about security or privacy of non-MPs. Everyone who
              voted for this needs to be thrown out of politics, but that will
              obviously not happen.
       
              lozenge wrote 19 hours 10 min ago:
              That actually shows they understand and care because they don't
              want the law to apply to them. They don't care about its effects
              on other people.
       
                ben_w wrote 18 hours 40 min ago:
                No, it shows they're thinking of computers like they think of
                police officers.
                
                Computer literacy 101: to err is human, to really foul up
                requires a computer.
                
                They don't understand that by requiring the capability for
                going after domestic criminals, they've given a huge gift to
                their international adversaries' intelligence agencies. (And
                given this is about a computer vulnerability, "international
                adversaries" includes terrorists, and possibly disgruntled
                teenagers, not just governments).
       
                  soulofmischief wrote 4 hours 24 min ago:
                  They understand. Signal Foundation's president, Meredith
                  Whittaker, among many other tech leaders, has made it
                  abundantly clear to both the UK and the EU. [1] If
                  politicians don't understand after such campaigning, it's a
                  choice in willful ignorance, not bad computer literacy.
                  
   URI            [1]: https://techcrunch.com/2023/09/21/meredith-whittaker...
       
                    ben_w wrote 3 hours 1 min ago:
                    I personally campaigned at the time the law was being
                    debated. Met my local MP, even.
                    
                    If I'd known about the idea of "inferential gap" at the
                    time, my own effort might not have been completely
                    ignored… though probably still wouldn't have changed the
                    end result as I still don't know how to show lawmakers that
                    their model of how computers and software function has led
                    to a law that exposed them, personally, to hostile actors.
                    
                    How even do you explain to people with zero computer
                    lessons that adding a new access mechanism increases the
                    attack surface and makes hacking easier?
                    
                    The politicians seem to see computers as magic boxes,
                    presumably in much the same way and for much the same
                    reason that I see Westminster debates and PMQs as 650
                    people who never grew out of tipsy university debating
                    society life.
                    
                    (And regardless of if it is fair for me to see them that
                    way, that makes it hard to find the right combination of
                    words to change their minds).
       
                      soulofmischief wrote 1 hour 28 min ago:
                      > How even do you explain to people with zero computer
                      lessons that adding a new access mechanism increases the
                      attack surface and makes hacking easier?
                      
                      You literally tell them that. That's it. As prominent
                      tech leaders have been doing. They either choose to
                      believe experts, or disbelieve them. Or they could get a
                      CS major. They chose option #2. They ostensibly
                      disbelieve experts because what they're hearing does not
                      mesh with what they want.
                      
                      But let's be honest with ourselves; it's not that they
                      disbelieve them, or don't understand. It's that they
                      don't care. You are giving these people way too much of a
                      benefit of the doubt. They have the tools at their
                      disposal to remove any ignorance.
       
                  newdee wrote 7 hours 51 min ago:
                  I think it could be for both reasons
       
          yubblegum wrote 21 hours 27 min ago:
          > technical literacy amongst the political establishment who
          consistently rely on the fallacy that having nothing to hide means
          you have nothing to fear.
          
          That's an awfully generous assessment on your part. Kindly explain
          just what "technical literacy" has to do with the formulation you
          note. From here it reads like you are misdirecting and clouding the
          -intent- by the powerful here.
          
          Also does ERIC SCHMIDT an accomplished geek (who is an official
          member of MIC since (during?) his departure from Sun Microsystems)
          suffer from "technical literacy" issues: [1] Thank you in advance
          for clarifying your thought process here. Tech illiteracy -> what you
          got to hide there buddy?
          
   URI    [1]: https://news.ycombinator.com/item?id=983717
       
            bunderbunder wrote 20 hours 55 min ago:
            Let me offer a possible example that might be more in line with the
            HN commenting guideline about interpreting people's comments as
            charitably as reasonably possible:
            
            My password manager vault isn't exactly something to hide in the
            political sense, but it's definitely something I would fear is
            exposed to heightened risk of compromise if there were a backdoor,
            even one for government surveillance purposes. And it's a
            reasonable concern that I think a lot of people aren't taking
            seriously enough due, in part, to a lack of technical literacy.
            Both in terms of not realizing how it materially impacts everyday
            people regardless of whether they're up to no good, and in terms of
            not realizing just how juicy a target this would be for agents up
            to and including state-level adversaries.
            
            As for Eric Schmidt, he's something of a peculiar case. I don't
            doubt his technical literacy, but the dude is still the head of one
            of the world's largest surveillance capitalist enterprises, and, as
            the saying goes, "It is difficult to get a man to understand
            something when his salary depends on his not understanding it."
       
            stavros wrote 20 hours 59 min ago:
            I feel like the comment was clear, technical illiteracy leads
            politicians to believe that they'll be the only ones with access to
            this backdoor, which isn't true.
       
              yubblegum wrote 18 hours 0 min ago:
              The comment's clarity was not questioned. You are passing around
              the same tired line that because politicians do not understand
              technology and how it can be used against anyone. Sure computers
              are new but communication technology is not. All a politician
              needs to understand is "capability". That is it. "We can read
              their communications", no degree in CS required. Also, they have
              power geeks advising them left and right. They know
              "capabilities" can be misused. They know this.
              
              Is this clear?
       
                stavros wrote 17 hours 57 min ago:
                >> Kindly explain just what "technical literacy" has to do with
                the formulation you note.
                
                >> Thank you in advance for clarifying your thought process
                here.
                
                > The comment's clarity was not questioned.
       
              trinsic2 wrote 19 hours 10 min ago:
              Yeah. Not buying it. They know, or someone smart enough told them
              that backdoors can be accessed by anyone with enough skill. They
              just don't care because the people that are asking for this are
              criminals already and wanting profit off of other people's data.
       
              ninalanyon wrote 19 hours 14 min ago:
              It isn't necessarily the case that they all care if criminals can
              get in to the average person's data so long as the authorities
              also can.
       
          miohtama wrote 22 hours 9 min ago:
          Furthermore, one UK head of state calls everyone supporting encryption
          pedophiles
          
   URI    [1]: https://x.com/BenWallace70/status/1892972120818299199
       
            hackernoops wrote 16 hours 2 min ago:
            Ironic.
       
            GJim wrote 17 hours 46 min ago:
            > one UK head of state
            
            What on earth are you talking about?
            
            Charles III is head of state, and before that, Liz II. The monarch
            absolutely does not get involved in politics.
       
              sib wrote 4 hours 40 min ago:
              >> The monarch absolutely does not get involved in politics.
              
              The monarch picks the Prime Minister, no? That seems pretty
              involved.
       
                polshaw wrote 1 hour 54 min ago:
                No, the monarch does not pick the Prime Minister. At all.
                
                They have a ceremonial role in confirming them. Like they do
                with every law that Parliament creates. If they ever actually
                practically exercised this theoretical power it would be the
                end of the monarchy.
       
            mschuster91 wrote 20 hours 15 min ago:
            And that's why it is so important to nip this "pedo" / "think of
            the children" crap right in the bud.
            
            Obviously pedos on the interwebs are bad, but hey as long as it's
            just anime they're whacking off to I don't care too much. But the
            real abuse, that's done by - especially in the UK - rich and famous
            people like Jimmy Savile. And you're not gonna catch these pedos
            with banning encryption, that's a fucking smokescreen if I ever saw
            one, you're gonna catch them with police legwork and by actually
            teaching young children about their bodies!
       
              worik wrote 20 hours 9 min ago:
              > But the real abuse, that's done by - especially in the UK -
              rich and famous people like Jimmy Savile
              
              Jimmy Savile was a vile predator.  He was protected by the inane
              customs of the British ruling class.
              
              He was not alone among the toffs of England.
              
              But do not be mistaken.  It is not just the rich and powerful
              where you find sexual predators.  They exist at all levels of
              society, all genders, most ages (I will except infants and the
              aged infirm....)
              
              Jimmy Savile was a symptom of something much darker, much worse
              and widespread.
       
                kypro wrote 17 hours 57 min ago:
                Honestly if the UK wants to reduce sexual crimes against
                children and adults one of the easiest ways to achieve that
                would be to reform UK libel law.
                
                In the UK if you're raped by someone famous you'd be an utter
                idiot to say anything unless you're loaded or have a massive
                amount of hard evidence. You couldn't have a Me Too movement in
                the UK because everyone who came forward would be sued into
                bankruptcy. This is why so many people knew about Savile but no
                one said anything.
       
                  worik wrote 14 hours 39 min ago:
                  The rules of evidence in court are important too.
                  
                  It is the victim on trial, many times.
       
                bigfudge wrote 18 hours 3 min ago:
                Jimmy Savile was many things, but I don’t think he was a
                toff. His ability to abuse was about power, and perhaps gender,
                but not class.
       
                mschuster91 wrote 19 hours 8 min ago:
                Yeah but if you sell the populace on the idea that pedos are
                only something that's a threat on the interwebs the populace
                won't care about all the other pedos, and if there is a pedo
                scandal like the next Savile the government can just go and
                shrug and say "we did all we could". And that is the point
                behind all that pedo scare.
       
            ThePowerOfFuet wrote 21 hours 41 min ago:
            
            
   URI      [1]: https://xcancel.com/BenWallace70/status/189297212081829919...
       
              doublerabbit wrote 21 hours 13 min ago:
              Thank you.
       
            scott_w wrote 21 hours 48 min ago:
            Just to be clear: Wallace is not a head of state, or even an MP any
            more. At one point, he was Secretary of State for Defence, a
            Cabinet position, however he resigned this in 2023.
            
            This doesn’t justify his position (it’s stupid) but he
            doesn’t speak for the current government.
       
              onei wrote 21 hours 19 min ago:
              To clarify a bit further, the UK head of state is King Charles
              III, as he is for a bunch of other countries in the Commonwealth.
              
              Head of state in the UK is a bit weird compared to countries that
              abolished or never had a monarchy.
       
                ttepasse wrote 18 hours 22 min ago:
                The vast majority of democracies separated the roles of head of
                state and head of government.
       
                ojhp wrote 19 hours 53 min ago:
                Technically we did abolish the monarchy back in the 17th
                century, but the replacement was so bad we brought them back
                about 10 years later, which I think makes us a minority of one
                and even more weird.
                
                Anyway, back on topic: this is a ridiculous law that is forcing
                services to erode their security while smart criminals can just
                use some nice free open-source software somewhere else for E2E
                communication. And a lot of this is definitely down to
                lawmakers not understanding technology.
       
                scott_w wrote 20 hours 43 min ago:
                You’re correct, however I gave GP the benefit of the doubt
                and assumed they meant Secretary of State ;-)
                
                And, to be fair, while I’m generally a small r republican,
                I’m seeing benefits of having a non politically aligned head
                of state after J6. While the monarch has limited power, booting
                out a PM that can’t command the confidence of Parliament is
                one of them. The question of whether Johnson would accept being
                dethroned a la Trump was always silly given his consent was
                never needed.
       
                  worik wrote 20 hours 14 min ago:
                  > And, to be fair, while I’m generally a small r
                  republican, I’m seeing benefits of having a non politically
                  aligned head of state
                  
                  One of the benefits of a constitutional monarchy is the head
                  of state did not campaign for the position.
       
                    c0ndu17 wrote 5 hours 36 min ago:
                    I’ve become a bit of a fan of it over the last few years.
                    That said, I don’t think the UK can be replicated.
                    
                    It wraps ultimate power up in a contradiction, you have it
                    but you can’t use it. Sure, technically you could but it
                    would be your last act.
                    
                    Another important aspect, the for and against is currently
                    split between parties, so there’s somewhat of a unification
                    factor between parties on that divide as well.
                    
                    It gets a lot of hate, because it is imperfect, but I
                    don’t think it gets its fair shake. My view's more of, if
                    it ain’t broke, is it really worth the risk changing it?
       
                  onei wrote 20 hours 20 min ago:
                  The UK monarch's power is largely based on convention more
                  than active decision making. For example, a government is
                  formed at the invitation of the monarch, but that's long
                  reflected the results of an election. Getting rid of a PM
                  generally happens when they run out of luck. That sometimes
                  coincides with the ruling party/coalition imploding. The next
                  PM is then shortlisted by MPs and selected by a minority of
                  the electorate.
                  
                  I guess the US equivalent is the leader of the house being
                  unable to hold their majority together. In some ways the
                  presidential election feels more democratic if a relative
                  outsider (like Trump was) can win. But a 2 year lead up is
                  crazy.
       
          exe34 wrote 22 hours 17 min ago:
          > that having nothing to hide means you have nothing to fear
          
          hopefully the US turning from leader of the free world to Russia's
          tool will give them the kick they need to realise that just because
          you trust the government now doesn't mean you trust the next
          government or the one after it.
       
            isaacremuant wrote 19 hours 55 min ago:
            > hopefully the US turning from leader of the free world to
            Russia's tool
            
            So much humour in one short phrase.
            
            Do you really believe your propaganda or is it just absentmindedly
            parroting pro permanent war talking points?
       
              bspammer wrote 7 hours 54 min ago:
              What would you call the ridiculous claim that Ukraine started the
              war? Who else does that serve but Russia?
       
              exe34 wrote 19 hours 10 min ago:
              He demands $500bn of rare earth minerals, insists that Ukraine
              started the war by getting invaded and wants Zelensky to be
              replaced by a Russian puppet. It's amazing how the US went from
              the defender of the free world to just another thug.
       
                isaacremuant wrote 6 hours 8 min ago:
                "defender of the free world" is just so funny to me. I'm sorry
                to burst your bubble of jingoism and US imperialism
                exceptionalism.
       
                  exe34 wrote 2 hours 53 min ago:
                  what do you call US nukes in Europe? that's exactly what it
                  was - Pax Americana, 70 years of peace and prosperity has
                  come to an end for most countries. Now Russia has an ally in
                  their old enemy.
       
            GeekyBear wrote 20 hours 37 min ago:
            You probably don't want to look up which US President tried to
            force Apple to insert an encryption back door into iPhones back in
            2015.
            
            However, Google did only start moving to protect location data from
            subpoenas after people started to worry that location data could be
            used as a legal weapon against women who went to an abortion
            clinic, so your larger point stands.
       
              dguest wrote 7 hours 56 min ago:
              Points about Russia or partisan politics aside, there are now at
              least 10M people living in the US who have a very strong
              incentive to hide all their data from the executive branch.
              That's to say nothing of the countless millions who might want to
              help them.
              
              The demand for encryption just exploded, in a legal gray area
              (city, state, and federal laws seem to be in conflict here) it's
              just a question of whether governments allow the supply to
              follow.
       
              jshier wrote 19 hours 23 min ago:
              That would be none, as it was the FBI, operating independently
              (as it's supposed to), which tried to force the issue. They even
              tried to go to Congress but found little support for their stunt.
              I'm not even sure Obama ever spoke in support of the backdoor,
              much less used any political power to make it a reality.
       
                GeekyBear wrote 18 hours 39 min ago:
                Sorry, but the FBI is part of the executive branch.
                
                This is exactly like saying that President Trump has nothing to
                do with the actions of the executive branch agencies today.
       
                  exe34 wrote 18 hours 14 min ago:
                  it's true that the honour system only works when there's
                  honour in the people in charge.
                  
                  when a clown moves into a palace, the clown doesn't become
                  the king - the palace becomes a circus.
       
                    GeekyBear wrote 17 hours 46 min ago:
                    Haven't we already learned that gaslighting the public is
                    counterproductive?
                    
                    President Obama sold himself as a Constitutional scholar
                    who would set right the civil liberties overreach of his
                    predecessor.
                    
                    You aren't going to convince sane people that his executive
                    branch agencies sought to gut the fourth amendment without
                    his being aware of it, despite months of extensive press
                    coverage.
       
                      exe34 wrote 17 hours 30 min ago:
                      "the other side is just as bad" isn't the justification
                      that a lot of people seem to think it is. if you don't
                      like what the other side has done, don't just copy them.
                      do better.
       
                        GeekyBear wrote 17 hours 16 min ago:
                        It's simpler.  If you claim that a particular action
                        would be bad if the other political team were to
                        perform it, don't suddenly make excuses for that very
                        same action if it turns out that your favored political
                        team has previously performed it.
       
          kingkongjaffa wrote 22 hours 35 min ago:
          > Especially in the UK which operates as a paternalistic state and
          enjoys authoritarian support across all parties.
          
          This seemed strange to point out. It’s not really any more or less
          “paternalistic” than most western nations including the US.
       
            gleenn wrote 22 hours 26 min ago:
            If you see a red car driving down the street do you not call it red
            because there are many other red cars? They're adding color (pun
            intended) to their description of the general bias of the UK
            government. What you're doing is called Whataboutism - the argument
            that others are doing something similar or as bad in different
            contexts. It doesn't make what the UK is doing any less bad for
            citizens (and non-citizens) privacy or data sovereignty.
       
              polshaw wrote 1 hour 50 min ago:
              You don't say it's "especially" red then do you. The comparison
              was started by the GP.
       
            15155 wrote 22 hours 27 min ago:
            Folks in the United States aren't routinely arrested for Facebook
            posts.
       
              cmdli wrote 11 hours 25 min ago:
              The AP News was just kicked out of press conferences for not
              using the government-preferred term for the Gulf of Mexico. The
              new director of the FBI is pledging to go after members of the
              press that he doesn't like. The US is jumping headfirst in the
              "bad speech isn't free" direction in the past month.
       
              twixfel wrote 16 hours 8 min ago:
              There are limits to speech in every country, including the US. 
              What I always find baffling is the sheer arrogance of Americans,
              that the only way to be a free and democratic country is their
              way, to the extent that they send their elected representatives
              to Germany of all places to implicitly argue for the legalisation
              of the Hitler salute.
              
              Meanwhile their country has slid into fascism. Sad and tragic.
       
              jirf_dev wrote 19 hours 34 min ago:
              Of course they are. Violent threats and admitting illegal
              activity on social media can lead to arrests in the US. By being
              so unspecific your comment does not really foster good discussion
              on the topic. You should describe what kind of posts they are
              being arrested for and which laws/protections in the UK you are
              specifically criticizing.
       
              4ndrewl wrote 21 hours 46 min ago:
              They're not arrested for posting on Facebook. They're arrested
              for _what_ they're posting on Facebook.
       
                JBSay wrote 21 hours 6 min ago:
                Just like any other authoritarian state
       
                  4ndrewl wrote 19 hours 55 min ago:
                  Hardly. There are limits to speech in most jurisdictions.
                  That hardly crosses the threshold for "authoritarian". The
                  high profile cases in the UK have been around incitement to
                  violence and contempt of court.
       
                pb7 wrote 21 hours 7 min ago:
                Yes, people in the US don't get arrested for that.
       
                  maccard wrote 20 hours 17 min ago:
                  Yes, they do. [1] [2] [3]
                  
   URI            [1]: https://www.justice.gov/usao-az/pr/page-man-charged-...
   URI            [2]: https://edition.cnn.com/2015/04/30/us/georgia-woman-...
   URI            [3]: https://www.cnbc.com/amp/2023/10/19/influencer-gets-...
   URI            [4]: https://www.justice.gov/usao-ndal/pr/birmingham-man-...
       
                    fencepost wrote 19 hours 52 min ago:
                    No, they get arrested for conduct that would be criminal no
                    matter where they did it. Facebook (2x) and Twitter (2x)
                    were the (virtual) venues where the crimes were committed,
                    but the crimes were attempting to organize a mob to burn
                    down a courthouse, inciting and threatening to murder
                    police, conspiracy to suppress votes and threatening to
                    kill the President. The crimes would be just as criminal
                    had they been done in person at a local bar (or any other
                    physical location).
       
                      maccard wrote 19 hours 42 min ago:
                      Which is exactly the same as in the UK.
                      
                      >  The crimes would be just as criminal had they been
                      done in person at a local bar (or any other physical
                      location).
                      
                      I agree. Where the US differs is that because of the US's
                      1st amendment it's _not_ a crime to say those things even
                      in a bar.
                      
                      Anyway, all of that to say that Americans are arrested
                      for posting things on the internet, despite what people
                      claim.
       
                    4ndrewl wrote 19 hours 54 min ago:
                    Stop it. We don't deal in "facts" any more.
       
          kmeisthax wrote 22 hours 39 min ago:
          What the politicians want is partial security: something they can
          crack but criminals can't. That is achievable in physical security,
          but not in cybersecurity.
          
          I have a feeling the politicians already know partial cybersecurity
          isn't an option, and don't care. Certainly, the intelligence
          community advising them absolutely does know. We don't even have to
          be conspiratorial about it: their jobs are easier in the world where
          secrets are illegal than in the world where hackers actually get
          stopped.
       
            eterm wrote 5 hours 38 min ago:
            > That is achievable in physical security, but not in cybersecurity
            
            This isn't accurate though, and leads us down the path of trying to
            prevent these bad laws from a technical perspective when we should
            be fighting the principle of the bad law not just decrying it for
            being "unworkable".
            
            It is possible to construct encryption schemes with a "backdoor
            key" while still being provably secure against anyone else.
            
            This creates precisely the "partial security" you describe:
            Criminals can't crack the encryption, but the government can use
            their backdoor-key.
            
            But like those who argue online age-consent schemes can't work, it
            doesn't help to argue against the technical aspects of such bad
            laws. The law, particularly UK law, doesn't care for what's
            technically possible. The bad laws can sit on the books regardless
            of the technical feasibility of enforcement. Eventually technology
            can catch up, or the law can simply be applied on a best endeavours
            / selective enforcement approach.
       
              jmholla wrote 11 min ago:
              > This creates precisely the "partial security" you describe:
              Criminals can't crack the encryption, but the government can use
              their backdoor-key.
              
              No, it doesn't. Now criminals just have to get the key. These
              schemes have been tried many times. They've been discovered by
              actors that shouldn't have access to them.
              
              Please don't go around advising government leaders and
              organizations. This is exactly the problem solving capabilities
              of governmental leaders that security experts are decrying here
              in this thread.
              
              I honestly thought your comment was going to go along the
              lines of perfect physical security can only be perfectly secure
              from everyone, including the people it shouldn't be. We
              constantly see the hacking of physical locations. The big things
              keeping some orgs from being attacked: redundancy, observability,
              and ENCRYPTION WITHOUT BACKDOORS!
       
              jliptzin wrote 2 hours 38 min ago:
              And what happens when someone in the government inevitably leaks
              the key either intentionally or because of a hack?
       
            joncp wrote 19 hours 12 min ago:
            > That is achievable in physical security, but not in
            cybersecurity.
            
            Not with physical security either, I'm afraid.
       
              cryptonector wrote 18 hours 59 min ago:
              With physical security the state apparatus can provide physical
              security in the form of police and what not, as well as
              deterrence and punishment.
              
              In the world of cryptography it's... a bit harder to do something
              similar.  In the best case they can come up with a key escrow
              system that doesn't suck too much, force you to use it, and
              hopefully they don't ever get the master keys hacked and stolen
              or leaked.  But they're not asking for key escrow.  They're
              asking for providers to be the escrow agents or whatever worse
              thing they come up with.
       
        nomilk wrote 22 hours 55 min ago:
        Wow - how sad. To think the 2nd highest scoring post ever on Hacker
        News is Apple's 2016 A Message to Our Customers. A display of
        intelligence, morality and courage under great pressure: [1] How things
        have changed.
        
        > In a statement Apple said it was "gravely disappointed"
        
        So are we, Apple. So are we.
        
   URI  [1]: https://hn.algolia.com
       
          okeuro49 wrote 22 hours 51 min ago:
          Apple did the right thing.
          
          I would much rather they were transparent, so that people can move
          services, rather than build a backdoor in secret, to appease the
          far-left Labour government.
       
            stoobs wrote 20 hours 30 min ago:
            Oh stop with "far left" nonsense, none of our main political
            parties are much further than slightly left or right of centrist.
       
            nomilk wrote 22 hours 31 min ago:
            Building a backdoor and telling us is better than building a
            backdoor and not telling us, but not building a backdoor at all is
            ideal.
       
        CodeWriter23 wrote 23 hours 6 min ago:
        If Apple was a real American Company they would solve this issue by
        withdrawing their devices from the UK.
       
          int_19h wrote 17 hours 1 min ago:
          Is Palantir a Real American Company?
       
        sumuyuda wrote 23 hours 7 min ago:
        Apple could have disabled iCloud completely for UK users. This would
        protect both UK users and other users whose data would also have been
        captured in an iCloud backup.
        
        They would lose some money on services, but would have been the better
        choice to stand up to the UK government and protect the UK users.
       
          jdminhbg wrote 22 hours 42 min ago:
          It's fine to continue providing the service as long as people know
          it's not encrypted. I am not worried about my photos being
          subpoenaed; I am worried about losing them. I'd rather have the
          service.
       
        j-bos wrote 23 hours 7 min ago:
        This law raises serious concerns about being a non UK resident using
        British software, like Linux Mint.
       
        xyst wrote 23 hours 11 min ago:
        If you care about privacy and security of your data, you aren’t using
        public services from Apple or Google, or “big tech” anyways.
        
        I always thought of “cloud” services to be a sham. I only trust
        them with transient data or junk data anyways (glorified temp storage,
        at best).
       
        Ruq wrote 23 hours 14 min ago:
        Honestly I'm surprised that rather than trying to build stupid
        backdoors and such, tyrannical governments don't just try to make an
        encryption key database. They hold ALL the keys and can get into
        anything they want, anytime they want. If you get caught with keys or
        encrypted data they can't access, punishment ensues.
        
        Like if you're gonna try to eliminate privacy and freedom, just be
        honest and open about your intentions.
       
        santiagobasulto wrote 23 hours 19 min ago:
        What happens if a British citizen/resident buys an iPhone in the USA?
        
        Btw, as a European citizen, I always buy my devices in the USA. We can
        complain about the US as much as we want, but Europe is on another
        level.
       
          commandersaki wrote 20 hours 3 min ago:
          I think the iCloud services are based on the region of your Apple
          Account. So you could theoretically use a US region Apple Account and
          enjoy iCloud services. But that means you won't get UK region apps,
          except in the app store you can switch to different Apple Accounts as
          you please, so you can have multiple accounts for different regions
          (which is what I do).
       
          Ylpertnodi wrote 21 hours 41 min ago:
          As an EU citizen, the US* (govts) can stay away from my stuff. I won't
          even vpn through the
          
          *or any other gubments.
          
          Of course, when the rubber truncheon comes out, I'd be happy to show
          my encrypted stuff. But until then, or without a warrant, I'd prefer
          not to.
       
        andyjohnson0 wrote 23 hours 22 min ago:
        Presumably this applies to the iPhones owned by UK government
        ministers, civil servants, personal devices of military personnel, UK
        businesses, etc.
        
        As a brit, I find that my government's stupidity is almost its only
        reliable attribute.
       
          mrweasel wrote 23 hours 14 min ago:
          Presumably not, politicians have a way of excepting themselves in
          these types of laws. It's almost as if they understand the need for
          privacy, they just fail to apply that understanding to any scenarios
          beyond their own.
       
            fdb345 wrote 21 hours 59 min ago:
            "Presumably not"
            
            Rubbish.   Give me one example?    They will have to abide as well.
       
              8fingerlouie wrote 18 hours 38 min ago:
              Not a UK example, but Chat Control (2.0) explicitly exempts
              various politicians and government officials from being spied on.
       
            andyjohnson0 wrote 22 hours 34 min ago:
            I meant that Apple's decision to withdraw ADP applies to them, not
            the Investigatory Powers Act. Or are you saying that Apple will
            give them a free exemption?
       
        kouru225 wrote 23 hours 23 min ago:
        I’m at the point where I’m ready to get a pixel and install
        graphene
       
          wishfish wrote 14 hours 27 min ago:
          I'm in a similar position. Strongly considering replacing my iPhone
          with a Pixel. But I realize I'm vulnerable via cloud services.
          GrapheneOS won't save me from someone poking through my Dropbox. I'll
          have to find another option for that too.
       
            AlgebraFox wrote 1 hour 22 min ago:
            Nextcloud works great on GrapheneOS if you are willing to self
            host.
       
          noescgchq wrote 23 hours 17 min ago:
          Right but then you are jailed at Heathrow for not unlocking your
          phone.
          
          The UK has made it clear that Counter Terrorism legislation has no
          limits in UK law even if that means compromising all systems and
          leaving them vulnerable to state actor attacks.
          
          MPs will continue to use encrypted messaging systems that disappear
          messages during any inquiries of course.
       
            aqueueaqueue wrote 18 hours 50 min ago:
            Take a dumb phone (or none)?
       
            fdb345 wrote 22 hours 27 min ago:
            Except no one has ever been jailed for simply refusing to unlock a
            phone unless there was heavy evidence there was something on the
            phone.
            
            Stop spreading incorrect FUD
       
              okasaki wrote 17 hours 26 min ago:
              You're an ignorant fool:
              
   URI        [1]: https://www.theregister.com/Print/2009/11/24/ripa_jfl/
       
                fdb345 wrote 6 hours 21 min ago:
                LOL literally a suspected terrorist.
       
                  Aachen wrote 5 hours 14 min ago:
                  Being in court for something doesn't make you guilty of said
                  thing. What's the "heavy evidence" you say they had before
                  jailing this person?
       
              timc3 wrote 22 hours 21 min ago:
              No one that we have heard of yet.
       
            shaky-carrousel wrote 22 hours 36 min ago:
            You can provide a self destroy PIN with GrapheneOS.
       
              runjake wrote 22 hours 26 min ago:
              And that certainly wouldn't raise their suspicion. Surely, they'd
              immediately let you go after that stunt.
       
                shaky-carrousel wrote 7 hours 19 min ago:
                Of course they could throw a tantrum, but it wouldn't be
                anything but that, and they will have to release you once they
                cool down.
                
                What are they going to say? That they won't release you until
                you magically unerase the phone? There's nothing to wait for.
       
                  Aachen wrote 4 hours 52 min ago:
                  I agree there is nothing to coerce out of you anymore and so
                  you'd not be held on this forced decryption law... but not
                  complying with such a court order probably results in another
                  offence for which you can then get punished (not sure if a
                  fine, community service, or jail time would be most likely
                  for this), on top of that it doesn't look good to the judge
                  who presides over the original case in which they demanded
                  the decryption in the first place
       
                dclowd9901 wrote 21 hours 15 min ago:
                But it would be up to him, wouldn't it? I think that's the main
                deal here: carte blanche access to your data, or giving in to
                someone's bullshit fishing attempt because it's inconvenient.
       
            sangnoir wrote 23 hours 9 min ago:
            Schiphol was already the superior airport for connections anyway,
            not being arrested just sweetens the deal.
       
          varispeed wrote 23 hours 20 min ago:
          Until it will be illegal to do so.
       
        perdomon wrote 23 hours 27 min ago:
        Can someone explain what's changed in the UK that they would consider
        requesting unfettered access to all Apple customer data (including
        outside their own borders)? I get that the NSA is infamous for
        warrant-less surveillance, but this seems a step further.
       
          drak0n1c wrote 21 hours 34 min ago:
          Labour Party was elected six months ago. It is doubling down on
          existing government surveillance policy as a cure-all weapon to
          investigate and chill opposition, and to humble foreign tech
          companies.
       
          guccihat wrote 21 hours 47 min ago:
          It is "just" the domestic intelligence agency ordering Apple to
          backdoor their own system to be able to supply data for lawful
          interception. As I read the article, it's not a UK backdoor in the
          sense they can roam around in every user's data. The domestic agencies
          still need to follow the rules of lawful interception, namely they
          need a warrant, and it is targeted at UK nationals only. At least
          that is how I read the article.
       
          crimsoneer wrote 22 hours 16 min ago:
          This isn't warrant-less, it's with a warrant. This isn't really a
          change in the UK, it's the UK trying to adapt to the proliferation of
          E2E encryption - ten years ago, law enforcement could always access
          your messages, now the default if you're on WhatsApp/iMessage is they
          can't because E2E is on by default. UK lawmakers aren't happy with a
          default position of the state being totally incapable of reading
          messages, no matter what the law says.
          
          It might not be cryptographically sensible, but it is responding to a
          real change in the strength of the state.
       
          r00fus wrote 22 hours 39 min ago:
          This is part and parcel of the collapse of western capitalism (aka
          American empire).  You get two main choices when capitalism fails -
          fascism or communism/socialism.  It's clear that the UK has chosen
          fascism (either liberals like Labour or extreme right like Reform).
       
            dumbledoren wrote 13 hours 15 min ago:
            That choice exists only in cases in which the people can effect a
            revolution. The UK elite is too strongly in control of the country
            through its establishment, so, it will be a loud tumble down the
            hillside towards fascism...
       
          chippiewill wrote 22 hours 54 min ago:
          Nothing's changed, they just want the same access to people's data
          they've always had. They loved completely unencrypted text messages.
          
          The rise of first-party end-to-end encryption has made life difficult
          for the security services so they just want to get rid of it.
          
          Also historically the US government loved the UK doing all this
          spying because the US wasn't allowed to do a lot of it on their own
          citizens.
       
          varispeed wrote 23 hours 17 min ago:
          Uncontrolled immigration and terrorist threat, but also probably they
          want to look at people's nudes. Jolly lot.
       
        fdb345 wrote 23 hours 32 min ago:
        How will they enforce this?
        
        They will have to send out messages 'You have 32465 hours before your
        account is deleted unless you decrypt'
        
        This is NOT a good look.
       
        tene80i wrote 23 hours 36 min ago:
        I have a naive question, and it's genuine curiosity, not a defence of
        what's happening here.
        
        This ADP feature has only existed for a couple of years, right? I
        understand people are mad that it's now gone, but why weren't people
        mad _before_ it existed? For like, a decade? Why do people treat iCloud
        as immediately dangerous now, if they didn't before?
        
        Did they think it was fully encrypted when it wasn't? Did people not
        care about E2E encryption and now they do? Is it that E2E wasn't
        possible before? If it's such a huge deal to people now, why would they
        have ever used iCloud or anything like it, and now feel betrayed?
       
          aqueueaqueue wrote 19 hours 17 min ago:
          People learn stuff over time. If you are not living like RMS you
          probably are allowing something to spy on you. If that spying gets
          removed you become aware. You don't want it back.
          
          It is like anything that gets better. Fight for the better. It is
          like aviation safety: who cares about a few crashes this year when
          people didn't complain in the 70s.
       
          saljam wrote 19 hours 48 min ago:
          i mainly use apple devices, but never put anything on icloud before
          adp came out.
       
          mihaaly wrote 20 hours 51 min ago:
          The situation was not something that existed since the beginning of time,
          it evolved gradually. Long ago not that much and not that many
          critically private data was circulating the net, it increased and got
          essential living online by time, in some instances forced in an
          increasing portion of situations. Worry then had no grounds yet. As
          exposure of the population grew, so did the benefit for adverse
          elements breaking online data stores, growing in numbers fast, not
          all made properly in the headless chase of success. Damage and hence
          awareness grew gradually.
          
          But basically yes, people are stupid and gave no shit but believed
          all f nonsense, the marketing frauds made them eating up their crap
          happy if it had pretty words and pictures, promising something
          halfway to Paradise. Like the Cloud mirage. Those of careful
          personality were cautious since the first time Apple and alike pushed
          on people giving up control over their own data for tiny comfort (or
          no comfort eventually due to all hostile patterns in the full
          picture) not putting all and every precious or slightly valuable
          stuff to some unknown server on the internet protected only by
          hundreds of years old method: password (so not protected at all
          essentially). Memories, contacts, schedules, communications,
          documents, clone of their devices in full, putting all into 'cloud'
          (much before secure online storage became a thing)? Many times to the
          very same one? Who are that much idiots, really?!
       
          deelowe wrote 21 hours 24 min ago:
          Apple has been advertising security and privacy as a top feature for
          years now. It would make sense for people to get upset if those
          features were removed.
       
          LeoPanthera wrote 21 hours 31 min ago:
          iCloud did a lot less, in the past. Disabling it now gives you access
          to more data than it did a few years ago. And I also suspect it has
          far more users today than it did a few years ago.
       
          procaryote wrote 21 hours 58 min ago:
          An E2E encrypted thing that later gets a special backdoor added is
          obviously much worse than a not E2E encrypted thing.
          
          It's like when google suddenly decided that their on-device-only 2FA
          app Google Authenticator should get an opt-out unencrypted cloud
          backup.
          
          It means people who don't pay a lot of attention can suddenly have
          much less protection than they were originally sold on.
       
          TradingPlaces wrote 22 hours 19 min ago:
          Apple and the FBI were squabbling over this for a few years, and then
          Apple decided to end the conversation one day and implement ADP
       
          AzzyHN wrote 22 hours 29 min ago:
          Hacker News is a small subsection of the internet. I think the
          majority of people, probably 90% or more, simply do not care that
          much.
       
          nikisweeting wrote 22 hours 53 min ago:
          I was mad for years that ADP didn't exist / was being withheld due to
          Apple+FBI negotiations for years.
          
          I 100% treated iCloud as dangerous until they released it, and I
          cheered in the streets when they finally did.
       
          fauigerzigerk wrote 22 hours 55 min ago:
          I think it makes sense for the services we rely on to get more secure
          as the world gets more dangerous. It's an arms race. You don't want
          to go back.
       
          GeekyBear wrote 22 hours 56 min ago:
          You've always been able to perform encrypted backups to your own
          local PC or Mac out of the box, so people who do care about privacy
          have always had that option.
          
          One thing I've found concerning is that Apple had encrypted cloud
          backups ready to roll out years ago, but delayed releasing the
          feature when the US government objected.
          
          > After years of delay under government pressure, Apple said
          Wednesday that it will offer fully encrypted backups of photos, chat
          histories and most other sensitive user data in its cloud storage
          system worldwide, putting them out of reach of most hackers, spies
          and law enforcement. [1] So the UK government isn't the only
          government that has objected to users having real privacy
          protections.
          
   URI    [1]: https://www.washingtonpost.com/technology/2022/12/07/icloud-...
       
          xyst wrote 22 hours 59 min ago:
          People were mad. Remember the Snowden leaks and PRISM program from
          NSA? [1] In fact, Apple began to adopt “privacy” first marketing
          due to this fallout. Apple even doubled down on this by not assisting
          FBI with unlocking a terrorist suspect's Apple device in 2016. [2] It
          was around that time I actually had _some_ respect for Apple. I was
          even an “Apple fanboy” for some time. But that respect and
          fanboi-ism was lost between 2019 and now.
          
          Between the deterioration of the Apple ecosystem (shitty macOS
          updates), pushing scanning of photos and uploading to central server
          (CSAM scanning scandal?), the god awful “Apple wall”, very poor
          interoperability, and very anti-repair stance of devices. [1]
          
   URI    [1]: https://www.theguardian.com/world/2013/jun/06/us-tech-giants...
   URI    [2]: https://money.cnn.com/2016/03/28/news/companies/fbi-apple-ip...
       
          post_break wrote 23 hours 2 min ago:
          Yes, I was mad before it existed and didn't use icloud backups. With
          the E2E and ADP I turned it on. If it gets nuked in the US I'll go
          back to encrypted local backups only.
       
          matthewdgreen wrote 23 hours 5 min ago:
          Many of us were very upset about Apple's slow-rolling this feature.
          There were many claims that they delayed the rollout due to
          government pressure [1] (note: that story is by the same reporter who
          broke today's news a couple of weeks ago.)
          
          Rolling out encryption takes time, so the best I can say is "finally
          it arrived," and then it was immediately attacked by the U.K.
          government and has now been disabled over there. I imagine that Apple
          is also now intimidated to further advertise the feature even here in
          the U.S. To me this indicates we (technical folks) should be making a
          much bigger deal about this feature to our non-technical friends.
          
   URI    [1]: https://www.reuters.com/article/world/exclusive-apple-droppe...
       
          jahewson wrote 23 hours 7 min ago:
          The problem here is not with iCloud but with the U.K. government.
          People like to tell themselves the government isn’t actually
          trampling their rights but events like this make it impossible to
          ignore.
       
          ziddoap wrote 23 hours 12 min ago:
          At one point in time, the entirety of web communication was
          completely unencrypted.
          
          Why were people not mad then? Do you think people would be angrier
          now, if HTTPS were suddenly outlawed?
          
          Among other valid answers, removing rights and privileges generally
          makes people angrier than not having those rights or privileges in
          the first place.
       
            muyuu wrote 21 hours 34 min ago:
            always used my own encryption and cyphered any sensitive
            data/communications, but the problem is that most people won't and
            you're often compromised by them
            
            simple solutions like Whatsapp, Signal and ADP brought this to the
            masses - which some governments have issues about - and this makes
            a massive difference to everybody including those who wouldn't be
            caught dead using an iphone anyway
            
            if we could go back to the early 1990s when only professionals, Uni
            students, techies and enthusiasts used the internet I'd go in a
            heartbeat but that's not the world we're living in
       
            bostik wrote 22 hours 26 min ago:
            > Why were people not mad then?
            
            Oh, we were. I am in the crowd who had been asking for generally
            used encryption since 1995. After all, we were already using SSH
            for our shell connections.
            
            The first introduction to SSL outside of internet banking and
            Amazon was for many online services to use encryption only for
            their login (and user preferences) page. The session token was then
            happily sent in the clear for all subsequent page loads.
            
            It took a while for always-on encryption to take hold, and many of
            the online services complained that enabling SSL for all their page
            loads was too expensive. Both computationally and in required
            hardware resources. When I wrote for an ICT magazine, I once did
            some easy benchmarking around the impact of public key size for
            connection handshakes. Back then a single 1024-bit RSA key
            encryption operation took 2ms. Doubling it to 2048 bits bumped that
            up to 8ms. (GMP operations have O(n^2) complexity in terms of
            keysize.)
       
              aqueueaqueue wrote 19 hours 15 min ago:
              "We" is a special group. I am technical but never thought much
              about it back then. There is a boiling frog. The 90s internet was
              used for searching and silly emails. Now it has your life in the
              cloud. But that didn't happen in a day.
       
            viciousvoxel wrote 22 hours 52 min ago:
            Counterpoint: when web communication was unencrypted it was before
            we did our banking, tax filing, sent medical records, and sent all
            other kinds of sensitive information over the internet. The risks
            today are not remotely the same as they once were.
       
          hirako2000 wrote 23 hours 19 min ago:
          A few factors
          
          - e2e encryption is not ubiquitous yet, but awareness is ascending.
          
          - distrust for government also is on the uptrend.
          
          - more organized dissent to preserve privacy.
          
          No people didn't assume data was encrypted.
          
          Yes E2E has been possible for many decades, but businesses don't have
          privacy as a priority, sometimes even counter incentives to protect
          it. Personal data sells well.
          
          Things have changed because more people are getting to understand why
          it matters, forcing the hand of companies having no choice but to at
          least feign to secure privacy.
       
          freeone3000 wrote 23 hours 21 min ago:
          iCloud and iPhones have traditionally resisted US governmental
          overreach, only giving data to iCloud in cases of actual criminal
          prosecution against specific individuals. As well, iPhone backups in
          iCloud are relatively new, as are many other arbitrary storage
          features — it used to just be your songs and your photos! Now
          it’s data from all of your apps and a full phone backup. Hence the
          resistance: the stories of police being unable to recover data from a
          locked iPhone may now be over
       
          Shank wrote 23 hours 23 min ago:
          I guess I'm one of the people who was upset that it didn't exist
          before, and I didn't enable iCloud Backup as a result. I didn't use
          iCloud Photos. I had everything stored on a NAS (which was in fact
          encrypted properly) and used a Rube Goldberg-esque setup to move data
          to it periodically. I used iMazing and local encrypted backups on a
          schedule.
          
          Lots of people called for E2EE on this stuff, but let's be real about
          one thing: encryption as a feature being more accessible means more
          people can be exposed to it. Not everyone can afford a Rube Goldberg
          machine to back up their data to a NAS and not make it easily lost if
          that NAS dies or loses power. It takes immense time, skill, and
          energy to do that.
          
          And my fear isn't the government, either, mind you. I simply don't
          trust any cloud service provider to not be hacked or compromised
          (e.g., due to software vulnerability, like log4j) on a relatively
          long timescale. It's a pain to think about software security in that
          context.
          
          For me, ADP solves this and enables a lot of people who wouldn't
          otherwise be protected from cloud-based attacks to be protected.
          Sure, protection against crazy stuff like government requests is a
          bonus, but we've seen with Salt Typhoon that any backdoor can be
          found and exploited. We've seen major exploits in embedded software
          (log4j) that turn out to break massive providers.
          
          So, there were people upset, their concerns were definitely voiced on
          independent blogs and random publications, and now, we're back in the
          limelight because of the removal of the feature for people in the UK.
          
          But, speaking as a user of ADP outside of the UK, I am happy that ADP
          is standing up for it, and thankful that it exists.
          
          (To be clear: government backdoors, and government requests also
          scare me, but they aren't a direct threat to myself as much as a
          vulnerability that enables all user data to be viewed or downloaded
          by a random third-party).
       
          RenThraysk wrote 23 hours 24 min ago:
          Think most people had no idea how it worked, it was magic to them.
          
          iCloud hacks (like in 2014) have raised awareness for the need for
          E2EE.
       
          writtenAnswer wrote 23 hours 24 min ago:
          I think it is more about going backwards. It is often more difficult
          to remove laws than to add them. This is a similar situation.
          
          In this situation, I agree that it is a bad day for personal
          privacy/security.
       
        fjjjrjj wrote 23 hours 38 min ago:
        Does this mean I should treat travel to the UK the same way as China
        and only bring a burner device with no information on it or on cloud
        backup accounts?
       
          gnfargbl wrote 22 hours 48 min ago:
          Border control agents in all countries -- including the US -- have
          fairly extensive powers to search your devices or deny you entry. I'm
          not sure this decision should change your calculus on that point.
          
          See also
          
   URI    [1]: https://medium.com/@thegrugq/stop-fabricating-travel-securit...
       
            fjjjrjj wrote 22 hours 11 min ago:
            Company trade secrets probably shouldn't be on the device?  Edit -
            or the device's cloud backups?
       
        jcarrano wrote 23 hours 47 min ago:
        The smartphone is a terrible platform. Something like this could never
        happen on the PC, where you can install any encryption and backup
        software that you want.
        
        While Apple did the right thing by refusing to give the UK government a
        backdoor, they are responsible for getting users in this situation in
        the first place.
        
        I'm not familiar with the iPhone and maybe there is already an
        alternative to iCloud ADP, although that would make this whole
        situation completely nonsensical.
       
          jahewson wrote 22 hours 54 min ago:
          Given that the most popular software of this kind is Dropbox I’m
          quite confident that nothing you’ve said is true.
       
          shuckles wrote 23 hours 12 min ago:
          The smartphone platform is the most secure by default personal
          computer most people own, largely because of the control enforced by
          Apple.
       
            globular-toast wrote 9 hours 4 min ago:
            Secure for Apple, not for the users.
       
            devsda wrote 21 hours 29 min ago:
            If we are saying "secure", we should talk about what we are
            securing and against whom.
            
            A smartphone may be secure against malicious individual actors
            but it's certainly not the most secure when it comes to your private
            data. Modern day smartphone is designed to maximize capturing your
            private information like location, communication patterns, activity
            and (sometimes) health information and pass it on to as many
            private players (a.k.a. apps) as possible, even to governments
            without your knowledge. You don't have much control over it.
            
            In that aspect it is less secure than your typical PC. A PC doesn't
            have that level of private information in the first place and
            whatever information it has will leak only if you opt-in or get
            infected by malware. (Recent Windows versions without necessary
            tweaks may be considered a malware by some.)
       
              shuckles wrote 18 hours 3 min ago:
              Plenty of people access their health records, etc. on a PC via
              files downloaded to random places on their computer. Are you
              trying to just say smartphones have a lot of sensors and are
              carried around in intimate places?
       
            sunshowers wrote 22 hours 42 min ago:
            But along with that also comes a massive pressure point for rogue
            states to take advantage of. With a diversity of services this
            would not be nearly as possible.
       
          inetknght wrote 23 hours 22 min ago:
          > Something like this could never happen on the PC, where you can
          install any encryption and backup software that you want.
          
          Microsoft wants to have a word with you regarding their Windows
          operating system that's installed on their device that you're
          renting.
       
          snowwrestler wrote 23 hours 27 min ago:
          I haven’t checked lately but since it launched the iPhone has
          allowed the owner to choose whether to back up to Apple’s servers
          (which would be affected by the UK order) or back up to their local
          computer.
       
            int_19h wrote 17 hours 16 min ago:
            It's not an either-or, actually, even though the setting is worded
            like it is. But even if you have cloud backups enabled, you can
            still manually trigger a local backup.
       
            inetknght wrote 23 hours 20 min ago:
            > or back up to their local computer.
            
            You mean back up to their Apple computer, yes?
            
            I certainly can't back up an iPhone to my Linux computer.
       
              sumuyuda wrote 23 hours 14 min ago:
              Actually I think you can back up and restore your iPhone on Linux
              using libimobiledevice. They reverse engineered the protocols for
              the backup and restore service running on your iPhone.
              
   URI        [1]: https://libimobiledevice.org/
       
        throwaway77385 wrote 23 hours 50 min ago:
        The nightmare continues.
        For now I am using 3rd party backup services that are (currently)
        promising me that my backups are encrypted by a key they do not have
        access to, or control over.
        But can this even be believed in an age where these secret notices are
        being served to any number of companies?
        I suppose the next step would be to ensure that files don't ever arrive
        in the cloud unencrypted, but I have yet to see a service that allows
        me to do this with the same level of convenience as, say, my current
        backup solution, which seamlessly backs up all my phones, my family
        members' phones, my laptops, their laptops etc.
        I depend on having an offsite backup of my data. Which inevitably
        includes my clients' data also. Which I am supposedly keeping secret
        from outside access. So how does that work once everything becomes
        backdoored?
       
          jahewson wrote 23 hours 2 min ago:
          In the case of the U.K., they can throw you in jail for not handing
          over your encryption key, so it’s a moot point. They’ve been
          slowly expanding this power for twenty years now.
       
            fdb345 wrote 22 hours 8 min ago:
            I've been through all this with the law. no one ever got jailed for
            not handing over encryption keys unless they were a definitive
            criminal and there's strong evidence there is criminal data on the
            device.
            
            they tried this with me (NCA) but the judge wouldn't sign off as
            they had nothing on me or my device. they did however REALLY
            want to access it! fuck them. pricks
       
              kiratp wrote 8 hours 54 min ago:
              
              
   URI        [1]: https://www.telegraph.co.uk/news/2024/10/25/tommy-robins...
       
                fdb345 wrote 6 hours 22 min ago:
                you just gave an example of a man who was highly likely to have
                something of interest on his phone. (as signed by a judge)
       
                  infinitifall wrote 5 hours 1 min ago:
                  It is likely there is something of interest on your phone (as
                  signed by my friend Joe). Now unlock your phone or you will
                  be jailed.
       
              callc wrote 20 hours 37 min ago:
              Ah yes, the “we have all the power but pinky promise to only
              use it on the bad guys” playbook. I have complete confidence
              and trust in that promise. /s
       
            bloqs wrote 22 hours 38 min ago:
            Not for content in the cloud, as far as I understand. Someone will
            correct me, but you can be arrested and threatened with terror
            charges if you don't unlock your device, but this does not give them
            permission to access other computers via the internet.
       
              commandersaki wrote 20 hours 17 min ago:
              Tommy Robinson trial for refusing to provide his unlock
              credentials when ingressing UK is happening in March this year.
       
          globular-toast wrote 23 hours 17 min ago:
          Convenience usually comes at a cost. You shouldn't have to trust
          anyone. Just use a generic storage service and only upload encrypted
          files to it. Syncthing + Rclone will probably get you a similar setup
          that you control.
       
          grahamj wrote 23 hours 20 min ago:
          IMO the only thing you can have a high level of trust in is your own
          *nix server. Backup those devices to it then encrypt there before
          being sent to the cloud.
       
            acuozzo wrote 22 hours 45 min ago:
            > your own *nix server
            
            Just be sure it's pre-Intel Management Engine / pre-AMD Platform
            Security Processor!
       
            JohnFen wrote 23 hours 4 min ago:
            Handling the encryption yourself is the way to go, but for maximum
            security, don't send that encrypted data to the cloud. Keep it all
            on your own server(s).
            
            That doesn't help people who aren't technically capable, of course.
            But at least those who are can protect themselves.
       
              cg5280 wrote 46 min ago:
              Why couldn't the government just get a warrant and take your
              local servers? At that point there doesn't seem to be much of a
              difference with respect to this threat model, at least cloud is
              convenient.
       
              grahamj wrote 15 hours 12 min ago:
              Depends what kind of security. Local doesn't help if your house
              burns down or is robbed.
       
          nemomarx wrote 23 hours 34 min ago:
          security and convenience are ever at war.
       
        mynameyeff wrote 23 hours 51 min ago:
        Yikes... looks like Apple sun is setting. This cannot be allowed to
        happen.
       
          HPsquared wrote 23 hours 46 min ago:
          It's not just an Apple thing. It's not even just a UK thing.
       
        DataOverload wrote 23 hours 53 min ago:
        This was predictable vs creating a backdoor
       
        yapyap wrote 23 hours 53 min ago:
        yikes
       
        ComputerGuru wrote 23 hours 54 min ago:
        Note that this doesn’t satisfy the government’s original request,
        which was for worldwide backdoor access into E2E-encrypted cloud
        accounts.
        
        But I have a more pertinent question: how can you “pull” E2E
        encryption without data loss? What happens to those that had this
        enabled?
        
        Edit:
        
        Part of my concern is that you have to keep in mind Apple's defense
        against backdooring E2E is the (US) doctrine that work cannot be
        compelled. Any solution Apple develops that enables "disable E2E for
        this account" makes it harder for them to claim that implementing that
        would be compelling work (or speech, if you prefer) if that capability
        already exists.
       
          ckcheng wrote 16 hours 21 min ago:
          > Any solution Apple develops that enables "disable E2E for this
          account" makes it harder for them to claim that implementing that
          would be compelling work (or speech, if you prefer)
          
          I think it’s really speech [0], which is why it’s important to
          user privacy and security that Apple widely advertises their entire
          product line and business as valuing privacy.  That way, it’s a
          higher bar for a court to cross, on balance, when weighing whether to
          compel speech/code (& signing) to break E2EE.
          
          After all, if the CEO says privacy is unimportant [1], maybe
          compelling a code update to break E2EE is no big deal? (“The court
          is just asking you, Google, to say/code what you already believe”).
          
          Whereas if the company says they value privacy, then does the
          opposite without so much as a fight and then the stock price drops,
          maybe that’d be securities fraud? [2]. And so maybe that’d be
          harder to compel.
          
          [0]: [1]: [2]:
          
   URI    [1]: https://news.ycombinator.com/item?id=43134235
   URI    [2]: https://www.eff.org/deeplinks/2009/12/google-ceo-eric-schmid...
   URI    [3]: https://www.bloomberg.com/opinion/articles/2019-06-26/everyt...
       
          kelnos wrote 19 hours 52 min ago:
          > the (US) doctrine that work cannot be compelled
          
          Is this actually a thing? Telecoms in the US are compelled to provide
          wiretap facilities to the US and state and local governments.
       
            ckcheng wrote 17 hours 48 min ago:
            >> Apple's defense against backdooring E2E is the (US) doctrine
            that [government can’t] be compelling work (or speech, if you
            prefer)
            
            It’s really not “work” but speech. That’s why telecoms can be
            compelled to wiretap. But code is speech [2], signing that code is
            also speech, and speech is constitutionally protected (US).
            
            The tension is between the All Writs Act (requiring “third
            parties’ assistance to execute a prior order of the court”) and
            the First Amendment. [1] So Apple may be compelled to produce the
            iCloud drives the data is stored on. But they can’t be made to
            write and sign code to run locally in your iPhone to decrypt that
            E2EE data (even though obviously they technologically could).
            
            [1]
            
   URI      [1]: https://www.eff.org/deeplinks/2015/10/judge-doj-not-all-wr...
   URI      [2]: https://www.eff.org/deeplinks/2015/04/remembering-case-est...
       
              codedokode wrote 12 hours 55 min ago:
              It's weird bending of law. Code, especially closed-source code,
              is not a speech; it's a mechanism and the government may mandate
              what features a mechanism must have (for example, a safety belt
              in a car).
       
          TeaBrain wrote 22 hours 50 min ago:
          I think Prof Woodward's quote in the article will likely hold true
          for Apple's response to the original UK government request:
          
          "It was naïve of the UK government to think they could tell a US
          technology company what to do globally"
       
          mtrovo wrote 23 hours 14 min ago:
          Apple is in a really tough position. I don't know if there's any way
          they could fulfil the original request without it effectively
          becoming a backdoor. Disabling E2E for the UK market is just kicking
          the can down the road.
          
          Even simply developing a tool to coerce users out of E2E without
          their explicit consent to comply with local laws could be abused in
          the future to obtain E2E messages with a warrant in different
          countries.
          
          A very difficult position to be in.
       
            MetaWhirledPeas wrote 19 hours 24 min ago:
            > Apple is in a really tough position.
            
            You mean Apple is in a unique position to make a statement. No more
            Apple products in the UK. Mic drop. Exit stage left.
       
              sureIy wrote 14 hours 5 min ago:
              But… money
       
                musictubes wrote 12 hours 4 min ago:
                But customers. People keep saying they should just not be in
                that country. It is far better to have the choice of using an
                iPhone even if particular features are no longer available.
       
            replete wrote 21 hours 45 min ago:
            Or, this is how they save face with their customers having complied
            with the request rather than stop trading with the UK.
       
          wrs wrote 23 hours 17 min ago:
          > how can you “pull” E2E encryption without data loss
          
          You can’t. The article says if you don’t disable it (which you
          have to do yourself, they can’t do it for you, because it’s E2E),
          your iCloud account will be canceled.
       
            nashashmi wrote 20 hours 13 min ago:
            At this point, the right thing to do is allow for an alt-service.
       
              jmb99 wrote 12 hours 20 min ago:
              How would an alt service help this situation? You’d just end up
              with backdoored services advertising E2EE, no? Apple’s move
              here is definitely the right one, introduce as much friction as
              possible to hopefully get the user pissed off at their government
              for writing such stupid laws.
       
                NitpickLawyer wrote 7 hours 58 min ago:
                > introduce as much friction as possible to hopefully get the
                user pissed off at their government for writing such stupid
                laws.
                
                I'm actually surprised that they didn't add more direct text in
                that screen. "We are unable to provide this service... BECAUSE
                OF YOUR GOVERNMENT 1984 STYLE REQUESTS. Contact your MPs here
                and here and oh, here's their unlocked icloud data, might want
                to add some choice pictures to their stash..." would have been
                a tad more on the nose...
       
              sneak wrote 16 hours 1 min ago:
              Apple has an organization-wide mandate for services revenue.
              
              Every product must make money on an ongoing basis, every month.
              That's why you get constantly spammed to subscribe to things on
              iOS.
              
              Apple will never drop this anticompetitive practice of favoring
              their services until they are legally compelled to.
       
                bryan_w wrote 14 hours 33 min ago:
                > you get constantly spammed to subscribe to things on iOS.
                
                Ad companies are the worst
       
          globular-toast wrote 23 hours 22 min ago:
          > But I have a more pertinent question: how can you “pull” E2E
          encryption without data loss? What happens to those that had this
          enabled?
          
          Well exactly. The UK just showed the whole thing is a joke and that
          Apple can do this worldwide.
       
          tripdout wrote 23 hours 41 min ago:
          The iOS screenshot displays a message saying it's no longer available
          for new users.
       
          rdtsc wrote 23 hours 41 min ago:
          > how can you “pull” E2E encryption without data loss? What
          happens to those that had this enabled?
          
          They'll keep your data hostage and disable your iCloud account.
          Clever, huh? So they are not deleting it, just disabling your
          account. "If you don't like it, make your own hardware and cloud
          storage company" kind of a thing.
       
            lynx97 wrote 22 hours 27 min ago:
            More like "If you don't like it, talk to your local politicians",
            which is, IMO, a totally valid approach.
       
              rdtsc wrote 21 hours 54 min ago:
              > "If you don't like it, talk to your local politicians",
              
              Indeed people only noticed this because Apple tried to do the
              right thing and now it's somehow also Apple's fault. No good deed
              goes unpunished, I guess.
              
              I think there is a feeling the government power is so
              overwhelming that they are hoping maybe some trillion dollar
              corporation would help them out somehow.
       
          jl6 wrote 23 hours 42 min ago:
          We are told the encryption keys reside only on your device. But Apple
          control “your” device so they can just issue an update that
          causes your device to decrypt data and upload it.
       
            sneak wrote 15 hours 59 min ago:
            Apple do not remotely control devices, and automatic updates are
            not mandatory.
       
            GeekyBear wrote 23 hours 19 min ago:
            Apple has already fought US government demands that they push an
            update that would allow the US government to break encryption on a
            user's device.
            
            > In 2015 and 2016, Apple Inc. received and objected to or
            challenged at least 11 orders issued by United States district
            courts under the All Writs Act of 1789. Most of these seek to
            compel Apple "to use its existing capabilities to extract data like
            contacts, photos and calls from locked iPhones running on operating
            systems iOS 7 and older" in order to assist in criminal
            investigations and prosecutions. A few requests, however, involve
            phones with more extensive security protections, which Apple has no
            current ability to break. These orders would compel Apple to write
            new software that would let the government bypass these devices'
            security and unlock the phones.
            
   URI      [1]: https://www.wikipedia.org/wiki/Apple%E2%80%93FBI_encryptio...
       
            RenThraysk wrote 23 hours 27 min ago:
            Would just upload the keys
       
              drexlspivey wrote 23 hours 4 min ago:
              Presumably these keys live in a hardware security module on your
              phone called “secure enclave” and cannot be extracted
       
                kevincox wrote 17 hours 46 min ago:
                Apple can push firmware updates to the HSM just like the
                device. So if they really wanted they could add an operation
                that extracted the keys (likely by encrypting them to a key
                that lives in Apple's cloud).
       
                watusername wrote 21 hours 55 min ago:
                From the Advanced Data Protection whitepaper [0], it appears
                the keys are stored in the iCloud Keychain domain, so not the
                Secure Enclave:
                
                > Conceptually, Advanced Data Protection is simple: All
                CloudKit Service keys that were generated on device and later
                uploaded to the available-after-authentication iCloud Hardware
                Security Modules (HSMs) in Apple data centers are deleted from
                those HSMs and instead kept entirely within the account’s
                iCloud Keychain protection domain. They are handled like the
                existing end-to-end encrypted service keys, which means Apple
                can no longer read or access these keys.
                
                [0]:
                
   URI          [1]: https://support.apple.com/guide/security/advanced-data...
       
                  jiveturkey wrote 21 hours 25 min ago:
                  wrapped by a key hierarchy ultimately rooted by a key stored
                  in the secure enclave.
       
                    watusername wrote 20 hours 47 min ago:
                    Well yes, the entire storage is. I was trying to explain
                    how it's extractable.
       
                      jiveturkey wrote 18 hours 43 min ago:
                      fair!
       
                fsflover wrote 22 hours 18 min ago:
                Is this module auditable though, or is "just trust us", like
                everything in the Apple world?
       
                  jmb99 wrote 12 hours 14 min ago:
                  An HSM bypass (extracting keys, performing unauthenticated
                  crypto ops) on any recent iOS device is worth 10s of
                  millions, easily. Especially if combined with a one-click/no
                  click. In that sense, it’s auditable, because it’s one of
                  the biggest targets for any colour hat, and the people smart
                  enough to find a bug/backdoor would only be slightly aided by
                  a spec/firmware source, and a bit more by the verilog.
                  
                  This is true for pretty much every “real” hsm on the
                  planet btw. No one is sharing cutting edge enclave details,
                  Apple isn’t unique in this regard.
       
                  theshrike79 wrote 19 hours 54 min ago:
                  If someone has a reliable and workable secure enclave hack
                  they can become a multi-millionaire for selling to state
                  actors or become one of the most famous hackers in the world
                  overnight (and possibly get a life changing amount of bounty
                  from Apple)
                  
                  Basically it's not a hack someone just throws on the internet
                  for everyone to use, it's WAY too valuable to burn like that.
       
                  LPisGood wrote 20 hours 13 min ago:
                  It’s auditable in the sense that there is a very high
                  potential for reward (both reputationally and financially)
                  for security researchers to break it.
       
                RenThraysk wrote 22 hours 58 min ago:
                Ah yes, good point.
       
          madeofpalk wrote 23 hours 43 min ago:
          When you disable ADP, your local encryption keys are uploaded to
          Apple's servers to be read by them.
          
          Apple could just lock you out of iCloud until you do this.
       
            kbolino wrote 15 hours 1 min ago:
            The hardware will not allow this, at least not without
            modifications. The encryption keys are not exportable from the
            Secure Enclave, not even to Apple's own servers.
       
              QuiEgo wrote 9 hours 26 min ago:
              Behind the scenes, it'd probably decrypt it locally
              piece-by-piece with the key in the Secure Enclave, and then
              reencrypt it with a new key that Apple has a copy of when you
              disable ADP.
       
              Twisell wrote 9 hours 33 min ago:
              The Apple security paper describes how to disable ADP through a
              key rotation sequence.
              
              This will be a "forced rotation", they just need to decide how to
              communicate to users and work out what happens to those who don't
              comply. Lockout until key rotation looks like an option as someone
              said.
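
Added example (not part of the thread, and not Apple's code or protocol): a simplified model of the key custody described in the whitepaper quote and in the key-rotation comments above, showing that once the provider's copy of the service key is gone, only the device can hand a readable key back. Provider, Device and the SHA-256/HMAC stand-in cipher are hypothetical names and assumptions, chosen so the block runs on the Python standard library alone.

```python
import hashlib
import hmac
import secrets

# Stand-in for a real AEAD so the block runs on the standard library alone:
# SHA-256 in counter mode with an HMAC tag (encrypt-then-MAC). It is an
# assumption of this example for showing key custody, not Apple's cipher.


def _keystream(key, nonce, length):
    blocks = (length + 31) // 32
    return b"".join(
        hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        for i in range(blocks)
    )[:length]


def _subkeys(key):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key, plaintext):
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def open_sealed(key, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified ciphertext")
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Provider:
    """Hypothetical cloud service: always stores ciphertext, sometimes a key."""
    def __init__(self):
        self.records = {}          # name -> sealed record
        self.escrowed_key = None   # service key the provider itself can use
        self.wrapped_key = None    # service key sealed under the device key

    def decrypt_without_user(self, name):
        """What the provider can read by itself; None means ciphertext only."""
        if self.escrowed_key is None:
            return None
        return open_sealed(self.escrowed_key, self.records[name])


class Device:
    """Hypothetical client; device_key never leaves this object."""
    def __init__(self, provider):
        self.provider = provider
        self.device_key = secrets.token_bytes(32)
        # Default state: the provider keeps a usable copy of the service key.
        provider.escrowed_key = secrets.token_bytes(32)

    def _service_key(self):
        if self.provider.escrowed_key is not None:
            return self.provider.escrowed_key
        return open_sealed(self.device_key, self.provider.wrapped_key)

    def upload(self, name, data):
        self.provider.records[name] = seal(self._service_key(), data)

    def download(self, name):
        return open_sealed(self._service_key(), self.provider.records[name])

    def _rekey(self, hand_key_to_provider):
        old_key, new_key = self._service_key(), secrets.token_bytes(32)
        for name, blob in list(self.provider.records.items()):
            # Decrypt on the device, re-seal under the new service key.
            self.provider.records[name] = seal(new_key, open_sealed(old_key, blob))
        self.provider.escrowed_key = new_key if hand_key_to_provider else None
        self.provider.wrapped_key = seal(self.device_key, new_key)

    def enable_e2ee(self):
        self._rekey(hand_key_to_provider=False)  # provider's copy is dropped

    def disable_e2ee(self):
        self._rekey(hand_key_to_provider=True)   # device uploads the new key


def demo():
    provider = Provider()
    phone = Device(provider)
    phone.upload("notes", b"constructed sample record")
    seen = {"default": provider.decrypt_without_user("notes")}
    phone.enable_e2ee()
    seen["e2ee_provider"] = provider.decrypt_without_user("notes")
    seen["e2ee_owner"] = phone.download("notes")
    phone.disable_e2ee()
    seen["after_disable"] = provider.decrypt_without_user("notes")
    return seen
```

In this model the provider cannot run disable_e2ee on the user's behalf: with escrowed_key unset, the only copy of the service key is sealed under device_key. That leaves the two routes the thread discusses, the user disabling the feature themselves or a change to the software running on the device.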
       
                kbolino wrote 2 hours 33 min ago:
                Yeah, this seems the most likely thing to happen here. You'll
                be forced to disable ADP to continue using iCloud in the UK.
                This still leaves the question of tourists and other visitors,
                but it at least fits within the parameters of the system
                without changing its fundamentals.
       
              sureIy wrote 14 hours 6 min ago:
              Are you gonna unlock that phone anytime soon?
              
              Thanks for opening the enclave, don't mind if I ship these keys
              back home.
              
              No notification needed, Apple has root access.
       
                jkbbwr wrote 7 hours 37 min ago:
                Unless I am making a mistake here, you still can't extract keys
                of an opened enclave. You can just run operations against those
                keys.
       
                kbolino wrote 12 hours 58 min ago:
                Assuming the enclave can receive OTA firmware updates and those
                updates can completely compromise it, which are not actually
                proven facts, there's no way to target this to the UK alone
                without either exempting tourists and creating a black market
                for loophole phones or else turning all of Britain into a "set
                foot here and ruin your iPhone forever" zone.
       
            oakesm9 wrote 22 hours 32 min ago:
            That’s exactly the plan. Anyone with this enabled in the UK will
            need to manually disable it or they’ll get locked out of their
            iCloud account after a deadline.
       
              pacifika wrote 7 hours 2 min ago:
              And I guess Apple gets fined for not allowing government approved
              alternatives to these services not long after.
       
        Goleniewski wrote 1 day ago:
        Think about it.. You don't even have to be an Apple user to be affected
        by this issue. If someone backs up their conversations with you to
        apple cloud, your exchange is now fair game. You get no say in it
        either.
        
        We all lose.
       
          globular-toast wrote 23 hours 6 min ago:
          Security hinges on trust. The only real privacy tool is PGP which
          uses a web of trust model. But it only works if people own their own
          computers and storage devices. What they've done is got everyone to
          rent their computers and storage instead. There's no security model
          that works for the users here.
       
          Vaslo wrote 23 hours 12 min ago:
          Scary - I try to use signal as much as possible now for this reason.
       
            IshKebab wrote 23 hours 10 min ago:
            Signal can't evade this law either.
       
              blfr wrote 22 hours 32 min ago:
              Why not? Signal was willing to run all kinds of crazy setups to
              evade foreign laws, like domain fronting.
              
   URI        [1]: https://signal.org/blog/doodles-stickers-censorship/
       
                botanical76 wrote 16 hours 25 min ago:
                If Signal can do it, then why doesn't Apple make a stand?
       
                  buzzerbetrayed wrote 13 hours 3 min ago:
                  If signal doesn’t make a stand, the entire value prop of
                  signal collapses and they cease to be a thing.
                  
                  For Apple, privacy is one value prop. But seemingly smaller
                  one than the UK market.
       
          freeqaz wrote 23 hours 54 min ago:
          That's why it's important to use apps like Signal where you can set
          the retention of your messages. I've got everybody I know using it
          now!
       
            sneak wrote 15 hours 59 min ago:
            I use a patched Signal client that disables retention deletion and
            remote delete messages.
       
              ruined wrote 15 hours 9 min ago:
              and that's awfully rude of you, but if you were concerned about
              message retention you wouldn't do that. so what's your point?
       
            fdb345 wrote 23 hours 29 min ago:
            In a world where they cancel encryption they can't access...
            doesn't Signal and its CIA funded origins concern you?
       
              HumblyTossed wrote 23 hours 21 min ago:
              Nope.  I actually think that would bring more scrutiny and so I
              feel safer knowing it's not been cracked.
       
                fdb345 wrote 22 hours 10 min ago:
                interesting and illogical reply
       
                  HumblyTossed wrote 21 hours 54 min ago:
                  No more illogical than trusting Apple's security because it
                  is ... Apple.
       
                    fdb345 wrote 6 hours 17 min ago:
                    Well, here you are discussing why UK law needed a pass
                    because they are literally blocked by Apple's security.
                    Talk about Low IQ
       
            hugh-avherald wrote 23 hours 32 min ago:
            Setting a retention time out is playing with fire. If the police
            get ahold of the other party's device, and present an exhibit which
            they say contains the true conversation, you could be worse off
            than if you retained the conversation. The fact that you have since
            deleted it could be incriminating.
            
            In some jurisdictions, yes, legally, such evidence might not be
            probative, but you might still be convicted because of it.
       
              nickburns wrote 20 hours 49 min ago:
              Ephemeral messaging is not a crime.
       
              vuln wrote 23 hours 21 min ago:
              The retention time can be set by individual conversation not just
              the whole app.
       
              fdb345 wrote 23 hours 25 min ago:
              message retention has literally NEVER been used as incrimination
              in a court of law.  So you are wrong.
       
                sangeeth96 wrote 21 hours 10 min ago:
                Umm, isn’t this related?
                
   URI          [1]: https://www.theverge.com/2024/4/26/24141801/ftc-amazon...
       
                  the_other wrote 19 hours 42 min ago:
                  Yes, but if I’m reading it right, Amazon staff were already
                  under instruction to retain and share data relevant to an
                  ongoing investigation. They were aware of the process and, if
                  the article is to be believed, worked against the
                  instructions.
                  
                  That’s quite different from turning disappearing messages
                  on when you’re not explicitly under instructions to keep
                  records.
       
                  bunderbunder wrote 20 hours 8 min ago:
                  This isn't Amazon getting in trouble for implementation of a
                  routine records retention policy. It's Amazon getting in
                  trouble for violating a document retention mandate related to
                  an ongoing lawsuit.
       
                  dvtkrlbs wrote 20 hours 46 min ago:
                  I don't think so. Corporate communication is bound by
                  different laws and you have way higher burden of evidence in
                  case of legal requests. I don't think this creates a
                  precedent for personal communications.
       
                  nickburns wrote 20 hours 48 min ago:
                  No. That's a civil discovery matter.
       
            madeofpalk wrote 23 hours 42 min ago:
            Given historical backups are the norm here, retention only does so
            much.
            
            Really, apps should encrypt their own storage with keys that aren't
            stored in the backups. That's how you get security/privacy back.
       
              buran77 wrote 23 hours 31 min ago:
              > That's how you get security/privacy back.
              
              Nothing an app does on a device guarantees you security or
              privacy if you don't trust or fully control the device.
       
                Aachen wrote 5 hours 21 min ago:
                Yes, but they'd have to issue another one of these snooping
                demands to either the app's developer (there's loads of
                developers so this would get out of hand quickly) or to Apple
                to patch the build or read the memory or something to get the
                unencrypted data
                
                This current demand isn't blanket access to your device, it's
                access to things uploaded to Apple's online storage service.
                Having to get a backdoor that works with every app's encryption
                takes a lot more work while running the data through an
                authenticated encryption algorithm is relatively trivial for a
                developer
       
              cma wrote 23 hours 33 min ago:
              Many people want control over whether they back up conversations
              with others, and think it would be crazy for sender to control
              the retention policy instead of receiver.
              
              I think sender should just be able to send a recommended
              preference hint on retention and you could have an option to
              respect it or not.
       
          noahjk wrote 23 hours 55 min ago:
          Very similar to sites like LinkedIn, which ask you to share your
          personal info & contact list.
          
          I don't want to share my contact details, but the second someone I
          know decides to opt in, I lose all rights to my own data as they've
          shared it on my behalf.
          
          Maybe they have other info, such as birthday, home address, other
          emails or phone #s, etc. stored for me, which is all fair game, as
          well.
       
            folmar wrote 7 hours 13 min ago:
            If you are in EU, request your data be redacted.
       
        tw600040 wrote 1 day ago:
        Ok, I am not very technical. Can someone help me understand this. I
        don't have Advanced data Protection on. Does that mean UK Gov can see
        my data now?
       
          tene80i wrote 23 hours 42 min ago:
          It means Apple has the encryption keys to your backed-up data. So
          they can, in theory, access it, if the UK Gov demands that they do.
          That might never happen to you, but with ADP it would have been
          impossible, because even Apple can't access it.
          
          See
          
   URI    [1]: https://support.apple.com/en-us/102651
       
          frizlab wrote 23 hours 45 min ago:
          They always could. With advanced data protection they could not. The
          law mandated to add a backdoor to allow the government to also see
          encrypted data (which made the encryption insecure by definition).
          Apple refused to comply so you don’t even have the option to
          encrypt your backups now.
       
          itishappy wrote 23 hours 49 min ago:
          Potentially. It really just means your data is stored unencrypted, so
          anybody that has access to Apple's servers can access your data. I
          don't believe any government has open access to Apple's servers, but
          they can get a warrant.
       
            tw600040 wrote 23 hours 44 min ago:
            I just realized ADP is not the same as Lockdown Mode, which Apple
            mentioned that only people that are likely to be targets need to
            turn on.
            
            Now I don't see any reason why I shouldn't turn ADP on. Turning on
            now.
       
        dsmurrell wrote 1 day ago:
        disables apple cloud sync
       
        Jackknife9 wrote 1 day ago:
        I'm going to start purging anything I store on the cloud. I'm not doing
        anything illegal, but why does the government want to treat me like I
        am.
       
          docmars wrote 23 hours 46 min ago:
          Indeed. Time to leave the panopticon!
       
        ilumanty wrote 1 day ago:
        What exactly can UK users do now? Turn off "backup iPhone to iCloud"
        and stop syncing notes?
       
          GeekyBear wrote 23 hours 58 min ago:
          UK users can still perform an encrypted backup to their local PC or
          Mac.
       
          buildbot wrote 1 day ago:
          If you have ADP, Leave it on and have them automatically delete it at
          some point? Otherwise yes.
          
          “Customers who are already using Advanced Data Protection, or ADP,
          will need to manually disable it during an unspecified grace period
          to keep their iCloud accounts, according to the report. Apple said it
          will issue additional guidance in the future to affected users and
          that it "does not have the ability to automatically disable it on
          their behalf."
       
        ohnoitsahuman wrote 1 day ago:
        Let's vote Labor and Liberal to keep the UK from going fascist on our
        data.
        
        Oh wait....shit.
       
          JansjoFromIkea wrote 19 hours 26 min ago:
          The Blairite wing of that party has always been extremely bad with
          this kind of thing (see Tony Blair's obsession with ID cards over the
          decades) so it's unsurprising they'd push something like this.
       
          rvz wrote 21 hours 49 min ago:
          They got what they voted for and now those voters are surprised?
          
          It's really hilarious to try to blame previous governments for such
          unpopular moves like this one.
          
          If Labour was any better, then they would never have used the
          Investigatory Powers Act to force Apple to take actions such as this.
          
          For those who thought Labour would never do this, should just admit
          that this move was done under Labour and they are no better than the
          Tories.
       
          b800h wrote 23 hours 40 min ago:
          The party most likely to cut this stuff out is Reform, although
          they'd probably be closer to ambivalent about it.
       
            JansjoFromIkea wrote 19 hours 22 min ago:
            UKIP/Brexit/Reform as a vehicle to hold large influence over
            politics from outside Westminster might.
            
            I would imagine the party's attitudes on a myriad of things would
            shift if they were in power though.
       
            spacebanana7 wrote 22 hours 1 min ago:
            I’m pretty sure Reform would scrap this stuff, given the belief
            their part of politics has been a victim of these laws.
            
            Also worth considering Lib Dem if you’re not into right wing
            politics-  they did vote against the relevant investigatory powers
            act back in 2016.
       
          switch007 wrote 1 day ago:
          Labour are not anti authoritarian. Often quite pro
       
          basisword wrote 1 day ago:
          This was done under the Investigatory Powers Act which was brought in
          in 2016. Saying that Labour weren't exactly against it at the time.
          Point being snooping isn't left or right - they all love it.
       
        ta8645 wrote 1 day ago:
        Free speech already under threat and now y'all are giving up the right
        of private communication too?  For anyone cheering this on, do you
        honestly think this will only affect the "bad people", and you'll never
        have your own neck under the government's boot?  Even if you trust the
        government today, what happens when your neighbors elect a government
        you disagree with ideologically?
       
          multimoon wrote 1 day ago:
          I don’t think anyone is cheering this on.
       
            Funes- wrote 15 hours 14 min ago:
            Most politicians are.
       
            int_19h wrote 17 hours 30 min ago:
            Many people do, unfortunately, so long as it's framed as "only
            terrorists and pedophiles need encryption that cops can't break".
       
              botanical76 wrote 16 hours 16 min ago:
              How do we actually beat this narrative? I've been proposing a
              E2EE-based chat application to my friend, and they asked me a
              similar question: won't it just be rife with pedophiles? How can
              you make a platform that will be used to that means?
              
              I have strong views about privacy as a fundamental human right,
              but I don't know how to answer that question. I certainly don't
              want to make the world worse, but this feels like a lesser of two
              evils type of deal: either make it even harder to catch bad
              actors, such as child abusers, or make it plausible that your
              government take away your freedom forever.
       
                pacifika wrote 6 hours 54 min ago:
                I suppose it is conflating lack of trust in government / law
                enforcement with criminal matters.
                
                Don’t give power over yourself to people with a proven
                history of misusing it, according to your values. You don’t
                have to look hard for examples.
       
            mihaaly wrote 20 hours 40 min ago:
            Instead of the word cheering we could use letting.
            
            Bad people flourish over the inaction of good people.
            
            (but yes, there are always several who protect and argue for things
            risking their own and everyone's livelihood, exposing themselves to
            shady elements, along singled out and elevated thin aspects, cannot
            understand why)
       
        wonderwonder wrote 1 day ago:
        The UK wanted access to anyone's data. Not just UK citizens and then
        additionally added regulations forbidding Apple to disclose this.
        
        UK is ~3-4% of Apple's income. While I appreciate Apple's actions here, I
        wish they would make a real stand here and pull completely out of the
        UK.
       
          mtrovo wrote 22 hours 42 min ago:
          I really wish they would sit down and negotiate this more openly. The
          silence from the other players is what really makes me uncomfortable.
          The fact that only Apple is making a stand against this ask is really
          scary.
       
            wonderwonder wrote 19 hours 37 min ago:
            Agreed, the UK is speed running 1984 right in front of us.
       
              kobieps wrote 13 hours 5 min ago:
              Only three (well, now four) mentions of 1984 in the comments
              tells you all you need to know
       
                wonderwonder wrote 28 min ago:
                sorry friend, I am actually not sure what you mean by this
                comment. Not sure if you are agreeing or disagreeing :)
                Apologies, probably my fault.
       
        Eavolution wrote 1 day ago:
        What are you actually supposed to do in the UK if you oppose this sort
        of thing to stop laws like this coming in? It feels like the government
        has been incredibly out of touch for the last number of years.
       
          maeil wrote 14 hours 38 min ago:
          > It feels like the government has been incredibly out of touch for
          the last number of years.
          
          Did you vote for any single one of them?
          
          If you did, then what you're supposed to do is stop voting for
          Tory-lite governments (such as the current one).
          
          If you didn't vote for any of these governments (including this one),
          everything else that you could do would be dangerous nowadays.
       
          i2km wrote 22 hours 52 min ago:
          You get the hell out and emigrate. I did so last year. It's not going
          to get better chap
       
            globular-toast wrote 9 hours 2 min ago:
            Where did you go?
       
          IneffablePigeon wrote 22 hours 58 min ago:
          Join the ORG for starters. Contact your MP. But yes, the number of
          people who care is small and so things will not change until it is
          large.
       
          redox99 wrote 23 hours 20 min ago:
          I would guess you'd vote a libertarian party.
       
            Apfel wrote 22 hours 58 min ago:
            Probably the best on the civil liberties front are the Liberal
            Democrats (they were pretty good at quashing mandatory national ID
            cards back in the day, at least).
            
            That being said, they still have a lot of folk angry at them for
            allowing university fees to be introduced 15 years ago when they
            were in coalition government (a Tory policy!).
       
        wackget wrote 1 day ago:
        So instead of building a back door they're just completely removing the
        option to use E2E encryption altogether, thus making everything freely
        available to government by default?
        
        How is that not worse or at least equivalent to a back door?
       
          varispeed wrote 23 hours 16 min ago:
          Many departments use iphones. I wonder how it will affect government
          security, or will government employees be exempt?
       
          incorrecthorse wrote 23 hours 53 min ago:
          It _is_ equivalent to a back door, that's the point. The UK demand
          can be accessed more rapidly and properly by disabling the feature
          than by implementing a backdoor, since it is the same thing.
       
          poisonborz wrote 1 day ago:
          Much better than a false sense of security. Customers know what they
          get, and can choose other products instead of being confused or
          cheated.
       
          ziddoap wrote 1 day ago:
          >How is that not worse or at least equivalent to a back door?
          
          It's bad for the citizens of the UK and better for everyone else on
          the planet with an iPhone. UK citizens should be angry with their
          government, not Apple.
       
          roughly wrote 1 day ago:
          They’re just pulling the feature in the UK. If they put in a back
          door, they’re pulling the feature for everyone.
       
          mholt wrote 1 day ago:
          No illusion of privacy.
       
          wonderwonder wrote 1 day ago:
          The UK requested the backdoor for all users, not just UK citizens.
       
        drcongo wrote 1 day ago:
        Could any hackers on here now please hack the fuck out of UK government
        ministers please?
       
          alecco wrote 22 hours 40 min ago:
          I doubt it would play out like you think.
       
        chatmasta wrote 1 day ago:
        Ugh. Is this by App Store country? Anyone know what happens if I
        already have it configured? I’m actually in US App Store region and
        sometimes switch to UK… I wonder if that would disable it.
       
        bArray wrote 1 day ago:
        Too right, it was far more problematic than they ever made out.
        
        > The UK government's demand came through a "technical capability
        notice" under the Investigatory Powers Act (IPA), requiring Apple to
        create a backdoor that would allow British security officials to access
        encrypted user data globally. The order would have compromised Apple's
        Advanced Data Protection feature, which provides end-to-end encryption
        for iCloud data including Photos, Notes, Messages backups, and device
        backups.
        
        One scenario would be somebody in an airport and security officials are
        searching your device under the Counter Terrorism Act (where you don't
        even have the right to legal advice, or the right to remain silent).
        You may be a British person, but you could also be a foreign person
        moving through the airport. There's no time limit on when you may be
        searched, so all people who ever travelled through British territory
        could be searched by officials.
        
        Let that sink in for a moment. We're talking about the largest back
        door I've ever heard of.
        
        What concerns me more is that Apple is the only company audibly making
        a stand. I have an Android device beside me that regularly asks me to
        back my device up to the cloud (and makes it difficult to opt out), you
        think Google didn't already sign up to this? You think Microsoft
        didn't?
        
        Then think for a moment that most 2FA directly goes via a large tech
        company or to your mobile. We're just outright handing over the keys to
        all of our accounts. Your accounts have never been less protected. The
        battle is being lost for privacy and security.
       
          neop1x wrote 2 hours 15 min ago:
          For photos, it's probably best to use an open-source (also
          self-hostable) service like Ente. For files it's best to self-host
          Nextcloud or similar. And rely on other people's computers as little
          as possible. Sadly, operating systems are very complex and mostly
          composed of proprietary blobs nowadays so there is still a risk of it
          leaking data but people can still do at least something.
       
          prmoustache wrote 2 hours 37 min ago:
          > What concerns me more is that Apple is the only company audibly
          making a stand.
          
          Dropping the functionality for a particular market hardly equals to
          making a stand. Sure they haven't added a backdoor that would give
          all user's data access to UK iCloud user's data so in the end UK
          residents didn't win anything.
          
          And who knows if they simply have an agreement with US gov to have a
          backdoor only available to them and not the other govs.
       
          abalone wrote 6 hours 22 min ago:
          > One scenario would be somebody in an airport and security officials
          are searching your device under the Counter Terrorism Act
          
          No, it's much broader than that. The UK is asking for a backdoor to
          your data and backups in the cloud, not on your device. Why bother
          with searching physical devices when they can just issue a secret
          subpoena to any account they want?
          
          It's actually pretty amazing that Apple made ADP possible for the
          general public. This is the culmination of a major breakthrough in
          privacy architecture about ten years ago.
          
          Traditionally you had to make a choice between end-to-end encryption
          and data recoverability. If you went with E2EE, it's only useful if
          you use a strong password, but if you forget it then Apple can't help
          you recover your account (no password reset possible). So that was
          totally unsuitable for precious memories like photos for the average
          user.
          
          Apple's first attempt to make this feasible was a recovery key that
          you print out and stuff in a drawer somewhere. But you might lose
          this. The trusted contact feature is also not totally reliable
          either, because chances are it's your spouse and they might also lose
          their device at the same time as you (for example in a house fire).
          
          So while recovery keys and trusted contacts help, the solution that
          really made the breakthrough for ADP was iCloud Keychain Backup. This
          thing is low-key so cool and kind of rips up the previous assumptions
          about E2EE.
          
          iCloud Keychain Backup makes it possible to recover your data with a
          simple, weak 6 digit passcode that you are virtually guaranteed never
          to forget, yet you are also protected from brute force attacks on the
          server. It is specifically designed to work on "adversarial clouds"
          that are being actively attacked. This is... sort of not supposed to
          be possible in the traditional thinking. But they added something
          called hardware security modules to limit the number of guesses an
          attacker can make before it wipes your key.
          
          And crucially it ensures you don't forget this passcode because it's
          your device passcode which the OS keeps in sync with the backup key.
          This is part of the reason your iPhone asks you to enter your
          passcode now and then even though your biometrics work just fine.
          
          It is a true secret that only you know and can keep in your brain
          even when your house burns down and nobody (hopefully) can derive
          from something they can research about you. This didn't really exist
          for the general populace until smartphones came along. And that
          ultimately was the breakthrough that allowed for changing the
          conventional wisdom on E2EE.
          
          iCloud Keychain Backup came out about a decade ago and it has taken
          this long to gradually test the feasibility of going 100% E2EE
          without significantly risking customer data loss. The UK is kind of
          panicking but when people see how well ADP protects their most
          personal data from breaches, I think they will demand it. It just
          wasn't practical before.
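
The guess-limiting idea described in the comment above, as an added example that is not part of the original thread and is not Apple's implementation: a toy model in which the escrow service destroys the record after a fixed number of wrong passcodes. The `ToyHSM` class, the limit of 10 and the PBKDF2 parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

PASSCODE_DIGITS = 6   # the "weak 6 digit passcode" from the comment
MAX_ATTEMPTS = 10     # assumption: illustrative limit, not a documented value


class EscrowWiped(Exception):
    """The escrow record does not exist (never enrolled, or destroyed)."""


def stretch(passcode: str, salt: bytes) -> bytes:
    """Slow salted hash; it slows each guess but cannot protect 10^6 values alone."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 10_000)


class ToyHSM:
    """Models only the behaviour discussed: release on match, wipe on abuse.

    Real hardware keeps the counter and key inside a tamper-resistant
    boundary; here they are ordinary Python objects (assumption).
    """

    def __init__(self, max_attempts: int = MAX_ATTEMPTS):
        self.max_attempts = max_attempts
        self._records = {}

    def enroll(self, account: str, passcode: str, escrowed_key: bytes) -> None:
        salt = secrets.token_bytes(16)
        self._records[account] = {
            "salt": salt,
            "verifier": stretch(passcode, salt),
            "key": escrowed_key,
            "failures": 0,
        }

    def failures(self, account: str) -> int:
        if account not in self._records:
            raise EscrowWiped(account)
        return self._records[account]["failures"]

    def recover(self, account: str, passcode: str):
        """Return the key, or None on a wrong guess; wipe at the limit."""
        rec = self._records.get(account)
        if rec is None:
            raise EscrowWiped(account)
        # Charge the attempt before verifying, so an interrupted check
        # can never turn into a free guess.
        rec["failures"] += 1
        if hmac.compare_digest(stretch(passcode, rec["salt"]), rec["verifier"]):
            rec["failures"] = 0
            return rec["key"]
        if rec["failures"] >= self.max_attempts:
            del self._records[account]   # key material is gone for everyone
        return None


def online_guessing(hsm: ToyHSM, account: str, candidates):
    """Submit candidates in order; return (guesses_accepted, key_or_None)."""
    made = 0
    for guess in candidates:
        try:
            key = hsm.recover(account, guess)
        except EscrowWiped:
            break
        made += 1
        if key is not None:
            return made, key
    return made, None


def guess_success_probability(attempts: int, digits: int = PASSCODE_DIGITS) -> float:
    """Chance that `attempts` distinct guesses hit a uniformly random passcode."""
    space = 10 ** digits
    return min(attempts, space) / space


if __name__ == "__main__":
    hsm = ToyHSM()
    backup_key = secrets.token_bytes(32)          # constructed sample key
    hsm.enroll("alice", "493817", backup_key)     # constructed sample passcode

    print("owner, one typo then correct:",
          hsm.recover("alice", "493871") is None,
          hsm.recover("alice", "493817") == backup_key)

    made, key = online_guessing(hsm, "alice", ("%06d" % n for n in range(1000)))
    print("guesses accepted before wipe:", made, "key recovered:", key is not None)
    print("chance of success within the limit:", guess_success_probability(MAX_ATTEMPTS))
```

The same wipe that stops a server-side guesser also removes the owner's recovery path, which is the trade-off the attempt limit makes.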
       
          HenryBemis wrote 6 hours 45 min ago:
          What I find 'amusing' is the swap between Left vs Right.
          
          'Back in the day' it was the "Right" that wanted to have total
          access/total control over everything. So people turned a bit "left".
          Now the "Left" government is seeking totalitarian-style control
          ('because paedophiles/drugs/etc.').
          
          As a reminder, both Right and Left extremes went from
          'liberal/conservatives' to "we don't need elections ever again -
          trust me!".
          
          I saw this happening in the US, in Saudi (e.g. Blackberry 'keys').
          Now I see it in the UK. So I interpret this in two ways:
            1) The "Left is the new Right" (or "Right is the new Left")
            2) Left and Right are irrelevant terms when it comes down to "we
          need to exert control over people/knowledge/data/information/etc. And
          the 'guise' of Left/Right is just on the fiscal policies. So UK has
          been playing around with 'snooper charter' but at 'that' time Apple's
          encryption was not on the table.
          
          Apple (I don't blame them - very much - just a little) does what a
          company does. Makes money. And they prefer to sell-out the data of
          their clients and keep their money, than lose that money.
          
          So... yeah.. if your data is in someone else's server, that happens.
       
            sib wrote 4 hours 43 min ago:
            >> 'Back in the day' it was the "Right" that wanted to have total
            access/total control over everything.
            
            It was the Clinton administration that pushed for the Clipper chip.
            
            Are you talking about a 'day' before that time?
       
          bboygravity wrote 9 hours 33 min ago:
          And now imagine for a second that the only thing the UK is doing here
          is getting the same direct access that the US (NSA) has already had
          for decades.
       
          dunham wrote 12 hours 13 min ago:
          > the largest back door I've ever heard of.
          
          Do you know of the clipper chip? [1] From what I recall, we were only
          spared from it by someone hacking it before it was deployed.
          
   URI    [1]: https://en.wikipedia.org/wiki/Clipper_chip
       
          bustling-noose wrote 13 hours 38 min ago:
          You have no laws when traveling through immigration. That's true in US
          too. There was an article (trying to look for it could be arstechnica
          verge I don't remember where) once where a US citizen journalist was
          detained at the border for hours while traveling into the US and
          questioned. You can be in the immigration for hours or even decades
          until you give out what they demand which can involve your unlocked
          phone and password. There are no laws protecting you.
       
          firecall wrote 15 hours 18 min ago:
          Also, I wondered if by complying with British law that they may
          somehow be breaking laws of another country?
          
          Hypothetically, if Apple just provide a back door to the data they
          have on US Senators for instance, then providing that information may
          be considered treason by the US.
          
          That's a totally made up example, and I have no idea, but it seems
          like it's possibly an issue.
          
          Which is all about the issues around data sovereignty I suppose!
       
            wkat4242 wrote 8 hours 15 min ago:
            Treason is a very heavy charge and as far as I know it applies more
            to individuals. Can a company be prosecuted for treason? I guess it
            depends on the country and I don't know US law well (never even
            visited there)
            
            But I'm sure local laws conflict heavily between countries yes. I'm
            often wondering how multinationals manage to navigate this maze.
            This is why we have such a big legal department I guess :) And the
            company I work for is a pretty honest one, I've never seen any
            skullduggery going on with eg privacy or media manipulation. In
            fact employees are urged to report such things and I have to do a
            course on responsible behaviour yearly. Probably a result of being
            purely B2B. But anyway I digress, just wanted to say that getting
            away with stuff does not seem to be the reason for us having a big
            legal dept.
            
            But just look at the laws of e.g. the EU and Iran. Pretty
            diametrically opposed on many topics. There's no way to satisfy
            them both.
            
            I think what helps to make this happen is that most countries don't
            try to push their laws outside of their jurisdiction. Which the UK
            is trying to do here.
       
            Zamiel_Snawley wrote 14 hours 48 min ago:
            That would not be treason, by a long shot.
            
            Treason is the only crime defined in the constitution, and it is
            quite a high bar.
       
              thaumasiotes wrote 7 hours 28 min ago:
              > Treason is the only crime defined in the constitution, and it
              is quite a high bar.
              
              Well, it's defined, or bounded above, in the constitution. It's
              not exactly a high bar:
              
              > Treason against the United States, shall consist only in
              levying War against them, or in adhering to their Enemies, giving
              them Aid and Comfort.
              
              So, if you happened to know Nicolas Maduro, thought he was
              looking stressed, and bought him some food, that would qualify as
              treason. There's no requirement that you act against the
              interests of the United States. The constitution will stop you
              from being prosecuted for treason for sleeping with Melania
              Trump. It won't stop you from being prosecuted for treason for
              completely spurious reasons.
       
              Spooky23 wrote 12 hours 29 min ago:
              The king is a strict constitutionalist, who may disagree with
              you. Pray he doesn’t.
       
          osigurdson wrote 16 hours 7 min ago:
          What is going on in the UK? How do they stand for this?
       
            vixen99 wrote 8 hours 58 min ago:
            Irrespective of political leanings, a lot of British people are
            saying this. They stand for it because they have to. It's a
            government that was voted in by a large margin only six months ago.
            Disquiet, if that's the word, is pretty much universal and I am not
            sure we've been quite in this position before. Keir Starmer's
            decline in approval ratings 'marks the most substantial
            post-election fall for any British prime minister in recent
            history'.
            
   URI      [1]: https://politicalpulse.net/uk-polls/keir-starmer-approval-...
       
              JansjoFromIkea wrote 2 hours 50 min ago:
              By a large margin with their seat count doubling off a 1.6% swing
              in their favour. The decline in approval ratings should have been
              entirely predictable to them.
       
              osigurdson wrote 4 hours 32 min ago:
              Did Starmer run on this big brother type platform?
       
              jamiek88 wrote 8 hours 18 min ago:
              This is a law enacted by the previous government.
       
            nomdep wrote 15 hours 31 min ago:
            When “misinformation” or “hate speech” are illegal, and the
            government decides what those are, you cannot risk complaining
       
          endgame wrote 17 hours 41 min ago:
          "technical capability notice" under the Investigatory Powers Act
          (IPA)
          
          Sounds a lot like the godawful "assistance and access" laws that were
          rushed through in Australia a couple of years ago, right down to the
          name of the secret instrument sent to the entity who gets forced into
          building the intercept capability.
          
          Now that Apple has caved once, I expect to see other providers
          strongarmed in the same way, as well as the same move tried in other
          countries.
       
          zahllos wrote 17 hours 46 min ago:
          I don't really understand your comment to be honest. Section 3 of the
          Regulation of Regulatory Powers Act 2000 allows for compelled key
          disclosure (disclosure of the information sought instead of the key
          is also possible). Schedule 7 of the Counter-Terrorism Act allows 9
          hour detention, questioning and device search at the border. With
          these powers it isn't necessary to get access to iCloud backups, as
          you can get the device and/or the data.
          
          I don't think the e2e icloud backup is problematic under existing
          legislation / before the TCN. While you can't disclose the key
          because it lives in the secure enclave, you can disclose the
          information that is requested because you can log into your apple
          account and retrieve it. IANAL, but I believe this to be sufficient
          (and refusing would mean jail).
          
          The Investigatory Powers Act allows for technical capability notices,
          and the TCN in this case says (as far as we know) "allow us a method
          to be able to get the contents of any iCloud backup that is protected
          by E2EE for any user worldwide". This means that there is no need to
          ask the target to disclose information and if implemented as asked,
          also means that any user worldwide could be a target of the order,
          even if they'd never been to the UK.
          
          Relevant info:
          
          -
          
   URI    [1]: https://wiki.openrightsgroup.org/wiki/Regulation_of_Investig...
       
            Aloisius wrote 15 hours 22 min ago:
            I imagine they want the ability to look at someone's iCloud backups
            without notifying the owner that they are doing so or they want to
            do it when the owner is unwilling or unable to provide keys.
            
            For the latter, there are a lot of cases where jail isn't much of a
            threat (e.g. the person is dead or not in the country).
       
              zahllos wrote 7 hours 46 min ago:
              Also given automatic iPhone backup it might contain information
              they want as part of an investigation that they'd otherwise have
              to demand key disclosure for (if cloud backup didn't exist)...
              Absolutely.
              
              The jail time for failure to comply with key disclosure is 2
              years unless it is national security, then it is 5. But if you're
              organised crime and facing who knows what for being a snitch it
              might be better simply to do the time.
              
              I can see why they want it. I just don't understand why the
              person I'm replying to said the feature (I think) was
              problematic. Not really a criticism, I'm just struggling to
              identify the tone and why 'too right' and 'more problematic than
              they let on'.
       
          j-krieger wrote 17 hours 51 min ago:
          Even more shocking that Germany - my country - leads the leaderboard
          with over ten times as many requests as the second place.
       
          marcprux wrote 19 hours 12 min ago:
          > you think Google didn't already sign up to this?
          
          My understanding is that Android's Google Drive backup has had an E2E
          encryption option for many years (they blogged about it at [1] ), and
          that the key is only stored locally in the Titan Security Module.
          
          If they are complying with the IPA, wouldn't that mean that they must
          build a mechanism into Android to exfiltrate the key? And wouldn't
          this breach be discoverable by security research, which tends to be
          much simpler on Android than it is on iOS?
          
   URI    [1]: https://security.googleblog.com/2018/10/google-and-android-h...
       
            EduardoBautista wrote 4 hours 48 min ago:
            Apple's ADP is not E2E for only its backups, it's E2E for
            _everything_ in iCloud Drive and a few other iCloud services.
       
            thelittleone wrote 14 hours 27 min ago:
            Could that be true and at the same time a 'vulnerability' exists
            that megacorp is party to?
       
            nomel wrote 18 hours 33 min ago:
            My assumption is that Google has keys to everything in its kingdom
            [1]
            
   URI      [1]: https://qz.com/1145669/googles-true-origin-partly-lies-in-...
       
              tim333 wrote 2 hours 44 min ago:
              I doubt it. Much to my annoyance they moved Google Maps Timeline
              from their database to an encrypted copy on my phone specifically
              so if law enforcement asks for the records of where you were at a
              given time and place they can say dunno, can't tell. If they had
              the keys it would wreck their legal strategy not to get hassled
              every time law enforcement are trying to track someone.
       
              skybrian wrote 4 hours 58 min ago:
              The linked article makes a lot of assumptions about the "Massive
              Digital Data Systems Program". It seems this program existed. For
              example, here is a 1996 paper [1] about research funded by the
              "Massive Digital Data Systems (MDDS) Program, through the
              Department of Defense."
              
              But it's not clear that funding for early research into data
              warehousing (back when a terabyte was a lot of data) has anything
              to do with whether or not Google uses end-to-end encryption? Lots
              of research got funded through the Department of Defense.
              
              Without having relevant evidence, this is just "let's assume X is
              true, therefore X is true."
              
   URI        [1]: https://papers.rgrossman.com/proc-047.htm
       
              GeekyBear wrote 9 hours 8 min ago:
              Google didn't announce that they could no longer process geofence
              warrants because they no longer stored a copy of user location
              data on their servers until last October.
              
              How much good does an encrypted device backup do when harvesting
              user data and storing it on your servers (to make ad sales more
              profitable) is your entire business model?
       
              foota wrote 13 hours 19 min ago:
              That's a bit silly seeing as e.g.,
              
   URI        [1]: https://www.npr.org/sections/thetwo-way/2014/03/20/29195...
       
              yellow_lead wrote 14 hours 25 min ago:
              This would mean no independent security researcher has ever taken
              a look at Google Drive's E2EE on Android. Or those that did
              missed the part where the key is uploaded.
              
              It's possible to decrypt this network traffic and see if the key
              is sent. It may be obfuscated though.
       
              autoexec wrote 14 hours 31 min ago:
              My assumption is that the NSA does too.
       
              marcprux wrote 18 hours 15 min ago:
              > My assumption is that Google has keys to everything in its
              kingdom
              
              If that were true, then their claims to support E2E encrypted
              backups are simply false, and they would have been subject to
              warrants to unlock backups, just like Apple had been until they
              implemented their "Advanced Data Protection" in 2022.
              
              Wouldn't there have been some evidence of that in the past 7
              years, either through security research, or through convictions
              that hinged on information that was gotten from a supposedly
              E2E-protected backup?
       
                ajb wrote 2 hours 49 min ago:
                It's worth noting that what the security services don't have
                access to is as secret as what they do have access to.
                According to the late Ross Anderson, for many years the police
                were unable to trace calls (or was it internet access?) on one
                of the major UK mobile networks, because it had been designed
                without that and in such a way that it was hard to retrofit.
                This was considered highly confidential, lest all the drug
                dealers etc switch to that network.
       
                autoexec wrote 14 hours 20 min ago:
                > Wouldn't there have been some evidence of that in the past
                7 years, either through security research, or through
                convictions that hinged on information that was gotten from a
                supposedly E2E-protected backup?
                
                I wouldn't count on it. The main way we'd know about it would
                be a whistleblower at Google, and whistleblowers are extremely
                rare. Evidence and court records that might expose a secret
                backdoor or that the government was getting data from Google
                that was supposed to be private could easily be kept hidden
                from the public by sealing it all away for "national security
                reasons" or by obscuring it through parallel construction.
       
                  catlifeonmars wrote 11 hours 1 min ago:
                  People are incredibly bad at keeping secrets. And there are a
                  LOT of people at Google. I don’t buy it.
       
                    GoblinSlayer wrote 6 hours 56 min ago:
                    Google can just borrow a certified encryption library
                    elsewhere.
       
                    ChrisMarshallNY wrote 7 hours 12 min ago:
                    That’s why Rule #1 of Security, is limit access;
                    regardless of clearance.
                    
                    Which explains why there’s all these security levels
                    above “Top Secret,” which is really just a baseline.
       
                jiggawatts wrote 16 hours 7 min ago:
                A trivial method for circumventing code review is to simply
                push a targeted update of the firmware to devices subject to a
                government search order.
                
                There are no practical end-user protections against this
                vector.
                
                PS: I strongly suspect that at least a few public package
                distribution services are run by security agencies to enable
                this kind of attack. They can distribute clean packages 99.999%
                of the time, except for a handful of targeted servers in
                countries being spied upon. A good example is Chocolatey, which
                popped up out of nowhere, had no visible source of funding, no
                mention of their ownership structure anywhere, and was
                incorporated along with hundreds of other companies in a small
                building in the middle of nowhere. It just screams of being a
                CIA front, but obviously that's hard to prove.
       
                  brookst wrote 9 hours 14 min ago:
                  The end user protection is to sign updates and publish the
                  fingerprints. It should not be possible for one device to get
                  a different binary than everyone else.
       
                  jen20 wrote 15 hours 21 min ago:
                  > Chocolatey, which popped up out of nowhere
                  
                  Chocolatey assuredly did not "pop up out of nowhere" - it was
                  a labour of love from Rob Reynolds to make Windows even
                  barely usable. It likely existed for years before you ever
                  heard of it.
                  
                  > had no visible source of funding
                  
                  Rob was employed by Puppet Labs to develop it until he
                  started the commercial entity which now backs it.
                  
                  > a small building in the middle of nowhere.
                  
                  As I recall, Rob lives in Topeka, Kansas. It follows that his
                  business would be incorporated there, no?
       
                    jiggawatts wrote 4 hours 55 min ago:
                    There was no evidence of any of this on the website until
                    recently (maybe 2 or 3 years ago?), and I did look at every
                    page on there. Similarly, I searched on Google for a while
                    and raised the question in more than a few forums. I dug
                    through the business registration records, etc... and found
                    none of the above.
                    
                    Sure, now, they have staff photos and the actual names of
                    people on their about page, but just a few years ago it was
                    almost completely devoid of information: [1] Look at it
                    from the perspective of a paranoid sysadmin half way around
                    the world raising a quizzical eyebrow when random Reddit
                    posts mention how convenient it is, but it's distributing
                    binaries to servers with absolutely no obvious links back
                    to any organisations, people, or even a legitimate looking
                    business building.
                    
   URI              [1]: https://web.archive.org/web/20190906125729/https:/...
       
                dylan604 wrote 16 hours 10 min ago:
                Would it be possible that they feel that the revelation of this
                backdoor would be too big of a loss so that any of these
                theoretical cases of the past 7 years have used parallel
                construction to avoid revealing the encrypted data was viewed?
       
                  catlifeonmars wrote 11 hours 3 min ago:
                  That’s a big and brittle conspiracy. You have to have
                  little to no defectors. It’s not a stable equilibrium
       
                reshlo wrote 17 hours 19 min ago:
                Is the source code for every binary blob present on an Android
                device available for inspection, and is the code running on
                every Android device verifiable as having been built from that
                source?
                
                > or through convictions
                
                If they wanted to use this evidence for a normal criminal case,
                they would just do parallel construction.
       
                menacingly wrote 17 hours 24 min ago:
                I don't know the particulars, but in general, silence around a
                massive tech company on warrants does not mean "they said no
                and the feds decided to leave them alone"
       
                scripturial wrote 17 hours 38 min ago:
                It is possible to set up end to end encryption where two
                different keys unlock your data. Your key, and a government
                key. I assume google does this.
                
                1. encrypt data with special key
                2. encrypt special key with users key, and
                3. encrypt special key with government key
                
                Anyone with the special key can read the data. The user key or
                the government key can be used to get the special key.
                
                This two step process can be done for good or bad purposes. A
                user can have their key on their device, and a second backup
                key could be in a usb stick locked in a safe, so if you lose
                your phone you can get your data back using the second key.
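
The three steps listed in the comment above, as an added example that is not part of the original comment and not any vendor's code. Assumptions: symmetric holder keys, the holder names "device" and "second", and an HMAC-SHA256 encrypt-then-MAC construction standing in for a real AEAD so the block runs with the standard library only. It also shows that the number of wraps is visible only in the stored envelope, and that removing a holder requires a fresh data key.

```python
"""Envelope encryption: one data key, wrapped once per key holder (added example)."""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys from one secret.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode; a stand-in for a real cipher (assumption).
    blocks = [
        hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        for counter in range((length + 31) // 32)
    ]
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt then MAC. Output layout: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt. Raises ValueError on a wrong key."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified data")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


def encrypt_for(plaintext: bytes, holders: dict) -> dict:
    """holders maps a hypothetical holder name to that holder's 32-byte key."""
    data_key = secrets.token_bytes(32)  # step 1: the "special key"
    return {
        "ciphertext": seal(data_key, plaintext),
        # steps 2 and 3: the same data key, wrapped once per holder
        "wrapped_keys": {name: seal(k, data_key) for name, k in holders.items()},
    }


def decrypt_as(envelope: dict, name: str, holder_key: bytes) -> bytes:
    """Unwrap the data key with one holder's key, then decrypt the data."""
    data_key = unseal(holder_key, envelope["wrapped_keys"][name])
    return unseal(data_key, envelope["ciphertext"])


def holders_of(envelope: dict) -> list:
    """List who can unwrap the data key. Needs read access to the stored envelope;
    decrypting with one's own key reveals nothing about the other wraps."""
    return sorted(envelope["wrapped_keys"])


def drop_holder(envelope: dict, name: str, holder_key: bytes, remaining: dict) -> dict:
    """Remove a holder by re-encrypting under a fresh data key. Deleting only the
    wrapped entry would not help: the old data key may already be unwrapped."""
    return encrypt_for(decrypt_as(envelope, name, holder_key), remaining)


if __name__ == "__main__":
    device, second = secrets.token_bytes(32), secrets.token_bytes(32)
    note = b"constructed sample backup"  # constructed sample input
    env = encrypt_for(note, {"device": device, "second": second})
    print(holders_of(env), decrypt_as(env, "second", second))
```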
       
                  hilbert42 wrote 6 hours 20 min ago:
                  "…two different keys…. Your key, and a government key. I
                  assume google does this."
                  
                  With the present state of politics—lack of both government
                  and corporate ethics, deception, availability of much fake
                  news, etc.—there's no guarantee that you could be certain
                  of the accuracy of any information about this no matter what
                  its source or apparent authenticity.
                  
                  I'd thus suggest it'd be foolhardy to assume that total
                  privacy is assured on any of these services.
                  
                  BTW, I don't have need of these E2E services and don't use
                  them, nor would I ever use them intentionally to send
                  encrypted information. That said, occasionally, I'll send a
                  PDF or such to say a relative containing some personal info
                  and to minimize it being skimmed off by all-and-sundry—data
                  brokers, etc. I'll encrypt it, but I always do so on the
                  assumption that government can read it (that's if it's
                  bothered to do so).
                  
                  Only fools ought to think otherwise. Clearly, those in the
                  know who actually require unbreakable encryption use other
                  systems that are able to be better audited. If I were ever in
                  their position, then I'd still be suspicious and only out of
                  sheer necessity/desperation would I send an absolute minimum
                  of information.
       
                    KronisLV wrote 4 hours 56 min ago:
                    > …there's no guarantee that you could be certain of the
                    accuracy of any information about this no matter what its
                    source or apparent authenticity.
                    
                    In any case like this, the only thing you could truly trust
                    would be the source code and even then you’d have to be
                    on the lookout for backdoors, which would definitely be
                    beyond my own capability to spot.
                    
                    In other words, the best bet is to probably only use open
                    source solutions that have been audited and have a good
                    track record, wherever available. Not that there are that
                    many options when it comes to mobile OSes, although at
                    least there are some for file storage and encryption.
       
                      hilbert42 wrote 2 hours 51 min ago:
                      Obviously, that's the ideal course of action but I'd
                      reckon that in practice those who would have both a good
                      understanding of the code as well as the
                      intricacies/strengths of encryption algorithms and who
                      also have need to send encrypted messages is vanishingly
                      small—except perhaps for some well-known government
                      agencies.
       
                    pinoy420 wrote 5 hours 47 min ago:
                    > I don’t care for encryption or need it
                    
                    > encrypts a pdf sent to tech illiterate family members
       
                      hilbert42 wrote 5 hours 16 min ago:
                      From where did you get both 'care' and 'illiterate' —
                      words that I never used?
                      
                      Not only have you misquoted me, but also you've attempted
                      to distort what I actually said by changing its
                      inference.
       
                    scripturial wrote 6 hours 0 min ago:
                    Yes. There is no ability to know one way or the other if
                    Google, and similar services retain a secondary way to
                    access decryption key. In light of this the only option is
                    to _assume_ they have the capability.
                    
                    Given the carefully crafted way companies describe their
                    encryption services, it seems more likely than not they
                    have master keys of some sort.
       
                  DarkmSparks wrote 6 hours 39 min ago:
                  I expect this is what they are all doing tbh, although isn't
                  google open source? should be checkable, if the binaries they
                  distribute match the source... oh...
                  
                  "a special key" afaik is where instead of using 2 large
                  primes for a public key, it uses 1 large prime and the other
                  is a factor of 2 biggish primes, where 1 of the biggish is
                  known, knowing one of the factors lets you factor any public
                  key with a not insignificant but still more compute than most
                  people have access to.
                  
                  UK has also invested in some serious compute that would
                  appear dedicated to exactly this task.
                  
                  basically if you don't have full control over the key
                  generation mechanism and enc/dec mechanism it is relatively
                  trivial for states to backdoor anything they want.
       
                  barsonme wrote 16 hours 55 min ago:
                  E2EE means only your intended recipients can access the
                  plaintext. Unless you intend to give the government access to
                  your plaintext, what you described isn’t E2EE.
       
                    GoblinSlayer wrote 8 hours 5 min ago:
                    Google intends you and the government as recipients of data
                    here.
       
                    tredre3 wrote 10 hours 17 min ago:
                    Manufacturers have lied about E2EE since the beginning.
                    Some claim that having the key doesn't change that it's
                    e2ee. Others claim that using https = e2ee, because it's
                    encrypted from one end to the other, you see? (A recent
                    example is Anker Eufy)
                    
                    The point is that the dictionary definition of E2EE really
                    doesn't matter. Being pedantic about it doesn't help. The
                    only thing that matters is that the vendor describes what
                    they call E2EE.
       
                    fc417fc802 wrote 14 hours 50 min ago:
                    > E2EE means only your intended recipients can access the
                    plaintext.
                    
                    No, it does not. It means that only endpoints - not
                    intermediaries - handle plaintext. It says nothing about
                    who those endpoints are or who the software is working for.
                    
                    Key escrow and E2EE are fully compatible.
       
                      prophesi wrote 9 hours 0 min ago:
                      > Key escrow and E2EE are fully compatible.
                      
                      Wild to see someone on HN even entertain this idea.
       
                        baq wrote 3 hours 33 min ago:
                        Wild to think otherwise.
       
                        fc417fc802 wrote 8 hours 57 min ago:
                        It's literally the point of key escrow. My views on a
                        given practice are entirely irrelevant to the
                        definition of the relevant terminology.
       
                      barsonme wrote 12 hours 46 min ago:
                      No, it is not. This is precisely why we have the term
                      E2EE. An escrow agent having your keys but pinky
                      promising not to touch them is indistinguishable from the
                      escrow agent simply having your plaintext.
                      
                      Unless you’re fine with the escrow agent and anybody
                      they’re willing to share the keys with being a member
                      of your group chat, in which case my original point still
                      stands.
       
                        fc417fc802 wrote 8 hours 59 min ago:
                        Edit: I think you might be confusing your personal
                        intention (ie I wanted this to be private but didn't
                        realize the service provider retained a copy of the
                        keys) with the intention of the protocol (ie what the
                        system is designed to send where). Key escrow is "by
                        design" whereas E2EE protects against both system
                        intrusions (very much not by design) as well as things
                        like bugs in server software or human error when
                        handling data.
                        
                        > is indistinguishable
                        
                        Technically correct (with respect to the escrow agent
                        specifically) but rather misleading. With E2EE
                        intermediary nodes serving or routing a request do not
                        have access to it. This protects you against compromise
                        of those systems. That's the point of E2EE - only
                        authorized endpoints have access.
                        
                        The entire point of key escrow is that the escrow agent
                        is authorized. So, yes, the escrow agent has access to
                        your stuff. That doesn't somehow make it "not E2EE".
                        The point of E2EE is that you don't have to trust the
                        infra. You do of course have to trust anyone who has
                        the keys, which includes any escrow agents.
                        
                        If we used the definition "only your intended
                        recipients can access the plaintext" ... well let's be
                        clear here, an escrow agent is very much an "intended
                        recipient", so there's no issue.
                        
                        But let's extrapolate that definition. That would make
                        E2EE a property of the session rather than the
                        implementation. For example if my device is compromised
                        and my (E2EE) chat history leaks suddenly that history
                        would no longer be considered E2EE ... even though the
                        software and protocol haven't changed. It's utterly
                        nonsensical.
       
                          KronisLV wrote 4 hours 42 min ago:
                          > I think you might be confusing your personal
                          intention with the intention of the protocol
                          
                          So what would be the name for a mechanism where
                          escrow is deliberately not a part of the design and
                          nobody aside from the sender and recipient can access
                          the plaintext data, no 3rd parties whatsoever, as
                          long as those two participants aren’t compromised.
                          
                          I’m not disagreeing with you but I’ve heard
                          people talk about E2EE while actually thinking it’s
                          more like the above. There is probably a term for
                          truly private communication but I’m sleepy and it
                          eludes me.
       
                        zxcvgm wrote 12 hours 23 min ago:
                        Well, WhatsApp backups claim they are E2E encrypted,
                        but there’s a flow that uses their HSM for the
                        encryption key, which still feels like some escrow
                        system.
                        
   URI                  [1]: https://engineering.fb.com/2021/09/10/security...
       
                          wkat4242 wrote 2 hours 40 min ago:
                          True but you can choose to store the key completely
                          yourself. That fixes a big backdoor that's been
                          around for ages.
                          
                          The biggest problem remaining to me is that you don't
                          chat alone. You're always chatting with one or more
                          people. Right now there's no way of knowing how they
                          handle their backups and thus the complete history of
                          your chats with them.
                          
                          It's the same thing as trying to avoid big tech
                          reading your emails by setting up your own
                          mailserver. Technically you can do it but in practice
                          it's pointless because 95% of your emails go to users
                          of Microsoft or Google anyway these days.
       
                    mu53 wrote 16 hours 35 min ago:
                    Is that Google's definition or your definition? Not being
                    rude, but it's pretty easy to get tricky about this.
                    
                    Since you are sending the data to Google, isn't Google an
                    intended recipient? Google has to comply with a variety of
                    laws, and it is likely that they are doing the best they
                    can under the legal constraints. The law just doesn't allow
                    systems like this.
       
                      brookst wrote 9 hours 17 min ago:
                      If Google is employing this “one simple trick”, they
                      will get sued into the ground for securities fraud and
                      false advertising.
       
                        1oooqooq wrote 8 hours 36 min ago:
                        History already proved you wrong. Companies offering
                        backdoors to abusive law enforcement are never sued.
                        
                        They also employ things like exempt cases. For example,
                        WhatsApp advertises E2E... but connect for the first
                        time with a business account to see all the caveats
                        that in plain text just mean "Meta will sign your
                        messages from this point on with a dozen keys"
       
                          wkat4242 wrote 2 hours 34 min ago:
                          Oh thanks. I've never done that before. I'll try
                          that, it'll be very interesting to see those
                          disclaimers.
                          
                          I guess for consumer use all that stuff is hidden in
                          the T&C legalese which is unreadable for normal
                          people. I know the EU was trying to enforce that
                          there must be a TL;DR in normal language but I
                          haven't seen much effect of that yet.
       
                          brookst wrote 8 hours 12 min ago:
                          It’s the lying that gets companies in trouble.
                          
                          The claim is that Google has implemented a security
                          weakness and lied about it in claims to customers and
                          investors.
                          
                          Show me another company that did this, was exposed,
                          and was not sued.
       
                            alt227 wrote 6 hours 56 min ago:
                            > It’s the lying that gets companies in trouble.
                            
                            It isn't if the government have asked them to lie.
       
                            tsimionescu wrote 7 hours 24 min ago:
                            You are extremely naive if you think a company the
                            size of Google or Microsoft or Apple will face any
                            serious consequence from lying about E2EE actually
                            being open to various governments.
                            
                            They have lawyers aplenty, governments would file
                            amicus briefs "explaining" E2EE and so on. Worst
                            case they'll settle for a pittance.
       
                              ipaddr wrote 3 hours 49 min ago:
                              Those companies never get sued?  Never face class
                              action lawsuits either?
       
                      gtirloni wrote 13 hours 25 min ago:
                      What's the intended recipient of your message? It's not
                      Google, right?
                      
                      You're discussing encryption in transit vs encryption at
                      rest in this thread.
       
                        mu53 wrote 12 hours 27 min ago:
                        I agree with you, but these abstract technical systems
                        have enough wiggle room for lawyers and marketers to
                        bend the rules to get what they want
       
                  echoangle wrote 17 hours 3 min ago:
                  Would that still count as E2E-encrypted if another party has
                  access? That would still count as lying to me.
       
                    dtpro20 wrote 15 hours 14 min ago:
                    To call it lying is just arguing about the meanings of
                    words. This is literally what lawyers are paid to do. The
                    data payload can be called end to end encrypted. You can
                    easily say to the user that "your emails are encrypted from
                    end to end, they are encrypted before it leaves your
                    computer and decrypted on the receiver's computer" without
                    talking about how your key server works.
                    
                    Systems that incorporate a method to allow unlocking using
                    multiple keys don't usually advertise the fact that this is
                    happening. People may even be legally obligated to not tell
                    you.
       
                      echoangle wrote 8 hours 11 min ago:
                      Well Wikipedia says this about E2E:
                      
                      “End-to-end encryption (E2EE) is a method of
                      implementing a secure communication system where only
                      communicating users can participate. No one else,
                      including the system provider, telecom providers,
                      Internet providers or malicious actors, can access the
                      cryptographic keys needed to read or send messages.”
                      
                      So if you send another set of keys to someone else,
                      it’s obviously not E2E.
       
                        ptero wrote 4 hours 43 min ago:
                        This is a high level description of intent (by a third
                        party), not a legal promise.
                        
                        This is not enforceable and promises that are not
                        enforceable are usually seen by BigCos of today as
                        optional. My 2c.
       
                          echoangle wrote 4 hours 13 min ago:
                          Well I wasn’t saying I would sue them, I was
                          arguing this:
                          
                          > It is possible to set up end to end encryption
                          where two different keys unlock your data. Your key,
                          and a government key. I assume google does this.
                          
                          Which by definition is wrong (unless the government
                          is a party in the communication you want to
                          E2E-Encrypt).
       
                      catlifeonmars wrote 11 hours 5 min ago:
                      > To call it lying is just arguing about the meanings of
                      words.
                      
                      Or, as us lowly laypeople call it, lying.
       
                      mirekrusin wrote 13 hours 56 min ago:
                      TIL man in the middle = e2e encryption.
       
                        scripturial wrote 13 hours 15 min ago:
                        E2E encryption is not the same as MITM. You’re not
                        adding anything useful to the conversation.
                        
                        E2E encryption is not vulnerable to MITM. E2E
                        encryption is vulnerable only to how many keys there
                        are and who has access to them.
       
                          echoangle wrote 8 hours 10 min ago:
                          If someone except the communicating parties has
                          access to the keys, it’s not E2E encrypted anymore
                          though. At least according to this definition:
                          
   URI                    [1]: https://en.wikipedia.org/wiki/End-to-end_enc...
       
                          chii wrote 9 hours 43 min ago:
                          So if Google still has access in an E2E system, but
                          you didn't know, is it still E2E?
                          
                          What if Google told you they also have a key? Does
                          that change the above answer to the question?
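
The arrangement argued over in this sub-thread (one ciphertext that more than one key can unlock), as an added example that is not from any commenter or vendor: a content key wrapped once per key holder, plus a client-side audit that flags any wrapped-key slot outside the intended recipients. The envelope layout, all function names and the HMAC-based stand-in cipher (standard library only, in place of AES-GCM and a real key wrap) are assumptions for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed illustration: stdlib-only stand-ins for a real AEAD and key wrap.


def _prf(key: bytes, label: bytes, n: int) -> bytes:
    """Expand key into n pseudo-random bytes (HMAC-SHA256 in counter mode)."""
    out = b""
    counter = 0
    while len(out) < n:
        block = label + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def key_id(kek: bytes) -> str:
    """Short public fingerprint of a key-encryption key (KEK)."""
    return hashlib.sha256(b"kid" + kek).hexdigest()[:16]


def seal(plaintext: bytes, keks: list[bytes]) -> dict:
    """Encrypt once under a random content key, then wrap that key per holder."""
    cek = secrets.token_bytes(32)
    nonce = secrets.token_bytes(16)
    body = _xor(plaintext, _prf(cek, b"enc" + nonce, len(plaintext)))
    tag = hmac.new(cek, b"mac" + nonce + body, hashlib.sha256).digest()
    slots = []
    for kek in keks:
        slot_nonce = secrets.token_bytes(16)
        wrapped = _xor(cek, _prf(kek, b"wrap" + slot_nonce, 32))
        slots.append({"kid": key_id(kek), "nonce": slot_nonce, "wrapped": wrapped})
    return {"nonce": nonce, "body": body, "tag": tag, "slots": slots}


def open_envelope(env: dict, kek: bytes) -> bytes:
    """Unwrap the content key from this holder's slot, verify, then decrypt."""
    kid = key_id(kek)
    for slot in env["slots"]:
        if slot["kid"] != kid:
            continue
        cek = _xor(slot["wrapped"], _prf(kek, b"wrap" + slot["nonce"], 32))
        expected = hmac.new(
            cek, b"mac" + env["nonce"] + env["body"], hashlib.sha256
        ).digest()
        if not hmac.compare_digest(expected, env["tag"]):
            raise ValueError("authentication failed")
        return _xor(env["body"], _prf(cek, b"enc" + env["nonce"], len(env["body"])))
    raise KeyError("no slot for this key")


def audit_slots(env: dict, intended_kids: set[str]) -> list[str]:
    """Return key ids present in the envelope that the sender did not intend."""
    return [s["kid"] for s in env["slots"] if s["kid"] not in intended_kids]


def demo() -> dict:
    # Constructed keys: two communicating parties and one extra key holder.
    alice, bob, escrow = (secrets.token_bytes(32) for _ in range(3))
    msg = b"meet at noon"
    intended = {key_id(alice), key_id(bob)}
    clean = seal(msg, [alice, bob])
    escrowed = seal(msg, [alice, bob, escrow])
    return {
        "bob_reads": open_envelope(escrowed, bob) == msg,
        "escrow_reads": open_envelope(escrowed, escrow) == msg,
        "clean_extra": audit_slots(clean, intended),
        "escrowed_extra": audit_slots(escrowed, intended) == [key_id(escrow)],
    }


if __name__ == "__main__":
    print(demo())
```

The audit only sees slots carried in the envelope; it cannot detect a holder who keeps a copy of an intended recipient's key.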
       
                    lttlrck wrote 16 hours 47 min ago:
                    That depends on the definition of "end".
       
                      tbihl wrote 14 hours 28 min ago:
                      To say nothing of the definition of "definition", or at
                      least a common understanding.
                      
   URI                [1]: https://m.youtube.com/watch?v=gRelVFm7iJE
       
                        blitzar wrote 8 hours 49 min ago:
                        It depends on what the meaning of the word 'is' is
       
          h4ck_th3_pl4n3t wrote 19 hours 38 min ago:
          Remember that the last fiasco was related to 2FA stores being stored
          unencrypted on Google's backup cloud, namely Google Authenticator.
          
          And yes, it's still pwnable this way, and happens regularly.
          
          Everything in the cloud is not yours anymore, and you should always
          treat it like that.
       
          martin_a wrote 19 hours 46 min ago:
          > We're talking about the largest back door I've ever heard of.
          
          Meh, I don't know. I can still decide to not go to the UK and be fine. I
          think the CLOUD Act is much worse because it's independent from where
          I am.
       
          Fnoord wrote 19 hours 53 min ago:
          > There's no time limit on when you may be searched, so all people
          who ever travelled through British territory could be searched by
          officials.
          
          > Let that sink in for a moment. We're talking about the largest back
          door I've ever heard of.
          
          Codename 'Krasnov' is the largest backdoor I have ever heard of. And,
          we only need to look at his behavior.
          
          These E2EE from the USA can be tainted in so many ways, and FAMAG sits on
          so much data, that codename 'Krasnov' can abuse such to target
          whoever he wants in the West. Because everyone you know is or has been in
          the ecosystem of Apple, Google, or Microsoft.
          
          Whataboutism! Fair. From my PoV, as European, the UK government is
          (still) one of the good guys who will protect Europe from adversaries
          such as those who pwn codename 'Krasnov'. Such protection may come
          with a huge price.
       
          JumpCrisscross wrote 21 hours 5 min ago:
          > One scenario would be somebody in an airport and security officials
          are searching your device
          
          No Heathrow connection necessary. “The law has extraterritorial
          powers, meaning UK law enforcement would have been able to access the
          encrypted iCloud data of Apple customers anywhere in the world,
          including in the US” [1]
          
   URI    [1]: https://www.ft.com/content/bc20274f-f352-457c-8f86-32c6d4df8...
       
            kimixa wrote 19 hours 54 min ago:
            The US claims the same [1].
            
            Lots of Americans in this thread seem to be talking down to other
            countries' laws while being completely unaware of their own.
            
   URI      [1]: https://en.wikipedia.org/wiki/CLOUD_Act
       
              maeil wrote 14 hours 31 min ago:
              Spot on, 727 comments, most probably by Americans, and only 2
              (including yours) bringing up the CLOUD Act, the much worse US
              equivalent. Incredible ignorance.
       
                bustling-noose wrote 13 hours 15 min ago:
                Providing encrypted data and not providing encryption are two
                different things. The CLOUD act requires you to hand over data.
                It could be encrypted. The UK government is asking to hand over
                data that is also not encrypted. The two are not the same. Note:
                Not American.
       
          tholdem wrote 21 hours 50 min ago:
          > What concerns me more is that Apple is the only company audibly
          making a stand.
          
          But still Apple operates in China and Google does not. This is weird
          to me. Google left China when the government wanted all keys to the
          citizens' data. Apple is making a stand when it's visible and does not
          threaten their business too much.
          
          Apple is not really in the business of protecting your data, they are
          just good at marketing and keeping their image.
       
            Spooky23 wrote 12 hours 31 min ago:
            It’s different. Apple follows Chinese law to operate their
            services in China, just like Microsoft.
            
            With Google, their services are way broader. Operating a hunk of
            their search business with a third party Chinese firm just isn’t
            viable for their services, which are way more complex.
       
            GeekyBear wrote 18 hours 51 min ago:
            > Google left China when the government wanted all keys to the
            citizens' data.
            
            Google left China after China started hacking into Google's
            servers.
            
            > In January, Google said it would no longer cooperate with
            government censors after hackers based in China stole some of the
            company’s source code and even broke into the Gmail accounts of
            Chinese human rights advocates. [1]
            
            They were working to reenter the China market on China's terms
            many years later, when Google employees leaked the effort to the
            press. Google eventually backed down.
            
   URI      [1]: https://www.nytimes.com/2010/03/23/technology/23google.htm...
       
              spoaceman7777 wrote 10 hours 47 min ago:
              I'd imagine there were multiple factors that went into that
              business decision. Even if this was portrayed as the final straw.
       
            wrsh07 wrote 19 hours 2 min ago:
            Eh Google had pretty good reasons to not operate in China (not
            seeing them in this thread, don't recall the details precisely
            enough to relate here)
            
            Apple is deeply embedded in China (manufacturing) and benefits from
            a decent (but shrinking) userbase in the country. China isn't
            asking for the keys to all iPhone user data, just data stored in
            China.
       
            WhyNotHugo wrote 19 hours 5 min ago:
            iCloud in China is operated by a local subsidiary. There is a
            dedicated screen explaining this when you set up an iCloud account
            in this region.
            
            They adapt to the local rules of each region, much like they’re
            doing here in the UK.
       
            noirbot wrote 19 hours 40 min ago:
            China feels like an important difference here though. Google
            leaving China doesn't protect Chinese citizens' data any more than
            Apple turning off ADP in the UK does. As far as I know, Apple isn't
            pretending that the data of Chinese users is encrypted from their
            government, and the way they're complying with the Chinese laws
            shouldn't impact the security of users outside of China.
            
            Apple pulling ADP from UK users is similar - the UK has passed an
            ill-considered law that Apple doesn't think it can win a court case
            over, so they're complying in a way that minimally affects the
            security of people outside the UK. If, as someone outside the UK, I
            travel to the UK with ADP turned on, my understanding is it won't
            disable itself.
            
            Would you have been more satisfied if Apple just pulled out of the
            UK entirely? Bricked every iPhone ever purchased there? Google
            doesn't seem to have made any stand for security ever - them
            pulling out of China feels more to do with it meaning they wouldn't
            have had access to Chinese users' data, which is what they really
            want.
       
              viraptor wrote 5 hours 10 min ago:
              > Would you have been more satisfied if Apple just pulled out of
              the UK entirely? Bricked every iPhone ever purchased there?
              
              The request/law would be rolled back in minutes in that case.
              They wouldn't dare though. (wouldn't even have to be bricking -
              just disable services like iCloud)
       
                madeofpalk wrote 3 hours 35 min ago:
                Apple has 40 retail stores in the UK with thousands of
                employees. They have a big new HQ in London where they have
                engineering, etc there.
                
                I cannot see Apple completely shutting down in the UK, firing
                thousands of staff, selling off any property, and cancelling
                leases, just for a week long bargaining chip.
       
            dclowd9901 wrote 21 hours 17 min ago:
            Perhaps Apple has a greater leverage in China due to its outsized
            manufacturing presence. And it's likely they already don't offer ADP
            to Chinese citizens.
       
              vineyardmike wrote 11 hours 29 min ago:
              > Perhaps Apple has a greater leverage in China due to its
              outsized manufacturing presence.
              
              Perhaps China has greater leverage over Apple in this case...
              
              China had been an important area of growth for many companies
              during the 2010s. Apple bent over backwards to cater to that
              market. It was discussed in every financial release, and they
              obviously made tons of concessions for iCloud.
              
              The UK just comparatively isn't that much revenue, and not worth
              the fallout.
       
                chii wrote 9 hours 40 min ago:
                > China had been an important area of growth for many companies
                during the 2010s. Apple bent over backwards to cater to that
                market
                
                and it is the same with European car companies (like
                Volkswagen). Look at where they are now.
                
                I don't believe for a second, that China will not oust Apple
                the moment there's a good reason to.
       
                  vineyardmike wrote 6 hours 10 min ago:
                  > Look at where they are now.
                  
                  Apple's revenue from China has been super dependent on new
                  iPhone looking different, and has been steadily declining or
                  flat for years, except for a few quarters when Huawei was
                  sanctioned.
                  
                  Chinese money was absolutely the forbidden temptress that
                  continues to screw businesses. Luxury goods, cars,
                  electronics, etc were all banking on China’s economic rise
                  to grow their revenue, and post covid recovery saw all that
                  money stay domestic.
                  
                  China won’t oust Apple because twisting Tim Cook’s arm is
                  way more useful. Same with Tesla and any other company that
                  makes a big bet there. But they absolutely won’t be giving
                  American companies an equal chance at success.
       
              SXX wrote 11 hours 42 min ago:
              > And it's likely they already don't offer ADP to Chinese
              citizens.
              
              AFAIK before UK only region with ADP was China.
       
              bitpush wrote 18 hours 8 min ago:
              lol you think Apple has more leverage than China? What world are
              you living in?
       
                raincole wrote 15 hours 57 min ago:
                A world where HN commentators can read English.
       
          alt227 wrote 21 hours 57 min ago:
          > Apple is the only company audibly making a stand
          
          Apple's stand is false, they take with one hand and give with the
          other. There have been many times that Apple have been caught giving
          user data to governments at their request, lied about it, then later
          on admitted it once it had leaked from another source.
          
          This whole 'we will never make a backdoor' is a complete whitewash
          marketing stunt, why do they need to make a backdoor when they are
          providing any and all metadata to any government on request?
          
   URI    [1]: https://www.macrumors.com/2023/12/06/apple-governments-surve...
       
            lilyball wrote 20 hours 50 min ago:
            > There have been many times that Apple have been caught giving
            user data to governments at their request, lied about it, then
            later on admitted it once it had leaked from another source.
            
            In other words, Apple complies with legal government orders, as
            they are required to. The government can compel them with a warrant
            to hand over data that they have, and can prohibit them from
            talking about it. That's the whole reason for the push towards
            end-to-end encryption and for not collecting any data Apple doesn't
            need to operate the products. This also ties into things like photo
            landmark identification, where Apple designed it such that they
            don't get any information about the requests and so they don't have
            any information that they could be compelled to hand to the
            government.
       
            jonhohle wrote 21 hours 17 min ago:
            I think that’s the whole point of their push to E2E encrypt as
            much as possible. Saying they can’t unencrypt something worked
            for a while.
       
          troupo wrote 22 hours 10 min ago:
          > What concerns me more is that Apple is the only company audibly
          making a stand.
          
          They are not making a stand. They roll over without a peep. And this
          is concerning users' privacy which they say is the core of the
          company.
          
          Compare it to fighting every government tooth and nail over every
          single little thing concerning the "we don't know if it's profitable
          and we don't keep meeting records" AppStore
       
            givinguflac wrote 21 hours 41 min ago:
            “They roll over without a peep.”
            
            What are you talking about? This is literally them doing the
            opposite, and there are multiple other public instances of them
            making a stand, not to mention in the design of their systems.
            
            Truly curious how you see this that way.
       
              troupo wrote 20 hours 11 min ago:
              "Literally doing the opposite" would be keeping encryption on.
              
              Removing encryption for everyone is literally doing the opposite
              of making a stand
       
                coaksford wrote 19 hours 49 min ago:
                They had two paths to comply with the law. Silently backdoor
                the worldwide cloud serving every Apple device, or loudly tell
                people in the UK they don't get to have security because their
                government prohibits them. Between these two options, this is
                clearly "making a stand".
                
                It's not as much "making a stand" as telling a major government
                that you have substantial seizable assets under their
                jurisdiction who is a major market you want to be in, that
                you're not going to do the thing that their laws say you are
                required to do, but it's hardly simple compliance either,
                instead of doing what the government wants them to do, they are
                making sure there is blowback.
                
                Whether to try to fight it in court likely depends on details
                of case law and the wording of the laws they'd be contesting, I
                imagine much of the delay in their response to the demand was
                asking their lawyers how well they think they would fare in
                court.
       
                  dumbledoren wrote 13 hours 44 min ago:
                  > tell people in the UK
                  
                  This doesn't affect only people in the UK. It allows access
                  to all Apple users' data globally:
                  
                  > No Heathrow connection necessary. “The law has
                  extraterritorial powers, meaning UK law enforcement would
                  have been able to access the encrypted iCloud data of Apple
                  customers anywhere in the world, including in the US” [1].
                  
                  > [1] [2]
                  
                  So they can spy on you regardless of where you live
                  even in violation of your own country's privacy laws.
                  
   URI            [1]: https://www.ft.com/content/bc20274f-f352-457c-8f86-3...
   URI            [2]: https://news.ycombinator.com/item?id=43132160
       
          Krasnol wrote 22 hours 27 min ago:
          It's always hilarious to see how far people here are ready to go to
          twist some bad Apple news into something which might be considered
          good.
          
          I mean seriously. Apple making a stand? What stand? They are ripping
          security out of their customers hands. Customers which are already
          dependent on the company's decision in their locked in environment.
          
          There is absolutely nothing good about it, and you dragging Android
          into it and making it look like it's even worse is suspicious. You
          can have full control over your Android device. Something impossible
          on an Apple phone. You can make your Android device safer than your
          iPhone.
       
            yunwal wrote 18 hours 55 min ago:
            The government forced them to pull the feature. Would you rather
            they left a toggle-switch that doesn't actually do anything? Or are
            you thinking they should just pull out of the EU altogether?
       
              Krasnol wrote 17 hours 16 min ago:
              Making a stand would be leaving UK (UK is not in the EU)
              altogether.
              
              This is almost as bad as building a backdoor. This is leaving
              your customer in the rain.
              
              Fortunately for Apple, most of them won't even know or realize
              it.
       
                musictubes wrote 12 hours 18 min ago:
                No, this tells the customer that backups to iCloud are not
                secure from the government. Adding the back door would make
                people think that there was more security than there was.
                Transparency is always better than deception.
                
                Dropping the feature that the UK was targeting allows their
                customers to use all the other ways that Apple does things.
                Leaving the UK altogether is the nuclear option denying their
                customers of everything. “Apple should just leave the
                UK/China” never takes into consideration the millions of
                customers that bought or might want to buy in the future.
                Nobody would be better off if Apple withdraws from a country.
       
                  Krasnol wrote 5 hours 35 min ago:
                  I don't think we both have the same concept of "making a
                  stand".
                  
                  Yes, it would have been the nuclear option, but this is
                  Apple. Probably most of the most influential people in the UK
                  have an Apple phone. Just saying that you leave would cause
                  an avalanche of influence targeted at this law. Maybe other
                  companies would have joined them.
                  
                  This, this is just cover dance and I wish they'd pay for
                  this, but they won't and they know it. People locked into the
                  Apple bubble only change if it REALLY hurts. This doesn't
                  hurt the average Apple user, and those who really care moved
                  onto a system they can control themselves.
       
                codedokode wrote 12 hours 36 min ago:
                Making a stand would be displaying a full-screen notification
                about why they cannot provide protection for British users'
                data and which party voted for this.
       
                  Krasnol wrote 5 hours 32 min ago:
                  No. Making a stand would be to threaten to leave and watch
                  all those influential iPhone users scramble to get this law
                  rolled back. Everything else is marketing and cowardice.
       
                yunwal wrote 16 hours 13 min ago:
                > This is leaving your customer in the rain.
                
                vs. taking their phone away??? Idk if you're trolling or what
                but I would be incredibly pissed at Apple if they deprecated my
                phone over something like this.
       
                  Krasnol wrote 5 hours 33 min ago:
                  Yes, imagine the outrage in the rich and influential in the
                  UK if Apple would seriously threaten to leave the country
                  about this. They would cause the law to be fixed which would
                  help everybody.
                  
                  But instead. They run away.
                  
                  Selling this as "making a stand" is ridiculous. Nothing more.
       
            amatecha wrote 22 hours 14 min ago:
            There is an upside (if you trust them) -- they're pulling a feature
            rather than adding a back door to it.  Supposedly, anyway.
       
              Krasnol wrote 17 hours 14 min ago:
              Well, sure it could be worse.
              
              Doesn't make that one good, though.
       
          fdb345 wrote 22 hours 31 min ago:
          Your Android and Microsoft backup aren't encrypted.   They are
          already fair game for a warrant.
       
          dustingetz wrote 23 hours 5 min ago:
          how much distance between
          
          1) tech monopoly strong enough to stand up to G7 nation state demands
          
          2) tech monopoly strong enough to remove itself from G7 nation state
          jurisdiction?
          
          edit: s/monopoly/empire, apologies
       
            stalfosknight wrote 22 hours 55 min ago:
            Apple is not a monopoly.
       
            r00fus wrote 22 hours 57 min ago:
            It's amusing to think of Apple as a "monopoly" (if anything they
            have a monopsony on TSMC production) but let's just replace that
            with "giant" for purposes of discussion.
            
            Tech giants typically devolve local operations to small companies
            to avoid liability - think petroleum suppliers not owning gas
            stations (because those typically end up as superfund sites).  Not
            sure if this analogy works for Google Android and all the
            manufacturers that deploy it for their smartphones too.
            
            So corporations have been doing this forever, trying to find legal
            loopholes where they can have their cake and eat it too.
       
          j-bos wrote 23 hours 10 min ago:
          > (where you don't even have the right to legal advice, or the right
          to remain silent)
          
          A lot is posted about LEOs lying in the US, this seems worse.
       
          IshKebab wrote 23 hours 12 min ago:
          > What concerns me more is that Apple is the only company audibly
          making a stand.
          
          Meta also said they would make a stand if a similar request comes for
          WhatsApp. I'm not going to hold my breath though.
       
            AutistiCoder wrote 20 hours 39 min ago:
            They wouldn't even be able to.
            
            WA is end-to-end encrypted.
       
              kali_00 wrote 19 hours 22 min ago:
              With almost everyone's backups stored in plain-text, making it all
              a little silly.
              
              Think about it for a second: you can re-establish your WA account
              on a new device using only the SIM card from your old device. SIM
              cards don't have a storage area for random applications'
              encryption keys, and even if they did, a SIM card cannot count as
              "end-to-end" anymore. Same goes for whatever mobile cloud
              platform those backups might be stored on. And you'd hope Apple
              or Google aren't happily sending off your cloud decryption keys
              to any app that wants them. Though maybe they are?
       
                acka wrote 15 hours 3 min ago:
                Reestablishing your WhatsApp account on a new device doesn't
                give access to your old chat messages, you need to restore a
                WhatsApp backup for that. The backup doesn't need to be stored
                in the cloud, you can choose to create a local file and
                manually transfer that to your new device.
                
                In any case, as soon as you start using WhatsApp on a new
                device, users in the chats you participate in will receive a
                message informing them that your encryption keys have changed.
       
              alex-robbins wrote 19 hours 34 min ago:
              WhatsApp is closed source. They could backdoor it if they wanted
              to (or were forced to).
       
                bitpush wrote 18 hours 7 min ago:
                And so is Apple and iOS. What is your point?
       
                  IshKebab wrote 17 hours 48 min ago:
                  His point was that it is technically possible for WhatsApp to
                  add a backdoor. Apple could too.
       
          grahamj wrote 23 hours 31 min ago:
          This is why, while I applaud what Apple is doing here, they need to
          allow us to supply our own E2E encryption keys.
       
            vandahm wrote 9 hours 54 min ago:
            But if you don't trust Apple, how do you get the key into the
            Secure Enclave to begin with? Doesn't Apple control the software on
            your device that provides the interface into the Secure Enclave
            from outside of it?
       
            shuckles wrote 23 hours 14 min ago:
            That’s literally what the feature they’re removing did.
       
              kbolino wrote 22 hours 10 min ago:
              Not exactly. It generates the keys for you and stores them on
              device in the Secure Enclave. You cannot "bring your own"
              encryption key, but the primary benefit of doing so--that Apple
              does not have access to it--is intentionally accomplished anyway
              by the implementation.
       
                shuckles wrote 18 hours 1 min ago:
                I’m not sure I appreciate the value of literally bringing
                your own keys. My device generating them on my behalf as part
                of a setup process seems sufficient. You’d use openssl or
                something and defer to software to actually do keygen no matter
                what.
       
                  rkagerer wrote 14 hours 49 min ago:
                  I agree it seems sort of academic at first blush, but I'm
                  going to venture a guess it's the idea that you own them,
                  instead of Apple.
                  
                  So you can eg. keep a backup on your own (secure)
                  infrastructure.  Transfer them when switching devices or even
                  mirror on two different ones*.    Extract your own secret
                  enclave contents.  Improve confidence they were generated
                  securely.  And depending on implementation, perhaps reduce
                  the ease with which Apple might "accidentally" vacuum the
                  keys up as a result of an update / order.
                  
                  *Not sure how much these two make sense in the iOS ecosystem.
                   I know on the Android side I'd absolutely love to maintain a
                  "hot standby" phone that is an exact duplicate of my daily
                  driver, so if I drop it in the ocean I can be up and running
                  again in a heartbeat with zero friction (without need to
                  restore backups, reliance on nerfed backup API's outside the
                  ones Google uses, having to re-setup 2FA, etc. and without
                  ever touching Google's creepy-feeling cloud).
       
                    kbolino wrote 14 hours 44 min ago:
                    You would need to have a completely trusted software and
                    hardware stack to actually own the keys. And that is
                    already hard enough to get on a PC where ownership still
                    means something, it is not going to happen on most mobile
                    devices. To whatever extent you trust any of the stack
                    already, the Secure Enclave is a better bet than BYOK. The
                    real risk, as you imply, is if Apple is able to compromise
                    the security coprocessor with an OTA firmware update, but
                    they can definitely already push a regular OS update that
                    exfiltrates any key you type in.
       
                      codedokode wrote 12 hours 39 min ago:
                      Just make an airgapped Linux device on a DIY FPGA CPU.
                      This part is not that difficult compared to persuading
                      commercial vendors to let you use your own cloud and your
                      own encryption/backup mechanisms.
       
                        rkagerer wrote 10 hours 2 min ago:
                        Yeah... unfortunately it ought to be the other way
                        around.  They should have a hard time persuading us to
                        trust them enough to use theirs.
                        
                        If your phone company asked you to give them the key to
                        your house, in perpetuity, how would you feel about
                        that?  (Particularly if they insisted you sign a 15
                        page Terms of Use first that disclaims all their
                        liability if anything goes missing).
       
                  grahamj wrote 15 hours 5 min ago:
                  It depends what kind of backdoor the UK is asking for but
                  "encryption backdoor" sounds like cryptographic compromise. I
                  don't know if that's what it means but either way the only
                  way to be sure your keys are secure is to generate them
                  yourself.
       
                    kbolino wrote 14 hours 45 min ago:
                    BYOK does not provide any additional security over the
                    Secure Enclave (and similar security coprocessors). In
                    fact, unless the Secure Enclave were to directly accept
                    your input and bypass the OS, BYOK is worse because the
                    software can just upload your key to a server as soon as
                    you type it in. Whereas, a key generated on the Secure
                    Enclave stays there, because there exists no operation to
                    export it.
       
          nottorp wrote 1 day ago:
          >  have an Android device beside me that regularly asks me to back my
          device up to the cloud
          
          But is that backup encrypted? If it's not, all they need is  to
          access your data.
          
          This is about having access to backups that are theoretically
          encrypted with a key Apple doesn't have?
          
          > We're talking about the largest back door I've ever heard of.
          
          Doesn't the US have access to all the data of non US citizens whose
          data is stored in the US without any oversight?
       
            93po wrote 21 hours 8 min ago:
            i think people focus on whether backups are encrypted too much. it
            really doesn't matter when the government has remote access
            equivalent to your live phone when it's in an unencrypted state,
            which they almost certainly do.
       
            noinsight wrote 21 hours 57 min ago:
            > non US citizens whose data is stored in the US
            
            They don't even care where it's stored...
            
            See: CLOUD Act [1]
            
   URI      [1]: https://en.wikipedia.org/wiki/CLOUD_Act
       
              autoexec wrote 14 hours 10 min ago:
              I honestly doubt they even limit themselves to the data of non-US
              citizens. They have no respect at all for the fourth amendment.
       
            crimsoneer wrote 22 hours 2 min ago:
            Android data isn't encrypted at rest (or at least not in a way
            Google doesn't have the key). If the uk gov has a warrant, they can
            ask Google to provide your Google Drive content. The whole point of
            this issue is Apple specifically designed ADP so they couldn't do
            that.
       
              Gatorguy wrote 12 hours 37 min ago:
              Wrong. Google Android user cloud backups are E2EE by
              default. There is no option to opt out. Use Google's backup
              service and your data is encrypted at rest, in transit, and on
              device. aka end-to-end.
              
              It's not just Google saying it. Google Cloud encryption is
              independently verified
       
              sunshowers wrote 18 hours 52 min ago:
              Android backups are encrypted at rest using the lockscreen PIN or
              passphrase: [1]
              
              So not hugely secure for most people if they use 4-6 decimal
              digits, but possible to make secure if you set a longer
              passphrase.
              
              I don't know what Google's going to do about this UK business.
              
              edit: Ah it looks like they have a Titan HSM involved as well.
              Have to take Google's word for it, but an HSM would let you do
              rate limits and lockouts. If that's in place, it seems all right
              to me.
              
   URI        [1]: https://developer.android.com/privacy-and-security/risks...
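
The difference between a backup key derived only from a short PIN and one held behind a rate-limited vault, as described in the comment above, shown as an added example that is not part of the thread and is not Google's implementation. `RateLimitedVault`, `MAX_ATTEMPTS`, the iteration count and the sample PIN are assumptions made for the illustration.

```python
import hashlib
import hmac
import math
import secrets

# Deliberately tiny so the demonstration finishes quickly; a real KDF setting
# is far higher, which slows each guess but does not enlarge a 4-6 digit keyspace.
PBKDF2_ITERS = 100


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random secret of the given shape."""
    return length * math.log2(alphabet_size)


def derive_key(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ITERS)


def make_verifier(secret: str, salt: bytes) -> bytes:
    """Stands in for anything in an encrypted backup that confirms a correct key."""
    return hmac.new(derive_key(secret, salt), b"backup-key-check", hashlib.sha256).digest()


def offline_search(verifier: bytes, salt: bytes, digits: int):
    """Design A: the key depends only on the PIN, so whoever holds the
    ciphertext can test every PIN with nothing counting the attempts."""
    for n in range(10 ** digits):
        guess = f"{n:0{digits}d}"
        if hmac.compare_digest(make_verifier(guess, salt), verifier):
            return guess, n + 1
    return None, 10 ** digits


class RateLimitedVault:
    """Design B (toy model of an HSM-backed vault): the backup key is random,
    is released only for the correct PIN, and is destroyed after
    MAX_ATTEMPTS consecutive failures."""

    MAX_ATTEMPTS = 10  # assumed policy for the example

    def __init__(self, pin: str):
        self._salt = secrets.token_bytes(16)
        self._pin_hash = derive_key(pin, self._salt)
        self._backup_key = secrets.token_bytes(32)
        self._failures = 0

    def unlock(self, pin: str):
        if self._backup_key is None:
            raise PermissionError("vault locked: key destroyed")
        if hmac.compare_digest(derive_key(pin, self._salt), self._pin_hash):
            self._failures = 0
            return self._backup_key
        self._failures += 1
        if self._failures >= self.MAX_ATTEMPTS:
            self._backup_key = None  # lockout: the key no longer exists
        return None


def online_search(vault: RateLimitedVault, digits: int):
    """The same exhaustive search, but every guess has to go through the vault."""
    tried = 0
    for n in range(10 ** digits):
        try:
            key = vault.unlock(f"{n:0{digits}d}")
        except PermissionError:
            return None, tried
        tried += 1
        if key is not None:
            return key, tried
    return None, tried


if __name__ == "__main__":
    pin = "4821"  # constructed sample PIN
    salt = secrets.token_bytes(16)

    found, guesses = offline_search(make_verifier(pin, salt), salt, 4)
    print(f"PIN-only key: recovered {found} after {guesses} guesses")

    key, tried = online_search(RateLimitedVault(pin), 4)
    print(f"vault: key recovered={key is not None}, guesses accepted={tried}")

    print(f"6-digit PIN: {keyspace_bits(10, 6):.1f} bits")
    print(f"6 words from a 7776-word list: {keyspace_bits(7776, 6):.1f} bits")
```
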
       
                autoexec wrote 14 hours 7 min ago:
                I wonder how hard it would be for the US government to force
                Google to just get the lockscreen pin off of your device or for
                them to just infect your device with something to capture it
                themselves.
       
            squeaky-clean wrote 22 hours 30 min ago:
            > But is that backup encrypted? If it's not, all they need is  to
            access your data.
            
            Based on them mentioning the difficulty of opting out, I presume
            OOP does not use Google's cloud backup.
       
            mtrovo wrote 23 hours 1 min ago:
            > Doesn't the US have access to all the data of non US citizens
            whose data is stored in the US without any oversight?
            
            Totally agree. Having this discussion so US centred just makes us
            miss the forest for the trees. Apart from data owned by US
            citizens, my impression is that data stored in the US is fair game
            for three letter agencies, and I really doubt most companies would
            spend more than five minutes agreeing with law enforcement if asked
            for full access to their database on non-US nationals.
            
            Also, remember that WhatsApp is the go-to app for communication in
            most of the world outside the US. And although it's end-to-end
            encrypted, it's always nudging you to back up your data to Google
            or Apple storage. I can't think of a better target for US
            intelligence to get a glimpse of conversations about their targets
            in real time, without needing to hack each individual phone. If
            WhatsApp were a Chinese app, this conversation about E2E and backup
            restrictions would have happened a long time ago. It's the same on
            how TikTok algorithm suddenly had a strong influence on steering
            public opinion and instead of fixing the game we banned the player.
       
              wkat4242 wrote 2 hours 43 min ago:
              This is different IMO. When you buy Apple you buy an American
              product and you know the company is beholden to US law. Snowden
              has made perfectly clear how much they can be trusted. When you
              buy it anyway it's an informed choice.
              
              Here a country that has no ties with most of apple's customers is
              just butting in and claiming access to all of them.
              
              So what's next. Are we also giving access to everyone's data to
              Russia? Iran?
       
              SJC_Hacker wrote 19 hours 27 min ago:
              > Totally agree. Having this discussion so US centred just makes
              us miss the forest for the trees. Apart from data owned by US
              citizens, my impression is that data stored in the US is fair
              game for three letter agencies, and I really doubt most companies
              would spend more than five minutes agreeing with law enforcement
              if asked for full access to their database on 
              ̶n̶o̶n̶-̶U̶S̶ ̶n̶a̶t̶i̶o̶n̶a̶l̶s̶ anyone.
       
              mox1 wrote 22 hours 27 min ago:
              International users that have Advanced Protection enabled would
              in theory be safe from all of the 3-letter agencies (like safe
              from those agencies getting the data from Apple...not safe
              generally).
              
              Realistically we are talking about FISA here, so in theory if the
              FBI gets a FISA court order to gather "All of the Apple account
              data" for a non-us person, Apple would either hand over the
              encrypted data OR just omit that....
              
              Based on the stance Apple is taking here, it's reasonable to
              assume they would do the same in the US (disable the feature if
              USG asked for a backdoor or attempted to compel them to decrypt)
       
                nickburns wrote 21 hours 2 min ago:
                > it's reasonable to assume they would do the same in the US
                (disable the feature if USG asked for a backdoor or attempted
                to compel them to decrypt)
                
                I think it's more likely that Apple would challenge it in US
                courts and prevail. Certainly a legal battle worth waging,
                unlike in the UK.
       
                  GeekyBear wrote 20 hours 21 min ago:
                  This has already happened, and Apple did fight it in the US
                  courts.
                  
                  Eventually the US government withdrew their demand.
                  
   URI            [1]: https://en.m.wikipedia.org/wiki/Apple%E2%80%93FBI_en...
       
                    autoexec wrote 14 hours 14 min ago:
                    It's worth pointing out that just because the FBI didn't
                    have the access they wanted, it doesn't mean that other
                    agencies don't, or that the FBI couldn't get the data they
                    wanted by other means (which was exactly what they ended up
                    doing in that specific case). It just means that they
                    wanted Apple to make it easier for them to get the data.
                    
                    It's good that Apple refused them, but I wouldn't count
                    that as evidence that the data is secure from the US
                    government.
       
                      GeekyBear wrote 8 hours 47 min ago:
                      It's also worth noting that the US courts have long held
                      that computer code is speech.
                      
                      Apple's legal argument that the government's demand that
                      they insert a backdoor into iOS was tantamount to
                      compelled speech (in violation of the first amendment)
                      was going over a little too well in court.
                      
                      The Feds will often find an excuse to drop cases that
                      would set a precedent they want to avoid.
       
                    nickburns wrote 20 hours 18 min ago:
                    Exactly.
                    
   URI              [1]: https://en.wikipedia.org/wiki/Apple%E2%80%93FBI_en...
       
                mtrovo wrote 22 hours 0 min ago:
                Would your answer be the same if this encrypted data was stored
                in China instead of US?
                
                I don't think messages should ever leave the device, if you
                want to migrate to a different device this could be covered by
                that user flow directly. Maybe you want to sync media like
                photos or videos shared on a group chat and I'm fine with that
                compromise but I see more risks than benefits on backing up
                messages on the cloud, no matter if it's encrypted or not.
       
                  r3trohack3r wrote 16 hours 25 min ago:
                  I think the average human will disagree with you. They want
                  to preserve their data and aren't technically competent and
                  organized enough to maintain their own backups with locally
                  hosted hardware. Even the technically literate encourage
                  _offsite_ backups of your data.
                  
                  Know your threat model and what actions you're trying to defend
                  against.
                  
                  Typical humans need trusted vendors that put in actual effort
                  to make themselves blind to your personal data.
       
              causal wrote 22 hours 30 min ago:
              Agree in principle, though WhatsApp backups are encrypted with a
              user provided password, so ostensibly inaccessible to Google or
              whoever you use as backup
       
                scripturial wrote 12 hours 12 min ago:
                What makes you think WhatsApp backups don’t have a secondary
                way to unlock the encryption key? Wouldn’t it be more logical
                to assume the encryption key for whatsapp backups can also be
                unlocked by an alternate “password”
                
                If the US is willing to build an entire data center in Outback
                Australia to allow warrantless access to US citizen data, why
                wouldn’t they be forcing WhatsApp backups to be unlockable?
       
            burnerthrow008 wrote 1 day ago:
            > Doesn't the US have access to all the data of non US citizens
            whose data is stored in the US without any oversight?
            
            Er, no...?  I'm not sure where you get that idea.  Access requires
            a warrant, and companies are not compelled to build systems which
            enable them to decrypt all data covered by the warrant.
            
            See, for example, the Las Vegas shooter case, where Apple refused
            to create an iOS build that would bypass iCloud security.
       
              nottorp wrote 1 day ago:
              I asked if your Android backup is encrypted. Implies I'm talking
              about unencrypted data.
              
              > See, for example, the Las Vegas shooter case
              
              I am not in Las Vegas or anywhere else in the US. So as far as I
              know all the data about me that is stored in the US is easily
              accessible without a warrant unless it's encrypted with a key
              that's not available with the storage.
              
              > companies are not compelled to build systems which enable them
              to decrypt all data covered by the warrant
              
              Again, not what I was talking about.
              
              I'm merely pointing out that your data is not necessarily
              encrypted, and that the "rest of the world" was already
              unprotected vs at least one state. The UK joining in would just
              add another.
       
                spankalee wrote 23 hours 1 min ago:
                > all the data about me that is stored in the US is easily
                accessible without a warrant
                
                No, law enforcement needs a warrant to legally access any data.
                This is why Prism was illegal, and why companies like Google
                are pushing back against overly broad geofence search warrants.
       
                  fdb345 wrote 22 hours 29 min ago:
                  All Encrochat evidence was illegal in at least three
                  different ways.   UK Law enforcement didn't care.    They
                  just lied.
       
                    multjoy wrote 21 hours 38 min ago:
                    No it wasn't.
                    
                    The Dutch cracked and wiretapped it. It has been held not
                    to be intercept evidence per RIPA so capable of being used
                    in evidence.
                    
                    Most went guilty because they were caught red-handed in the most
                    egregious criminality you've seen.
                    
                    Encro was designed to enable and protect criminal
                    communications. It had no redeeming public value.
       
                      fdb345 wrote 6 hours 19 min ago:
                      LOL you can't even get the countries involved right you
                      muppet.   Obviously a deluded pig or a pig lackey.
                      
                      Encrochat was illegal in at least 3 ways to UK and
                      European law.  The intercept evidence per RIPA was the
                      lie.   The data was not at rest.   The British Police and
                      courts are criminals and liars.
       
                  alt227 wrote 22 hours 47 min ago:
                  > This is why Prism was illegal
                  
                  Yet it still existed, and was used for surveillance by 3
                  letter agencies. Why do you think this is any different?
       
                    somenameforme wrote 22 hours 32 min ago:
                    No idea why the two of you are using past tense. PRISM is
                    still very much alive and well.
       
                GeekyBear wrote 23 hours 31 min ago:
                This is why Apple, and more recently Google, create systems
                where they don't have access to your unencrypted data on their
                servers.
                
                > Google Maps is changing the way it handles your location
                data. Instead of backing up your data to the cloud, Google will
                soon store it locally on your device. [1]
                
                You can't be forced to hand over data on your servers that you
                don't have access to, warrant or no.
                
                The UK wants to make this workaround illegal on an
                international basis.
                
   URI          [1]: https://www.theverge.com/2024/6/5/24172204/google-maps...
       
                  Gatorguy wrote 12 hours 32 min ago:
                  Small correction.
                  
                  Google had "created a system where they don't have access to
                  your data on their servers" a couple of years BEFORE Apple.
                  Android 10 introduced it in 2019.
       
                    GeekyBear wrote 9 hours 55 min ago:
                    Google didn't announce plans to stop storing a copy of user
                    location data on their servers until the middle of last
                    year.
                    
                    See the story linked above.
                    
                    They didn't announce that they could no longer access user
                    location data on their servers to respond to geofence
                    warrants until the last quarter of 2024.
       
                      Gatorguy wrote 4 hours 4 min ago:
                      We're talking iCloud and data encryption compared to
                      Google's Android Cloud E2EE, and you're doing maps.
       
                  pmontra wrote 21 hours 55 min ago:
                  > You can't be forced to hand over data on your servers that
                  you don't have access to, warrant or no.
                  
                  But you can be forced to record and store that data even if
                  you don't want to.
       
                    GeekyBear wrote 21 hours 13 min ago:
                    Which is why Apple takes the stance that the user's device
                    shouldn't be sending data to the mothership at all, if it
                    isn't absolutely necessary.
                    
                    Compare Apple Maps and Google Maps.
                    
                    Google initially hoovered up all your location data and
                    kept it forever. They learned from Waze that one use case
                    for location data was keeping your map data updated.
                    
                    Apple figured out how to accomplish the goal of keeping map
                    data updated without storing private user data that could
                    be subject to a subpoena.
                    
                    > “We specifically don’t collect data, even from point
                    A to point B,” notes Cue. “We collect data — when we
                    do it — in an anonymous fashion, in subsections of the
                    whole, so we couldn’t even say that there is a person
                    that went from point A to point B.
                    
                    The segments that he is referring to are sliced out of any
                    given person’s navigation session. Neither the beginning
                    or the end of any trip is ever transmitted to Apple.
                    Rotating identifiers, not personal information, are
                    assigned to any data sent to Apple... Apple is working very
                    hard here to not know anything about its users.
                    
   URI              [1]: https://techcrunch.com/2018/06/29/apple-is-rebuild...
       
                      acka wrote 13 hours 46 min ago:
                      Google or Apple could be forced by authorities to perform
                      correlation on the map tiles being requested by users
                      under investigation. Not as accurate as GPS coordinates
                      but probably useful nonetheless.
                      
                      One more reason to prefer offline maps for those who
                      value privacy.
       
                        GeekyBear wrote 9 hours 49 min ago:
                        Given that you can browse map data for any location,
                        not just where you happen to be, I'm betting that
                        triangulation data from your carrier would be more
                        accurate.
       
                          acka wrote 8 hours 14 min ago:
                          Sure, triangulation of carrier signals could lead to
                          more accurate position estimates, but if the carrier
                          isn't based in the US they are under no obligation to
                          make this data available to US authorities.
                          
                          Apple and Google are based in the US so are bound by
                          the CLOUD Act to provide any and all data they have
                          upon request, no matter where in the world it is
                          being collected or stored.
       
                skydhash wrote 23 hours 44 min ago:
                People always overestimate how much companies will defy their
                government for you, legally or otherwise.
       
          sameermanek wrote 1 day ago:
          Feels like marvel was onto something with captain america and winter
          soldier.
       
            dmonitor wrote 23 hours 34 min ago:
            The real prescient threat in that movie was the predictive AI
            algorithm that tracked individual behaviors and identified
            potential threats to the regime. In the movie they had a big
            airship with guns that would kill them on sight, but a more
            realistic threat is the AI deciding to feed them individualized
            propaganda to curtail their behavior. This is the villain's plot in
            Metal Gear Solid 2, which is another great story.
            
            This got me thinking about MGS2 again and rewatching the colonel's
            dialogue at the end of the game: [1]
            
            > Your persona, experiences, triumphs, and defeats are nothing but
            byproducts. The real objective was ensuring that we could generate
            and manipulate them.
            
            It's really brilliant to use a video game to deliver the message of
            the effectiveness of propaganda. 'Game design' as a concept is just
            about manipulation and hijacking dopamine responses. I don't think
            another medium can as effectively demonstrate how systems can
            manipulate people's behavior.
            
   URI      [1]: https://www.youtube.com/watch?v=eKl6WjfDqYA
       
            pplante wrote 1 day ago:
            Life is imitating too many dystopian books, movies, etc these days.
            I think we need to put an end to all creative works before the
            timeline becomes irrecoverably destroyed.
       
              dingdingdang wrote 22 hours 36 min ago:
              The /s is strong with this one.
       
              Arubis wrote 22 hours 51 min ago:
              I suspect you’re being flippant, but destruction of and
              restrictions on creative works as an _antidote_ to dystopia is a
              take I haven’t seen before.
       
                pplante wrote 20 hours 57 min ago:
                Yes, I am being very flippant. Sometimes we need to jest in
                order to digest reality.
       
              ekm2 wrote 23 hours 15 min ago:
              Banning art?
       
        Jigsy wrote 1 day ago:
        I don't like Apple, nor do I use any of their products, but as someone
        from the UK, I do respect them for doing this.
        
        Now if only the other companies who said they'd leave would grow a
        backbone...
       
        ranger_danger wrote 1 day ago:
        The beginning of the end. A sad day for Brits
       
        cgcrob wrote 1 day ago:
        Removed all my stuff from iCloud about a month ago in preparation for
        this.
       
        pyuser583 wrote 1 day ago:
        How does this affect me if I travel to the UK with an E2E encrypted
        IThing?
       
          bananapub wrote 1 day ago:
          not at all
       
        tome wrote 1 day ago:
        I'm confused.  I thought iCloud was end-to-end encrypted anyway, and
        I've never heard of ADP before.  Is ADP encryption at rest, whereas
        normal iCloud storage is only encrypted from the device to the server?
       
          jamesmotherway wrote 1 day ago:
          See the "Data categories and encryption" section:
          
          "The table below provides more detail on how iCloud protects your
          data when using standard data protection or Advanced Data
          Protection."
          
   URI    [1]: https://support.apple.com/en-us/102651
       
          dmix wrote 1 day ago:
          The only difference is Apple doesn't hold the encryption keys when
          you use ADP.
          
          In both cases it's encrypted in transit and at rest.
       
            tome wrote 1 day ago:
            TIL that Apple holds the keys to my iCloud encrypted data!
       
              burnerthrow008 wrote 23 hours 57 min ago:
              Yes, otherwise, how would the web interface (iCloud.com) work?
       
                blitzar wrote 6 hours 51 min ago:
                Or account recovery
       
              AlanYx wrote 1 day ago:
              For most of it, yes. There are exceptions, e.g., Health and
              Keychain, for which Apple does not have the keys even without ADP
              enabled.
       
        b800h wrote 1 day ago:
        What happens if you're an international traveller?
       
          SXX wrote 1 day ago:
          This will likely depend on your primary account region.
          Apple can't just turn off E2EE on existing account nilly willy.
       
            A4ET8a8uTh0_v2 wrote 1 day ago:
            << Apple can't just turn off E2EE on existing account nilly willy.
            
            If they are able to, then they can be compelled. Do you mean
            won't/wouldn't?
       
              buildbot wrote 1 day ago:
              “Apple said it will issue additional guidance in the future to
              affected users and that it "does not have the ability to
              automatically disable it on their behalf."”
              
              From
              
   URI        [1]: https://www.macrumors.com/2025/02/21/apple-pulls-encrypt...
       
              SXX wrote 1 day ago:
              They can break a sync on server-side for your account.
              
              They can't disable it on device though.
       
                int_19h wrote 17 hours 4 min ago:
                They control the software running on your device, and said
                software ultimately has access to the encryption keys stored
                there (subject to the usual hoops; e.g. it might need you to do
                a FaceID unlock first, but it's not like you aren't already
                doing that many times every day).
       
        v3xro wrote 1 day ago:
        Very disappointed with this, but I think I will be finding alternatives.
        
        Family sharing especially of Reminders is a hard one - we use lists for
        grocery shopping and it is extremely convenient.
        
        Has anyone tried out Ente [1] for photos?
        
   URI  [1]: https://ente.io/
       
        vroomvroomboom wrote 1 day ago:
        It's the right decision. Don't bow to the government, let the people
        demand it from their leaders, and vote in new ones.
       
          v3xro wrote 1 day ago:
          Yes, countries lacking in proportional representation and having
          obscure procedures like proroguing parliament are the best at
          listening to important but fairly obscure issues from their voters.
       
        vroomvroomboom wrote 1 day ago:
        It's the right choice: don't bow to government pressure, let the people
        pressure the government.
       
          madeofpalk wrote 23 hours 40 min ago:
          This is Apple conceding. Apple lost. UK Government got (almost) what
          they wanted - a backdoor into iCloud accounts.
          
          Apple's only consolation prize is that it's limited to UK users for
          now. But it seems inevitable that ADP will gradually be made illegal
          all around the world.
       
            jahewson wrote 22 hours 52 min ago:
            Given that they’ve only prevented new signups it looks to me more
            like Apple is trying to apply pressure to the U.K. government to
            get them to back down. The law that permits this was passed in 2016
            so the situation was default lost already.
       
              alt227 wrote 22 hours 42 min ago:
              They have said all existing ADP enabled accounts will be disabled
              or deleted in time. They need to give people time to migrate
              their data out before they nuke it.
       
          Molitor5901 wrote 1 day ago:
          NO, it's the wrong choice. Most people do not understand this stuff
          enough to truly care about, and they just want their devices to work.
          This is an awful decision by Apple. There's really nothing consumers
          can do to pressure the British government.
       
            afthonos wrote 23 hours 16 min ago:
            Consumers being unable to pressure government, even if true, does
            not imply this is a bad decision.
       
              Molitor5901 wrote 21 hours 52 min ago:
              It's a terrible decision that will have grave ramifications. I
              see no positive to this action.
       
          miroljub wrote 1 day ago:
          How?
          
          In the UK, there's no right to bear arms, so people are pretty
          helpless against their oppressing government.
       
            blitzar wrote 7 hours 1 min ago:
            We could try the American way, bear our arms and shoot up a school,
            but I don't see how that will help.
       
            mr_toad wrote 16 hours 53 min ago:
            > In the UK, there's no right to bear arms, so people are pretty
            helpless against their oppressing government.
            
            When people want to revolt it doesn’t seem like the right to bear
            arms has much to do with it.  Not having the right to bear arms
            certainly hasn’t stopped countless rebellions and revolutions
            across the world.  It’s not like the French or the Russians had a
            right to bear arms before their successful revolutions.
            
            Even in the UK, the lack of a right to bear arms didn’t stop
            Cromwell using firearms to defeat Charles II at the Battle of
            Worcester.
       
            fdb345 wrote 23 hours 28 min ago:
            I just don't interact with the government or British society at all.
            I have turned my back on it.
            
            If they ever come to my door I'll either go postal or leave the
            country.
            
            It's so bad here now.
       
            emorning3 wrote 23 hours 53 min ago:
            Guns are an inefficient/stupid way to kill people anyway.
            
            Just ask Russia and Ukraine.
            
            Look around, human beings are quite clever.
       
            quickthrowman wrote 23 hours 57 min ago:
            Small arms are no match for drones and a fully armed military, a
            successful rebellion by any populace against a first world military
            is impossible unless the military lays their arms down voluntarily,
            full stop.
       
              filoleg wrote 23 hours 28 min ago:
              Every time this argument comes up, I just feel like rolling eyes,
              it is so overplayed.
              
              Yes, in a direct confrontation and an all out war, the populace
              stands no chance against the US military (assuming the military
              will unwaveringly side against the populace), no argument there.
              
              But an all out war is not an option, the government wouldn’t be
              trying to pulverize an entire nation and leave a rubble in place.
              If you completely destroy your populace and your cities in an
              all-out direct war, you got no country and people left to govern.
              It is all about subjugation and populace control. You can’t
              achieve this with air strikes that level whole towns.
              
              Similarly, if the US wanted to “win” in Afghanistan by just
              glassing the whole region and capturing it, that would be rather
              quick and easy (from a technical perspective, not from the
              perspective of political consequences that would follow). Turns
              out, populace control and compliance are way more tricky to
              achieve than just capturing land. And while having overwhelming
              firepower and technological advantage helps with that, it isn’t
              enough.
       
                quickthrowman wrote 17 hours 41 min ago:
                A first world military that has remotely piloted drones with IR
                cameras and other surveillance tools will have no problem
                crushing any form of resistance. They don’t even need to
                field any troops, they can remotely kill the rebels. How on
                earth do you wage a rebellion against such a force?
       
                bloqs wrote 22 hours 27 min ago:
                I roll my eyes when I see this blissfully naive LARP/mallninja
                imagined scenario, but I do have to remind myself that the US
                was founded on the basis of forming a militia etc. and I would
                probably say the same thing if I had that upbringing. You
                forget that the vast majority of people are stupid and easily
                scared (this is not a solvable problem)
                
                Help me out - how can policing possibly work if no one is
                legally required to be policed? You just end up with murderers,
                rapists etc. expressing their right to "resist" with arms like
                in spaghetti westerns. It is totally symbolic, and would
                crumble at the first instance of serious government interest of
                arresting 'troublemakers', which would of course start with a
                well crafted PR campaign to get the rest of the public on their
                side. I think it's naive.
       
                  jahewson wrote 22 hours 4 min ago:
                  This feels like a strawman because you’re only
                  hypothesizing a situation in which it wouldn’t work well.
                  
                  Imagine a dark future with a sudden military coup by a small
                  faction of extreme radicals that 85% of the population
                  opposes. Could enough citizens rise up and stop them? Could
                  the calculus of being that coup leader be changed by the
                  likelihood that they will be assassinated in short order, by
                  one of millions of potential assassins? Quite possibly. These
                  are not everyday concerns, of course, but the concerns of
                  dark and dangerous times. It’s a bit like buying life
                  insurance: hopefully I never need it.
       
              protonbob wrote 23 hours 55 min ago:
              Rebels are able to use techniques that a government never could
              or would. I think you underestimate the usefulness of small arms
              in guerilla warfare.
       
                quickthrowman wrote 17 hours 50 min ago:
                I think you underestimate the lethality of remotely piloted
                drones with missiles and IR cameras and the futility of
                fighting against them.
       
                  protonbob wrote 1 hour 19 min ago:
                  You can pretty easily build / buy these. Look at Ukraine.
                  Lots of their drones were just off the shelf. Jamming is
                  super directional and easy to spot so fighting forces use it
                  sparingly.
       
                  sillywalk wrote 14 hours 10 min ago:
                  The Taliban would argue otherwise.
       
                gus_massa wrote 23 hours 24 min ago:
                You underestimate the nasty things governments have done.
       
            Molitor5901 wrote 1 day ago:
            Technically I guess you're right, but one hopes that the
            foundations of British democracy provide its citizens with the
            tools to fight against an oppressive government. The only rub is
            getting them to stand up and do that.
       
              jahewson wrote 22 hours 26 min ago:
              Like what? Britain is a constitutional monarchy. Its foundations
              anticipated an oppressive king, not an oppressive parliament.
              Britain never had a revolution, it never had free speech to begin
              with. It seems to me that what made Britain successful in the
              past is maladaptive to its current situation.
       
            ornornor wrote 1 day ago:
            Because that’s working so well for the US
       
              cupcakecommons wrote 23 hours 36 min ago:
              it's working really well, we don't get arrested for social media
              posts as far as I can tell
       
                ornornor wrote 22 hours 58 min ago:
                If that’s the bar then I guess yes it’s a resounding
                success for freedom.
       
                  cupcakecommons wrote 14 hours 36 min ago:
                  The UK seems to be actively covering up the mass rape of
                  little girls and throwing dissidents in prison. They've
                  sustained mass immigration for decades against their own
                  peoples' will. The US just shook off, at least in part, the
                  same mass immigration and the same clamping down of free
                  speech in the US. It's not the only bar, but I would
                  definitely consider it a resounding success. I can't help but
                  think the 1st and 2nd amendment play a part because the 1st
                  is obviously implicated and the 2nd is required to maintain
                  the 1st.
       
                    defrost wrote 14 hours 10 min ago:
                    > The UK seems to be actively covering up the mass rape of
                    little girls
                    
                    They're doing the worst cover up ever given grooming gangs
                    and where they operate have been headlines in the UK for
                    decades.
                    
                    What they're not very good at is keeping the UK citizens at
                    large well informed with a realistic sense of proportion
                    given the scale of child sexual abuse far exceeds the
                    activities of grooming gangs.
       
                philipwhiuk wrote 23 hours 26 min ago:
                 [1] [2] [3] Yes you do
                
   URI          [1]: https://www.justice.gov/usao-edny/pr/social-media-infl...
   URI          [2]: https://www.bbc.co.uk/news/articles/c86l4p583y6o
   URI          [3]: https://www.aljazeera.com/news/2021/1/19/holdindigenou...
       
                  jahewson wrote 22 hours 41 min ago:
                  That’s not the same thing. You know what he means.
       
            basisword wrote 1 day ago:
            >> In the UK, there's no right to bear arms, so people are pretty
            helpless against their oppressing government.
            
            There's a right to bear arms in the US and it doesn't seem to be
            helping them with their oppressive government.
       
              grahamj wrote 23 hours 0 min ago:
              It only works when the gun nuts aren’t on the side of the
              oppressors.
       
              cupcakecommons wrote 23 hours 37 min ago:
              I feel like it's working pretty great
       
              protonbob wrote 23 hours 56 min ago:
              Look into the Black Panthers. It actually does work quite
              effectively.
       
                throw16180339 wrote 13 hours 2 min ago:
                The Mulford Act ( [1] ), a California gun control act that
                prohibits open carry, was originally passed back in the 60s to
                disarm the Black Panthers.
                
   URI          [1]: https://en.wikipedia.org/wiki/Mulford_Act
       
                bloqs wrote 22 hours 26 min ago:
                You people cannot seriously be this poorly educated
       
                jahewson wrote 22 hours 47 min ago:
                The fact that I can’t tell if this is a joke speaks volumes.
       
                ch4s3 wrote 23 hours 30 min ago:
                Ahh yes the murders of Alex Rackley and Betty Van Patter, truly
                brave and revolutionary acts!
       
                krapp wrote 23 hours 50 min ago:
                How? the Black Panthers were infiltrated and undermined by
                COINTELPRO and effectively destroyed from within, meanwhile the
                white supremacist capitalist system they fought against
                persists.
                
                Their biggest success as far as I know is starting free school
                lunches in the US, but that wasn't at gunpoint.
       
            krapp wrote 1 day ago:
            Weird. In the US there is a right to bear arms, yet people are also
            pretty helpless against their oppressing government.
       
              cupcakecommons wrote 23 hours 35 min ago:
              Who do you know that's been arrested for posting on social media?
              I don't know of anyone.
       
                krapp wrote 21 hours 44 min ago:
                True.
                
                American police will shoot people dead in the streets with
                impunity, the military industrial complex engages in constant
                wars regardless of popular sentiment and the American
                government is currently being carved up by neo-nazis and
                oligarchs but you can legally be racist on the internet. I
                guess it truly is the land of the free.
                
                Also... wait six months.
       
                  cupcakecommons wrote 14 hours 17 min ago:
                  You're currently delusional in a very particular way and
                  that's fine. I'm looking forward to you finding your way and
                  things turning out much better than you expect (at least in
                  the US) in six months.
       
            saintfire wrote 1 day ago:
            I'm sure shooting at the government would have solved this privacy
            issue.
       
              Tostino wrote 23 hours 44 min ago:
              Surprisingly, the people in the government don't much like being
              shot. See the reaction to the UHC CEO for an example.
       
              marknutter wrote 1 day ago:
              It solved the taxation issue
       
                spacedcowboy wrote 22 hours 54 min ago:
                As a green-card holder, it really didn't.
       
                krapp wrote 23 hours 49 min ago:
                As far as I know Americans are still required to pay taxes, so
                no.
       
                  brink wrote 23 hours 36 min ago:
                  We're working on it.
       
          ethagnawl wrote 1 day ago:
          > let the people pressure the government.
          
          Hopefully they will.
       
            basisword wrote 1 day ago:
            There was a lot of campaigning against the Investigatory Powers
            bill when it was introduced. It didn't help much given the people
            in power want more power regardless of where they sit on the
            political spectrum.
       
            tmjwid wrote 1 day ago:
            I can't imagine many here (UK) will really care, we've had multiple
            breaches of privacy imposed on us by the powers that be. - Removed
            incorrect assumption of this not being reported.
       
              alt227 wrote 21 hours 54 min ago:
              I agree, have an upvote.
              
              Even though it's making the media headlines today, 99% of UK
              citizens will forget this tomorrow and it will fade into the
              mists of time. Just like every other security infringement that
              any government has imposed on its citizens.
       
              darrenf wrote 1 day ago:
              It's literally the number one story on [1] as I type this
              comment.
              
   URI        [1]: https://www.bbc.co.uk/news/
       
                gambiting wrote 1 day ago:
                And I guarantee that the reaction from most people will be
                "good, I have nothing to hide so I have nothing to worry
                about". The apathy around this stuff in the UK is unbelievable -
                I've been trying to point out that hey, for years now something
                like 17 government agencies (including DEFRA - department of
                agriculture lol) can access your internet browsing history
                WITHOUT A WARRANT and that's absolutely fine. ISPs are required
                to keep your browsing history for a year too. Again, nothing to
                hide, why would I worry about it.
       
                  spwa4 wrote 23 hours 42 min ago:
                  The same is happening Europe-wide too. Everybody always
                  points to the GDPR legislation. You know what is a feature of
                  the GDPR too?
                  
                  Every European government (even some non-EU ones) can grant
                  any exception to anyone to the GDPR for any reason. And, of
                  course, every last one has granted an exception to the
                  police, to courts, to the secret service, their equivalent of
                  the IRS, and to government health care (which imho is a big
                  problem when we're talking mental health care), and when I
                  say government health care, note that this includes private
                  providers of health care, in other words insurances.
                  
                  Note: these GDPR exclusions include denying patients access
                  to their own medical records. So if a hospital lies about
                  "providing you" with mental health treatment (which they are
                  incentivized to do, they get money for that), it can
                  helpfully immediately be used in your divorce. For you
                  yourself, however, it is conveniently impossible to verify if
                  they've done this. Nor can you ask (despite GDPR explicitly
                  granting you this right) to have your medical records just
                  erased.
                  
                  In other words. GDPR was explicitly created to give people
                  control over their own medical records, and to deny insurance
                  providers and the IRS access. It does the exact opposite.
                  
                  Exactly the sort of information I would like to hide, exactly
                  the people I would find it critical to hide it from. In other
                  words: GDPR applies pretty much only to US FANG companies ...
                  and no-one else.
                  
                  So: if you don't pay tax and use that money to pay for a
                  cancer treatment, don't think for a second the GDPR will
                  protect you. If you have cancer and would like to get
                  insured, the insurance companies will know. Etc.
       
                  genewitch wrote 1 day ago:
                  Does any of the DoH or other DNS stuff help with this at all?
                  Is the only solution to VPN out of Europe?
       
                    DeepSeaTortoise wrote 21 hours 45 min ago:
                    Only DNSCrypt provides any privacy. If you set up your
                    relays properly.
       
        herf wrote 1 day ago:
        Why is there only one "iCloud" to backup your iPhone and store photos?
        Lots of ADP users would use a corporate or self-hosted solution
        instead.
       
          snowwrestler wrote 23 hours 19 min ago:
          As far as I know you can still opt to backup your entire iPhone to a
          local computer instead of iCloud.
          
          You can also manually transfer photos to the computer. Or you can
          enable a different app (Google Photos or Dropbox for example) to
          store copies of every picture you take, and then turn off iCloud
          Photos.
          
          Note that neither Google nor Dropbox are E2E encrypted either though.
       
            varispeed wrote 23 hours 14 min ago:
            What would you recommend as a DIY method?
            
            I have a NAS that is accessible through VPN. But I don't trust its
            encryption, though it is in my controlled location.
       
              int_19h wrote 17 hours 17 min ago:
              The simplest arrangement for me was to have the device back up to
              my Mac, and then said Mac has Time Machine set up to back up to
              the NAS. iOS and Mac local backups can be encrypted by the OS
              itself.
       
              spacedcowboy wrote 22 hours 39 min ago:
              Doing it locally doesn't really help. The RIP bill can force you
              to disclose your own encryption keys to the UK government, and if
              you "forgot them" you can be put in jail as if you were convicted
              of whatever they're accusing you of.
              
              That's why cloud backup was useful.
              
              [edit: actually I mis-remembered this, it's "only" 2 years (or 5
              if it's national-security-related) that they'll jail you for.
              "Only" carrying a lot of water there...]
       
                varispeed wrote 18 hours 55 min ago:
                For this you can use truecrypt nested containers, so it will
                reveal data depending on your given password and there is no
                way to prove there is something else in the container.
                
                To be fair this should be standard.
       
          nobankai wrote 1 day ago:
          The reason is that Apple was never required by UK law to offer any
          alternative. I think the DSA intended to challenge that, but it would
          do nothing for UK residents.
       
        thraway3837 wrote 1 day ago:
        Could moves like this by other repressive regimes finally open the door
        to consumer-owned, consumer-controlled, decentralized cloud storage
        systems that are fully encrypted and inaccessible by any agency or
        individual except by the owner?
        
        Would be a beautiful thing to see. Not sure how storage would work
        though since you cannot take payment (that would make it centralized),
        and storage would have to be distributed, but by who?
       
          zimpenfish wrote 1 day ago:
          > inaccessible by any agency or individual except by the owner?
          
          I believe the UK already has "you must unlock anything we ask" as
          part of the RIP/2000[0].
          
          [0]
          
   URI    [1]: https://en.wikipedia.org/wiki/Regulation_of_Investigatory_Po...
       
        declan_roberts wrote 1 day ago:
        I don't get what's happening to civil liberty in Europe.
       
          dumbledoren wrote 13 hours 13 min ago:
          The empire is collapsing, so the chairs are being moved aside, the
          curtain behind the stage is being drawn and the ugly brick wall is
          being exposed...
       
          alt227 wrote 22 hours 58 min ago:
          We can drink alcohol in outdoor public places, can Americans?
       
            tekla wrote 17 hours 46 min ago:
            Yes.
       
            spacebanana7 wrote 22 hours 4 min ago:
            The problem is the decline. We had more liberties 10 years ago than
            we do today.
            
            Whether Americans are free or unfree shouldn’t distract us from
            this.
       
            15155 wrote 22 hours 5 min ago:
            This is specific to each municipality/state. The United States
            federally has no laws regarding the outdoor consumption of alcohol.
       
          anal_reactor wrote 1 day ago:
          At least we don't get to pee in the cup at work
       
          doublerabbit wrote 1 day ago:
          This was Brexit's doing. As we are no longer EU, we have our own cool
          rules such as the upcoming PM allowed to watch me take a piss law.
       
            sunaookami wrote 1 day ago:
            The EU is currently planning exactly the same thing with Chat
            Control.
       
              dumbledoren wrote 13 hours 12 min ago:
              EU isn't 'planning' anything like that. Some Euparl MPs backed by
              people like Ashton Kutcher tried to push a law to spy on all chat
              apps. Then when the dirty web of American-style regulatory
              manipulation was exposed, they backed off. It was a proposal for
              a law by some MPs. Not something 'EU' did.
       
                sunaookami wrote 8 hours 17 min ago:
                They backed off "for now". They have been trying this for ages, did
                you forget about ACTA and Von der Leyen's past censorship
                attempts in Germany? Have you read the DSA? Of course the EU is
                planning to go full authoritarian in the name of "protecting
                democracy".
       
              nickslaughter02 wrote 23 hours 22 min ago:
              What EU is planning with chat control is much worse. The UK still
              requires a warrant to access your iCloud data. EU wants to force
              companies to install spyware on your devices that will monitor
              whatever you send or receive in real time without any probable
              cause or suspicion.
       
            zimpenfish wrote 1 day ago:
            > This was Brexit's doing.
            
            Not really?  We've had horrors like the 2000 RIP[0] well before
            Brexit.  The Blair government made a huge dent in civil liberties
            and the Tories carried it on.
            
            [0]
            
   URI      [1]: https://en.wikipedia.org/wiki/Regulation_of_Investigatory_...
       
              Jigsy wrote 1 day ago:
              This is one of the reasons why I will never vote Labour.
              
              The UK has always hated not allowing people to self-incriminate,
              though...
       
                zimpenfish wrote 1 day ago:
                > This is one of the reasons why I will never vote Labour.
                
                The Tories are generally worse.  But I agree it's currently a
                case of "lesser of two evils".
       
                  Jigsy wrote 1 day ago:
                  I wouldn't vote for Tory either.
                  
                  I usually vote for Lib Dem. Though they do things from time
                  to time I don't like...
       
                    doublerabbit wrote 21 hours 59 min ago:
                    This is why Scotland needs independence. It was once and
                    with it chained by the UK, they're squeezing everything
                    they can. Look at Wales, just pets for the UK. Scotland is
                    an actually pretty awesome country but like Canada is kept
                    pet by a leader. The only thing that could save this
                    shitshow is Scotland getting independence. Let's be honest
                    here. You thought Boris Johnson was bad ripping holes left
                    right and center. Trump makes Boris look like a pet rat.
                    And that's an insult to real rats.
       
                      int_19h wrote 17 hours 6 min ago:
                      I may be wrong here, but my impression of Scottish
                      politics is that it's just as paternalistic and
                      nanny-state if not more so.
       
                        doublerabbit wrote 3 hours 51 min ago:
                        Yes and no. But Scottish politics are more
                        progressive.
                        
                        Ultimately Scotland is governed by the UK so any first
                        party rounds are annulled before they get a chance by
                        the UK.
       
          vroomvroomboom wrote 1 day ago:
          Nothing is happening to it. Governmental overreach, and then if
          people really want encryption they will vote in privacy-friendly
          officials. Here in Oregon, USA, we have Ron Wyden, who knows more
          about netsec than most IT graduates.
          
          As long as you can vote there is still civil liberty, just vote for
          the right people who care about this stuff.
       
            thenaturalist wrote 1 day ago:
            None of what you just said translates to any European country.
            
            None.
            
            Executive power is very representative, not direct, with the sole
            exception imo being Switzerland?
       
          GJim wrote 1 day ago:
          Pot, meet kettle!
          
          Frankly, our democracies are currently in a rather precarious state.
       
        piyuv wrote 1 day ago:
        This can set a dangerous precedent. Now why wouldn’t any country
        demand the same, basically eliminating Advanced Data Protection
        everywhere, making user data easily accessible to Apple (and therefore
        governments)?
       
          bananapub wrote 1 day ago:
          what do you mean?  other countries have demanded the same, e.g.
          China.
       
            juanpicardo wrote 1 day ago:
            China only requires it for their citizens. The UK asked for access
            to any person's data in the world.
       
          llm_nerd wrote 1 day ago:
          It isn't really a precedent. Companies, even high-rolling American
          tech companies, have to abide by the laws and regulations of the
          countries that they operate in. I guess there is a question of
          whether this is a legal demand that they truly had to follow, or just
          a request, and whether they could fight it in court, but Apple seems
          to be hoping to adjudicate it in the court of public opinion
          (apparently the initial backdoor request was secret and it got
          leaked).
       
            GeekyBear wrote 1 day ago:
            > abide by the laws and regulations of the countries that they
            operate in.
            
            In this case, the UK is seeking to use local law to change what is
            allowable on an international basis.
            
            That's a bit different than a nation controlling the law on their
            own soil.
       
              llm_nerd wrote 1 day ago:
              That was Apple's interpretation: that to comply with what the UK
              requested they would have to have the same thing everywhere.
              
              But of course that is nonsense, and Apple could theoretically
              have a nation-specific backdoor (e.g. for accounts in a given
              country a separate sequestered decryption key is created and kept
              in escrow for court order).
              
              I mean, Apple "complied" by disabling ADP just in the UK. They
              undermined their own "worldwide" claim, as ADP still works
              everywhere else, and the UK has no access.
       
                grahamj wrote 23 hours 4 min ago:
                > They undermined their own "worldwide" claim, as ADP still
                works everywhere else, and the UK has no access.
                
                Disagree. There is a difference between ADP being unavailable
                in one country and it working differently in that country.
                Implementing a backdoor would mean changing the way ADP works.
       
                kbolino wrote 23 hours 29 min ago:
                The keys are stored only in the Secure Enclave. Encryption and
                decryption are handled outside the standard CPU and OS. This is
                hardware-level protection, not just some flag on a cloud
                account to be flipped. The only way for Apple to break this
                system is to break it for everyone, since anything else would
                risk bleed over or insufficient compliance.
       
                GeekyBear wrote 23 hours 44 min ago:
                > of course that is nonsense
                
                Organizations like the EFF do not agree.
                
                > most concerning, the U.K. is apparently seeking a backdoor
                into users’ data regardless of where they are or what
                citizenship they have.
                
   URI          [1]: https://www.eff.org/deeplinks/2025/02/uks-demands-appl...
       
                  llm_nerd wrote 23 hours 42 min ago:
                  So Apple is non-compliant, given that all they did is disable
                  ADP in the UK.
                  
                  Right?
       
                    adgjlsfhk1 wrote 22 hours 46 min ago:
                    They're non-compliant but they made it a lot harder for the
                    UK to fight. By showing that the "backdoor" is disabling
                    the feature, for the UK to pursue this further, they need a
                    judge to rule that the UK has the authority to prevent an
                    American company from providing a feature in America.
       
                    spacedcowboy wrote 22 hours 57 min ago:
                    I think that's right, and I think the UK will tell them so,
                    and the issue will escalate.
                    
                    Perhaps, if the UK continues to push, Apple will indeed
                    pull out of the UK, but it'll make it as public as possible
                    and tell the world who it was that forced its hand and what
                    the consequences are - and I don't think the UK government
                    is going to like that result.
       
                    ziml77 wrote 23 hours 14 min ago:
                    IANAL but that's not for any of us to decide. Depending on
                    their initial motivations, the UK might consider this to be
                    enough to rescind the demand for a backdoor. If it's not
                    then Apple will face going to court and in that case they
                    could choose more extreme actions like ceasing business in
                    the UK.
       
          ziddoap wrote 1 day ago:
          The choice was either eliminate it now (globally, via introduction of
          a backdoor) or eliminate it in the UK (but keep it globally).
          
          So, perhaps this is a bit of a dangerous precedent, but it was the
          least-bad option.
       
            philsnow wrote 1 day ago:
            That’s a false dichotomy.
            
            Another choice, however unpalatable to all parties, would have been
            for Apple to stop doing business in the UK.
       
              bargainbin wrote 22 hours 39 min ago:
              I’m full in on Apple and hoped they nuked iCloud in the UK for
              this rather than compromise the product.
              
              This is still better than a back door but it sets an awful
              precedent.
       
              madeofpalk wrote 23 hours 36 min ago:
              > would have been for Apple to stop doing business in the UK
              
              Apple employs thousands of people in the UK. I really don't see
              any practical way they could have done that.
       
                spacedcowboy wrote 23 hours 1 min ago:
                They could
                
                They could pull out of the UK, and to hell with the
                consequences, but then if the EU decide to do the same thing,
                or the US, or China says "hold my beer", then the problem
                becomes much larger.
                
                Losing the UK market wouldn't impact Apple that much - it'd be
                a hit to the stock, of course, but as a fraction of worldwide
                business, it isn't that huge. Larger markets would be a bigger
                issue.
       
              netdevphoenix wrote 1 day ago:
              Why do pro-privacy tech folks on here act like Apple is some
              charity? Apple is a business. It won't fight a citizen's fight on
              your behalf. It is on citizens to use their democratic power to
              ensure their representatives act as the voting base wants.
              Apple's goal is to make money. The government is a representation
              of your will.
       
                v3xro wrote 19 hours 3 min ago:
                Because while a business goal is to make money, it is not
                necessarily, unlike what you have 80% of the people here
                believe, to make the most money possible. Ethics can exist in
                businesses too.
       
                  aqueueaqueue wrote 18 hours 59 min ago:
                  This, plus privacy is in Apple's brand. Without this and
                  other Apple-esque things (lack of bloatware etc.) you may as
                  well get a Samsung for 2/3 price.
       
                haswell wrote 1 day ago:
                > Apple is a business. It won't fight a citizen's fight on your
                behalf.
                
                Being a business does not remove ethical considerations. And
                in an environment where corporations are considered people,
                it seems reasonable to expect some degree of alignment with
                normal citizens.
                
                > Apple's goal is to make money. The government is a
                representation of your will.
                
                The government is increasingly not a representation of the
                collective will, and is instead captured by those corporations.
                
                I can’t help but feel the “but they exist to make money”
                line too often ignores the many ways this is not a sufficiently
                complex explanation of the situation.
       
                  lowbloodsugar wrote 23 hours 46 min ago:
                  lol. It literally does. This is a great example. You believe
                  this is an ethical issue. Other shareholders (you are a
                  shareholder, right?) could disagree and now there is a
                  lawsuit. “Complying with national law” seems like an easy
                  win for them.
       
                  kennysoona wrote 23 hours 48 min ago:
                  > where corporations are considered people,
                  
                  People always get this wrong. Corporations are not people.
                  They just have certain rights like owning property. Corporate
                  personhood != full personhood.
       
                  netdevphoenix wrote 23 hours 49 min ago:
                  Corporations are people in the legal sense not in any other
                  philosophical way. Just like non-humans proposed for
                  personhood, they are not entities expected to behave
                  ethically. Like a dog, you set rules and apply punishments
                  when they breach it. You don't argue ethics with a dog
                  because they are not relevant to them
       
              ziddoap wrote 1 day ago:
              See my other reply.
              
              They could also sell the entire business to Google. Why bother
              with listing options even worse for everyone involved?
       
                v3xro wrote 1 day ago:
                I mean they could have tried not complying, and fighting a
                lawsuit at the ECHR (right of every person to a private life).
                Takes money and time but more attractive than the other
                options.
       
                  ziddoap wrote 1 day ago:
                  It's less attractive, riskier, and more costly of a decision
                  for Apple. Apple is a corporation, not an altruist.
                  
                  This play by Apple applies pressure to the UK government
                  indirectly via its citizens, for free, rather than taking the
                  risk and expenses of a lawsuit.
       
            piyuv wrote 1 day ago:
            When UK demanded a backdoor to e2ee in iMessage, Apple told them
            they’d rather get out of UK. Why not do the same here? You’re
            posing a false dichotomy.
       
              GeekyBear wrote 1 day ago:
              > Apple told them they’d rather get out of UK
              
              To my knowledge, Apple has always said that their response would
              be to withdraw affected services rather than break encryption.
              
              > Apple has said planned changes to British surveillance laws
              could affect iPhone users’ privacy by forcing it to withdraw
              security features, which could ultimately lead to the closure of
              services such as FaceTime and iMessage in the UK.
              
   URI        [1]: https://www.theguardian.com/technology/2023/jul/20/uk-su...
       
                piyuv wrote 1 day ago:
                True! Thanks for the correction.
                
                IMO they could’ve categorized the whole iCloud service as
                “affected” and disable all of it.
       
                  GeekyBear wrote 1 day ago:
                  My guess is that the order they received would have only
                  affected encrypted device backups, at least so far.
                  
                  Users in the UK do still have the option to perform an
                  encrypted backup to their local PC or Mac.
       
              ziddoap wrote 1 day ago:
              What would that change, effectively, other than have Apple lose
              money?
              
              The UK would still lose ADP (and then also just Apple products in
              general). A precedent would still be set.
              
              You're posing a strictly worse third option. Sure, it's an option,
              I guess. Apple could also just close down globally, as a fourth
              option. Or sell off to Google as a fifth. But I was trying to
              present the least-bad option (turn off ADP), rather than an
              exhaustive list.
       
                elfbargpt wrote 1 day ago:
                I totally get your point, but calling the UK's bluff could
                work. Are they really willing to ban Apple products in the UK?
                Maybe, maybe not
       
                  maeil wrote 14 hours 51 min ago:
                  Depends on if the US emperor and his cronies have the UK's
                  backs on this issue. If they don't, calling the bluff would
                  work, there's zero chance the UK gov would ban Apple products
                  without US approval. The backlash among the public would be
                  far worse than the TikTok ban. Imagine all companies using
                  Macs. The order of power here is US > Apple > UK.
       
          JKCalhoun wrote 1 day ago:
          Wait, are you saying the U.S. might demand the same? In the current
          political environment?
       
            piyuv wrote 1 day ago:
            UK is much smaller than US and they didn’t even fight this
            ¯\_(ツ)_/¯
       
        world2vec wrote 1 day ago:
        I regret immensely not having turned on ADP before... Now I'm feeling
        really angry at this whole thing.
       
          kennysoona wrote 1 day ago:
          If you care, then it's time to ditch iPhone and Android phones
          altogether. It's not like anything they offer will be safe. You need
          to invest instead in a FairPhone with e/OS or a PinePhone or some
          similar alternative. Something where you have complete control of the
          software and ideally the hardware.
       
          tomwphillips wrote 1 day ago:
          The article reports that it will be disabled for existing users at a
          later date.
       
            basisword wrote 1 day ago:
            I'm guessing this is because they haven't figured out a way to do
            it yet. I'm not very well versed in how these systems work but
            surely this type of encryption can't be disabled by Apple remotely
            (or they would have that backdoor they don't want)?
       
              robinhouston wrote 1 day ago:
              The Bloomberg article has a little more detail about this:
              
              > Customers already using Advanced Data Protection, or ADP, will
              need to manually disable it during an unspecified grace period to
              keep their iCloud accounts. The company said it will issue
              additional guidance in the future to affected users and that it
              does not have the ability to automatically disable it on their
              behalf.
       
                snowwrestler wrote 23 hours 23 min ago:
                The “grace period” will also function nicely as a period of
                time for UK citizens to shout at their government
                representatives about this.
       
                basisword wrote 1 day ago:
                Wow, thanks for sharing! I thought that might be the case but
                "disable it or we'll have to nuke your data" seems so extreme I
                thought there must be a better way.
       
                  int_19h wrote 17 hours 20 min ago:
                  Anything else would be indicative of ADP encryption not
                  working the way they said it does.
       
                  george_perez wrote 23 hours 56 min ago:
                  I'm thinking that losing their iCloud account just means
                  it will be blocked from syncing anything with Apple's
                  servers.
       
              neilalexander wrote 1 day ago:
              They will either just automatically turn it off in a future
              device software update, or they'll just post a deadline after
              which they will delete user data and prevent sync if it isn't
              disabled by the user.
       
          dmix wrote 1 day ago:
          Here's how:
          
          On iPhone or iPad
          
              Open the Settings app.
          
              Tap your name, then tap iCloud.
          
              Scroll down, tap Advanced Data Protection, then tap Turn on
          Advanced Data Protection.
          
              Follow the onscreen instructions to review your recovery methods
          and enable Advanced Data Protection.
          
          On Mac
          
              Choose Apple menu > System Settings.
          
              Click your name, then click iCloud.
          
              Click Advanced Data Protection, then click Turn On.
          
              Follow the onscreen instructions to review your recovery methods
          and enable Advanced Data Protection.
       
            soraminazuki wrote 1 day ago:
            Unfortunately, the title says
            
            > Apple pulls data protection tool after UK government security row
       
              doublerabbit wrote 1 day ago:
              Can confirm.
              
              "Apple can no longer deliver ADP in the United Kingdom to new
              users" with the enable button disabled.
       
              dmix wrote 1 day ago:
              Only in the UK, everyone else should still do it. Not on by
              default
       
                grahamj wrote 22 hours 56 min ago:
                Apple should start prompting users to enable it.
       
                  dmix wrote 22 hours 40 min ago:
                  probably avoiding the support issues of users losing access
                  to encryption key recovery
       
          matthewdgreen wrote 1 day ago:
          The best time to turn on ADP was before this happened. For folks not
          in the U.K., the second best time is right now. The more people who
          use it, the more disruptive it will be to turn off.
          
          Keep in mind there are some risks with any E2EE service! You’ll
          need to store a backup key or nominate a backup contact, and
          there’s a risk you could lose data. Some web-based iCloud services
          don’t work (there is a mode to reactivate them, with obvious
          security consequences). For what it’s worth, I’ve been using it
          for well over a year (including one dead phone and recovery) and from
          my perspective it's invisible and works perfectly.
       
        lrdd wrote 1 day ago:
        As a citizen, I don’t understand what the UK government thinks they
        are getting here - other than the possibility of leaks of the
        nation’s most sensitive data.
        
        Also is it not possible to set up my Apple account outside of the UK
        while living here?
       
          retinaros wrote 8 hours 1 min ago:
          Full control over everyone they deem an opponent. In the UK, being
          deemed an opponent is about posting the wrong meme or even standing
          in the wrong street at the wrong moment.
       
          tick_tock_tick wrote 17 hours 28 min ago:
          The UK is arresting people for posting memes. They want full control
          and that's it.
       
          mr_toad wrote 19 hours 4 min ago:
          > Also is it not possible to set up my Apple account outside of the
          UK while living here?
          
          The ability to turn on Advanced Data Protection does seem to be tied
          to your iCloud region (as of now I can still turn it on, and I’m in
          the UK but have an account from overseas).
       
          varispeed wrote 23 hours 18 min ago:
          It's for Labour "data analysts" to go through people photos and
          search for nudes.
       
          vr46 wrote 1 day ago:
          You need a non-UK card to use on your Apple Account to change its
          region.
       
            dawnerd wrote 1 day ago:
            Would a Wise card work?
       
              mr_toad wrote 18 hours 47 min ago:
              You need proof of address.
       
              gambiting wrote 23 hours 23 min ago:
              No, because it still has a British billing address.
       
          feb012025 wrote 1 day ago:
          I don't know, they've definitely been cracking down on journalists
          over the past year. Could be an attempt to crack down harder / create
          a chilling effect
       
            lucasRW wrote 22 hours 20 min ago:
            They've been sending people to prison for posting memes....
       
              mr_toad wrote 18 hours 52 min ago:
              Memes with illegal content.  It’s not hard to imagine creating
              a meme that would have the FBI knocking on your door.
       
          GJim wrote 1 day ago:
          >  other than the possibility of leaks of the nation’s most
          sensitive data
          
          Amusing when you consider the National Cyber Security Centre (NCSC, a
          part of GCHQ), along with the Information Commissioners Office, both
          publish guidance recommending, and describing how to use, encryption
          to protect personal and sensitive data.
          
          Our government is almost schizophrenic in its attitude to encryption.
       
            Am4TIfIsER0ppos wrote 16 hours 44 min ago:
            That's because GCHQ knows they can kill if you refuse to decrypt so
            they have no problem suggesting it to you.
       
            Macha wrote 22 hours 32 min ago:
            I mean, this is no different than one part of the government
            suggesting running laundry at night to reduce the environmental
            impact of energy use, while another suggests only running it while
            awake to reduce fire hazard. Governments and corporations rarely
            have complete internal alignment.
       
            wrs wrote 23 hours 10 min ago:
            In the US, the NSA has always had both missions (protect our
            country’s data and expose every other country’s data). Since
            everyone uses the same technology nowadays, that’s a rather hard
            set of missions to reconcile, and sometimes it looks a little
            ridiculous. As of fairly recently, they have a special committee
            that decides how to resolve that conflict for discovered exploits.
       
            palmotea wrote 1 day ago:
            > Our government is almost schizophrenic in its attitude to
            encryption.
            
            Of course: it's not a monolithic entity. It's a composite of
            different parts that have different goals and interests.
       
              spwa4 wrote 23 hours 57 min ago:
              And yet if I steal your money and refuse to give it back, or let
              you steal it back, you'll call that hypocritical. What does the
              size of an entity have to do with whether this is idiotic or not?
       
                palmotea wrote 23 hours 21 min ago:
                >> Of course: it's not a monolithic entity. It's a composite of
                different parts that have different goals and interests.
                
                > And yet if I steal your money and refuse to give it back, or
                let you steal it back, you'll call that hypocritical.
                
                That's a bad analogy.
                
                > What does the size of an entity have to do with whether this
                is idiotic or not?
                
                Because it's not about the size, and I said nothing about the
                size. It's about it being composed of different minds,
                organized into different organizations, focused on different
                goals.
                
                It's just not going to behave like one mind (without a lot of
                inefficiency, because you'd need literal central planning),
                because that's not the kind of thing that it is.
       
                pjc50 wrote 23 hours 47 min ago:
                You're not an entity, you're a person. Scale really does make a
                difference.
       
                  spwa4 wrote 23 hours 30 min ago:
                  You're making the argument that the UK government will stop
                  using encryption itself once the information about this
                  becoming illegal makes it through the government.
                  
                  It won't. The courts will refuse to force them to stop, and
                  even if the courts attempt to force it, some government
                  departments just won't listen, and be protected from the
                  consequences.
                  
                  This is another case of "the law applies to you, but not to
                  me".
       
                    pjc50 wrote 21 hours 28 min ago:
                    The law is that encrypted comms must be provided to the
                    security services on request. This is not a problem for
                    government agencies. It is not illegal per se.
       
                      spwa4 wrote 3 hours 50 min ago:
                      I went digging a bit. No. You're wrong. You cannot
                      substitute the law we're discussing with something else.
                      If the law truly is that encrypted comms must be provided
                      to the security services upon request, then Apple
                      Encryption is not a problem. Security services simply
                      should ask the owner of the iCloud account ...
                      
                      So that's NOT what the law says.
                      
                      The law says that private sector entities cannot have
                      effective encryption (so NOT government agencies). Why do
                      I put it like that? Because it MUST be possible for the
                      security services to get access to any data they can
                      intercept in any way WITHOUT telling/alerting the
                      participants. They must be able to ALTER those
                      communications. Or to make it more practical: any
                      software maker MUST be able to provide access to any data
                      the security services physically intercept, encrypted
                      hard drives, ssh capture ... anything. And no, there is
                      no exception for open source software.
                      
                      ANYONE who puts this in software is criminally liable, as
                      well as any firm (director/...) of any firm that has
                      software doing this:
                      
                          // we're done with the key for this session,
                          // erase the key
                          key := 0
                      
                      Obviously this means any government agency that runs a
                      https website is violating this law. Publish an iOS app?
                      Violation! (you're using encryption that is designed not
                      to let anyone, including you yourself, alter the app on
                      the wire). Publish an Android app? Same. Publish a
                      fucking rpm package on yum? (the signing code obviously
                      violates this law). A fucking garbage collector violates
                      this law. BUT ...
                      
                      But there is one VERY specific limitation. Only the
                      government gets to complain about this, and obviously,
                      there are zero plans to enforce this equally. The
                      government sure as hell is not planning to actually put
                      in the effort to make the encryption they use compliant
                      with this law. It's just to get at the contents of
                      confiscated hard drives. It's just to force foreign
                      companies to unlock phones that have been confiscated.
                      
                      Oh and there's stricter punishments if you tell anyone
                      you're complying with this. This law can be used to
                      arrest Linus Torvalds until he backdoors encrypted loop
                      devices, and threaten him with decades in prison if he tells
                      anyone he's done that.
                      
                      And can I just say? If this law was put, properly
                      explained, to the people of the UK, there's no way it
                      would get 50% of the vote.
       
            hkwerf wrote 1 day ago:
            I suppose they don't believe certain facts engineers are telling
            them. With Brexit it was coined "Project Fear". Now they're being
            told that adding backdoors to an encrypted service almost
            completely erodes trust in the encryption and, as in the case with
            Apple here, in the vendor. However, I suppose it is very hard to
            find objective facts to back this. I'd guess this is why Apple
            chose to both completely disable encryption and inform users about
            the cause.
            
            Now we're probably just waiting for a law mandating encryption of
            cloud data. Let's see whether Apple will actually leave the UK
            market altogether or introduce a backdoor.
       
            gjsman-1000 wrote 1 day ago:
            Correct me if I'm wrong here, and maybe this is too charged for HN,
            but looking over at you guys from the US:
            
            The US has problems (don't get me wrong, look at our politics,
            enough said); but the UK seems to be speedrunning a collapse. The
            NHS having patients dying in hallways; Rotherham back in the
            popular mind; a bad economy even by EU standards; a massive talent
            exodus (as documented even on HN regarding hardware engineers); a
            military in the news for being too run down to even help Ukraine;
            and most relevant to this story - the government increasingly
            acting in every way like it is extremely paranoid of the citizens.
            
            Any personal thoughts?
       
              lucasRW wrote 22 hours 20 min ago:
              Many people think like you. Western Europe in general has been
              destroyed by a certain ideology, and whoever can emigrate does
              emigrate.
       
              pjc50 wrote 23 hours 42 min ago:
              There's a lethargy, but it's hardly speedrunning. Things will be
              the same or slightly worse in a decade. I'm not sure I can say
              the same for the US, it seems different this time.
              
              > The NHS having patients dying in hallways
              
              Sadly routine in winter. Nobody wants to spend the money to fix
              this. Well, the public want the money spent, but they do not want
              it raised in taxes.
              
              >  Rotherham back in the popular mind
              
              The original events were between 1997 and 2013. The reason
              they're back in the mind is the newspapers want to keep them
              there to maintain islamophobia. Other incidents (more recently
              Glasgow grooming gangs) aren't used for that purpose.
              
              > a bad economy even by EU standards
              
              Average by EU standards. But stagnant, yes.
              
              > the government increasingly acting in every way like it is
              extremely paranoid of the citizens.
              
              They've been like this my entire life. Arguably it was a bit
              worse until the IRA ceasefire. Certainly the security services
              have been pushing anti-encryption for at least three decades.
       
              NegativeLatency wrote 23 hours 58 min ago:
              Seems like the US is trying to catch up, especially with the
              whole talent exodus thing and defunding of vital research
              funding.
       
              munksbeer wrote 1 day ago:
              I'm an immigrant to the UK. I have lived here permanently for 21
              successive years, though I was actually in and out of the UK for
              years before that. My current anecdotal feeling about the UK is
              at a pretty low point.
              
              If it was an option, I would seriously look to emigrate again,
              but I honestly don't know where. The most appealing option for me
              is Australia, but my age works against me. I know everywhere has
              its issues, but I'm just so worn down by the horrible adversarial
              political system and gutter press in the UK right now. We seem
              unable to do anything of note recently. A train line connecting
              not very much of the UK has cost so much money, and in the end it
              hasn't even joined up the important part.
              
              I don't know, life is good at a local level. I am privileged and
              live in a fantastically beautiful town, and life here is safe and
              friendly. If I ignored everything else for a while it would
              probably do me good.
       
                fdb345 wrote 22 hours 1 min ago:
                Like most immigrants you were sold a lie.   Enjoy.
       
                  munksbeer wrote 21 hours 17 min ago:
                  Sorry? The UK has been an amazing place for me. It still is,
                  when I focus locally, instead of being swept up by everything
                  else.
                  
                  Are you also an immigrant to the UK? I suggest you embrace
                  it.
       
                    fdb345 wrote 6 hours 16 min ago:
                    Go home.  We don't want you.  Haven't you noticed yet?
       
                DeepSeaTortoise wrote 22 hours 9 min ago:
                Australia is hardly any better. E.g. it forces software
                engineers to try to sneak backdoors into the software they're
                working on.
                
                Imagine hiring someone you didn't know had an Australian dual
                citizenship and two years later all your customers' data is
                leaked onto the net.
       
                  denismi wrote 7 hours 53 min ago:
                  Australian law explicitly prohibits requests that have
                  someone "implement or build a systemic weakness, or a
                  systemic vulnerability, into a form of electronic protection"
                  - including any request to "implement or build a new
                  decryption capability", anything which would "render
                  systematic methods of authentication or encryption less
                  effective", anything aimed at one person but could
                  "jeopardise the security or any information held by another
                  person", anything which "creates a material risk that
                  otherwise secure information can be accessed by an
                  unauthorised third party".
                  
                  This UK request as reported would not be legal in Australia.
       
                    nickslaughter02 wrote 3 hours 9 min ago:
                    Since 2018:
                    
                    > Technical Capability Notices (TCNs): TCNs are orders that
                    require a company to build new capabilities that assist law
                    enforcement agencies in accessing encrypted data. The
                    Attorney-General must approve a TCN by confirming it is
                    reasonable, proportionate, practical, and technically
                    feasible.
                    
                    > It’s that final one that’s the real problem. The
                    Australian government can force tech companies to build
                    backdoors into their systems.
                    
   URI              [1]: https://www.schneier.com/blog/archives/2024/09/aus...
       
                      denismi wrote 2 hours 11 min ago:
                      Yes. Since the 'Telecommunications and Other Legislation
                      Amendment (Assistance and Access) Bill 2018' which I was
                      directly quoting from, and explicitly prohibits systemic
                      backdoors.
                      
                      That blog's own reference points this out:
                      
                      > Regular use of encryption as electronic protection,
                      such as online banking or shopping, is not of primary
                      concern in the Act. To reinforce this, the Act includes
                      safeguards between government and industry, such as
                      restricting backdoors and decryption capabilities,
                      preventing the creation of systemic weaknesses, and
                      accessing communication without proper jurisdiction,
                      warrants, or authorisations.
                      
                      So I can only assume that the author is either too lazy
                      to bother reading their own reference in full (let alone
                      researching the topic of their blog), or is being
                      knowingly dishonest.
       
              captain_coffee wrote 1 day ago:
              Yes - that is my impression as well as someone currently living
              in London.
              Literally every single system that I have to interact with seems
              to be somewhere on the spectrum between barely functioning and
              complete dysfunctionality, with very few exceptions that
              come to mind.
              By system in this context I mean every institution, service
              provider, company, business... everything.
              Couple that with low salaries across the board - including the
              "high paying tech jobs in London" with price increases that are
              out of control with no reason to believe this is ever going to
              stop you end up with a standard of living significantly lower
              than let's say for example the EU countries of Eastern Europe.
              Currently trying to figure out where to go next
       
                card_zero wrote 23 hours 13 min ago:
                Well Albanians apparently want to live in Norwich, leading to a
                bizarre anti-propaganda campaign with bleak black-and-white
                photography to convince them it's horrible. [1] Probably your
                money would go further in Albania, and they've got a cool flag,
                but the devil's in the details.
                
   URI          [1]: https://www.bbc.com/news/articles/c99n0x4r17mo
       
                  captain_coffee wrote 22 hours 13 min ago:
                  I was referring to EU [European Union] countries. Albania is
                  not in the EU so I am not sure what the point of your comment
                  was besides trolling
       
                    card_zero wrote 22 hours 7 min ago:
                    It isn't? Huh, you're right, a lot of the Balkans aren't, I
                    did not know that.
                    
                    I don't think anywhere in the EU really describes itself as
                    Eastern Europe, though. That's Ukraine, Belarus, Moldova.
                    So really just Romania, sometimes.
       
                      captain_coffee wrote 22 hours 1 min ago:
                      Literally quite a significant number of EU countries
                      describe themselves as Eastern European, what you said is
                      factually wrong.
                      At this point I am considering your replies as either
                      trolling or interacting in bad faith.
       
                        card_zero wrote 21 hours 59 min ago:
                        Can't I just be incorrect?
                        
                        For my education, which countries?
       
          world2vec wrote 1 day ago:
          You need a valid payment method from that country and then cancel all
          current subscriptions and change to that new country/region.
       
            mr_toad wrote 18 hours 54 min ago:
            You’ll probably want a method of downloading apps tied to the UK
            app store though - particularly banking apps.
       
            chatmasta wrote 1 day ago:
            btw, anyone know if this cancels Apple+ Support too? I’ve been
            resisting switching countries because I don’t want to lose that
            subscription since you can only subscribe within 60 days of device
            purchase.
       
        jiriknesl wrote 1 day ago:
        I wonder, what are the alternatives now?
        
        Tresorit? Self-hosted Nextcloud?
       
          scarface_74 wrote 1 day ago:
          It’s really not that complicated and none of those options can
          serve as an adequate backup for iOS devices including app data and
          meta data.
          
          Just back up your phone to your computer via iTunes (Windows) or the
          built in facility on Macs
       
          fguerraz wrote 1 day ago:
          There is no alternative really as only iCloud can back-up your
          settings, saved networks, and apps data.
          
          Other apps like Nextcloud, can only backup documents (those not in
          apps) and pictures, because there's an API for this.
          
          iTunes backup is an option, but it's not automatic and convenient.
       
            alt227 wrote 22 hours 59 min ago:
            Is that true? Only iCloud can back up an iPhone? They don't provide
            any way to even extract an encrypted archive so you can keep it
            safe for yourself?
            
            I get more and more amazed at Apple's lock-in tactics. This is why I
            own nothing Apple, and have complete control over everything in my
            digital world.
       
              nikisweeting wrote 21 hours 31 min ago:
              iTunes backup is a perfectly reasonable alternative to iCloud that
              retains e2ee, I don't know why they were dissing it. It can back
              up everything that iCloud can and it's automatic, you just plug
              your phone in, no lock in tactics.
       
              SSLy wrote 22 hours 53 min ago:
              No, you can use iTunes to make a local backup too. It was a thing
              long before iCloud.
       
                alt227 wrote 21 hours 51 min ago:
                Fair enough, however iTunes is also Apple software no?
                
                So your choice is use Apple software to make your backups,
                or....?
       
                  int_19h wrote 17 hours 11 min ago:
                  Interacting with any device running iOS requires Apple
                  software (or reverse engineered hacks) for many features.
                  
                  However, in this case, the point is that you can use Apple
                  software to make a local backup (and you can enforce the
                  "local" part by doing so offline), and then use whatever you
                  want to encrypt and stash away the resulting files.
       
                  SSLy wrote 21 hours 45 min ago:
                  well, yeah, iPhones could be a bit more open, and I wish they
                  were. But there's no real way for UK to force Apple into
                  adding backdoors into that.
       
            dmix wrote 1 day ago:
            It encrypts your entire phone backups as well
       
        connorgurney wrote 1 day ago:
        Really disappointed that our government decided to take such a stance.
        
        What are people using when self-hosting services in the scope of iCloud
        nowadays? Nextcloud seems the closest comparable service.
       
          alt227 wrote 22 hours 54 min ago:
          If you own an iPhone then nothing can come close to the feature set
          of iCloud. Apple just have it on lockdown and don't expose the
          functionality that would be needed for a competitor to take advantage
          of this.
          
          A great time for all people to jump to Android IMO and experience the
          freedom of choice it gives you.
       
        LuciOfStars wrote 1 day ago:
        Not gonna lie, I expected Apple to just kind of roll over and take the
        blow on this one. Interesting.
       
          eugenekolo wrote 19 hours 38 min ago:
          They heavily compete on "privacy" and "security", so I wouldn't
          expect them to. Additionally, once you start rolling with one
          government, every one wants you to do something for them while
          offering you no additional money for the work and weakening of your
          project.
       
          madeofpalk wrote 23 hours 34 min ago:
          They did. They're giving the UK Government a backdoor to all UK
          users.
          
          Apple lost here.
       
            gormandizer wrote 23 hours 1 min ago:
            But Apple is not giving the UK Government anything they didn't
            already have. Now iCloud encryption will function in the UK just as
            it has for years (decades?) before the inception of ADP.
       
            balozi wrote 23 hours 5 min ago:
            Technically, they are leaving the front door open to all interested
            parties
       
          ben_w wrote 1 day ago:
          If any of the tech firms would resist, it would be Apple.
          
          I wasn't sure which way they'd go.
       
            scarface_74 wrote 1 day ago:
            While Apple especially under Tim Cook has done a lot of questionable
            acquiescences under Cook for political expediences, they really
            didn’t have a choice here.  It was the law.
            
            Now going back on Twitter to get in the good graces of President
            Musk and bringing TikTok back to the AppStore even though it is
            clearly against the law is different.
       
              busymom0 wrote 1 day ago:
              > they really didn’t have a choice here
              
              They did have a choice. They could have said they will just get
              out of UK. That would have resulted in enough political turmoil
              in UK that their government would roll back this stupid law.
              Apple chickened out.
       
                scarface_74 wrote 1 day ago:
                If the UK wants the law to change, that’s up to the citizens
                of the UK.  These are the people they elected.
                
                Don’t expect Apple to rescue the UK citizens from their
                own choices.
       
                  busymom0 wrote 1 day ago:
                  So, Apple will just give in to whoever is in power? They were
                  not this soft in the San Bernardino case when FBI asked them
                  to unlock a phone.
       
                    ben_w wrote 1 day ago:
                    > So, Apple will just give in to whoever is in power?
                    
                    This is definitionally why a country is sovereign and a
                    company isn't.
                    
                    > They were not this soft in the San Bernardino case when
                    FBI asked them to unlock a phone.
                    
                    FBI has to follow the laws of the USA.
                    
                    The UK writes the laws of the UK, which Apple (if they want
                    to operate in the UK) has to follow.
       
                    scarface_74 wrote 1 day ago:
                    The FBI doesn’t create laws. If Congress had passed a
                    law then you would have a good analogy.
                    
                    Yes Apple follows the laws of every country it operates in
                    just like any other company.
       
                      maeil wrote 14 hours 34 min ago:
                      Apple absolutely does not follow the laws of every
                      country it operates in, else TikTok wouldn't be back on
                      the App Store.
       
                        scarface_74 wrote 12 hours 0 min ago:
                        If only I had thought about that, I might have
                        mentioned it.
                        
                        Oh wait [1]
                        
                        > Now going back on Twitter to get in the
                        good graces of President Musk and bringing TikTok back
                        to the AppStore even though it is clearly against the
                        law is different.
                        
   URI                  [1]: https://news.ycombinator.com/item?id=43128684
       
                          maeil wrote 7 hours 58 min ago:
                          Then why subsequently say that they follow the laws
                          of every country they operate in? They don't, so
                          whether the FBI makes the laws is not relevant.
       
                      ImJamal wrote 1 day ago:
                      There is an easy way to avoid having to follow laws of a
                      country. Don't operate in that country.
       
                        ben_w wrote 19 hours 54 min ago:
                        If you don't want to be sued by activist investors, you
                        need a good reason for that, and to be able to tell
                        those investors what else you tried first before
                        escalating that far if you eventually do pull out of a
                        market.
       
                nobankai wrote 1 day ago:
                Abandoning the UK market would hurt Apple more than it would
                hurt the UK. They are not a nation-state, Apple cannot wage
                diplomacy by threatening the government, they can only shoot
                their own foot off and say it was for the good of everyone.
                
                It would also partially validate the EU's regulation if they
                abandoned the UK but stayed in Europe. Apple very much doesn't
                want to feed either side a line.
       
                  busymom0 wrote 1 day ago:
                  They could have started with not offering iCloud at all in
                  UK. See how the blowback gets UK government to play ball and
                  rollback the law.
                  
                  It may have hurt Apple in the short term but helped in the
                  long term.
       
                    thewebguyd wrote 23 hours 2 min ago:
                    Then instead of mandating a backdoor to cloud data, the UK
                    would just mandate backdoor access to the devices
                    themselves, again forcing Apple's hand to either comply or
                    GTFO, if they want it bad enough.
                    
                    We're losing the fight, and people are as apathetic as ever
                    around privacy and security issues.
                    
                    Besides, never trust E2EE where you don't control both
                    ends, but everyone here should have already known that.
       
        Retr0id wrote 1 day ago:
        As someone currently a citizen of the UK, what are my best emigration
        opportunities?
       
          mtrovo wrote 22 hours 31 min ago:
          You do realise that the UK government is, and always has been,
          notorious for surveillance. They haven't changed since before WW2 and
          probably never will, even if Apple suddenly decides to play hardball
          with them.
          
          And to be very, very honest, if you look across the Five Eyes
          nations, I don't think this is much different from what other
          countries deal with when it comes to access to data. You had PRISM,
          the trick of asking other countries for access to their own citizens'
          data to avoid scrutiny, and Apple delaying the implementation of E2E
          in the US after federal agencies got pissed about it. The list goes
          on for a long time. At least in the UK, the government is so detached
          from commoners' hurt feelings that they ask for what they want
          explicitly, with no fear of political consequences.
       
            Retr0id wrote 22 hours 8 min ago:
            The fact that it's always sucked is precisely why I want to leave.
       
          miroljub wrote 1 day ago:
          If you value personal freedoms, you should go to East Europe. The
          more to the east, the better. Snowden went to Russia.
       
            int_19h wrote 16 hours 59 min ago:
             [1]
            
   URI      [1]: https://en.wikipedia.org/wiki/SORM
   URI      [2]: https://en.wikipedia.org/wiki/Roskomnadzor
       
            pelorat wrote 22 hours 28 min ago:
            Kremlin has full access to every service operating in Russia. If a
            service is banned in Russia, that's a service you should use. If
            it's not banned, it already has a backdoor.
       
            filoleg wrote 23 hours 39 min ago:
            Snowden didn’t go to Russia because of the government there
            “valuing personal freedoms,” he went there because it is one of
            the very few major countries that absolutely will not cooperate
            with any extradition requests from western countries.
            
            If you are thinking of going to east europe (and especially Russia)
            in search of personal freedoms, I got a bridge to sell you (for
            context, I grew up in Russia). The only “freedom” some of those
            countries might provide is the freedom from the long reach of the
            hands of western governments (and even that is a “maybe”, as
            Andrew Tate has been discovering recently).
       
            bmicraft wrote 1 day ago:
            freedom to _what_? Corruption is high, media is pretty restricted
            under Orban, and it doesn't look all that great for freely
            expressing your identity either. Whether Poland will follow their
            direction or manage to turn around is still up in the air.
            
            You're only more "free" there if you have the money to bribe
            officials.
       
            ben_w wrote 1 day ago:
            > Snowden went to Russia.
            
            He was stuck in an airport when his passport got cancelled. It's
            not really a free choice if you can't go anywhere else, and planes
            suspected of carrying you get forced to land, even if by virtue of
            being denied airspace access until they run out of fuel.
            
   URI      [1]: https://en.wikipedia.org/wiki/Evo_Morales_grounding_incide...
       
          donohoe wrote 1 day ago:
          Ireland might be an easy option.
          
          UK citizens do not need a visa or residency permit to live and work
          in Ireland due to the Common Travel Area (CTA) agreement
       
          SSLy wrote 1 day ago:
          Dublin?
       
          readthenotes1 wrote 1 day ago:
          Wasn't this in line with JD Vance's European Eulogy last week, that
          we shouldn't be using 1984 as a playbook?
       
            i2km wrote 22 hours 13 min ago:
            1984 could only ever have been written by an Englishman
       
          princetman wrote 1 day ago:
          Depends on what you’re after 
          * Australia
          * United States
          * Singapore
          * Dubai
          * Europe (Belgium/Switzerland/Netherlands)
       
            ben_w wrote 1 day ago:
            Of the whole list, if the Investigatory Powers Act is what you
            didn't like, I'd pick Switzerland first, then Belgium/Netherlands.
            
            Of course, that assumes you're fluent in the local languages. Hoe
            goed spreekt u Nederlands?
            
            I made a jump to Germany in 2018, and, thanks to learning a new
            language, have had a front-row seat to how flat the real Dunning
            Kruger effect really is: [1]
            
            Dubai, even as an international hub
            where you may be able to get by with English — لا تضيع
            وقتك باستخدام دولينجو لتعلم اللغة
            العربية، لقد حاولت خلال الوباء وما
            زلت لا أعرف الأبجدية — is much more
            authoritarian than the UK. Similar for Singapore.
            
            If you're monolingual, and privacy is your concern, then the US is
            an improvement over Australia.
            
            But also consider Canada and Ireland.
            
            Ireland isn't in Five Eyes, Canada is, but also Canada is slightly
            further away from the madness of Trump etc. than any company still
            inside the USA.
            
            I'm not even sure what's going to happen with the US federal
            government given that DOGE cannot meet its stated goals even by
            deleting all discretionary-budget federal agencies like the NSA,
            CIA, FBI, all branches of the armed forces, etc. but on the other
            hand the private sector is busy doing a huge volume of spying
            anyway in the name of selling adverts… chaos is impossible to
            predict, and you should want to predict things at least a few years
            out if you're going to the trouble of relocating.
            
   URI      [1]: https://en.wikipedia.org/wiki/File:Dunning–Kruger_Effect...
       
              nickslaughter02 wrote 3 hours 12 min ago:
              > then Belgium/Netherlands
              
              Belgium's EU presidency was pushing for Chat Control (on-device
              scanning of all your messages). Hungary took over and was pushing
              for the same. Poland took over and is proposing changes. Denmark
              has been in favor of the original proposal and is taking over in
              July 2025.
       
              cge wrote 1 day ago:
              >Ireland isn't in Five Eyes,
              
              That's true, and I suspect Ireland does not do as much
              surveillance as many other countries, but if I recall correctly,
              it does have a passphrase-or-prison law like the UK. I also get
              the sense that in a number of cases, it tends to view its laws as
              suggestions, for example, with the autism dossiers scandal [1],
              and in some sense, gets away with it in the way that a small
              country can. To me, it feels like a country where you don't need
              to worry about organized, systemic surveillance abuses, but do
              need to worry about departments or even individual employees who
              decide that they just don't like you.
              
              [1] 
              
   URI        [1]: https://en.m.wikipedia.org/wiki/Department_of_Health_aut...
       
            bananapub wrote 1 day ago:
            Australia is even more everyone-is-a-cop than the UK, and is doing
            this exact same shit for the exact same reason.
       
            pjc50 wrote 1 day ago:
            If you're after freedom, you absolutely do not want Singapore or
            Dubai.
       
              airhangerf15 wrote 1 day ago:
              The United States has the strongest laws for freedom of speech.
              You can't get arrested and face years of criminal legal trials,
              ending in an £800 fine for making a joke with your dog in
              America. Police won't show up at your house for Facebook posts
              like they do in Aussiestan. American courts probably won't take
              your infant away from you and force a medical procedure on it
              like in Kiwistan just because you wanted to use your own blood
              donors for the operation.
              
              It's been degrading in the US too. Xitter is not at all a free
              speech platform and that technocrat says whatever he has to for
              popularity until he can chip your brain. Cutting a few million in
              wasteful government spending doesn't make up for how he loves
              China and deeply desires their level of autocracy.
              
              America's laws have somehow held in spite of presidents that seek
              to crush it (yes, both of them, both sides. They're the same.
              Stop believing the headlines and read the damn articles).
              Although defamation law has been weaponized to neuter some forms
              of speech and reporting.
              
              There is an internal push by the CIA in America to further
              destabilize it and cause radical elements in the fake-left and
              fake-right to call for more authoritarianism. It's not a great
              nation, but sadly it is the last bastion of true liberty .. and
              it's eroding every day from every side.
              
              In 20 years there might not be anywhere to flee to. Fight for
              your country. They can't put every British person in prison if
              everyone decided to tell the truth.
       
                pjc50 wrote 23 hours 55 min ago:
                >  American courts probably won't take your infant away from
                you and force a medical procedure on it like in Kiwistan just
                because you wanted to use your own blood donors for the
                operation.
                
                Whenever someone writes "just" in a case like this I can tell
                there's a complicated, ugly legal case that's being grossly
                misrepresented, and quite possibly one where no responsible
                journalist is reporting because of child privacy issues/laws.
                
                The problem with both British and American surveillance state
                authoritarianism is it's hugely popular with the public when
                used against the "wrong" people. You might have "free speech"
                (subject to qualifications such as Comstock and their modern
                day equivalents) but you're much, much less likely to be shot
                and killed by the police - or a random stranger - in the UK.
       
                nobankai wrote 1 day ago:
                That said, American leadership is still fine with dragnet
                surveillance and coercing corporations to lie to their
                audience: [1]
                
                Being American has its perks, but privacy isn't
                one of them.
                
   URI          [1]: https://arstechnica.com/tech-policy/2023/12/apple-admi...
       
                blibble wrote 1 day ago:
                this is not a free speech issue, it's about key escrow
                
                and the US invented technical crypto backdoors
                
   URI          [1]: https://en.wikipedia.org/wiki/Clipper_chip
       
              faku812 wrote 1 day ago:
              Australia is the worst of all
       
          nobankai wrote 1 day ago:
          If you abhor surveillance, don't pick a Five-Eyes nation.
       
            y33t wrote 1 day ago:
            Don't forget the 14-Eyes, which includes most of Western Europe.
       
        InsomniacL wrote 1 day ago:
        malicious compliance.
        
        Providing access when ordered by a court is not as secure so we're
        removing all encryption?
       
          pjc50 wrote 1 day ago:
          "If we can't provide this product legally, we're not going to provide
          it at all" ends up being the only reasonable position in situations
          like this.
          
          At least this way doesn't compromise users in other countries.
       
          ziddoap wrote 1 day ago:
          >Providing access when ordered by a court is not as secure so we're
          removing all encryption?
          
          Providing a back door for one government reduces the security and
          privacy of the service worldwide.
          
          This decision keeps the security and privacy for the rest of the
          world. Sucks for the UK that your politicians decided to go this
          route.
       
          rxyz wrote 1 day ago:
          the whole point of ADP is that they cannot provide access
       
            CharlesW wrote 1 day ago:
            Yes, the parent commenter missed the part where Apple cannot see
            the encrypted content when ADP is used.
       
              InsomniacL wrote 1 day ago:
              I'm not suggesting Apple should be able to see the content, I'm
              saying the Police should be able to, when they have a valid court
              order issued in accordance with the legislation.
              
              For example, a 'Personal Recovery Key' could be recorded in a
              police database. 
              To gain access to 'encrypted' data from Apple, a court order is
              needed, once they have the encrypted data, they can unencrypt it
              using the key only they hold.
              
              There's lots of ways to skin a cat.
       
                svachalek wrote 1 day ago:
                We have a 5th amendment. You shouldn't have to do all the
                police work for them.
       
                cassianoleal wrote 1 day ago:
                > A 'Personal Recovery Key' could be recorded in a police
                database.
                
                That's about as secure as not having ADP at all, or worse. If
                that police database gets compromised, not only my data is
                accessible to the attackers, but I will be none the wiser about
                it.
       
                  InsomniacL wrote 23 hours 40 min ago:
                  An attacker would have to both compromise the police database
                  AND Apple to retrieve the data.
                  
                  The Key could even be split, say 3 ways. Apple holds 1 piece,
                  the police hold another, and the Courts hold the third, all
                  three would be needed to decrypt the data.
                  
                  This is too far into the weeds though.
                  
                  It is not beyond humanity's ability to have a system as
                  secure as ADP while still providing a mechanism to access
                  terrorists' phones for example.
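
The three-way split proposed in the comment above, sketched as an n-of-n XOR split. This is an added example, not part of the thread and not Apple's ADP design; the holder names, the 32-byte key and all function names are assumptions made for illustration.

```python
import secrets
from functools import reduce


def _xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("every share must have the key's length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, holders: list[str]) -> dict[str, bytes]:
    """n-of-n split: all holders' shares are needed to rebuild the key."""
    if len(holders) < 2 or len(set(holders)) != len(holders):
        raise ValueError("need at least two distinct holders")
    # Every share but the last is uniformly random ...
    random_shares = [secrets.token_bytes(len(key)) for _ in holders[:-1]]
    # ... and the last is the key XORed with all of them.
    final_share = reduce(_xor, random_shares, key)
    return dict(zip(holders, random_shares + [final_share]))


def combine(shares: list[bytes]) -> bytes:
    """XOR all shares together; only the complete set yields the key."""
    if not shares:
        raise ValueError("no shares supplied")
    return reduce(_xor, shares)


def share_that_would_yield(candidate_key: bytes, known: list[bytes]) -> bytes:
    """The missing share under which `known` would rebuild candidate_key.

    One exists for every candidate, so an incomplete set of shares is
    consistent with every possible key and reveals nothing about the real one.
    """
    return reduce(_xor, known, candidate_key)


# Constructed sample: a random 32-byte key split across the three
# parties named in the comment (hypothetical identifiers).
RECOVERY_KEY = secrets.token_bytes(32)
SHARES = split_key(RECOVERY_KEY, ["apple", "police", "court"])
```

The split governs storage only: wherever the three shares are recombined, the full key exists in one place.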
       
                ferbivore wrote 1 day ago:
                Leaving aside the fact that RIPA was drafted by deranged
                lunatics and deserves zero compliance from anyone, who the hell
                would you trust to run this database?
       
              zikduruqe wrote 1 day ago:
              But Apple could say, you have 45 days to remove it or we will
              delete it, then you have to resync your data.
       
                JKCalhoun wrote 1 day ago:
                No! That's not ... the comfy chair is it?
       
                brookst wrote 1 day ago:
                Why would they? What priorities are better served by that
                approach?
       
                  zikduruqe wrote 1 day ago:
                  Why would they say to all new users, that they cannot have
                  Advanced Data Protection, whereas older customers can?
                  
                  Now you have a certain percentage of users with encrypted
                  data, and a certain percentage of users that do not. The UK
                  government will not like that. And now Apple has shown that
                  it will not take a stand for privacy it might have to do it
                  to comply.
       
                    brookst wrote 9 hours 0 min ago:
                    Ah, you missed the part where Apple also said existing
                    users will have to turn it off at an unspecified date.
       
          smidgeon wrote 1 day ago:
          End-to-end-encryption-except-when-the-UK-government-is-interested
          doesn't have the same ring to it, liable to damage the brand ....
       
            nobankai wrote 1 day ago:
            FWIW people always put too much trust in E2EE where they didn't
            control either end. This was a loooong time coming.
       
              dmix wrote 1 day ago:
              People aren't going to use your self-hosted E2E tools on a wide
              scale. We've been down that road. Best to secure the systems
              people already use.
       
              lokar wrote 1 day ago:
              It’s not really end to end in that sense. They don’t get the
              key, they just store opaque data for you.
              
              The only way Apple could get your data is to push code to your
              device to steal the key.
       
                ferbivore wrote 1 day ago:
                I think their point was that you don't control your device. If
                Apple did push code to your device to steal the key, how would
                you be able to tell?
       
       