I think this is an unquestionable overreach on the UK's part. If you live in any country that isn't the UK, you should feel the threat from this: the UK government believes that it is entitled to a backdoor on your hardware, even if you've never stepped a foot on UK soil or intend to. Mass surveillance is a threat to everyone, but this is not an instance of that, which has guards against it, like encryption. This is the UK asking for an encryption backdoor to everything, including for phones that never traverse its soil or internet boundaries, or even cross anywhere near FVEY collection devices.
It applies to content stored using ADP, Apple's E2EE tech. A backdoor into that would mean applying a backdoor into iOS on the phone itself, which is a much larger attack surface than anything centralised.
All of which highlights the clownish nature of these regulations. They are so easy for bad actors to circumvent (eg using their own E2EE), resulting in the ridiculous situation where the innocent get their data stolen and the very people you're targeting being completely unaffected.
Since it seems to be illegal to even reveal if one of these requests was received, it's also worrying that, by extension, it would be illegal to declare a data breach once the backdoor was inevitably exploited by another bad actor.
So, how would anybody know that a foreign government was spying on them? Nothing would stop them installing Pegasus on your phone and exfiltrating even your 'secure' data.
The stupid thing is that these laws always find a way to say that people in government are exempt from the provisions, and everybody except them is allowed to be spied on, but they are obviously going to be the first people to be targeted. Not some randomer hoarding CSAM.
This is a government that believes in thought crimes.
They will likely arrest people for having illegal memes on their phones or for texting messages to friends of which the government does not approve. If there was a prequel to 1984, it would look something like this.
By "thought crimes", would you mean firing people for holding positions responsible for DEI policies which were assigned to them and which there was a legal obligation to enforce?
Because that would NEVER happen in the US, certainly no government agency would fire its own people for having followed legally enacted government policy just because that policy was no longer in fashion (though still legal government policy, because Congress hadn't yet changed the law).
I really don’t like the UK government’s stance on cyber security / counter-terrorism / et al either. In fact, as a UK citizen I’ve actively campaigned against a great many of their policies.
However this “thought police” and “arrested for posting memes” comment that often gets pointed on here is itself a nonsense meme.
What actually happened was people were arrested for instigating riots. This is no different to what happened in the US regarding the Capitol Hill riots — people who helped organise it online were arrested too.
The UK has a long history of shitty policies invented to “protect people” but we need to be clear on what’s actually fact and what’s fiction. Otherwise you end up wasting energy protesting against things that are imaginary.
You are focusing on one set of incidents. There are a lot of others not connected to any violence at all. People arrested for standing still because of what they admitted thinking and their motive for doing so. Police investigations of 'non-crime incidents'. Hate speech laws that can be very widely interpreted. Increasingly restrictive laws on public protests.
Just link to a report of an incident that you think proves your point. It’s impossible to have a sensible discussion about this issue when comments are so vague.
People have been arrested for perfectly legal anti-royalist propaganda, and threatened with arrest for such things as protesting by holding a blank sheet of paper, so I don't agree.
> In London, a barrister who held up a blank piece of paper in Parliament Square was asked for his details by Metropolitan Police officers, and told that he would be arrested under the Public Order Act if he wrote "Not My King" on the paper.
Nothing actually happened to the guy with the blank sheet of paper (or at least, if it did, that’s not reported in the article).
Certainly you can find examples of the British police overpolicing protests, and that’s something that people rightly get angry about. It’s just that there’s a huge distance between that kind of thing (which happens pretty much everywhere from time to time - do US police forces have an exemplary record of policing protests?) and the kind of wild claims you can see in this discussion that the UK has become an Orwellian police state.
Perhaps, but I am not comparing it to American forces. I'm Swedish and while I have some things to do with America, mostly indirectly, it's not my centre of reference.
It feels like the UK is in many ways leading the charge, though. The only other country that would be a contender is Australia. It was the UK for example that introduced that barbarian law that conceivably allows imprisoning people that genuinely forget the passwords to their encrypted volumes, and that was I think over a decade ago.
Lots of things are troubling. I am complaining about wild exaggerations, not saying that there is nothing to worry about or that the UK is perfect.
Unfortunately a lot of people are getting their news from Twitter, from accounts that are obsessed with painting a particular picture of the UK. Have you spent any time in the UK yourself? The impression of it that you’d get from reading HN is unrecognizable to anyone who lives here.
I don't disagree that there are wild exaggerations being made, my point was just that the UK seems further along the path than its peers.
> Have you spent any time in the UK yourself? The impression of it that you’d get from reading HN is unrecognizable to anyone who lives here.
I lived in Scotland for a while and have been to London often enough. It's mostly just a normal country, but things can change slowly until all of a sudden it's unavoidable. The cops showing up to people's houses for opinion tweets is certainly frequent and concerning.
You say that but I’ve shared several examples of the same things happening in other countries like America too.
So I don’t think the UK is any further along in that regard.
There are other areas where the UK is further along though. Such as CCTV surveillance in London. There are also areas where the UK is far less Orwellian, for example our open-mindedness about abortion and gender identity.
The UK’s legal system isn’t just defined by what Musk tweets about. ;)
> You say that but I’ve shared several examples of the same things happening in other countries like America too.
You've shown some protestors getting arrested, but I don't believe you can show any equivalent of cops acting as thought police for tweets.
> for example our open-mindedness about abortion and gender identity.
Funny you say that, because there isn't so much open-mindedness as a forced viewpoint. I'm trans, FWIW, but I don't at all agree with sending cops to people's houses because a ciswoman has doubts about accepting a transwoman completely as a woman.
I'd also say it's other western countries being compared to here, and I don't think the UK is particularly further ahead than other first world nations, aside from the US where it is very much a red/blue state issue.
> You've shown some protestors getting arrested, but I don't believe you can show any equivalent of cops acting as thought police for tweets
I have elsewhere.
> Funny you say that, because there isn't so much open-mindedness as a forced viewpoint. I'm trans, FWIW, but I don't at all agree with sending cops to peoples houses because a ciswoman has doubts about accepting a transwoman completely as a woman.
I wouldn’t say it’s a forced viewpoint here either.
Quite the opposite in fact, there’s a lot of really vocal people in the UK who publicly denounce transgender people.
> Could you relink them? I don't see anything, and I don't think you could show it is to the same extent as in the UK.
No. I’ve said my piece and I’m done.
And it isn’t even happening to the extent you keep claiming. There’s been lots of evidence posted to prove that point.
> Then why do cops keep showing up for wrongthink?
They don’t.
And I know you’ll follow up with some unverifiable linked to highly disreputable sources which are several years out of date.
So let’s just close this argument off by saying you think you know better than everyone else despite not living in the UK nor reading either up-to-date nor reputable sources.
And this is precisely why this meme of the UK policing thought persists: because people form an opinion based off silly headlines and then are too singleminded to listen to the full facts.
I honestly can’t be bothered any longer on this. I’ve been actively involved in politics around precisely these kinds of issues, but of course you know better than me because it fits your own narrative about how your own country can’t also be going down the shitter.
You said this, but then continued to go out of your way to reply to another unrelated comment. Copying and pasting some links would have been less effort.
> And it isn’t even happening to the extent you keep claiming. There’s been lots of evidence posted to prove that point.
Actually my last reply showed quite the opposite. The scale is much larger, about 2,500 incidents.
> They don’t.
They do, at least 2500 times. See a recent reply for sources.
> And I know you’ll follow up with some unverifiable linked to highly disreputable sources which are several years out of date.
> So let’s just close this argument off by saying you think you know better than everyone else despite not living in the UK nor reading either up-to-date nor reputable sources.
It's a shame here to see you assuming bad faith. This reeks of tribalism, not objective argument.
The source I found was from the UK government, so I think that you preemptively dismiss that really shows who is being rational and objective and who is not.
> So let’s just close this argument off by saying you think you know better than everyone else despite not living in the UK
You keep looking for reasons to dismiss my argument for reasons other than merit of the argument. This is telling.
I lived in the UK for years, actually, and the evidence speaks for itself, no personal experience is necessary.
> I honestly can’t be bothered any longer on this.
Maybe. You say and wrote this, yet you have a second reply you posted after this that I am about to respond to.
I won't be surprised if I end up responding yet again.
Are you not wildly exaggerating when you suggest that the ‘cops’ frequently show up at people’s houses based on things that they’ve tweeted? There aren’t even enough police officers in the UK for this to be feasible if they wanted to do it.
I didn't mean to imply that it's happening any time anyone tweets something, but there have been an alarming number of cases of cops showing up at people's houses for tweets they've made. A far greater number than anything happening in other western countries, which don't even have anything close to compare it to.
Just to be clear, even 20 times is significant here, I think the actual number is much higher, but even a number as low as 20 is concerning when the tweets don't promote violence, terrorism, CSAM or anything illegal.
What exactly is it that you are saying has happened 20 times? Described in objective terms, not using vague and emotive language like “thought police”, etc etc.
It’s still not clear where you’re getting the number 20 from or which incidents you’re talking about. But it sounds like these are cases of people being questioned by police and then…not getting arrested because they weren’t committing a crime. I’m not sure what is supposed to be concerning about that in the abstract. Maybe there’s something concerning about the specific incidents, but you don’t seem inclined to give any details about them.
> But it sounds like these are cases of people being questioned by police and then…not getting arrested because they weren’t committing a crime.
The problem is cops showing up at all for people sharing an opinion. The tweets were visible at cop HQ. Sending cops out reads like intimidation which is something cops do in authoritarian societies.
That’s not really the same as what’s being discussed though it’s still troubling.
Thankfully common sense prevailed and those people weren’t convicted. Meanwhile in other “less Orwellian” countries people are getting charged for similar actions:
> That’s not really the same as what’s being discussed though it’s still troubling.
GP mentioned anti-royalist protester arrests and threats of arrest, you asked for a citation, I provided a link to a BBC article discussing those. How is it not "what's being discussed"? (At least in the context of this subthread.)
Fair point. But as I said, there was more to that story. And under relatively similar circumstances people are charged for protesting under similar laws in other countries too. Including ones that have freedom of speech written directly into their constitution.
So while I don’t agree with the UK arrests, it doesn’t prove that the UK is any more Orwellian than any other country.
> Thankfully common sense prevailed and those people weren’t convicted. Meanwhile in other “less Orwellian” countries people are getting charged for similar actions:
>However this “thought police” and “arrested for posting memes” comment that often gets pointed on here is itself a nonsense meme.
Are you for real? These accusations are not merely memes.
While I don't endorse terrible people, it is noteworthy that sometimes awful people are the target of even more awful laws. For example, you can do research into a person named "Adam Smith-Connor" who was literally convicted for standing in public while introspectively praying silently. The conduct of standing while appearing to pray was deemed as a form of illegal protest too near an abortion clinic. The same exact thing happened to another person "Isabel Vaughan-Spruce" who was not convicted.
There are also well documented incidents in the UK involving the prosecution of people making remarks online, which could arguably cross into thought-crime territory. I'll leave it to you to actually research these incidents, Google is your friend.
As usual in these HN threads on the UK, there’s a reasonable point that could be made about whether or not this restriction correctly balances the right to free speech against women’s right to access healthcare. But instead we see a lot of wildly exaggerated talk about “thought crimes”, etc. etc.
> For example, you can do research into a person named "Adam Smith-Connor" who was literally convicted for standing in public while introspectively praying silently. The conduct of standing while appearing to pray was deemed as a form of illegal protest too near an abortion clinic.
Those people are not trying to genuinely pray, but to intimidate women considering or wanting to get an abortion.
> There are also well documented incidents in the UK involving the prosecution of people making remarks online, which could arguably cross into thought-crime territory.
>However this “thought police” and “arrested for posting memes” comment that often gets pointed on here is itself a nonsense meme.
>What actually happened was people were arrested for instigating riots. This is no different to what happened in the US regarding the Capitol Hill riots — people who helped organise it online were arrested too.
One of the "instigators" was sent to prison for tweeting "every man and his dog should smash [the] f** out of Britannia hotel (in Leeds)". While I agree such a tweet might be illegal under US law (it plausibly meets the "imminent lawless action" standard), it's a stretch to equate that to "organise [the Capitol Hill riots] online" (whatever that means). A tweet by a nobody who got 6 likes isn't "organising". It's shitposting.
Did you actually read that article? In there it even stated there was a pattern of behaviour and that his comments on Facebook had been shared with thousands and directly resulted in criminal damage. Not only that, that his comments were intended to cause criminal damage and result in physical attacks against immigrants.
What you’ve done is selectively quoted a small subset of portions from that article to misrepresent the full trial.
Which is exactly why I had to write my comment defending the UK government earlier. Believe me, I really don’t want to defend the government.
The UK government get a lot wrong when it comes to legislation regarding technology. In fact they get nearly everything wrong and I’ve frequently had to have words with my MPs about it (not that that’s done any good). But they categorically do not lock people up just for shitposting. At best that’s just an exaggeration. At worst it’s an outright misrepresentation of the facts.
>Did you actually read that article? In there it even stated there was a pattern of behaviour and that his comments on Facebook had been shared with thousands
Are you talking about this?
"The initial post received six likes. However, it was sent to your 1,500 Facebook friends and, because of your lack of privacy settings, will have been forwarded to friends of your friends."
"shared" is doing a lot of the heavy lifting here, and likely used in a misleading way. Given how Facebook uses algorithmic timelines, and the wording (the judge was seemingly unwilling to use a stronger word like "seen" or "read"), my guess is that was the upper bound of people who could have seen his post, not how many people actually saw it. It certainly doesn't mean 1,500 people actually clicked the share button next to his post (or otherwise made a conscious effort to disseminate the post), as "his comments on Facebook had been shared with thousands" implies.
> and directly resulted in criminal damage.
Is there any evidence that people who have committed crimes even saw his post? Or are you simply claiming that because he made such tweets, such tweets called for riots, and riots happened, that those tweets "directly resulted in criminal damage"?
>Not only that, that his comments were intended to cause criminal damage and result in physical attacks against immigrants.
This doesn't contradict my prior comment, which specifically admits his behavior is illegal under even US law. My complaint was with the characterization that his tweets count as "organising".
And let’s not forget that the Capitol Hill riots were just a small few who took things out of hand - like with this guy. So it doesn’t need to be thousands to be a criminal offence.
The guy in question pled guilty too. So he clearly admits responsibility for the attack on the hotel. And that in itself should indicate that there’s more to this story than just “shitposting” on Facebook.
The problem here is folks like Elon Musk are focusing on the “freedom of speech” aspect (and of course he is, he’s got a vested self interest too) and given Elon’s media reach, this story gets skewed into a different debate.
The ironic thing is the biggest voices arguing that the UK is Orwellian don’t even realise that arrests have been happening in their own country for the same things and for much longer than in the UK.
And that’s my biggest complaint about this discussion on HN: The UK is singled out when this is happening in every country. And the cases people refer to in the UK are being distorted to sound like it’s harmless memes when the actual comments are far from what any sane person would call “shitposting”.
2. Given the issues I outlined above with the word "shared", can you clarify what exactly is meant by that? Are we talking about the act of him posting to a group chat, or that other people made a conscious effort to disseminate his post?
This doesn't provide any information to refute the points I presented in my prior comment.
>The guy in question pled guilty too. So he clearly admits responsibility for the attack on the hotel.
Don't confuse pleading with guilt. He faced years/decades in prison, along with any fines/legal bills. Pleading out could be a rational choice even if he was innocent.
>And that in itself should indicate that there’s more to this story than just “shitposting” on Facebook.
This is circular reasoning. If the thing being discussed was whether prosecutors were overzealous in prosecuting such tweets, you can't use the fact that he was prosecuted in arguing that prosecutors weren't overzealous.
>The ironic thing is the biggest voices arguing that the UK is Orwellian don’t even realise that arrests have been happening in their own country for the same things and for much longer than in the UK.
I'm not sure why you're still trying to argue such acts are criminal, when a few comments ago I specifically agreed with the possibility that such acts are criminal.
>[...] I agree such a tweet might be illegal under US law (it plausibly meets the "imminent lawless action" standard) [...]
It's not that bad. I think demanding a backdoor from Apple is over the top / stupid. But I haven't heard mention of thought crimes yet (brit here).
I'm entirely against what the UK government wants, however I would say:
Although you're right that tech people would still be able to choose secure encrypted options, the fact is that the majority of criminals by pure numbers are not very sophisticated - so while this sort of backdoor obviously wouldn't be a guarantee that every criminal conversation could be snooped on, it would work on the 90-99% (I'd guess towards 99) who aren't both cautious enough to try to be secure and tech savvy enough to make the right choices.
(But it's still a terrible idea, both for the sake of general privacy principles, and for the risk that current or future governments or personnel will abuse the access, and for the risk that criminals outside government will be able to take advantage of the same backdoor.)
The idea that criminals are not sophisticated is a weak excuse for this system.
Once the government starts mining data from iPhones, criminals will quickly adapt while every law-abiding citizen gets caught in the crossfire. It opens the door for abuse: officials could easily spy on their partners, dig up dirt on rivals, or target those they dislike without breaking any laws. Meanwhile, cybercriminals will have an easy target since every phone comes with this built-in vulnerability.
This system is likely to snag small-time offenders, not the real masterminds behind organized crime. This isn’t a smart solution for crime. It just sacrifices our privacy for a few token arrests.
Criminals don't need to be all sophisticated anyway. They just need to know how to reach one of the sophisticated criminals and pay them to extract whatever they need.
Incidentally, as a non US and non UKer, my data with the major tech firms has no protection anyway. Welcome to the club, US citizens :)
Most GSW victims are killed by one or two bullets, not hundreds of them.
You don't need a "vast majority" of criminals to break down a system and exfiltrate data when just a single, possibly state-backed, criminal operation can break your system down and do the job.
SMS is already known to be insecure and easily snooped on with a warrant, and has been used by police around the world in many cases, yet a surprisingly high number of criminals still use it.
The majority of criminals have no idea that their iMessage encryption keys and iMessages are synced into the cloud and available to law enforcement with a warrant. No need to break device security, no need for back doors.
There are already replies with sound arguments against the ideology that 90% of criminals aren't that sophisticated.
Secondly, I will also point out that criminals in general watch what's happening to other criminals. If people start going to jail because their mobile communications are being targeted, others will catch on and stop using mobile tech altogether for criminal activities. People copy what works successfully, you don't need to be smart to do that. So yeah this argument is complete bullshit.
We should not normalize the idea that it's acceptable within a country's borders either.
It's a massive overreach to demand a backdoor to phones within the country. Don't allow the even bigger overreach to move the Overton window and make it seem like it should ever be acceptable.
I think it's reasonable here to differentiate between acceptable and legal. It's completely unacceptable, but the British people have proven time and time again they're more than happy to make horrifically unacceptable things completely legal in the pursuit of "safety."
As with the US, I would not equate "British lawmakers passed" with "British people are happy to". British people are not given direct referendum on this issue specifically, and all of the mainstream British parties currently support the Snooper's Charter.
It's easy to sell people that "we just need this one more bit of access to your private data, it helps us stop paedophiles and terrorists", but each step takes us further down a bad path.
I'm sure everybody would agree that having full camera surveillance inside every UK home is too far, but no oversight at all is also bad.
There is a point along that line where society would say "no, that's enough", but successive governments have realised that they can slowly push that point further right and nobody seems to notice, or care.
I'm not aware of British people rioting in the streets over living in a society with multiple cameras on every corner of every street, where police knock on your front door based on social media posts. They seem to accept it, even welcome it.
If the people were strongly against the Snooper's Charter there would be politicians willing to stand against it. The parties do not impose their will on the people, they do and say what they must to gain and keep power.
(Note: nothing in this message should be construed as support for the US thinking that non-US accounts or non-US income of US citizens should be any of their business.)
There's a large difference between backdooring end-to-end encryption and accessing financial records that are already by design available to the financial institution.
Why would the IRS need to access my records? Or need to impose non-US citizens to sign affidavits outside the US?
FYI I am not a "US Person", whatever that means, yet when I signed up with my bank account in an EU country I had to sign an affidavit claiming I am not a "US Person", although that designation has no meaning in the local laws.
(Note: this is an explanation, not an endorsement or any form of support.)
These requirements are in place in part because the US wants to tax the income of US citizens no matter where they are in the world. So, they make requirements like FATCA and make requirements on foreign banks that amount to "we won't do business with you unless you impose these requirements on all US citizens (which inherently also means asking everyone if they're a US citizen)".
These decryption requirements are being put in place in part because the UK wants to find potential criminals no matter where they operate from in the world. So, they make requirements like back doors and make requirements on companies that amount to "we will fine you a % of your global revenue unless you impose these requirements on all potential criminals (which inherently also means decrypting everyone's messages)".
A similar law passed in Australia a few years ago; various Australian law enforcement agencies can request or even demand companies to make changes to their code (read: introduce backdoors).
Until people and companies start treating Australian-made software as dangerous to the extent that it affects the economy, other countries will probably follow with similar laws.
That should include being hesitant to use American software as well. There's a good reason EU companies aren't allowed to store data on American servers.
Note that it's seemingly unclear whether it's OK for EU companies to store data even on EU servers of US parent companies. Although very little has actually been done about this and everyone, governments included, is still using Microsoft 365.
In principle as long as a state has legal hooks into a large enough part of the business it’s probably ok. Data centers are less tricky than phones because they don’t move.
I’m also not sure there’s so much practical difference between a company headquartered in the EU vs USA. The relevant thing would seem to be where operations happen, and what legal and practical hooks each side has into the company, including physical location of servers and the people who operate and write code for them.
It’s not just at Australian made hardware or software. You think Australia won’t try to assert this against a global company with presence in Australia?
"TCNs are orders that require a company to build new capabilities that assist law enforcement agencies in accessing encrypted data. The Attorney-General must approve a TCN by confirming it is reasonable, proportionate, practical, and technically feasible."
It's a step above a warrant, as an order, when building a new capability. But yes, it's focused in on one case. As to "reasonable" - our current AG is a strong supporter of expanding government powers as a way to fix any new problem that appears. He's done some good. And some bad. It isn't hard to see him rubber-stamping these, if someone across the hall needs it done.
Also... If a TCN order comes through, you're not permitted to tell the business that you've been ordered to create a backdoor in them. And they can order random anyone in the company to comply - it doesn't have to go to the C-level.
The general public either don't know about growing mass surveillance and privacy invasions, or don't care. "Terrorism and child abuse = bad, and if this prevents it and I have nothing to hide then why would it be a problem for me?"
How do you know that? Similarly to the UK, USA has a process to force companies to add back doors. For all we know it might be the USA wanting access and using its five eyes allies to get it done.
> Compelled speech, and compelled work, are both disallowed by the US constitution... Apple successfully used this argument several years ago when the FBI tried to demand that they break a phone for an investigation.
I'm not sure this is how the San Bernardino case actually panned out:
"Apple declined to create the software, and a hearing was scheduled for March 22. However, a day before the hearing was supposed to happen, the government obtained a delay, saying it had found a third party able to assist in unlocking the iPhone. On March 28, the government claimed that the FBI had unlocked the iPhone and withdrew its request."
The arguments were never actually tested in court, the whole thing was quietly put away once the FBI found another way to unlock the phone.
The expectation was that FBI would lose in court. But that was not guaranteed, certainly.
FBI had multiple reasons to abandon the effort, but one was that if legal precedent was established at that time, for that case, it would be harder to bypass in future cases.
I expected the FBI to win in court because the FBI had precedent on its side. The judge had asked Apple to provide reasonable technical assistance to access data on the phone, and modifying one line of code fits well within the judge's request.
Here's an example of when Apple got caught giving the US government all users' push notifications, and then quite openly said they had been bound by law to keep quiet about it.
Apple has a history of giving the US government whatever user data they want, lying about it, then when it leaks publicly they are able to say 'Well we couldn't tell you because it would have been breaking the law, sorry about that'.
Have an example, of when it leaked that Apple was secretly syphoning off all push notifications to the US government:
Fundamentally not the same thing. Notifications aren't encrypted. Apple has made no claim that they're secret from the govt.
Apple has very loudly and prominently and specifically stated that their encrypted data is encrypted and not even available to Apple. They list which portions of iCloud this applies to and not.
Huge difference between an omission and a large, positive lie.
The reason they have 'very loudly and prominently' proclaimed that they will never break encryption, is to make the general public believe their data is safe with Apple. It's purely a marketing stunt. The push message syphoning to governments is only one of many ways they willingly hand over data to governments on request.
Well there is still a HUGE difference between some backroom dealing that blows up in government’s face in the most scandalous, generation defining way when it gets exposed, and a bunch of power-hungry troglodytes saying they want to play Orwellian villains in the open.
The US, through the Intel ME software, already got a backdoor in most laptops. Using PRISM, it also had one on most big SaaS, and now that it's over, it probably has a similar one we don't know about given Snowden's revelations about XKeyscore and how it works.
It's very likely they also have a backdoor in Apple phones with a gag order, given Apple was part of PRISM and we can't check their proprietary system.
We also know China has backdoors to any software or hardware product you want to sell there.
So it is a problem that the UK is asking for this for us, but from their perspective, they are just catching up with the current horrible state of things.
> very likely they also have a backdoor in Apple phones with a gag order, given Apple was part of PRISM
People keep repeating this as if PRISM was a voluntary, or even secretly cooperative, program.
PRISM was no such thing. PRISM was the US govt snarfing up whatever data they could (under questionable legal authority), but no one has ever alleged that the data they were snarfing was provided willingly or knowingly by Google, Apple, etc.
These companies are also victims of PRISM, not participants.
All have explicitly refuted claims of any backdoor into their systems. There is no evidence that they are lying, or being forced to lie.
> People keep repeating this as if PRISM was a voluntary, or even secretly cooperative, program. PRISM was no such thing.
Where's the evidence to say they had no idea about it and it was purely an external hacking effort?
> All have explicitly refuted claims of any backdoor into their systems. There is no evidence that they are lying, or being forced to lie.
Except all the previous times they have lied because the government asked them to. Like the time they willingly gave all users' push notifications to the US government and then lied and said they didn't, until it leaked and they admitted they did and then openly spoke about how the government had forced them to keep quiet about it.
PRISM collects stored internet communications based on demands made to internet companies such as Google LLC and Apple under Section 702 of the FISA Amendments Act of 2008 to turn over any data that match court-approved search terms.
Sorry, I should have been more explicit. Of course all US companies comply with US court orders.
The controversial new revelation re: PRISM, via Snowden, was that NSA was also snarfing everything they could including unencrypted comms over frame relay/etc networks comprising, e.g., Google's internal inter-site networks.
To which all mentioned companies said "we were not aware of this, we never authorized a backdoor for LE at any level, this is a breach of trust and probably not legal, and now we'll encrypt everything between our internal systems too".
If they can ask whatever they want (they had secret courts that could provide any legal request), they have a massive data acquisition apparatus, they had many backdoors they actively used, and big companies complied while being silenced by a gag order, assuming they have direct backdoors provided officially today that we don't know about, and that companies with proprietary systems we can't check can't talk about, is just common sense at this point.
Why would you give them the benefit of the doubt when the 2 last decades of track record have given you all the reason not to, and that the next step is the logical conclusion?
Lions kill gazelles. But not this specific gazelle because I like this one?
But anyway, the point is moot, they don't even need to for this particular debate. They already have a lot. The UK therefore not matching them exactly is just them using a slightly parallel road for the same result.
It's a terrible thing either way for us. But I get the logic for them.
Oh, I don't trust any of the actors. But I trust the encryption math.
If the argument is that the encryption is compromised by weak factors or key escrow etc, then that is a really interesting conversation, on which I'd like to hear more informed opinions.
But if all we can do is speculate, my trust remains in the mathematics.
Right. Who would be the first country the US might go to if it wanted to spy on its citizens from abroad? Perhaps one who already does this for them using other methods such as wire tapping?
No. Maybe it was their idea, maybe it was the US's. One thing's for sure though we wouldn't be pushing ahead with this without the tacit support of the US, particularly in the current environment.
Tenuous. The UK did not need US approval to make all of its existing privacy-violating laws. Nor did Australia, or parts of the EU.
Don't get me wrong. The only thing holding the US government back from growing all the more monstrous is a patchwork of sketchy laws that might have teeth.
But I don't see any reason to assume that the stupidity of Brits is the fault of Americans. This time.
FWIW, the US govt does not have a back door into the encrypted data held by US companies. A US company is not obligated to create a way to decrypt customer data to respond to a court order.
So this is different, and worse. Not everything stupid in the world can be blamed on the US, as it seems you're trying to do. Plenty can! But not everything. Some stupid is home grown. See also: Brexit.
I run multiple Discourse sites. You can spin that however you want. People have personal data on my sites for sure. Is that “tracking” in your book? What about in the EU’s book? Anyway, I’m not going to read the GDPR to find out whether that’s “illegal,” no matter what they say.
In other words, the EU mandates that I follow their law, even though they have no jurisdiction over me. I can follow it by refusing to track PII, or I can follow it by “blocking” Europe on the WWW. I can’t be bothered to figure out how to do either of those things, so I don’t bother. I just spin up an instance of Discourse and move on. Because their claim that I must follow their laws is just as bogus as the UK’s claim, even if I think the EU had admirable goals and the UK has terrible goals.
This always gets trotted out, usually by people who seem to have never run any web service before. IPs are apparently PII, and all default server configs log them. If you don’t, good luck complying with any security audits that will require you to keep them to make forensics possible.
This is just one of the things that makes GDPR, in practice, an “if we don’t like you, we’ll investigate you and will definitely find something” law.
I am a data controller for multiple companies, I have read the GDPR legislation cover to cover multiple times, I have been through multiple audits. You only need to care about it if you are storing personal data, end of. Downvote me if you like but that's the cold hard truth.
> IPs are apparently PII
It always pains me when people spout stuff about GDPR that they think they know but don't. Go talk to an auditor like I have many times, then you won't need to use words like 'apparently' and you will actually know what you are talking about.
> It always pains me when people spout stuff about GDPR that they think they know but don't.
Are you trying to suggest end user IPs are not PII? There is a judgement from the CJEU (Patrick Breyer v Bundesrepublik Deutschland, ECLI:EU:C:2016:779) regarding the older Data Protection Directive that an IP address is personal data if the service provider can give the IP address to a competent authority and that authority has a way to connect it to a user. As most (all?) EU countries mandate that ISPs keep logs that match IP address to subscriber and a competent authority can get this information, the IP address is almost always PII.
Or is your auditor suggesting that GDPR is less strict than the older directive regarding this case? From my reading the only real difference was that GDPR added a bit more precision on what reasonable actions are ("such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments"). At least to me the example given in the court case would be reasonable when taking those into account.
You can, of course, have legitimate interest to collect it (like many other forms of PII as well), even for cases where the data subject cannot object to it. It doesn't change the fact that it's almost certainly PII.
It’s your job, and you’ve put more time into this than I will ever put into it. True. You (hopefully) understand the law better than me and the commenter you replied to. But you certainly haven’t convinced me to read the GDPR legislation cover to cover multiple times to decide whether and how I can comply! The EU can’t tell me what to do with my Discourse website. I put it online. They can block it for their residents if they don’t like it. That is not my responsibility.
It isn't just the UK. This isn't the first time a nation decided that any company operating on its soil would have to comply with an order that reaches worldwide operations, and failure to do so would be fined on worldwide revenue.
I keep saying this, and nobody believes me, but I'm just going to keep trying:
These things happen because so often we focus the privacy conversation on corporations, which is exactly where the governments want it to be.
My controversial but strong opinion is that privacy from corporations matters very little, but privacy from governments matters very much.
We need to stop allowing the conversation to get distracted by talking about cookies and ad-tracking and whatnot, and always bring it right back to privacy from governments.
Yes, corporations and the government are often in cahoots here - but even then we should be talking about how wrong it is for governments to be buying/taking/demanding data from corporations - keeping the focus squarely on the government.
The worst thing a corporation is likely to do (other than giving your data to governments) is to sell you something. That's all they want. They collect data so they can make money off you. That's not so scary to me. Governments want to put you in jail (or freeze your bank account, etc) if you get out of line.
Thank you. If governments have more restrictions than corporations, all that will happen is that corporations will immediately spring up to exploit this arbitrage opportunity.
Most users' "threat model" is loss from actually losing things, or doing dumb things to themselves. They expect Apple to fix that.
Apple understands this, and in most markets there's a Genius Bar somewhere near the user, with technology letting Apple help them.
If your model is something else, they also have your back.
> remember that enabling advanced data protection just means they'll get your conversations from the other parties' iCloud backups
Conversations may have a counterparty not using ADP, your data storage probably doesn't.
And yes, who else can see things is very important. People show others "your" messages on their phones all the time, the more unfortunate the message, the more likely they are to overshare. Very much worth remembering they have copies of the same discussion, for this, and for backups.
While ADP won't solve betrayal of trust through analog sharing or digital resharing, Apple DO have a way to ensure your message is only between you and a personally verified counterparty:
On one hand, I get the business reasons for not using E2E by default (it’d make data recovery more difficult for probably the vast majority of their users, which would be a customer service headache). Hell, even some experienced users would be more inconvenienced when something goes wrong. But if they won’t enable it by default, the option to enable it needs to be MUCH more clearly presented to users. The current implementation leads users to believe their data is more private than it is, which imo is just asking for trouble down the line.
That’s not the worst thing a corp can do. The worst things a corp can do is sell your private data to someone else, monopolize a critical function and squeeze you dry, or block you from a monopolized utility that is critical to modern society.
Plus the common privacy threats: stalkers in the company accessing your private information, technical gaffes or breaches or unconcern exposing your private information, both of which could derail your life depending on what sort of marginalized groups you're a part of.
A stalker in LEO is bad, yes, but so is a stalker in your apartment lock managing company or at any other number of non-government companies you're forced to interact with.
Not having Google accounts isn't the end of the world, but given the amount that many (most?) of us rely on their services (I think of all the accounts I have tied to my @gmail email and cringe, but still I'm there), this is fairly disastrous.
I can hold my government accountable via the polling booth.
I have no control over Apple or Amazon or Alphabet. I can petition the government through the court system if it tries to put me in jail, the government functions with a massive series of checks and balances.
I can't petition Google, they are an unelected uncontrollable unaccountable entity that not even the government has power over.
You might think you're safe because you don't carry a phone, never upload a photo, etc. You drove across the country in a car you paid cash for while bemoaning cameras that catch you speeding, in the name of "privacy". Meanwhile Meta knows exactly where you are as their face recognition attached it to your shadow profile when someone took a selfie with you in the background, you were seen on a Ring doorbell by Amazon as you walked down the street.
This "individualism" and "I'm alright jack" approach is a fallacy the world can't afford.
My government doesn't have a copy of my family tree or a good idea what my DNA is. Ancestry.com does.
> My government doesn't have a copy of my family tree
They absolutely do, your parents were on your government issued birth certificate, and the government issues marriage certificates and official name change paperwork too. I'd be a bit surprised if they don't have some idea of your DNA as well, though I'd agree not to the level of Ancestry.
They all do though. Do you think the government isn't tapping the genetic databases of 23andme and Ancestry? Or the bottomless data out that is Gmail. Or iCloud. Or Gmaps location data.
I'd rather not decide who is the worse privacy offender, companies or governments, and best restrict both to a need-to-know basis.
If you live in California, with a population of 39.43 million, you get the same representation in the Senate as Wyoming with a population of 538,486 residents. Not to mention gerrymandering, the electoral college, etc. Your vote even as part of a collective doesn’t represent the will of the people.
We are seeing right now with President Musk that the President can completely ignore the constitution and the laws with “qualified immunity”. Is what we are seeing now “accountability”?
Citizens aren't represented in the Senate. Citizens are represented in the House of Representatives. That's why California has 52 representatives and Wyoming has 1. The Senate represents the state itself, which is why each state has 2 senators. This misunderstanding of the difference between the House and the Senate needs to end.
Indeed, California has 52 times the representation but about 80 times the people. That disconnect is why the cap on the size of the House needs to be lifted.
Without the Senate, the United States of America would have taken a lot longer to congeal than it did. If it ever did.
The popular election of senators fundamentally changed a lot about how American government works - senators elected by state legislators (which was the usual method prior to that) are beholden to a very different pressure group with very different interests than the populace at large.
Now, they did go about the change properly. So points there. But at the time of the amendment, nobody really anticipated the Farm Bill (or, for that matter, Herbert Hoover getting into the positions of power he held prior to his election to the Presidency - where his performance was sufficiently strong to get him elected to the top job).
> I can hold my government accountable via the polling booth
Yes, but elected officials have used private information to disenfranchise groups of people before. Europe's right to privacy is in part a reaction to abuses that occurred in Nazi Germany.
I think this is partially correct but as the center moved rapidly to the right I’d say you need to study early 20th century governments and the arc of the US government as they decline into fascism. This is characterized primarily by privatization (and ofc surveillance and militarization of police.) In practice this means that the corps become a government just one that has zero accountability so people can’t use words like “authoritarian”
> The worst thing a corporation is likely to do (other than giving your data to governments) is to sell you something. That's all they want. They collect data so they can make money off you. That's not so scary to me. Governments want to put you in jail (or freeze your bank account, etc) if you get out of line.
It depends what government and what corporations. If it's a healthy functionally representative government then its rules and laws can be to a certain extent controlled by the public. It may be harder to influence corporations. If a bank wants to close your account, or Visa stops accepting your payments or airlines don't let you fly, you can't complain, they'll just "well tough luck, it's our bank, our airplanes, our payment system, go create your own if you disagree". So I agree with you that this should be a worrying thing for the U.K. citizens, they should ask their government why the heck does it want all that data and maybe it should stop.
> Yes, corporations and the government are often in cahoots here - but even then we should be talking about how wrong it is for governments to be buying/taking/demanding data from corporations - keeping the focus squarely on the government.
Very much in cahoots. They hide behind each other's backs, too. "(Apple): Sorry, government made us do it, our hands are tied". "(Govt): Sorry, _we_ are not spying on you. We just bought some data from Google or Apple".
In a democracy, the government is an outcome of elections, however they represent the majority and you may not be in that majority. This is why you can't talk about democracy without a strong culture focusing on the individual's rights, aka liberalism, otherwise all you have is a tyranny of the majority.
You're also deeply wrong. The fundamental difference between a state and corporations is that the state has a monopoly on violence and anything that a corporation is doing, and that harms individuals, can only happen with the complicity of the state. For example, there is no such thing as a natural monopoly, all monopolies are granted by the state in one way or another.
And the differences should be obvious, given the state can deprive you of freedom, it can starve you, it can inflict physical violence, and can even kill you. Corporations can't do this, unless the state commands it, obviously.
> It may be harder to influence corporations.
Actually, depriving Apple of the money you'd pay for an iPhone has more impact than your democratic vote. And even if you disagree with this, consider that you can vote for politicians promising to regulate Apple. And switching to Android or Windows has a lower cost than switching countries (and yes, that's an oligopoly, but that's because your state granted it via IP laws).
> This is why you can't talk about democracy without a strong culture focusing on the individual's rights, aka liberalism, otherwise all you have is a tyranny of the majority.
That's still all democracy is, though. A tyranny need not be absolute to be a tyranny.
> For example, there is no such thing as a natural monopoly, all monopolies are granted by the state in one way or another.
I don't see that. They could just not care. As I said it depends on what state you mean. Are you thinking a particular one? Because the state could be busy or care about other stuff than handling monopolies. Maybe there is a war going on, political in-fighting, military coup, etc. If a company buys every other competitor and is now the sole electric toaster maker some governments could just care less.
> This is why you can't talk about democracy without a strong culture focusing on the individual's rights, aka liberalism, otherwise all you have is a tyranny of the majority.
Of course. So it depends. Again, are you talking about a particular instance or in general? You can certainly talk about anything you want. The "culture of individual's rights" may not last long if a large majority of the citizens decided to either directly vote against or elect officials who are against it. Can the citizens effectively influence the government to change or can't they?
> You're also deeply wrong. The fundamental difference between a state and corporations is that the state has a monopoly on violence and anything that a corporation is doing, and that harms individuals, can only happen with the complicity of the state.
I don't think you've shown the depth of wrongness here. It would take a bit more convincing.
> anything that a corporation is doing, and that harms individuals, can only happen with the complicity of the state
So, there is a way for the citizens to influence the state? And the state then has to influence or control the company, and then the company would change its behavior, because it's forced to. Ok, then why the extra level of indirection, and not just influence the government to not harvest private citizens' data and stop there?
> Actually, depriving Apple of the money you'd pay for an iPhone has more impact than your democratic vote.
So someone has to already be wealthy enough to buy iPhones to affect some change. Sure, that could work in some countries/corporations; it might not work in others. In a healthier environment citizens should aim to influence their government instead. In the model you're proposing citizens try to influence a corporation by boycotting products, that in turn would indirectly influence the government, so it can then again influence the laws, which influence the corporations? That seems like a less healthy and more convoluted dysfunctional scenario. Certainly possible, one may argue that's what's happening in the US or Western Europe, but one can imagine a better, different scenario than that.
I agree with your point that government overreach is more serious.
Which is why I want to emphasize that various government police (like FBI) notoriously buy data that they would need a warrant for otherwise.
I’m aware that you’re saying it, but I think you’re underestimating the extent to which preventing spying from the corps == preventing spying from the govt.
> I keep saying this, and nobody believes me, but I'm just going to keep trying:
You’re the top comment currently and you are repeating the hegemonic American belief for the last half century+. Although focusing narrowly on the government has become less popular lately
> The worst thing a corporation is likely to do (other than giving your data to governments) is to sell you something. That's all they want. They collect data so they can make money off you. That's not so scary to me.
Coca Cola has allegedly murdered trade unionists.[1]
> That's not so scary to me. Governments want to put you in jail (or freeze your bank account, etc) if you get out of line.
Yes. And corporations want to fight against you if you unionize. It’s not like it can sell products in order to fight unionization.
These are just off the top of my head, I'm sure I've missed plenty of ways. We also have personalized pricing to look forward to in the near future.
I've also neglected how they abuse surveillance to squash competition and smaller firms. Consumers rarely care about this, but the private and business spheres are not hermetically separate - when there is only one telecom or supermarket or other company left (or just a handful, and they collude), because they've killed competitors with anti-competitive practices, consumers and employees will feel the consequences. When they won't be able to run their own e-mail, and farmers will see supermarkets take all the profits, and be forbidden from 'unauthorized' tractor repair, and innumerable other abuses.
> The worst thing a corporation is likely to do (other than giving your data to governments) is to sell you something. That's all they want.
That's not all they want.
Just look at some recent scandals, like Cambridge Analytica. Harvesting and analyzing the right data makes it possible to influence democratic elections and referendums.
Selling you stuff is great, but tricking you to vote for lower taxes for their trillion-dollar corporations or tariffs/other negative effects for their competitors is better.
Corporations can also kill you, enslave you, steal your property, start wars, and take over your country. Think of something like Pinkerton, United Fruit, Wagner, or the East India Company.
Governments, corporations, and criminal organizations are not disjoint categories. There is a lot of overlap near the boundaries. You should focus more on what the organization is actually doing than on its nominal classification.
Corporations are legally allowed to collect much more and more varied kinds of data than governments, in general.
Governments are not barred from purchasing data from private corporations, and it's unclear what an actually-enforceable and -effective regulation on that activity would look like.
Governments can do a lot more damage than corporations when they have that kind of data, true. But nothing stops them from acquiring it by issuing money (fiat currency in the US -- practically unlimited!) and employing it for their own ends.
So it seems like focusing on the collection of which kinds of data, irrespective of who is collecting, is the real concern here.
The next step of this is when you realize that these entities are more intertwined than people give them credit for. The line between government, companies, and people gets very fuzzy very fast (especially on the levels below national governments).
Privacy from government === privacy from companies === privacy from anything else. We need not split them into their own distinct groups, we can (and should) create software, policy, etc. to protect from all at once.
> My controversial but strong opinion is that privacy from corporations matters very little, but privacy from governments matters very much.
The majority of people saying this just don't want ads at all in my opinion, since usually the argument comes up on the topic of targeted ads.
When you're right, the only thing you are to Google is a number, likely some uuid in a db. To them all other identifying info is just metadata to shove into an algorithm.
Others are addressing your point about governments buying data from corporations also being bad.
But also, you think companies like Twitter, Facebook, etc which are increasingly activist and distorting truth and public discourse aren't also privacy threats?
And there is danger of it getting worse. So, your points have merit, but we cannot dismiss the threat of abusive corporations either.
Corporations can steal your work, etc. and thereby cause enormous problems that do not fit governments.
For me I think they're a much greater danger than at least my government. My government has no reason to care about what's on my computer. A company however, has an incentive to use every scrap.
Wait until you speak out against your government or try to organize a protest.
More realistically, if you are a woman trying to get an abortion in Texas and message someone to help you leave the state to get one, see how much more you should be worried.
Google can kill your digital identity for completely arbitrary, unknowable reasons. Especially if you are all-in on their system, as many, many people are.
How many people have run to social media begging for help because every avenue offered for appeals is simply automatically rejected?
When Reddit started acting crazy, I deleted my Reddit account and didn’t look back.
When Facebook went full MAGA, I deleted my Facebook and Instagram accounts.
I use Gmail. But if it disappeared, there are a million other email providers.
Google Photos is just one of many services my photos and videos sync to - iCloud, OneDrive, Amazon Drive (photos only) and my local Mac.
It would be an inconvenience for the few places that I use Gmail for. But I have used Apple’s Hide My Email feature since it’s been a thing and that’s connected to a Yahoo address and I could change iCloud to forward to another email address.
It’s a lot easier to remove my dependence on Google than get from under the thumb of the US. I know, I’m seriously thinking about a “Plan B” to get out of the US after retirement with the way that the US is headed under President Musk with the dismantling of the health care system and trying to undermine Medicare and probably the ACA where I won’t be able to retire early and buy insurance on the public market.
Yes, but my government wouldn't care if I organized a protest. It's even likely that if I did, the police wouldn't even show up, and in the end, I have democratic control over it.
Meanwhile, I am in literal competition with basically all other people's companies.
The way the law in the US works, it's much easier for the government to get your data once you've given it to a company first. So it's very much intertwined.
Prior to the Progressive Era of American politics, corporations used to act a lot more like organized crime - the state sans the legitimacy. What we're seeing with governments and corporations working together is a slow return to this era. As the second Trump administration solidifies, we're going to learn the hard way that we're long past the point of corporations just wanting to sell you something.
To be clear, tech companies provide subscriber metadata (e.g., billing address, real name) with a court order or subpoena. They provide actual user data (e.g., voicemail) only with a warrant.
Or has something changed since the last time I requested user data from a tech company by subpoena? Or are you talking about intelligence collection as distinct from law enforcement?
Also worth noting that LE frequently has PC without having a warrant (for example: every time they ask a magistrate for a warrant and secure one, we can infer they had PC first). In fact they perform many searches with only PC (see: exigency, eventual discovery, etc).
It would be more apt to say any subscriber metadata Apple knows, the FBI can know without a warrant.
Outrageous and (obviously) unconfirmed claims. But again, and as an American whose private data should never fall under the purview of FISA or FAA or any other IC intelligence gathering activities, I don't seriously doubt domestic US spying/surveillance capabilities.
That LE has to feign the need for a warrant should the need arise to make lawfully admissible that which they already know and are in possession of is the most likely scenario. Encryption really is the only safeguard.
iMessage e2ee is bullshit because iCloud Backup e2ee is opt-in, and approximately 0% of Apple’s user base has turned it on, making iCloud Backup non-e2ee in practice.
All of the iMessage access data (either the iMessages themselves or the iMessage sync key for “Messages in iCloud”) is stored in the non-e2ee iCloud Backup.
This means that the iMessage service e2ee is meaningless because the iMessages themselves are not e2ee.
Note well that turning on iCloud e2ee is insufficient, as everyone else that you iMessage with will still have it off, and all of your iMessages will still be backed up non-e2ee to Apple in their device backups.
Having iCloud e2ee available is the best of both worlds for Apple: they can say that it’s available for privacy-conscious users to opt into, while still being able to turn over basically 100% of all iMessages to the feds whenever they ask.
Nobody has suggested that anyone, Feds included, has the present technical capability to break any of the security levels that are in widescale E2EE usage today.
If both you and the iMessage counterparty both have e2ee enabled for iCloud Backup, it's unlikely at present that the feds can read the messages without a warrant under FAA702 "foreign" intelligence collection (which as we now know thanks to Snowden is routinely used against even Americans).
With an actual warrant or wiretap order, there is no guarantee that Apple can't or won't insert additional endpoint keys into the conversation.
But, that said, 99.9%+ of users don't have e2ee enabled for iCloud Backup, so the e2ee in iMessage is mostly irrelevant, and it's available in full to the feds at any time, no warrant required.
>Is the government tracking me with cookies, offering cloud services, tracking me with ads, and whatnot?
The OP's point is that the 'risk' of the corporation having that data is that the government could get it.
Otherwise the damage to you is what, an embarrassing ad if you're sharing your screen? How does an ad on reddit having context of what you googled an hour ago actually hurt you?
Yes it's 'privacy' but there's no human involved here. The companies involved don't actually care what you're viewing (unless again, they're required to report it to the government).
Not to be cynical, but if anyone has looked at anything revealed about security agencies in the last few years it's very clear what's happening here - whenever US wants to do something unpopular/straight up illegal, it just asks the UK (or any other partner country) to do it instead. American government can't ask Apple for data on any American citizen, but if UK obtains that data and then it happens to be shared between agencies... that's all fine. It's been happening already for years.
UK governments have been pushing for this for years, usually invoking some recent terrorist event as justification.
I'm not suggesting you're wrong, but I don't think this is _just_ the UK being a US puppet, there is very much an appetite for it in the UK parliament too.
Why? Obviously in public they have to say they are outraged by it. The collaboration and intelligence sharing between UK and US is not really up to debate, it's been going on for decades.
I wouldn't go full-on conspiracy, because I expect the impetus came from the UK, but... I doubt it would have gotten this far without tacit US gov support.
Governments are huge and constantly changing things.
The cops think this is great, more power in their hands.
The feds think it'll help them out, but those local cops will try to abuse it for sure, let's hope the courts keep on top of the warrants.
The spies already have access that's almost as good by illegal means, without the need for any of those pesky warrants. But it'll be useful not to have to keep their access secret.
The judges think this is a Fourth Amendment bust-up waiting to happen, why would you even... ugh.
The defensive cyber-security types think this is very obviously a bad move.
The diplomats think the Brits are OK and will do their warrant stuff properly, but for sure there will immediately be a request from some oil-rich middle eastern dictatorship for the same access. That will make for some awkward conversations.
The elected politicians in power want to get votes, and are safe against this power being used against them. Being tough on crime and Backing The Blue might be a vote-winner. 95% of voters don't know the difference between "encrypted end-to-end" and "encrypted in transit and at rest" so getting this right might not win you many votes. On the other hand, if this takes off in the public consciousness as snooping, or intrusion, or an expansion of state power, could lose you a lot of votes. Maybe wait and see how the public reacts?
The elected politicians who aren't in power think ooooh boy, this is not a power I want used against me, and not an administration I'd trust not to use it against me.
Not only would I not be surprised if this was a US demand on the UK, but I'd think it highly likely that the law which the UK passed to allow this was also a demand from the US.
In case you're wondering why there hasn't been any reaction from the EU, it's probably because EU has long waged war on encryption and would like to have access too.
"Anonymity is not a fundamental right": experts disagree with Europol chief's request for encryption back door (January 22, 2025)
As a Brit I would find it amusing if Apple, Google, Meta and Microsoft jointly announced that privacy is a hill to die on, and they'd rather collectively withdraw their businesses from the UK than accede to demands like this. My government would cave within the hour.
100%. We have very little power to demand this in my opinion.
Honestly I don't think Apple would even need to work with other tech giants on this (although that would help). The UK makes up a few percent of Apple's total revenues so while Apple would take a hit, they can afford to pull out of the UK and it could be worth doing if they're serious about proving how important privacy is to them.
Apple will face some reputational harm should they choose to put a back door in their products at the threat of an authoritarian government, and that harm will need to be weighed against the cost of pulling out of the UK entirely.
And realistically Apple announcing that they're going to pull out of the UK will result in panic in confidence in UK tech. How the hell are we going to build competitive tech companies if developers can't even access Apple products? And after 14 years of economic stagnation it's not like we have excess growth we can give up...
Apple should be very firm in their response to this. The UK are overplaying their hand.
Exactly, the UK’s number one priority right now is growth, otherwise we’re headed for austerity and possibly an election victory for Reform/Nigel Farage. I don’t think entering into a standoff with Apple over this is going to do much to give the impression the UK is great for business.
That would be the Salt Typhoon that allowed the Chinese to take over the USA's law enforcement agencies' taps, and spy on the politicians, police and probably the spies themselves. The outcome of that was the US government pleading with everyone to use the communication apps they hadn't broken, like Signal and WhatsApp [0]?
It was only two months ago, and they've forgotten already?
It is only safe to assume that every security vulnerability will eventually be discovered, and exploited by a bad actor. Knowing that, willfully creating more vulnerabilities, however well intended, is just reckless.
The story[0] I'm referring to is about the Technology Transformation Services, which I think is also apt. Also, I would argue that the actions of government are more political than technological or, actually, that making such a distinction is naive.
What the UK is asking for is largely already provided to them by Apple: Apple can already read everyone’s photos and notes, and the so-called e2ee iMessage because the messages are included in the non-e2ee backups.
Approximately nobody has enabled the optional e2ee for iCloud, so the five eyes have warrantless access to everything Apple has.
This is mostly posturing and reinforcement of the status quo.
You can't limit an OS level encryption backdoor at the point of manufacture to some intended target later down the line. This allows mass surveillance on everybody's private files. Stop posting that stupid link on every thread; it has nothing to do with this.
UK here. All my data has been removed from iCloud and other public cloud services now. I cannot trust the UK government, the EU or the US government to do the right thing for my data. I also can't trust the cloud vendors to handle my data either on this basis as they are subject to the laws and as indicated recently intimately involved in political matters.
The only option left is to draw a hard line and stay behind it and of course withdraw the only minuscule stick I have which is my investment in their business.
This is basically the reverse of the Microsoft Safe Harbor case. Europeans should be safe from US spying, Americans should be safe from UK spying, and so should everyone else.
Why is it ok that the American government have a backdoor & have access to all non-American's personal data, but when the UK/EU wants something similar, suddenly it's a massive outrage. Is it just "we're stronger than you", so it's ok when we do it?
Define "backdoor". US authorities being able to demand data service providers have access to (eg. your gmail account) is nowhere comparable to an encryption backdoor, which is what's proposed here.
Your own article admits it's basically used nowhere. That's important, because OP specifically claims that the US government has "access to all non-American's personal data". Moreover it was widely condemned, contrary to OP's claim of "but when the UK/EU wants something similar, suddenly it's a massive outrage. Is it just "we're stronger than you", so it's ok when we do it?".
From a quick skim it looks like in both cases surveillance was bilateral? In other words, European partner countries also got access. Again, I'm not claiming US doesn't do any surveillance, that would be absurd. I'm specifically arguing against OP's claim that "American government have [...] access to all non-American's personal data", and that their access was somehow exclusive. All the source you presented so far only points towards the US having access to some data (in other words, they have an intelligence agency), and that they cooperate with foreign governments in some cases to get data.
>My point is: the UK demands are bad but I'm sure the US agencies have similar demands and also backdoors, I'm looking at you Cisco, just not openly.
Do you have evidence for US having backdoors in Cisco hardware other than being "sure"?
Companies cannot really stand up to governments. Unless another government gets involved, Apple will have to follow UK law if they want to keep doing business in that country.
By the way, the US is not a stranger to that kind of overreach, either (e.g. CLOUD Act).
A large part of what enables huge multinational companies like Apple to be successful and resist stuff like this is a friendly administration and threats by the largest economy in the world.
Apple is being sufficiently friendly with the current administration that lawmakers are going to go to bat for them and prevent this sort of stuff from happening. Apple is a pawn on a global stage and the governments are the true players. It’s always been this way, it’s just more obvious now. The big sea change has been the last four years big tech has been a target of its own government as well as foreign governments. That’s largely why you’ve seen big tech jump ship to a political party that better serves their interests and doesn’t constantly investigate them. I’m not being political here, it’s just a fact of life.
Apple is going to be protected as they bent the knee and kissed the ring, just look at the name of the large Gulf to the southeast of the United States in Apple Maps.
I mean Apple could just sell unlocked phones that work in any country, and let people smuggle them in however they want.
Apple just happens to operate their business in a way that's very vulnerable to government overreach. Their OS is dependent on centralized, easily firewalled services. They have a lot of brick and mortar stores, and so on.
I believe that corporations can operate paralegally when need be.
Reminds me of when the UK regulator blocked Microsoft from buying Activision.
It was suggested by some that Microsoft has lots of power over the UK and can threaten to pull out of the UK and disable every single Windows PC and server in the UK and destroy data belonging to UK businesses held in Azure, etc.
Shame it didn't happen, would have loved the reaction from Macron/French/EU given their hatred of US big tech.
I think shareholders would disagree. Several billion in sales and all assets in the UK are not insignificant. On top of that would be the reaction of other governments to seeing a business successfully defy a government. It could be them next.
>That’s pretty big leverage.
True and it shows how foolish governments are to allow such reliance on foreign suppliers.
This is pretty clearly against EU principles. If anything this is more like a US alignment than an EU alignment.
It's pretty in line with their online protection act though, which is threatening jurisdiction over worldwide websites, no matter the size and with no clear guidance as to what a significant audience in the UK means.
> What is the problem? If Elon and a bunch of randos can have access why the UK cannot? Surely if they make a large enough donation to the west wing a deal can be made!
Are you really implying that Elon has a back door into encryption in the US? You probably better cite a source for that one cause that's deep conspiracy theory territory
Folks should stop playing with words, and call it what it is.
I feel like this should be called an act of war.
It is espionage.
UK against its people, UK against the world.
And yes, the same goes for the US, China, Russia, and anyone else that does it.
It doesn't mean if your country does it, it's right.
It's wrong everywhere, some are just OK with it, but it still doesn't make it right.
This is a dramatic overreach of authority.