You don't need to be an 'investor' to invest in Singletrack: 6 days left: 95% of target - Find out more
https://www.bbc.co.uk/news/articles/cgj54eq4vejo
Apple is taking the unprecedented step of removing its highest level data security tool from customers in the UK, after the government demanded access to user data.
Advanced Data Protection, external (ADP) means only account holders can view items such as photos or documents they have stored online through a process known as end-to-end encryption.
But earlier this month the UK government asked for the right to see the data, which currently not even Apple can access.
Apple did not comment at the time but has consistently opposed creating a "backdoor" in its encryption service, arguing that if it did so, it would only be a matter of time before bad actors also found a way in.
Now the tech giant has decided it will no longer be possible to activate ADP in the UK.
It means eventually no UK customer data stored on iCloud - Apple's cloud storage service - will be encrypted, making it all accessible by Apple and shareable with law enforcement, if they have a warrant.
It's the right thing for Apple to do when painted into a corner, but they should never have been put in this position in the first place. It's a dark day for security and privacy.
The “invisible ink” quote is a nice touch.
I'm still playing with markup.
For those of a tin-foil hat disposition, is the solution to use a VPN and fool Apple into thinking you live in a different country?
Probably screws you for warranty purposes, I guess....
(No idea - I'm not an Apple user...)
How does this affect the average user - as far as I know I've not signed up for ADP.
I think the bigger issue will be things like encryption on iMessage?
Amnesty International unimpressed
How does this affect the average user - as far as I know I've not signed up for ADP.
You can opt to use if for iCloud storage but its default and youre already using it for passwords, messages, health data, your apple wallet, and for safari amongst other things
How does this affect the average user - as far as I know I've not signed up for ADP.
Probably not much. "making it all accessible by Apple and shareable with law enforcement, if they have a warrant".
You can check if you have ADP on in System Settings/iCloud. I don't.
Interesting. I suppose it is the least/best Apple could do. Though I'd rather have seen Apple just ignore this and face the music.
When the UK government gave the shot across the bows on this I checked that I already had ADP turned on. I did. Encryption is a good thing. Still, it seems that to attempt to comply with gov.uk nonsense "If you're currently using ADP protections, you'll soon receive further guidance from Apple on what to do next as the provider cannot automatically disable the option for users. A timeframe will be provided to disable the option to keep using your iCloud account." https://www.techradar.com/computing/cyber-security/we-will-never-build-a-backdoor-apple-kills-its-iclouds-end-to-end-encryption-feature-in-the-uk
The IPA is a fascinating anti-privacy piece of legislation. One part of the commentary on the UK government's IPA-related private request to Apple identified that the IPA access to data was not restricted to UK citizens, but anything the government wanted to look at 'The UK notice targets all encrypted content iPhone, iPad, and macOS users across the world have stored using Apple's Advanced Data Protection (ADP).' https://www.techradar.com/computing/cyber-security/apple-could-soon-be-forced-to-give-away-all-your-encrypted-data-to-the-uk-government
While E2E encryption is still locked in for iMessage, FaceTime, etc I expect the gov.uk will continue to try and assault this.
When will they come for FileVault?
A backdoor for one is a backdoor for everyone!
From what I read when ADP was first introduced, it’s really only for people who are most likely to be at the receiving end of attacks by foreign bad actors - politicians, journalists, refugees from authoritarian governments, like China, Russia, India, etc.
Apparently once it’s activated, there are very few things you can do with the phone, it’s really locked down, so of little use to any of us; unless any of us are active against such people…
There are things like Signal, and Messages for communication; for backup there’s offline storage, although how effective anything like that is if someone really wants to see what you’ve been up to and turn up with a bunch of stern looking blokes and a fistful of official paperwork and ask if they can perhaps have a conversation…
…of course, this might be a classic example of FAAFO that the Government is going to get bitten in the ass by, much to the amusement of everyone else.
I’m quietly looking forward to hearing reports about Government secrets appearing on the Dark web after a ministerial phone has been back-doored. (S****).
"Apple could soon be forced to give away all your encrypted data to the UK government | TechRadar"
As I understand it, even if Apple were to go "oh, OK then," they can't. That's what "encrypted" means.
I’m quietly looking forward to hearing reports about Government secrets appearing on the Dark web after a ministerial phone has been back-doored. (S****).
It wouldn't be the first time. Read up on Shadow Brokers / Eternal Blue. The CIA found a huge vulnerability and rather than disclose it they wrote their own tools to exploit it, which was all fun and games until the bad guys got hold of it.
No doubt this'll be rescinded as soon as Trump threatens tariffs in response to unfair treatment of a US tech company...
From what I read when ADP was first introduced, it’s really only for people who are most likely to be at the receiving end of attacks by foreign bad actors - politicians, journalists, refugees from authoritarian governments, like China, Russia, India, etc.
Apparently once it’s activated, there are very few things you can do with the phone, it’s really locked down, so of little use to any of us; unless any of us are active against such people…
That is lockdown mode. https://support.apple.com/en-gb/105120
ADP encrypts iCloud files like notes, photos, documents, etc on Apple’s servers. As the key is held by the owner, not Apple, no one else can unencrypt them and read their contents. It is much like FileVault for the iCloud imo.
No doubt this'll be rescinded as soon as Trump threatens tariffs in response to unfair treatment of a US tech company...
maybe that was part of what was behind Tim Cook’s second row, $1,000,000, seat at the inauguration?
How does this affect the average user - as far as I know I've not signed up for ADP.
Very little impact I would think. Apple end-to-end encrypts a bunch of stuff, including messages, payment details, transactions etc. by default for all users, irrespective of if you have ADP turned on. ADP was extra stuff, like iCloud backups, photos...
Little impact I would guess, and if you really had something to hide would you put it in iCloud?
Lots of alternative solutions that do this so why just Apple?
I'd think the government have sent a similar tech assessment request to all the providers. It's just Apple who decided to leak it, get lots of PR and remove their product from the UK.
Apparently, America’s new head of Security, Tulsey Gabbard, knew nothing about this, and is demanding answers from HM Government, so expect an interesting conversation when the PM visits Trump soon…
Even the FBI backed away from demanding this sort of situation, ie backdoors into Apple’s iCloud, instead relying on a 3rd party product from an Israeli company.
Being a big Apple fan I try to follow developments but I wasn't even aware of ADP until the articles about it being removed in the UK appeared! So I guess this isn't really going to affect me. Annoying from the UK Gov though, I feel they're really going OTT with this stuff. Will be interesting to see if other countries attempt similar.
Apparently, America’s new head of Security, Tulsey Gabbard, knew nothing about this,
I think thats pretty low on the list of things that Trumps cabinet don't know about their own jobs 🙂
So, they can gain access for criminal investigations if they have a warrant. Not seeing an issue myself.
So, they can gain access for criminal investigations if they have a warrant. Not seeing an issue myself.
Is this the old "if you've got nothing to hide ..." argument?
It's not something that I can get too worked up about but I think there is an issue here. The actions of the UK government means that UK citizens can't take advantage of the highest levels of data security offered by Apple. As well as allowing our great law enforcement agencies (who never ask to see anything they shouldn't and never leak anything) to access their data it also makes them more vulnerable to attacks from malicious actors.
So, they can gain access for criminal investigations if they have a warrant. Not seeing an issue myself.
I don't think that is the aspect that most people are concerned about. It the UK gov's approach and understanding of privacy/security that is the concern.
Apple realised that if people were going to store lots of personal information (photos, health data etc) in the cloud then those users should be able to protect that information from bad actors accessing that information for nefarious purposes. Apple also realised that one of the potential bad actors was tech companies themselves (like Apple) who might try to harvest this data to sell advertising etc. Apple decided to take the credible position that they shouldn't have access to your personal data and so you could protect it in such a way that even they can't see it.
Now along come the UK gov and say, we want to be able to see the data. Apple say, "the only people who can give you access are the users". UK gov say "make us a back door". Apple, to their credit, say "that would be ****ing stupid, once there's a back door someone will get it, we designed this to be properly secure". UK Gov response "we insist". The end result is UK gov can (with a warrant) obtain the files, but all (new) UK Apple users data is less secure as a result. I'm not worried about the UK gov getting access to my data with a warrant - I am worried that someone at apple screws up unencrypted security and someone less welcome gets in. I am even more worried that all tech companies now have a great excuse to not fully encrypt data, and thus a temptation to harvest the data.
Essentially UK gov have decided that law enforcement / national security risks trump our individual privacy rights. I can see that is a delicate balance but true security threats will simply move to underground channels whilst the rest of us using commercial solutions lose protection.
So, they can gain access for criminal investigations if they have a warrant. Not seeing an issue myself.
Neither do I; however, what HM Government was demanding went far further, as it would allow foreign malign governments, hacker groups and other organisations with bad intentions to go ferreting around into the private information belonging to journalists, politicians, people who are likely to be on the receiving end of actual harm from their own governments; the fact that Russia has either murdered or attempted to harm its own citizens in this country should make that perfectly clear.
China is actively pursuing dissidents who are living abroad, including the U.K., and while I’m not against members of our government being exposed to the extreme embarrassment of having their private information being exposed to the public, some of that information could be downright dangerous in the wrong hands, if it’s military intelligence, for example. A minor detail that seems to have slipped past the individual who actually came up with this half-assed piece of ****whittery.
I’m not sure if whoever it was can be posted somewhere overseas where they can’t go meddling in such matters, but I’m sure there’s something they could be found to do in somewhere like, oh, I don’t know, Tristan Da Cuna, for example…
Just read this:
”The UK isn't the only country pushing to pick the lock of encrypted communications to facilitate criminal investigations.
Sweden has recently joined the list of governments considering passing legislation to make it mandatory for the likes of Signal, WhatsApp, and iMessage to create an encryption backdoor into their software. If successful, the new rules could come into force as early as March 2026.”
But there’s also this:
”Outside Sweden, the EU has also been trying to pass a proposal to scan citizens' private communications, those encrypted included, since 2022 to halt the spread of child sexual abuse material (CSAM). Deemed Chat Control by its critics, the bill keeps receiving pushback from experts and lawmakers alike, who couldn't yet find a compromise after almost three years and two lighter versions.
In January, Europol's chief Catherine De Bolle reiterated such efforts to break encryption, arguing "anonymity is not a fundamental right" and technology giants have a "social responsibility" to give the police access to encrypted messages used by criminals.
At the same time, however, recent events like the Salt Typhoon attack on all the major US telecoms have shown how encryption is crucial for the privacy and safety of everyone's data. On that occasion, even FBI and CISA experts have been calling citizens to switch to encrypted services in the aftermath of this unprecedented cyberattack.”
🤷🏼♂️
This is just bollocks from the Apple marketing department. If they can turn it off as they say and reveal the content, then it was never truly secure in the first place.
Essentially UK gov have decided that law enforcement / national security risks trump our individual privacy rights. I can see that is a delicate balance but true security threats will simply move to underground channels whilst the rest of us using commercial solutions lose protection
I have mixed feelings but erring towards agreeing with the Government's approach (even though I think it be largely ineffective) due to the limited amount of control they can exert). Being able to view communications of criminals and terrorists/other bad actors is incredibly important to the good work that law enforcement and the security services do. The downside is my data is a little less safe (it's essentially still encrypted but will be decryptable via a well-protected mechanism so the issue won't be some random hacker will be able to view my iCloud data it's more whether that decryption mechanism is vulnerable during a wider breach, has enough audit controls and over-sight to negate the insider threat and if I trust the Government isn't going to abuse access requests - the latter I personally do for now).
There are systems in place already to allow for such access (e.g. to someone's Hotmail account via a portal Microsoft provide) that is highly restricted and requires a warrant for authorisation of each request. Mandating no irreversible encryption just allows that sort of system to still function and the investigator still needs to have gathered enough evidence that the account is linked to someone doing illegal things in order to obtain the warrant. It's not just a case of PC Bloggs being able to log into the portal and access random Hotmail accounts for example).
In time I might be proven wrong by placing my trust in the UK Government and the security controls around anyone obtaining lawful access to my cloud-stored data (and if I was an American looking at the blatant abuse of power going on there I'd be a lot less trusting of my government and law enforcement agencies...).
As for the point about criminals just using other systems and it's the rest of us that get left with less secure data, there's certainly some truth to that. But it's also a lot easier for the various agencies to target communication systems used by criminals (e.g. EncroChat) rather than global tech companies (the latter of which would likely be illegal for them to try to compromise anyway, although it's likely been done). Legitimate services like Telegram are more of a problem though (if they remain outside of the legislative control) as they're easy enough not just for OCGs to use but also criminals like pedophiles but that's why the legislation is targeting those sort of legitimate services in the first place.
So, they can gain access for criminal investigations if they have a warrant. Not seeing an issue myself.
The issue is that if "they" can gain access via legitimate means then so can anyone else via illegitimate ones. And as I said a week ago, This Has Already Happened.
This is just bollocks from the Apple marketing department. If they can turn it off as they say and reveal the content, then it was never truly secure in the first place.
This is true as far as it goes except, they can't. This is baked into Apple's encryption system (and indeed, any secure encryption generally). They can't just switch it off and go "off you go then lads, here's all the data" even if they wanted to. Decryption of personal data would either require interaction from the user to unlock it or it will simply be lost.
Security is odd like this. We want to lock our doors to keep burglars out, but it's a different story when the door slams shut behind you and you suddenly start looking at which window would be easiest to jemmy open. We can't have it both ways. Intentionally crippled security is no security at all, you might as well take the door off its hinges and be done with it.
9to5Mac’s take on the situation, and they’ve made a very good point about how Apple have handled it.
This is just bollocks from the Apple marketing department. If they can turn it off as they say and reveal the content, then it was never truly secure in the first place.
nope, you’re talking bollocks in fact! Apple haven’t said that at all, as even a cursory search (eg. reading Apple’s official announcement) would reveal:
-
For users in the UK who already enabled Advanced Data Protection, Apple will soon provide additional guidance. Apple cannot disable ADP automatically for these users. Instead, UK users will be given a period of time to disable the feature themselves to keep using their iCloud account.
I wish it wasn't continually referred to as a back door.
Apples standard encryption is still in place, covered by whatever audit and process that Apple apply to the geolocated data held for the UK (and probably EU) customer base.
I.e. Users data is hidden apart from those with the appropriate access privileges to get to it. A company the size of Apple, and given their spin on security being 'A Big Thing' then it's probably quite well done.
Note that it's perfectly achievable for Apple staff to help users do stuff with their services without having access to the users data.
Apples standard level of encryption is still in place for services the protects from the huge majority of threats to users comms, including end to end encryption.
All this has done is allowed the UK Gov apply through the usual judicial policy and process to tell Apple to release information as they would do for asking information from Banks, Telecoms providers **, Businesses of all shapes, peoples dashcams, companies CCTV.
i.e. THIS MAKES NO DIFFERENCE WHATS SO EVER.
Apart from those who think they are beating the man or some other tin hat nonsense, and pales into insignificance when also looking at peoples use of Google, Faceplant, ****ter, etc. and the huge amount of personal information they hold on individuals.
** The Salt Typhoon mentioned above is referring to call records and SMS traffic, not anything like iMessage, Telegram etc.
I wish it wasn't continually referred to as a back door.
...
I.e. Users data is hidden apart from those with the appropriate access privileges to get to it.
Erm that sounds like the text book definition of a backdoor to me. Unless by "appropriate access privileges" you mean me, and nobody else?
If there is a way to see my data, without me being involved in decrypting it, then it is a back door.
Credit to Apple though for making it clear that UK govt is the reason for being able to access data. No credit to Microsoft though who seem to be going down the path of doing anything in their power to transfer data from personal laptop in to their cloud (with a key that they "look after").
A book door implies that it's a hidden or obfuscated feature, this is not a hidden or obfuscated feature, unless you call all the hyped backdoor nonsense obfuscation.
OK so it's a front door then
A company the size of Apple, and given their spin on security being 'A Big Thing' then it's probably quite well done.
i.e. THIS MAKES NO DIFFERENCE WHATS SO EVER.
An analogy here is that Timpsons would be required to keep a copy of every key they cut and store it with your details, just in case the police want to rummage through your sock drawer without asking you.
What? You don't like the sound of having a key hanging around where people can access your things without asking you first? Don't worry about a thing, the authorities have assured us that they will only do so if it's for something really, REALLY, superduper important like terrorism, or child porn.
And let's be honest, nobody likes those bloody muslamic terror nonces. Only a muslamic terror nonce would oppose this.
What's that? Somebody broke into Timpsons and stole all the keys and the list of who they belong to and now they have free access to look in your stuff whenever they like? Oh well, at least we kept you safe from all those MUSLAMIC TERROR NONCES
That 9to5Mac article is hilarious in it clickbait'ness.
Reporting on another publications interpretation on undisclosed information with no detail on what was actually in any order.
Brilliant.
Right. So quoting an exploit from 2017 is applicable?
Of course there are vulnerabilities, all OS maintainers issue updates and patches all the time, what's your point?
What? You don't like the sound of having a key hanging around where people can access your things without asking you first? Don't worry about a thing, the authorities have assured us that they will only do so if it's for something really, REALLY, superduper important like terrorism, or child porn.
This is a really poor argument for this, ANY access to user date by UK Gov would have to follow process to the letter, as discussed Apple would not capitulate without proper process.
And the idea that Apples internal security process is worse than a users is just laughable.
Right. So quoting an exploit from 2017 is applicable?
Of course there are vulnerabilities, all OS maintainers issue updates and patches all the time, what's your point?
Absolutely it was applicable. You said that Apple's security was "probably quite well done". I quoted that specific exploit because it was rather famous at the time as a completely amateur hour bit bit of coding showing that quite the opposite, their security is at best "nothing special" and they are most definitely not immune to being hacked.
What? You don't like the sound of having a key hanging around where people can access your things without asking you first? Don't worry about a thing, the authorities have assured us that they will only do so if it's for something really, REALLY, superduper important like terrorism, or child porn.
This is a really poor argument for this, ANY access to user date by UK Gov would have to follow process to the letter, as discussed Apple would not capitulate without proper process.
Not sure I follow...I'm not saying the court won't follow proper process. I'm saying it will be used for other things than what the government described it being used for, namely terrorism and child porn.
Quite obviously the government chose those two specific emotive examples so that anybody opposing the measures would look mental.
And the idea that Apples internal security process is worse than a users is just laughable.
Not sure what that's got to do with anything.
A back door implies that it's a hidden or obfuscated feature, this is not a hidden or obfuscated feature, unless you call all the hyped backdoor nonsense obfuscation.
It’s a special feature within the security section that allows the device owner to secure the device beyond what the normal security settings that the average security conscious user would need and expect.
Once that setting is optioned, then the user has to be very, very careful to have the appropriate password available in a secure location, because if they lose it, and/or forget it, then they are royally stuffed, because they will never get back into their phone, and Apple absolutely cannot help them, the phone is just a brick. That’s what HM Government was demanding Apple build a back-door access into, and Apple, quite rightly told them to go and do one, and removed the facility from phones in the U.K. Which had the result of HM Government going public and admitting that they had asked Apple, in a secret communication, to do something that Apple were legally not allowed to disclose they’d been told to do.
For those who don’t understand what the government were demanding from Apple, maybe this article explains it in simpler terms…
Can someone post the relevant details from the Washington Post article that seems to be the basis for a lot of facts about what was requested by HMG please.
Why do you need information from an American newspaper when it’s clearly explained in the posts above.
An analogy here is that Timpsons would be required to keep a copy of every key they cut and store it with your details, just in case the police want to rummage through your sock drawer without asking you.
As a kid I was sent on an errand to the village key-cutter and cobbler to get a new key cut for our back door. I handed him the key, he glanced at it, turned round and picked up a key from a bunch hanging on a nail and sold it to me. Our house was one of an estate of 1970s new-builds. It turned out all the houses - approx 400 or so - had been fitted with keyed-alike locks.
Well it's not explained is it, it's just 2nd and third hand journalistic conjecture unless we see the original source.
Also, could you point me in the direction of the source for HMG going public that you mention please?
ta.