Apple has taken the nuclear option in response to the UK surveillance demands, disabling Advanced Data Protection (ADP) and the cloud encryption it provides.
News broke in early February that the UK government had issued Apple a legal order demanding that it provide access to users’ cloud backups in a manner that would bypass end-to-end encryption (E2EE). To make matters worse, the UK government wanted this access for ALL iPhone users worldwide, not just those within the UK, prompting U.S. lawmakers to express their concern about the UK’s actions.
To be clear, the order primarily applies to iCloud data backups, including photos and documents, while iMessage and FaceTime communication remains secured via E2EE—at least for now.
In response, Apple has disabled ADP for users within the UK, a move that renders the surveillance order moot at the expense of all UK customers’ privacy and security.
In a statement via The Guardian, Apple expressed its disappointment at the UK government’s actions.
“We are gravely disappointed that the protections provided by ADP will not be available to our customers in the UK given the continuing rise of data breaches and other threats to customer privacy. Enhancing the security of cloud storage with end-to-end encryption is more urgent than ever before.
“Apple remains committed to offering our users the highest level of security for their personal data and are hopeful that we will be able to do so in the future in the UK. As we have said many times before, we have never built a backdoor or master key to any of our products or services and we never will.”
The Bigger Issue
While some may be quick to point out that Apple’s choice leaves UK users without important cybersecurity and privacy protections, Apple made the only choice it could.
Cybersecurity experts, computer scientists, mathematicians, privacy advocates, and industry experts have all warned that E2EE is a binary choice: Either users are protected by strong encryption or they are not. There is simply no way to build a system that utilizes strong encryption and protects users while simultaneously providing a backdoor for law enforcement and government agencies. If a backdoor is provided for one, it can be exploited for all, something the U.S. and its telecom industry discovered with the Salt Typhoon attack.
Does that mean that it will be harder for law enforcement to gain access to the contents of phones belonging to criminals? Yes, it does.
As a point of comparison:
- Do law enforcement agencies require homeowners to provide a key to their dwelling to make it easier for police to access the home if they suspect something illegal is occurring?
- Do government agencies and law enforcement require safe owners to provide a copy of their keys and codes to make access easier if those agencies suspect illegal content is stored in the safe?
The answer to both questions is a resounding “NO.” If law enforcement or government agencies suspect illegal activity within a home, they break the door down. If they suspect illegal content is stored in a safe, they crack the lock or brute force the safe open.
Why should electronic protection be any different? Why should users be forced to suffer a backdoor vulnerability in their phones, tablets, and computers, all on the off-chance they might be doing something illegal? Why should users suffer the risk of that backdoor being compromised by bad actors, something that is a matter of when, not if?
In case it is still unclear, there is simply NO WAY to protect users’ privacy and cybersecurity from being exploited by the “bad guys,” while simultaneously giving the “good guys” a backdoor into that security.
It should be noted: Disabling iCloud’s ADP also doesn’t mean users can’t encrypt their data and protect it using any number of third-party tools or services. In fact, Apple’s decision puts the responsibility on the user to do just that, rather than customers wrongly assuming their data is secured when Apple is bound by a secret surveillance order.
Apple Is Caught Between a Rock and a Hard Place
In this context, Apple made an incredibly difficult decision that proved to be the only one it truly could make.
Apple opted to disable E2EE for cloud backups altogether rather than capitulate to an order that would undermine the safety and security of its users worldwide. The decision also may have the effect of sparking outrage against the UK government, forcing it to backtrack on a truly terrible and irresponsible idea, especially since Apple’s actions also impact the cloud accounts of government officials.
Ultimately, the only way users will truly be safe and secure online is if all parties recognize the important role encryption plays and if more companies and organizations are willing to take the same steps Apple did when official orders violate that safety and security.
from WebProNews https://ift.tt/9yPYOQ3