1. 92

Context, discussed very recently on Lobsters: https://lobste.rs/s/07jh0c/uk_demands_apple_break_encryption_allow

  1.  

    1. 21

      Btw. I guess we can assume that UK wants similar data access from other cloud providers. So if people store data in some other big cloud and expect it to be encrypted securely, they are quite likely wrong.

      And I wonder about smaller cloud setups. I guess UK will go after the largest providers first (Apple, Google, Office365, Backblaze…); but after that they might make the same demands (i.e. “accessing stored data without the victim knowing”) from personal Nextcloud instances?

      1. 2

        I wonder about Google’s Android backup service: it’s supposedly E2EE.

        Any changes to that service in the UK lately?

        1. 7

          E2EE doesn’t say a lot about how many ends there are. I suppose the UK gov’t (and many others) are fine if they are one of those ends as well. In a system that handles both E2EE and storage, that’s painfully simple to do.

          1. 15

            It’s very accepted at this point that the Ends in E2EE must all be end user-controlled or it’s wire encryption and not E2EE

            1. 11

              My reading of @pgeorgi’s comment is they’re suggesting Google have perhaps stretched the definition of “end-to-end” beyond generally accepted limits. That is, in such a way that if legally challenged Google may respond, in floral legalese, “the number of ‘ends’ were never defined”.

              But maybe I’m reading too far :) It’s a plausible theory in any case, albeit conspiratorial in the absence of evidence. Conspiratorial thinking can be a fun and beneficial exercise, sufficiently constrained.

              1. 7

                It’s basically impossible to ensure, though.

                “E2EE with key escrow” would add a minuscule amount of data and complexity but provide a NOBUS interface into the data for whoever owns the escrow key:

                • A government compels the software provider (say, with a National Security Letter) to encrypt all E2EE keys with a public key provided by the government and send that encrypted data along.
                • Those encrypted keys are of no use to the software provider, all they can do is pass them along.
                • The government can decrypt the E2EE data once they get hold of it using the E2EE keys they decrypted after receiving them from the software provider.

                If the software provider is the same organization as the storage provider, they can hide the matter even better: for example, increase session id length and encode the encrypted keys in those spare bits in an https header that looks pretty random to begin with. Filter out bits that represent the encrypted key on the server and pass them to the government as they come in.

                From everybody’s perspective except those controlling the escrow key (that government), it still looks like a complete E2EE scheme. In particular, the storage provider can’t access the data, so that’s stronger than wire encryption.

                Those encrypted keys are so small, relatively speaking, that they won’t necessarily raise red flags in transit or at rest. The only way is a complete audit of the software. Between “app stores” as preferred delivery mechanism and “auto updates” being applied whenever the distributor wants (or is asked to), at least on platforms like Apple’s/Android that sparked the discussion, you rarely can be sure that you’re running what you audited.
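The escrow scheme sketched in the comment above, written out as an added example (not code from the original thread, from Apple, or from any real product). It assumes a made-up client that encrypts an upload under a fresh data key, wraps a copy of that key to an escrow X25519 public key, and hides the 92-byte result in a field the storage provider treats as an opaque "session id". The provider stores both and can open neither; whoever holds the escrow private key can recover the data key and then the data. Names (`ClientUpload`, `EscrowRead`, `Upload.SessionID`) and the sample plaintext are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Upload is the storage provider's view: an AES-GCM ciphertext plus a header
// field that looks like a random session id. In this model the "session id" is
// really the data key wrapped to the escrow public key. The provider holds no
// key that opens either part, so from its side the scheme still looks E2EE.
type Upload struct {
	Nonce      []byte
	Ciphertext []byte
	SessionID  []byte // 32 ephemeral pub || 12 nonce || 32 key + 16 tag = 92 bytes
}

func aesGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// wrapToEscrow encrypts dataKey to escrowPub: ephemeral X25519 ECDH, SHA-256 as
// the KDF, AES-256-GCM with the escrow public key bound in as associated data.
func wrapToEscrow(dataKey []byte, escrowPub *ecdh.PublicKey) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(escrowPub)
	if err != nil {
		return nil, err
	}
	kek := sha256.Sum256(shared)
	aead, err := aesGCM(kek[:])
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append([]byte{}, eph.PublicKey().Bytes()...)
	out = append(out, nonce...)
	return aead.Seal(out, nonce, dataKey, escrowPub.Bytes()), nil
}

// unwrapFromEscrow is the step only the escrow private key holder can perform.
// Any other key yields a different shared secret and fails GCM authentication.
func unwrapFromEscrow(blob []byte, escrowPriv *ecdh.PrivateKey) ([]byte, error) {
	if len(blob) < 32+12+16 {
		return nil, errors.New("escrow blob too short")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(blob[:32])
	if err != nil {
		return nil, err
	}
	shared, err := escrowPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	kek := sha256.Sum256(shared)
	aead, err := aesGCM(kek[:])
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, blob[32:44], blob[44:], escrowPriv.PublicKey().Bytes())
}

// ClientUpload is the backdoored "E2EE" client: the data key never leaves the
// device in the clear, but an escrow-wrapped copy rides along in SessionID.
func ClientUpload(plaintext []byte, escrowPub *ecdh.PublicKey) (Upload, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return Upload{}, err
	}
	aead, err := aesGCM(dataKey)
	if err != nil {
		return Upload{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Upload{}, err
	}
	sid, err := wrapToEscrow(dataKey, escrowPub)
	if err != nil {
		return Upload{}, err
	}
	return Upload{Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, nil), SessionID: sid}, nil
}

// EscrowRead is what the escrow key holder does once the provider passes the
// stored ciphertext and the harvested "session ids" along.
func EscrowRead(up Upload, escrowPriv *ecdh.PrivateKey) ([]byte, error) {
	dataKey, err := unwrapFromEscrow(up.SessionID, escrowPriv)
	if err != nil {
		return nil, err
	}
	aead, err := aesGCM(dataKey)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, up.Nonce, up.Ciphertext, nil)
}

func main() {
	escrowPriv, _ := ecdh.X25519().GenerateKey(rand.Reader)
	up, _ := ClientUpload([]byte("constructed sample: my private notes"), escrowPriv.PublicKey())
	fmt.Printf("provider sees %d ciphertext bytes and a %d-byte session id\n", len(up.Ciphertext), len(up.SessionID))
	other, _ := ecdh.X25519().GenerateKey(rand.Reader) // the provider, or anyone else
	_, err := EscrowRead(up, other)
	fmt.Println("without the escrow key:", err)
	pt, _ := EscrowRead(up, escrowPriv)
	fmt.Println("with the escrow key:", string(pt))
}
```

The point the code makes concrete: the extra cost of the backdoor is 92 bytes per upload and one ECDH, nothing in the ciphertext itself changes, and a network or storage audit sees only random-looking bytes. Only an audit of the client binary, and assurance that the audited build is the one actually running, can rule this out.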

                1. 2

                  So by “basically impossible to ensure,” you meant specifically under the regime of mobile app stores and auto-updates.

                  1. 4

                    That’s the context of the article, and it’s the reality of most computer users these days. My important data is air gapped, which sidesteps the entire issue, but that’s far from the reality of most, and so is compiling your own E2EE system software after carefully auditing it, from the firmware and kernel upwards.

                    1. 3

                      I think there’s a middle ground where source code is available and builds are signed and reproducible.

          2. 1

            You have to wonder if they’ll outlaw encryption entirely. I mean, you would expect the true criminals to simply move to some homegrown system where they encrypt things themselves. It’s only the lazy/dumb criminals they’ll catch with this Apple thing.

          3. 11

            With plenty of other Western governments hungry to attack digital privacy under their current administration, this is going to prove to be letting the camel’s nose into the tent. They will be lining up to be the next customer of this feature.

            1. 2

              I thought US and UK secret services potentially share this type of data freely? Something Five Eyes or whatever, for five agencies?

              1. 2

                Five countries: US, UK, Canada, Australia, New Zealand

            2. 5

              I’m curious to what extent Apple’s hand was forced here. Their stance has consistently been pro-user privacy, and their actions generally reflect that. Was this Apple flipping the table on the U.K. after being asked to do something far worse? (Matthew Green had some commentary on this)

              1. 6

                Their hand was 100% forced. The UK demands are fundamentally incompatible with ADP. Unless you’re saying it is an option to just pretend to deliver E2EE while backdooring it?

                1. 4

                  Isn’t that what they did for Chinese users? Building a custom secret store out of hardware with known local security vulnerabilities and hosting it in Chinese government owned datacenters. But it’s much easier for Apple to tell the UK to suck it up than China.

                  1. 10

                    Apparently the UK did not just require access to UK accounts (which they will have with the removal of E2E in the UK) but direct global access.

                  2. 1

                    My bad—my question wasn’t well formulated. The time between the UK’s initial backdoor request and Apple pulling ADP from UK users was surprisingly short. I’m wondering why they had to comply so quickly instead of fighting longer. I don’t think they’d give in unless it was absolutely necessary or something bigger was at risk.

                    1. 8

                      You’re missing the point - if the UK government has a law that says ADP is illegal, Apple can’t offer it, just like they can’t offer a door-to-door hitman service - they could go to court to fight the law (though in the UK that’s much harder), but while doing so they still can’t offer the service (unless they got some kind of injunction, which - because it’s the UK - is again unlikely).

                      Simply not offering the service, so that UK residents have less data security than anyone else, is the solution, and it is far better than trying to pretend some broken system is in any way secure. Governments need to understand that they don’t get to demand broken encryption and simultaneously pretend they’re not responsible for the security damage it does.

                      1. 1

                        That’s fair. I’m probably definitely overstating Apple’s ideological ability to say just “nah fam”.

                        And shareholders aren’t usually keen on exiting entire markets.

                      2. 5

                        It wasn’t a backdoor “request”, it’s a demand. The UK told Apple they have to do xyz and can’t reveal that they’ve done it. There’s nothing to fight, it’s an order.

                    2. 5

                      The options are (1) backdoor the encryption - thus defeating it for everyone else or (2) do not offer it at all.

                      Hopefully the apparent “in future you will be required to turn this off” will come with a message along the lines of “the UK government has required us to store your data in a way that can be read by hackers, monetized by us, and provided to any government agency that requests it - without your knowledge - if you could please enter your password now that would be greatly appreciated”

                      1. 2

                        I will eat my hat if Apple ever does such a thing. They will say the local regulations require the user to disable it and that’s it. No sarcasm will be employed.

                        1. 1

                          “the UK government has required us to store your data in a way”

                          That would be contravening the technical capability notice which requires the provider to keep any actions secret.

                          1. 2

                            No. That’s literally the entire point.

                            If you offer a service that is actually secure, you’re required to silently downgrade it to a non-secure system and you cannot tell the victims.

                            Alternatively you do what apple is doing and say “We are not going to offer a system in which we claim certain levels of security that are not possible, or could be actively downgraded in future without user consent or notice solely to support totalitarian governments and incompetent law enforcement”.

                            The technical capability notice only applies to services you provide, and the existence of that law means that any company operating in the UK that claims to offer secure storage is lying, maybe in future they’d adopt a demand that you not take down any service, but the way to defend against that is to not offer such a service in any country that has such an atrocious human rights record - and while everyone thinks of the US police force when they think of corrupt police, remember the UK police are notorious for violating human rights and the only difference is that they don’t murder people as often.

                        2. 4

                          The UK government’s demand came through a “technical capability notice” under the Investigatory Powers Act (IPA), requiring Apple to create a backdoor that would allow British security officials to access encrypted user data globally.

                          1. 4

                            oof, demanding global access is wild.

                          2. 1

                            Yes, if I understand you correctly - as mentioned in the beginning of this article (and reported earlier elsewhere) the UK government asked them to backdoor ADP.

                          3. 4

                            I for one am greatly anticipating the many geohacking blog posts telling us how to get ADP back by pretending to be not in the UK.

                            1. 16

                              They added a daemon (countryd) to geofence features that uses input from many sources (GPS, cell tower data, etc.) so it’s not really easy unless you have a jailbroken device that can bypass that daemon.
                              But… that was for things they didn’t want people to use (mainly sideloading in the EU). Hopefully here they decided to use something spoofable, which seems possible given they don’t have a strong internal incentive to geofence it.

                              See https://theapplewiki.com/wiki/Eligibility and https://theapplewiki.com/wiki/Filesystem:/usr/libexec/countryd

                              1. 26

                                I was able to bypass those checks. Stay tuned for an upcoming blog post about it :)

                                1. 4

                                  They might have an incentive once the government comes along going “here’s a chunk of data from your server, make it readable. By the way, non-compliance might mean jail time for contempt of court for whoever is in charge of the UK company.”

                                  Therefore I’d guess they go for the strongest option they have.

                                2. 2

                                  It’s not just some geofencing. Apple iCloud accounts are country-specific. The probability of hacking the iCloud infrastructure to enable this for a UK account is close to zero.

                                3. 3

                                  It’s not so popular these days but you can really avoid a lot of strife with a couple of USB hard drives and a bit of routine for rotating them. Doubly so for Apple users where Time Machine is so complete and effective.

                                  1. 3

                                    Are you suggesting people can just use self-encrypted hard drives as an ADP replacement? That’s not reasonable. ADP is about E2E encrypting data used by most iCloud services, not just files in iCloud Drive. For example, Mail in iCloud mail. Unless your encrypted hard drives also have a suite of software services on top of them that communicate with all your devices, they aren’t a replacement. List of services can be found here: https://support.apple.com/en-us/102651

                                    1. 4

                                      I assume it’s a mistake that you mention mail? That one fairly obviously has to be handled in cleartext by Apple. I’ve been out of the ecosystem for a few years but doesn’t iPhone sync directly with Macs over USB and LAN for photos, contacts and so on?

                                      But if it sounds like I’m proposing we stop trading off data autonomy at the first whiff of multi-device always-on convenience, then yes that would also be true.

                                      1. 3

                                        Yes, sorry, I meant Messages and not Mail.

                                        It’s not just “multi-device always-on convenience.” iCloud lets you share a file, send a message, get a reminder, save a bookmark in your browser, store a movie ticket pass, save points on a map, etc. Saying you can replace this with an encrypted hard drive is nuts.

                                        1. 4

                                          Backing up with iTunes and USB cables is also unnecessarily painful. There is no automated backup. You have to stand there and wait for the passcode prompt to come up every time you want to do a backup, at least on Windows. It is messy and error prone. And if you accidentally hit don’t trust instead of trust even just once by accident, you are in for a world of hurt. Apple has made local backup very painful recently.

                                          1. 7

                                            Apple has done a great job at making non-cloud backups suck, which is completely hypocritical given their supposed privacy stance, since they own the keys to the cloud backups, so they now own every iOS user’s data (except those using ADP).

                                            I use backup over WiFi. It still requires typing the passphrase (which they have an incentive to keep to push people on iCloud).

                                            I’m using https://imazing.com to do the backups, I don’t remember the hard requirement I had for it but I think it’s because it initiates backups on its own, so the only manual step is the passphrase prompt.
                                            You can customize the initiation conditions like minimum battery, time period. It’s not the best software ever but works fine as a set it and forget it solution for me.

                                      2. 2

                                        Time Machine can do encrypted backups to any SMB server and iOS can back up to a Mac (over WiFi) so you can quite easily back up all of your Apple devices without iCloud. The iOS devices periodically sync to the Mac, and the Mac does incremental backups to the SMB server. The Time Machine backups are to an encrypted disk image containing an APFS filesystem on the server, so the server just sees a sparse bundle with a load of files inside for chunks of the disk. You need to back up the encryption key separately if you do this, but it gives you off-site backups.

                                      3. 1

                                        Or simply encrypting yourself before uploading into the cloud?

                                      4. 2

                                        Seems like this was a less-bad option, but I’m worried about what happens when they demand a backdoor for all users, and how do we find out when/if an iOS device has been compromised in such a fashion?

                                        1. 1

                                          How is opening the front door worse than introducing a backdoor?!? This is the worst outcome possible and it’s a sign of things to come, for every service and all providers. E2E will simply be made unlawful, hence unavailable.

                                          1. 2

                                            I didn’t say it was a good outcome, but surreptitiously* introducing a backdoor surely would have been worse than pulling the service and giving everyone a clearer indication of what is happening behind the scenes. That is, you can still likely trust ADP if you have it enabled.

                                            *My understanding is that the UK law in question forbids a company from commenting on the backdoor mechanism

                                        2. [Comment removed by author]

                                          1. -8

                                            tsk tsk should have used signal

                                            1. 17

                                              For calendar syncing? For health data? For bookmarks? For contacts? Not sure I follow.

                                              1. 1

                                                oh crap I thought this was about iMessage. I guess they are going after iCloud but iMessage will continue to be presented as E2EE for now?

                                                1. 2

                                                  Sort of- the E2EE guarantees go away if you have iCloud Backup and Messages in iCloud enabled on an account lacking ADP.

                                                  via https://support.apple.com/en-us/102651:

                                                  • Standard data protection: Messages in iCloud is end-to-end encrypted when iCloud Backup is disabled. When iCloud Backup is enabled, your backup includes a copy of the Messages in iCloud encryption key to help you recover your data. If you turn off iCloud Backup, a new key is generated on your device to protect future Messages in iCloud. This key is end-to-end encrypted between your devices and isn’t stored by Apple.
                                                  • Advanced Data Protection: Messages in iCloud is always end-to-end encrypted. When iCloud Backup is enabled, everything inside it is end-to-end encrypted, including the Messages in iCloud encryption key.

                                                  It’s eternally disappointing Apple don’t encourage enrolling in ADP during initial setup, considering they do encourage enrolling in both iCloud Backups and Messages in iCloud.