Encryption United Kingdom Apple

UK Once Again Demands Backdoor To Apple's Encrypted Cloud Storage (arstechnica.com) 67

The UK government has issued a new order to Apple to create a backdoor into its cloud storage service, this time targeting only British users' data, despite US claims that Britain had abandoned all attempts to break the tech giant's encryption. Financial Times: The UK Home Office demanded in early September that Apple create a means to allow officials access to encrypted cloud backups, but stipulated that the order applied only to British citizens' data, according to people briefed on the matter.

A previous technical capability notice (TCN) issued in January sought global access to encrypted user data. That move sparked a diplomatic clash between the UK and US governments and threatened to derail the two nations' efforts to secure a trade agreement.

In February, Apple withdrew its most secure cloud storage service, iCloud Advanced Data Protection, from the UK. "Apple is still unable to offer Advanced Data Protection in the United Kingdom to new users," Apple said on Wednesday. "We are gravely disappointed that the protections provided by ADP are not available to our customers in the UK given the continuing rise of data breaches and other threats to customer privacy." It added: "As we have said many times before, we have never built a back door or master key to any of our products or services and we never will."

  • by Sebby ( 238625 ) on Wednesday October 01, 2025 @03:26PM (#65696200) Journal

    The UK government has issued a new order to Apple to create a backdoor into its cloud storage service

    UK government is a Privacy Rapist. 'nuff said.

    • Re: (Score:2, Insightful)

      They're just jealous the NSA has backdoors into Apple and the USG isn't sharing. We know this is true from the Snowden Leaks.
      • by Anonymous Coward

        obviously you have proof of this.

        (notice is not a question, and i don't want to hear your nonsense.) links or shut the fuck up.

        • Maybe not to the NSA, but they do have this exact sharing agreement with China. It's one of those reasons why you can get an iPhone in China but not an Android phone with Google. For all Apple's claims of protecting your privacy, in the end with China, they showed they don't care about your privacy but Google does. Kinda funny that Google is the ones who are more privacy protecting than Apple is.

          https://support.apple.com/en-us/111754

          Of course other governments are going to want the same deal China has. So I
      • Not just Apple, either (for the US-side)... I really don't think any country has an encryption scheme that the government can't crack.

        • Can you clarify? You say that all governments have computationally-feasible attacks of Rijndael, Serpent and Twofish, that cryptanalysts have no idea exist?

          • (scroll down)
            Told ya.
            The schemes don't have to be attacked... the governments aren't going to let an "encryption scheme they can't decrypt" exist, end of story. If they did, someone could get hired at the Pentagon and just email documents without a care in the world.

            • The schemes don't have to be attacked... the governments aren't going to let an "encryption scheme they can't decrypt" exist,

              But secure "schemes" already exist! You can encrypt storage devices using known algorithms provided by the linux kernel, which you can compile yourself from a tarball downloaded from kernel.org (gentoo user FTW). I admit I have not read the source, but many eyes have.
              I agree with if it's about commercial cloud offers, but elsewhere you can deploy your own crypto. Your only vulnerability is the "trusting trust" paper which is theoretical.

              • I admit I have not read the source, but many eyes have.

                I love it when people come out with the "It's open source, many eyes have looked at it so it must be fine." Well many eyes looked at the SUDO command which is in pretty much every Linux distro there is yet there was a serious privilege escalation vulnerability that existed for TWELVE YEARS [cyberpress.org], only finally getting fixed a few months ago.

                • So you found 1 old vulnerability in the code of some popular software, therefore... the government can crack my encrypted SSD?

                  There are probably thousands of privilege escalation vulnerabilities out there. If an attacker has a local account, you can consider it's game over. sudo is shipped but you're not obliged to configure it to work. Personally I never even installed it as the existence of sudo on a machine is an OBVIOUS security flaw in itself.

                  But we're talking cryptography algorithms, not a random p

                • don't use sudo. or systemd.
                  you don't need either
        • Key exchange over an untrusted medium has always been a problem. It's why the one true crypto method that can't be broken is OTP (one-time pad). That works because the key exchange is offline/beforehand. But in real world situations where this isn't possible, public/private key encryption with sufficient difficulty probably is good enough (IMHO). How hard it is to break likely comes down to the implementation. If you can't personally audit every code line, trust is involved, so it better be someone trustwort
          • Re:encryption (Score:5, Interesting)

            by alexgieg ( 948359 ) <alexgieg@gmail.com> on Wednesday October 01, 2025 @05:06PM (#65696468) Homepage

            Nothing has indicated Apple has "played ball" with the govt as far as backdoors, and from some stories (unlocking terrorists phones) it seems as though the govt doesn't have any.

            There's one simple metric to know whether the government has access to encrypted data: angry calls by law enforcement agencies making repeated requests for lawmakers to force companies to allow access to encrypted data.

            Consider how, until several years ago, the FBI and other US TLAs were arguing all the time for access to encryption, with media reporting on that almost non-stop. Consider how they all stopped talking about it a few years later, and to this day still say little to nothing about it. Now, what's more likely: that they conformed to the fact they'll never get access to it so stopped trying; or that they don't need to ask anymore?

            By using this metric it's clear the UK and the EU don't have access to encrypted content from Apple and other big techs, while US most certainly does. The moment UK and EU officials stop talking about this we'll know they, too, got access to it.

            • by unrtst ( 777550 )

              By using this metric it's clear the UK and the EU don't have access to encrypted content from Apple and other big techs, while US most certainly does. The moment UK and EU officials stop talking about this we'll know they, too, got access to it.

              This is the sort of logic that leads to beliefs like the flat earth.

              • This is the sort of logic that leads to beliefs like the flat earth.

                No, it's basic "canary in the coalmine" logic: the moment it stops singing you know something is wrong.

              • Did the threat stop? If not, then why aren't US govt reps still complaining about it? It's not like they have been friends of Apple or big companies lately.

          • You are correct about key exchange over untrusted channels. So I don't know the one time pad thing, but it sounds like pre-shared keys, which are post quantum resistant, afaik. Wireguard has this for that reason.

            but you know about the undocumented hardware registers that Kaspersky found a few years ago on Apple hardware, right? Should come up on a google search, I don't have the reference handy, but.... ummm.. surprise! Apple did something that you're not supposed to know about.... gee... I wonder what tha
      • Everything Snowden exposed has been patched long since. He let those companies know they were compromised; they figured out how and took care of it. That doesn't mean governments aren't paying people to find new ways in, of course, but what they had before is certainly gone.
    • US Government = Free Speech of Russia Comedians can’t make a comment about possible shooter political affiliation. Repeaters can’t report on Pentagon without vetting and clearance of material obtained from public records. Beachgoers can’t arrange seashells into the pattern 86 47 and post an image on social media. Basically 1984.
      • * Reporters not repeaters. And holy shit, is there a way to write formatted text in this binfire website? Maybe even markdown or something. Jesus wow.
        • by XanC ( 644172 )

          Did you try markup? HTML works.

          • Yeah but manually entering html tags in 2025 is a bit of a ball-ache. Do you seriously add angle bracket letter P close angle bracket on every paragraph? At least they finally got Unicode working, kinda.
            • by Sebby ( 238625 )

              Yeah but manually entering html tags in 2025 is a bit of a ball-ache. Do you seriously add angle bracket letter P close angle bracket on every paragraph?

              Slashdot is a testament to the 90s web, a site frozen in time.

              At least they finally got Unicode working, kinda.

              LOL

              • I find myself often putting angle brackets "P" and other tags while typing on other sites...haha.

                I have it so ingrained from being here for so long...

      • Free Speech of Russia Comedians can’t make a comment about possible shooter political affiliation.

        Bullshit. What happened was a disgusting display by the people celebrating the dead person's death, praising the shooter, and then you have the retard on TV say "Oh the shooter's maga" when it turns out he'd been radicalized into his actions by trans and trans-supporting loons. Shooter has a trans lover.

        But before any of that was known, that idiot had to go on TV and throw the blame at one group, when it was the exact opposite group that radicalized him.

        I feel for his parents. I grieve for the nation. I

        • by Pascoea ( 968200 )

          and then you have the retard on TV say "Oh the shooter's maga"

          Except that's not what he said. The actual quote: "We hit some new lows over the weekend with the MAGA gang desperately trying to characterize this kid who murdered Charlie Kirk as anything other than one of them, and doing everything they can to score political points from it." Yes, it's not too much of a stretch to go from those precise words to "oh the shooter's maga", but it's still stretching his words and not what he said.

          • Exactly.

            In the early hours and days after the shooting, the MAGA gang indeed WERE desperately trying to characterise the kid who murdered Charlie Kirk as anything other than one of them, and indeed WERE doing everything they can to score political points from it. It’s funny because it is true. And it is exactly as Kimmel said. And it is free speech. And they got him taken off air for saying it.

            1984.

            • by Pascoea ( 968200 )
              I agree with both you and Kimmel: from my viewpoint that uninformed deflection was for sure going on, amongst much other speculation. I actually had a "which was absolutely happening" comment in there, after Kimmel's quote, but I deleted it. My goal was to stay as neutral and on-point as possible.
  • Go f yourself with a cactus please.
    • Re: (Score:3, Funny)

      by mrbester ( 200927 )

      As a fellow Brit, I concur with the rider that said fucking should be performed repeatedly and sideways.

  • by MpVpRb ( 1423381 ) on Wednesday October 01, 2025 @03:42PM (#65696262)

    ...security or no security
    It's impossible to design a system that is secure against the bad guys and insecure against the good guys
    It's also impossible to define who the good guys are, or guarantee that they will always be good
    Lawyers and politicians need an education in tech reality

    • I suspect they might implement a two tier system. Presumably they make enough from the UK they won't exit so I expect a second system to be rolled out with a completely insecure design. The rest of the world will continue to run as before.
    • ...security or no security

      Yes but to be fair any system that allows for decryption of the data is insecure because, if you can encrypt the data then so can the bad guys even if that means they have to turn up at your house and hold a gun to your head to get the decryption key. Hence, if you want to reduce security to a simple binary choice we always chose the 'no security' option because absolute security is rather pointless.

      • ^a million percent^
        If I encrypt an email and send it to you, your computer HAS to either have the decryption key already, or it HAS to include the key with the message... otherwise, what's the point? You'll just get an email of junk. If it's a thing that's done in the browser, then the browser, once again, has to have the key (or the email provider). If it's an open-source standard, then it's well known how to decrypt it... "if you have instructions how to scramble these letters, it's pretty much useless

    • by gurps_npc ( 621217 ) on Wednesday October 01, 2025 @04:12PM (#65696350) Homepage

      I do not consider that to be 'tech reality', I consider it to be simple logic.

      The point of encryption is secrecy. Effective secrecy against bad guys means effective secrecy against governments because there exists governments in the world that are bad guys.

      Therefore if I want to design secrecy effective against North Korea it requires me to design secrecy effective against the UK.

      In addition, if you do not recognize the need for secrecy against North Korea is greater than your need to know what I am hiding then you are NOT a good guy.

      • by jonwil ( 467024 )

        If the only way to catch a particular bad guy is to weaken security for everyone (backdoors, hoarding exploits, deliberately weak encryption etc etc) then I say that bad guy should go uncaught.

        And I would hold that position no matter who the bad guy might be.

    • When you are the center of the world, you are always the good guy. Other people won't agree, but they do not matter as you are the center of the world.

  • Say no to cloud (Score:5, Insightful)

    by anoncoward69 ( 6496862 ) on Wednesday October 01, 2025 @04:06PM (#65696342)
    This is why you NEVER use cloud storage. If you have no choice but to use cloud storage you should be encrypting the data outside of the cloud or any "backup / syncing" software required for the cloud. If it's encrypted in the cloud the cloud provider 100% has the private key to decrypt. If it's encrypted in their backup / syncing software they most likely can also have a copy of the private key or have a backdoor to decrypt. If you encrypt it separately then only you have the private key and the only way anyone is decrypting it is to brute force it or use a vulnerability to break it.
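
The approach this comment describes, encrypting before any backup or sync client touches the data, shown as an added example that is not part of the original post. It assumes Node.js with its built-in `crypto` module; the `CSE1` blob layout, the function names, the scrypt parameters and the sample strings are constructed for illustration.

```javascript
// Added example: encrypt locally, upload only the sealed blob.
const crypto = require("crypto");

const MAGIC = Buffer.from("CSE1"); // constructed format tag, not a standard
const HEADER = 4 + 16 + 12 + 16;   // magic | salt | nonce | GCM tag
// scrypt cost parameters are an assumption; tune N for your hardware.
const SCRYPT = { N: 1 << 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

// The key is derived on the user's machine and never leaves it.
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32, SCRYPT);
}

// Returns the bytes that are safe to drop into a sync folder.
function seal(plaintext, passphrase) {
  const salt = crypto.randomBytes(16);  // fresh per blob
  const nonce = crypto.randomBytes(12); // fresh per blob, never reused with a key
  const cipher = crypto.createCipheriv("aes-256-gcm", deriveKey(passphrase, salt), nonce);
  cipher.setAAD(MAGIC); // bind the format tag into the authentication
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([MAGIC, salt, nonce, cipher.getAuthTag(), body]);
}

// Throws if the passphrase is wrong or the stored blob was modified.
function unseal(blob, passphrase) {
  if (blob.length < HEADER || !blob.subarray(0, 4).equals(MAGIC)) {
    throw new Error("not a CSE1 blob");
  }
  const salt = blob.subarray(4, 20);
  const nonce = blob.subarray(20, 32);
  const tag = blob.subarray(32, 48);
  const decipher = crypto.createDecipheriv("aes-256-gcm", deriveKey(passphrase, salt), nonce);
  decipher.setAAD(MAGIC);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(blob.subarray(HEADER)), decipher.final()]);
}

// What the storage provider can and cannot do with the uploaded bytes.
function providerView(blob, guess) {
  try {
    unseal(blob, guess);
    return "decrypted";
  } catch (err) {
    return "opaque";
  }
}

const sample = Buffer.from("constructed sample: contents of a backup archive");
const uploaded = seal(sample, "local passphrase (constructed)");
console.log("bytes uploaded:", uploaded.length);
console.log("provider without passphrase:", providerView(uploaded, "guess"));
console.log("owner round-trip ok:", unseal(uploaded, "local passphrase (constructed)").equals(sample));
```

Because AES-GCM authenticates the ciphertext, a blob altered while in storage fails to decrypt rather than yielding silently corrupted data.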
    • by dgatwood ( 11270 )

      This is why you NEVER use cloud storage. If you have no choice but to use cloud storage you should be encrypting the data outside of the cloud or any "backup / syncing" software required for the cloud. If it's encrypted in the cloud the cloud provider 100% has the private key to decrypt. If it's encrypted in their backup / syncing software they most likely can also have a copy of the private key or have a backdoor to decrypt. If you encrypt it separately then only you have the private key and the only way anyone is decrypting it is to brute force it or use a vulnerability to break it.

      More to the point, this is why governments — the United States government in particular — need to demand that Apple open up their platform to allow third-party backup tools so that users can choose whether to use iCloud backups, Google Drive backups, Dropbox backups, CrashPlan backups, a not-yet-existing tool that backs up to a NAS on your home network whenever you're at home and to an encrypted disk image on iCloud when you aren't, etc. That puts the backup companies in competition with one an

      • Backup to your home NAS already exists. It's called a VPN back to your home network and using an rsync client on your phone to rsync to your NAS. You're better off to rsync overnight while on your home WiFi, but the VPN works if you really need to rsync away from home.
        • It's also great if you're paranoid about TSA / Customs snooping on your device. Just factory reset it before going through the checkpoint then re-setup your VPN and rsync everything back once you're not in hostile territory.
        • by dgatwood ( 11270 )

          The problem is that the iOS sandbox makes a full backup via rsync impossible, because except as permitted by specific entitlements, apps don't have access to other apps' private sandboxed data (as opposed to data that the app intentionally stores in a shared location), and unless something has changed very recently, there is no "full disk access" sandbox entitlement or equivalent on iOS(*).

          * There are at least ostensibly ways to create magic sandbox escapes that would give an app that ability, but I'm 99.9

          • by HiThere ( 15173 )

            Well, this is a bit old, and may not apply anymore, but you used to be able to backup entire disk partitions from Linux on the Apple. (But that might have been from a live CD, I don't remember.)

            • by dgatwood ( 11270 )

              Well, this is a bit old, and may not apply anymore, but you used to be able to backup entire disk partitions from Linux on the Apple. (But that might have been from a live CD, I don't remember.)

              Ah. I understand the confusion. You're talking about a Mac. The Mac platform isn't truly locked down; you can give any app full disk access trivially in System Settings, etc. This is mainly for historical reasons, because taking away privileges is a lot harder than never having them in the first place, and a lot of apps wouldn't work at all if you couldn't.

              When talking about Apple's locked-down platform, I was referring to iOS (iPhone, iPad) and, by extension, iOS derivatives like VisionOS and WatchOS.

    • Yes as a terrorist I would take some precautions and not use cloud storage. But what do you mean "this is why" you don't use cloud storage in a general sense? Someone can request access to data. That is very vague. What does this mean for the average Brit?

      That is what most of these discussions miss. The average Brit is going to see your post, shrug, and keep happily putting their holiday pics up on their Cloud storage, giving precisely zero fucks if some government secret service operative is masturbating t

    • The threat to UK privacy is particularly interesting because they've already experienced cloud storage that was cracked on a weekly basis. I'm talking about voice messages. News of the World was allowed to spy on celebrities' phone calls for (about) 5 years because no-one was interested in stopping their criminal behaviour. Then suddenly, the police were very interested.
  • by Growlley ( 6732614 ) on Wednesday October 01, 2025 @05:28PM (#65696530)
    they (uk) just ask the american alphabet organisation for that info and those organisations get the same in return from the uk.
  • The Empire on Which the Sun Never Sets sure seems to be intent on becoming a mean little shithole.

    There's always been a nasty streak there, but creeping incompetence seems to be making it worse.

    Glad I saw some of it when I did.

    • V for Vendetta was set in the UK for a reason, it would seem. We aren't doing too much better here in the USA, but we haven't succumbed to complete censorship and mass-immigration of brown Muslims, yet. So, thank $dog for small favors.
  • As a US citizen living in the UK, how is this new approach going to work?
