Liberty News

The Washington Post reports:

Security officials in the United Kingdom have demanded that Apple create a back door allowing them to retrieve all the content any Apple user worldwide has uploaded to the cloud.

The British government's undisclosed order, issued last month, requires blanket capability to view fully encrypted material, not merely assistance in cracking a specific account, and has no known precedent in major democracies. Its application would mark a significant defeat for tech companies in their decades-long battle to avoid being wielded as government tools against their users.

Rather than break the security promises it made to its users everywhere, Apple is likely to stop offering encrypted storage in the U.K., the people said. Yet that concession would not fulfill the U.K. demand for backdoor access to the service in other countries, including the United States.

The Home Office has served Apple with a document called a technical capability notice, ordering it to provide access under the sweeping U.K. Investigatory Powers Act of 2016, which authorizes law enforcement to compel assistance from companies when needed to collect evidence'

Apple can appeal the U.K. capability notice to a secret technical panel, which would consider arguments about the expense of the requirement, and to a judge who would weigh whether the request was in proportion to the government's needs. But the law does not permit Apple to delay complying during an appeal. Apple would also be barred from warning its users that its most advanced encryption no longer provided full security.

Meredith Whittaker, president of the nonprofit encrypted messenger Signal, said:

Using Technical Capability Notices to weaken encryption around the globe is a shocking move that will position the UK as a tech pariah, rather than a tech leader. If implemented, the directive will create a dangerous cybersecurity vulnerability in the nervous system of our global economy.

An article from computerweekly.com provides some interesting details about the secret technical panel which hears appeals about unviable technical capability notices. It is called the Technical Advisory Board (TAB) and is charged with reviewing secret legal orders given to internet communications companies to arrange surveillance of their users, and to copy their emails and files, or to monitor their calls and videos.

Enquiries by Computer Weekly this week revealed, astonishingly, that the Home Office had failed to renew the contracts for TAB members so maybe there is a little disarray there.

Apple says it will remove services such as FaceTime and iMessage from the UK rather than weaken security if new UK government proposals are made law and acted upon.

The government is seeking to update the Investigatory Powers Act (IPA) 2016. It wants messaging services to clear security features with the Home Office before releasing them to customers. The act lets the Home Office demand security features are disabled, without telling the public. Under the update, this would have to be immediate.

Currently, there has to be a review, there can also be an independent oversight process and a technology company can appeal before taking any action.

WhatsApp and Signal are among the platforms to have opposed a clause in the Online Safety Bill allowing the communications regulator to require companies to install technology to scan for child-abuse material in encrypted messaging apps and other services.

The government has opened an eight-week consultation on the proposed amendments to the IPA. , which already enables the storage of internet browsing records for 12 months and authorises the bulk collection of personal data.

Apple has made a  9 page submission to the current consultation opposing the snooping proposal:

It would not make changes to security features specifically for one country that would weaken a product for all users. Some changes would require issuing a software update so could not be made secretly The proposals constitute a serious and direct threat to data security and information privacy that would affect people outside the UK.

Mozilla, the foundation that produces the Firefox browser explains:

In a well-intentioned yet dangerous move to fight online fraud, France is on the verge of forcing browsers to create a dystopian technical capability. Article 6 (para II and III) of the SREN Bill would force browser providers to create the means to mandatorily block websites present on a government provided list. Such a move will overturn decades of established content moderation norms and provide a playbook for authoritarian governments that will easily negate the existence of censorship circumvention tools.

While motivated by a legitimate concern, this move to block websites directly within the browser would be disastrous for the open internet and disproportionate to the goals of the legal proposal -- fighting fraud. It will also set a worrying precedent and create technical capabilities that other regimes will leverage for far more nefarious purposes. Leveraging existing malware and phishing protection offerings rather than replacing them with government provided, device level block-lists is a far better route to achieve the goals of the legislation.

The rest of the post will provide a brief overview of the current state of phishing protection systems in browsers, the distinction between industry practices and what the draft law proposes, and proposes alternatives to achieve the goals of the legislation in a less extreme manner.

It might seem that current malware and phishing protection industry practices are not so different from the French proposal. This is far from the truth, where the key differentiating factor is that they do not block websites but merely warn users about the risks and allow them to access the websites if they choose to accept it. No such language is present in the current proposal, which is focused on blocking. Neither are there any references to privacy preserving implementations or mechanisms to prevent this feature from being utilized for other purposes. In fact, a government being able to mandate that a certain website not open at all on a browser/system is uncharted territory and even the most repressive regimes in the world prefer to block websites further up the network (ISPs, etc.) so far.

Forcing browsers to create capabilities that enable website blocking at the browser level is a slippery slope. While it might be leveraged only for malware and phishing in France today, it will set a precedent and create the technical capability within browsers for whatever a government might want to restrict or criminalize in a given jurisdiction forever. A world in which browsers can be forced to incorporate a list of banned websites at the software-level that simply do not open, either in a region or globally, is a worrying prospect that raises serious concerns around freedom of expression. If it successfully passes into law, the precedent this would set would make it much harder for browsers to reject such requests from other governments.

We remain engaged in conversations with relevant stakeholders and hope that the final law leads to a more palatable outcome for the open internet.