The United Kingdom Requested Apple to Implement a Backdoor in iCloud
The UK government put forward a request last month, urging Apple to reduce the security measures of iCloud for its global users. Apple has now taken measures to comply with this request for users based in the United Kingdom. However, the legislation in the UK stipulates that Apple must provide its government with access to individuals worldwide. If the government requires Apple to lower its security measures on a global scale, it could heighten the cyber risks for everyone in an already perilous cybersecurity landscape.
If you are a user of iCloud, you have the choice to activate a feature known as “advanced data protection,” or ADP. When this mode is enabled, a significant portion of your information is encrypted end-to-end. This ensures that even individuals at Apple are unable to access this data. This restriction is maintained through mathematical principles—specifically cryptography—rather than through policies. Even if there is a successful breach of iCloud, the intruder would not be able to access ADP-secured data.
By utilizing a contentious provision within the 2016 Investigatory Powers Act, the UK government intends for Apple to alter iCloud to introduce a “backdoor” to ADP. This alteration would facilitate future scenarios where the UK police might request Apple to eavesdrop on a user. Rather than integrating such a backdoor, Apple has suspended ADP in the UK market.
If the UK government persists in its requests, the consequences will be significant in two aspects. Firstly, Apple cannot restrict this capability solely to the UK government or to governments aligning with its political stance. If Apple complies with data turnover requests from a government, other nations will anticipate similar levels of compliance. For instance, China may demand that Apple discloses information on dissidents. Given Apple’s existing reliance on China for sales and manufacturing, it may not be feasible for Apple to decline such demands.
Secondly, once a backdoor is established, unauthorized entities may attempt to exploit it covertly. A technical entry point cannot be confined to individuals possessing legitimate authorization. The mere presence of this access route encourages other entities to attempt unauthorized access. In 2004, hackers (their identities remain unknown) infiltrated a major Greek cellphone network through a backdoor, enabling them to spy on various users, including the Prime Minister and other elected officials. Likewise, last year, China hacked U.S. telecom companies, obtaining access to systems allowing eavesdropping on cellphone users, potentially including the presidential campaigns of both Donald Trump and Kamala Harris. This incident led to the FBI and the Cybersecurity and Infrastructure Security Agency recommending that individuals use end-to-end encrypted messaging as a best practice for safeguarding their security.
Apple is not the exclusive provider of end-to-end encryption. Google also offers this feature. WhatsApp, iMessage, Signal, and Facebook Messenger provide comparable security levels. Numerous other cloud storage providers offer end-to-end encryption services. Similar security levels are attainable for smartphones and laptops. If the UK compels Apple to compromise its security, repercussions for these other systems are likely to ensue.
It appears improbable that the UK is operating independently in this matter, without coordination with other countries part of the “Five Eyes” alliance, which includes the United States, Canada, Australia, and New Zealand—a coalition known for extensive information sharing among English-speaking nations. Australia implemented a comparable law in 2018, granting it the authority to mandate companies to weaken their security features. While there is no known instance of this law being applied to enforce security alterations thus far, the potential for a gag order precludes public disclosure. Similarly, the UK law also includes a gag order, with information about the Apple incident only surfacing due to a whistleblower leaking the details to the Washington Post. It remains plausible that similar requests have been made to other companies. Within the United States, the FBI has advocated for similar powers for an extended period. The timing of the UK’s request amidst the foreign policy disruptions of the Trump administration may indicate a strategic opportunity.
It is imperative for companies to resist such mandates, and more significantly, there is a need for public demand to uphold such resistance. Just like the Australian government and the FBI in the past, the UK government asserts that such access is vital for law enforcement purposes, claiming that they are “going dark” due to the pervasive lack of monitoring capabilities in the online realm. Despite persistent claims since the 1990s, there is scant evidence to support this assertion. Numerous court cases involving digital evidence highlight diverse evidence collection methods, the majority of which, such as traffic analysis or informant cooperation, do not rely on encrypted data. Law enforcement agencies require enhanced computer investigative and forensic capabilities, not backdoors.
Each of us can contribute to this cause. If you utilize iCloud, consider activating this feature. Increased user adoption makes it challenging for Apple to deactivate it for individuals reliant on this function to avoid legal repercussions. Moreover, this exerts pressure on other companies to furnish equivalent security measures. Utilizing such features not only benefits those who require enhanced security but also eliminates any implication of guilt through feature activation. This is a notable advantage of opting for WhatsApp over Signal, given the extensive global user base of WhatsApp, undoing any suspicions associated with having the app installed.
On a policy level, we face two choices. Security systems should be universally effective, rather than catering to specific entities. We have the option to bolster the security of our communications and devices to withstand any potential intrusions, be they from foreign intelligence agencies or domestic law enforcement, thereby safeguarding everyone, including, regrettably, malevolent individuals. Conversely, compromising security undermines safety for all parties, both law-abiding citizens and criminals alike.
This dilemma is rooted in the concept of security versus security. While enhanced police capabilities for crime investigation are beneficial for overall security, safeguarding data and communications from unauthorized access is equally imperative. The introduction of a backdoor in Apple’s security framework is detrimental not only on an individual level but also poses risks to national security. In a world where electronic communication and data storage are prevalent, ensuring the robust security of computers and phones—utilized by leaders, legislators, law enforcers, judges, CEOs, journalists, activists, political operatives, and citizens—is paramount. These devices must be fortified against potential breaches, ransomware threats, foreign surveillance, and manipulation. It is noteworthy that the FBI recently recommended the adoption of end-to-end encryption for messaging purposes, void of any backdoors.
The task of securing digital platforms is inherently challenging. Defenders must thwart every intrusion attempt, while eavesdroppers only need a single successful breach. Given the critical role of these devices, adopting a defense-centric strategy is imperative. Any alternative approach compromises the safety of all individuals.
This article was originally published in Foreign Policy.
About Author
