Apple: proposed UK law poses a ‘serious, direct threat’ to security and privacy

According to Apple, the British government’s new surveillance laws go so far as to make it impossible for technology companies to meet all of their requirements, with Apple saying these measures will make the online world more vulnerable.

Apple, WhatsApp, Meta all threaten to shut down British messaging

The UK Home Office is pushing proposals to extend the Investigatory Powers Act (IPA) with a series of proposals that would effectively require messaging providers such as Apple, WhatsApp or Meta to install backdoors into their services. All three services are now threatening to remove the messaging apps from the UK market if the changes continue.

They make these threats for very good reason: you can’t create a backdoor for software that will only be used by the so-called ‘good guys’. Any loophole in the attack chain is identified and exploited.

It is worth mentioning that Apple considers these laws to be so repressive and so offensive to freedom of expression that it is impossible to even enforce, so it should stop offering messaging services in the UK – even if it continues to offer them in China for alleged censorship. continues.

security threat

Furthermore, the regulation the UK is trying to pass is so draconian that it also lacks a rating system and insists that tech companies share security updates with the government before they are released. This poses a major obstacle to a rapid security response to attacks of all kinds, and means the global public remains vulnerable while the Home Office decides what to do.

Apple’s lengthy response contains a number of arguments against the bill’s silly proposals, pointing out that the UK already has an extensive set of rules to regulate it. (The new rules also suggest the Home Office will seize the power to monitor messages from users in other countries.)

The company warned, “Together, these provisions could be used to force a company such as Apple, which would not build a backdoor, to publicly withdraw critical security features from the UK market, thereby UK users may be denied these protections.”

Apple has warned that the expanded powers could dramatically disrupt the global market for security technologies, “putting users in the UK and around the world at greater risk.”

It is impossible to follow the law under international obligations

I won’t go into all the arguments here – you should read them in full – but one set of criticisms is particularly important: even though Apple can comply with UK law, it cannot do so under existing international legal precedents. .

In other words, the UK proposals are inconsistent with rules already in place in partner countries including the US and the European Union (EU). Apple argues that the UK law “would infringe on the right of other governments to determine the balance between data protection and government access in their own countries”. In plain English, this means that the UK is deliberately putting itself in conflict with laws such as the EU’s GDPR and US cloud law.

“Secretly installing backdoors in end-to-end encrypted technologies to comply with UK law for persons not subject to any legal process would be a breach of that obligation” [under GDPR],

As a result, Apple cannot comply with this law under the current regulations and thus has no option but to exit the UK market.

threat to freedom of expression

Worse yet, the way the act is framed effectively means Britain is getting a mandate to impose a global cap on what people can say or share online. “This is very problematic, especially given that the legal systems of most countries recognize freedom of expression as a fundamental individual right,” Apple said.

Another set of arguments relates to how the UK wants to regulate security technologies. It seeks not only to investigate what security technologies are being used, but also to prohibit their use covertly and without oversight or review.

and a security threat

The idea is that a UK minister can issue a notice banning the use of a technology and it must be enforced, even if later review it proves to be inappropriate. This would force companies to pause critical security updates, even when threats have been actively exploited.

No one is safe from this. Apple strongly argues that this is an inappropriate authorization at this time given emerging security threats. The company cited the report as saying that globally, the total number of data breaches has more than tripled between 2013 and 2021.

The law also undermines end-to-end encryption, which helps protect users from attacks, surveillance, fraud, and worse.

my opinion

Apple’s complaints are absolutely valid. The proposals sent by the British government do not take into account the country’s existing obligations. They are also very naive.

Any move to weaken encryption not only makes the UK less secure digitally, but also undermines digital security and privacy in each member country.

Given the value of digital commerce in the UK, the proposals pose a direct threat to economic prosperity, individual liberty and state and corporate security. It is a terrible piece of legislation that would lead to duplicity in any failing authoritarian state. It should be rejected.

Please follow me on Mastodon, or join me on AppleHolic’s Bar & Grill Apple discussions Groups on MeWe.