Apple Tries to Explain to U.K. Legislators That You Can’t Add Back Doors to Secure Protocols

Zoe Kleinman, reporting for BBC News:

Apple says it will remove services such as FaceTime and iMessage from the UK rather than weaken security if new proposals are made law and acted upon.

The government is seeking to update the Investigatory Powers Act (IPA) 2016. It wants messaging services to clear security features with the Home Office before releasing them to customers. The act lets the Home Office demand security features are disabled, without telling the public. Under the update, this would have to be immediate. [...]

WhatsApp and Signal are among the platforms to have opposed a clause in the Online Safety Bill allowing the communications regulator to require companies to install technology to scan for child-abuse material in encrypted messaging apps and other services. They will not comply with it, they say, with Signal threatening to “walk” from the UK.

The BBC headline here is fair: “Apple Slams UK Surveillance-Bill Proposals”. Techmeme’s rewrite of the headline is not: “Apple Threatens to Remove Services Like FaceTime and iMessage From the UK Rather Than Weaken Their Security Under a Proposed Investigatory Powers Act Amendment”. Usually this works the other way around — Techmeme typically rewrites headlines to add clarity and omit clickbait-yness. But Apple (and Signal, and WhatsApp) aren’t making threats here. They’re patiently explaining that E2EE messaging platforms cannot comply with what the U.K. wants to demand. It’d be like trying to comply with a law that declares 1 + 1 = 3.

The U.K. legislators pushing this believe, wrongly, that it must be possible for these messaging platforms to add “good guys only” back doors. That if they pass this law, the result will be that the nerds who work at these companies will be forced to figure out a way to comply. What will actually happen is that these companies will be forced to pull the services from the U.K., because they can’t comply, unless they scrap their current end-to-end encryption and replace it — worldwide — with something insecure, which they aren’t going to do.

The UK, of course, is no longer part of the EU, but the unintended consequences are similar: the intention of the EU’s Digital Markets Act (well, one intention among many) is to force big social networks to collect data in ways that are more respectful of users’ privacy. The actual result is that Threads launched everywhere else in the world but the EU. The intention of the UK’s proposed update to the IPA is to force messaging platforms to make profound technical changes that would allow law enforcement to snoop on messages; the actual result, if it goes into effect, will be to force those messaging platforms out of the UK.

And while it’s Apple and iMessage/FaceTime that are getting the headlines today, it’s WhatsApp that’s the big player in the UK, with 75 percent of adult Britons using it monthly. It’s hard to overstate how much outrage these legislators are poised to bring upon themselves if they effectively ban WhatsApp. (The legislators themselves surely all depend upon it.)

Thursday, 20 July 2023