US tech firm says giving government oversight of security changes could endanger encrypted products
“Apple has warned that planned changes to UK surveillance laws could affect iPhone users’ privacy by forcing it to withdraw security features, which could ultimately lead to the closure of services like FaceTime and iMessage in the country.
The US tech firm has become a vocal opponent of what it views as government moves against online privacy, following a statement last month that provisions in the forthcoming online safety bill endanger message encryption.
Apple’s latest concerns centre on the Investigatory Powers Act 2016, which gives the Home Office the power to seek access to encrypted content via a “technology capability notice” [TCN], which requires the removal of “electronic protection” of data.
End-to-end encryption, which ensures only the sender and recipient of a message can see its content, is a key tech privacy feature and is a hard-fought battleground between the government and tech firms.
Apple said the changes included a provision that would give the government oversight of security changes to its products, including regular iOS software updates. The Home Office consultation proposes “mandating” operators to notify the home secretary of changes to a service that could have a “negative impact on investigatory powers”.
Apple wrote in a submission to the government that such a move would effectively grant the home secretary control over security and encryption updates globally, when allied to further proposals strengthening requirements for non-UK companies to implement changes worldwide if – like Apple – they operate via a global platform.
The proposals would “make the Home Office the de facto global arbiter of what level of data security and encryption are permissible”, Apple wrote.
Apple also expressed concern over a proposed amendment that, it says, would allow the government to immediately block implementation of a security feature while a TCN is being considered, instead of letting the feature continue to be used pending an appeal.
In comments implying encrypted products like FaceTime and iMessage could ultimately be endangered in the UK, Apple said it never built a “backdoor” into its products for the government to use, and would withdraw security features in the UK market instead. End-to-end encryption is the core security technology for FaceTime and iMessage and is viewed by Apple as an intrinsic part of those services.
“Together, these provisions could be used to force a company like Apple, that would never build a backdoor, to publicly withdraw critical security features from the UK market, depriving UK users of these protections,” said Apple.
In further comments, the company said the proposals would “result in an impossible choice between complying with a Home Office mandate to secretly install vulnerabilities into new security technologies (which Apple would never do), or to forgo development of those technologies altogether and sit on the sidelines as threats to users’ data security continue to grow”.
Alan Woodward, a professor of cybersecurity at Surrey University, who has signed an open letter warning against online safety bill proposals that could dilute encryption, said Apple’s submission on the 12-week consultation represented a “stake in the ground”.
He added: “If the government push on regardless then Apple will simply join the growing band of vendors that would leave the UK. British users could end up as one of the most isolated, and insecure, groups in the world. In that scenario nobody wins.”
The Apple submission comes after the House of Lords on Thursday approved a government amendment on the online safety bill related to scrutiny of encrypted messaging. Under the amendment Ofcom, the communications watchdog, must await a report from a “skilled person” before ordering a messaging service to use “accredited technology” – which could enable the scanning of message content, for example to identify child sexual abuse material.
The provision in the bill is widely seen by privacy campaigners as a means of potentially forcing platforms like WhatsApp and Signal to break or weaken end-to-end encryption.
Dr Nathalie Moreno, a partner at UK law firm Addleshaw Goddard specialising in data protection, cybersecurity and AI, said there was “almost no information” available about how detailed the report to Ofcom would be, and whether the “skilled person” would be a political appointment or technical expert.
“Once the government has been granted powers to intercept private messaging services, that’s it – there’s no going back,” she said.
The NSPCC, the children’s safety charity, has warned that the “shrill” debate over the online safety bill is “losing sight” of the safety rights of child sexual abuse victims.
The Home Office has been contacted for comment.“