The excitement ahead of Apple’s new iPhone SE, expected to launch this week, comes at the most critical time. The current threat to iPhone’s future state is as serious as it gets, and nothing Apple does is more important than resolving this before it’s too late.
I’ve described claims that Apple is being forced to backdoor its own encryption as a nightmare for Apple and its users, and that is no exaggeration. If this is not resolved before Apple’s usual iPhone update cycle in the fall, the concept of the product and the way in which it’s marketed will need to change completely. “What happens on your iPhone usually stays on your iPhone” doesn’t have the same ring to it.
The reported backdoor mandate comes at the behest of the UK government’s so-called Snooper’s Charter, a Pythonesque process wrapped in such ironic secrecy that it has generated headlines the world over for a week. This is the latest episode in the long-running saga pitching security agencies against big tech for lawfully warranted access to encrypted content — think terrorism and child abuse investigations.
Amnesty International are just the latest to warn that this “severely harms the privacy rights of users in the UK and worldwide.” And ironically, this publicly secret UK request on Apple predated the U.S. change of tone, whereby end-to-end encryption went from pariah to friend courtesy of an alarming attack on America’s telco networks. That attack was attributed to China’s state-backed hackers, who seemingly managed to extract masses of text and voice metadata and some actual content from high-profile targets.
And on that China theme, while this new encryption backdoor has been presented as something novel and alarming, there are precedents. Apple’s lawfully warranted access to iCloud backups was always a loophole until it was shut down by its new Advanced Data Protection, which end-to-end encrypts almost everything. And Apple’s iCloud security arrangements in China — per a New York Times investigation in 2021 — include compromises to appease the state.
But none of that was to deliberately develop a backdoor into Apple’s security as has been claimed, with the nasty twist being that users cannot be warned.
Apple does tell users “iCloud in China mainland is operated by GCBD (AIPO Cloud (Guizhou) Technology Co. Ltd). This allows us to continue to improve iCloud services in China mainland and comply with Chinese regulations. iCloud services and all the data you store with iCloud, including photos, videos, documents and backups, will be subject to the terms and conditions of iCloud operated by GCBD.”
In that regard, the UK is just aping China in its ask, which while not a good look for the UK is not a unique situation for Apple. One of Apple’s reported options is to carve out UK iCloud users into their own arrangement. Putting aside that Apple having one size fits all except for China and the UK makes the UK look ridiculous, it’s claimed that the UK demand goes beyond UK territorial users, meaning this option doesn’t work.
Timing is everything, and unfortunately for the UK and its mandate, this comes just weeks after the Salt Typhoon furor, where security backdoors were exploited amongst other vulnerabilities. Probably a bad time to force the same en masse.
This was the theme throughout the open letter penned by Senator Ron Wyden and Congressman Andy Biggs to Tulsi Gabbard, America’s newly installed DNI. Were Apple to comply, they warn, it would “undermine Americans’ privacy rights and expose them to espionage by China, Russia and other adversaries.”
The lawmakers correctly point out that once a backdoor is built, it likely becomes available to bad actors as well as good. This is why Amnesty and others are so vocal in their opposition to this. I’ve warned many times before that once something is developed for one government it can be demanded by all.
“The Salt Typhoon hack of U.S. telephone carriers’ wiretapping systems last year — in which President Trump and Vice President Vance’s calls were tapped by China — provides a perfect example of the dangers of surveillance backdoors. They will inevitably be compromised by sophisticated foreign adversaries and exploited in ways harmful to U.S. national security.”
The letter cites other Chinese security compromises, including when its hackers “broke into Microsoft’s systems storing federal agencies’ emails,” where they proceeded to “download approximately 60,000 emails from State Department alone.”
Probably best not to help China more easily surveil Americans, runs the argument. “If Apple is forced to build a backdoor in its products, that backdoor will end up in Americans’ phones, tablets, and computers, undermining the security of Americans’ data, as well as of the countless federal, state and local government agencies that entrust sensitive data to Apple products.”
The ask is for the U.S. to withdraw intel collaboration with the U.K. unless this mandate is reversed. I am hopeful that the furor that has arisen in the last week will prompt a secretive retreat on this request. I am yet to see any security expert suggest this is a good plan without macro-level risks. If there are any out there, please get in touch.
Meanwhile, iPhone’s core proposition remains on the line — all eyes now on Apple.
