Thatâs disturbing. Of course if somebody is E2EE the next demand will be that Apple provide a âbackdoorâ to the E2EE encryption.
It would be fascinating if the UK government demanded a backup from an EU citizen. There could literally be situations where Apple is required to both provide and not provide a given userâs data simultaneously.
Itâll be Schroedingerâs data. 
The worst part is this:
âAnd withdrawing the product from the UK might not be enough to ensure compliance - the Investigatory Powers Act applies worldwide to any tech firm with a UK market, even if they are not based in Britain.â
(quoted from the BBC article linked below)
Does it come down to Apple having to disable ADP worldwide or completely abandoning the UK market?
Iâm very curious to see how Apple handles this.
Several countries have had laws on their books for years that could require the same thing of Apple. One that got a lot of attention in 2018 was Australia. At that time some were worried that once one country required a company to break encryption, most/all others would do the same.
Yeah, Iâve been keeping track of privacy related news since I first discovered Robert Ellis Smothâs Privacy Journal newsletter back in the 80âs and lurking on the cypherpunks mailing list in the 90âs.
Attacks on personal privacy have a very, very long history and are unlikely to ever end. Snoopers gonna snoop.
This is why the Privacy talk feels so hopeless.
The only way we can get true privacy is to have a law. But the Governments of the world want the data just as much as corporate interests.
They probably want it even more than corporations. After all the US government has been buying info from data brokers for years.
And what we fear might happen, might have already occurred. And Apple isnât allow to tell anyone. So I pre-encrypt anything I store online, and will use Signal if I ever need secure communication.
This is a massive overreach from the UK Government. They have no right to demand data which either is not stored in the UK and/or does not relate to UK Citizens.
If they want to see data relating to (for example) US Citizens which is not stored in the UK, they should have to work with US law Enforcement to get a copy.
GDPR doesnât prevent personal data relating to an individual being processed, especially when it comes to law enforcement.
The public perception of GDPR since it was announced, and then brought into law has been wildly overplayed. People do not own the data about them, they donât have the ultimate right to stop companies processing data about them (there are rights to erasure and to object, but these are not absolute).
I can setup a company tomorrow and start processing data under GDPR legislation, I have to comply with the 6 principles, ensure I have a legitimate basis to process the information, and I have to respect peopleâs rights. But I can still process it.
EU GDPR (and in the UK the Data Protection Act) allows law enforcement agencies to process data for the purposes of preventing crime. They have all sorts of exceptions from GDPR.
But even nearly 7 years after GDPR became law, there are still grey areas and case law solidifying what the law actually is.
Perhaps they are. Our two countries, along with Australia, Canada, and New Zealand, have been sharing signals intelligence since the 1940s. Is it that much of a stretch to believe all these countries would like to have what the UK is proposing?
So are you saying that if the UK said âwe want all of the data contained in this particular EU citizenâs iCloud backupâ that there would be no problems?
I would be shocked if a police request for that data followed âdata minimizationâ, âstorage limitationâ, and/or âintegrity & confidentialityâ.
The IETF has you covered: RFC 1149: Standard for the transmission of IP datagrams on avian carriers
Iâm saying that all these countries would like to have full access to all encrypted communications. And if the UK succeeds it is almost certain , IMO, that all countries would demand the same thing.
Iâm saying that while the UK and EU Police forces have to take precautions while processing data (which doesnât always go well Northern Ireland police officersâ details exposed in âmonumentalâ breach | Northern Ireland | The Guardian) if they need to process data for the purposes of preventing crime, they have the ability to use personal data sometimes outside of GDPR.
There is oversight on the use of the data though.
In the event of the scenario you suggest, I would expect Big Tech to take a legal position and if necessary go to court if they feel that the request is unlawful (Microsoft when the DoJ requesting data stored on systems outside of the US) or increases the risk to Appleâs systems (Apple in the San Bernadino shooting).
This is a brand new law though, so I expect that the nuances will need to be worked out through the court system. But itâs more likely that the UK works with whichever EU country to request that they provide the data as thatâs likely to be less trouble and less costly than taking on a Tech giant.
Thatâs the thing, Law Enforcement have more leeway on those kinds of GDPR requirements if they can show that they need to retain the data for the purpose of preventing crime or terrorism.
Despite language about law enforcement, given the secrecy requirements in the law it is likely this is about access by intelligence organizations like GCHQ, MI5, etc⌠than police forces. Of course that is pure speculation on my part.
By Law Enforcement Agencies, I was including those types of organisations.
But we all know that those sort of agencies play by their own special rulesâŚ
I see, my mistake. Apparently GCHQ falls under the foreign secretary, but is is not part of the foreign office, which is interesting.
The Canadian CSE & the American NSA are military and not law enforcement organizations, although they do assist with national security related law enforcement investigations. At least on paper.
It can get a bit fuzzy in spook country.
I agree with you here.
My spidey senses start to tingle at the mention of "backdoor accessâ and the "think-of-the-childrenâ reasoning.
The UK already has Section 49 of the Regulation of Investigatory Powers Act. As I understand it, that can be used to legally insist on data encryption keys, with consequences for non-compliance. What they want is the ability to enter a private space without your knowledge and without judicial oversight - because - you know - think of the children.
Authoritarianism always sells its wares by appealing to the welfare of children, prosperity, security, and patriotism. Beware of what you are asking to give up in the name of the aforementioned. Soon, youâll have none of those once liberty has been surrendered, and one becomes beholden to the state.