Introduction
I don’t normally post in reaction to current events but this feels of significance, a turning point perhaps or a way to have a reasonable conversation.
Today, Apple have withdrawn Advanced Data Protection (ADP) from iCloud for UK users in response to a demand from the UK Government. The demand requires Apple to maintain a mechanism so that the government can go scrumping for data: if the Government make a lawful request for an Apple user's data, Apple must be able to provide it.
ADP is an opt-in service provided by Apple. With ADP enabled only the user holds the keys to their data, so Apple have taken the decision to withdraw ADP rather than build a backdoor into the service. They are reported to have said they were:
gravely disappointed that the protections provided by ADP will not be available to our customers in the UK given the continuing rise of data breaches and other threats to customer privacy
There will probably be some knee-jerk reaction and wildly overstated proclamations of a total collapse in privacy. Although I am sympathetic to that position, we should be measured in how we understand this.
In this instance Apple have withdrawn the opt-in service under which Apple's copy of the encryption key is removed from Apple's hardware security modules (HSMs), leaving only the user's trusted devices able to decrypt the data. The service puts the burden of key management onto the user (Apple requires a recovery key or recovery contact to be set up when ADP is turned on, but keeps no copy itself), and honestly it is hard to see many consumers actively opting in if the consequence of losing their devices and their recovery method is that the data cannot be recovered, because Apple do not have access to the key.
As best I can tell, standard iCloud encryption remains 'as is': Apple hold the key on their HSMs and could comply with a warrant. Some categories (iCloud Keychain and Health data, for example) remain end-to-end encrypted even without ADP and could fall within the scope of a government request for data, but they are not really the specific focus of the Investigatory Powers Act, which deals with the interception and acquisition of data.
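To make the difference in key custody concrete, here is an added example in Go. It is not Apple's code and the design is a simplified model assumed for illustration: each record is encrypted under a fresh data key, and that data key is wrapped under a key-encryption key (KEK) held either in the provider's HSM (Standard) or only on the user's device (ADP). The names Provider, Record, Store, Disclose and Recover are invented for the example, as is the sample record.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Toy model of key custody for illustration only (an assumption, not Apple's design).
// Each record gets a fresh data key (DEK); the DEK is wrapped under a key-encryption
// key (KEK), and Mode selects who holds that KEK.
type Mode int

const (
	Standard Mode = iota // KEK lives in the provider's HSM: provider can unwrap on a warrant
	ADP                  // KEK lives only on the user's device: provider cannot
)

type Record struct {
	Ciphertext []byte // AES-256-GCM, 12-byte random nonce prepended
	WrappedDEK []byte // the DEK, itself sealed under the mode's KEK
}

type Provider struct{ hsmKEK []byte } // stands in for the HSM-resident key

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // keys here are always 32 bytes, so this is a programming error
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

func seal(key, plaintext []byte) []byte {
	nonce := randBytes(12)
	return aead(key).Seal(nonce, nonce, plaintext, nil)
}

// open fails on the wrong key or any tampering, because GCM is authenticated.
func open(key, data []byte) ([]byte, error) {
	if len(data) < 12 {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return aead(key).Open(nil, data[:12], data[12:], nil)
}

// unwrap recovers the DEK with the given KEK, then decrypts the record.
func unwrap(kek []byte, rec Record) ([]byte, error) {
	dek, err := open(kek, rec.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, rec.Ciphertext)
}

// Store encrypts under a fresh DEK and wraps it under whichever KEK the mode
// prescribes; either way the provider holds only ciphertext.
func Store(mode Mode, deviceKEK []byte, prov *Provider, plaintext []byte) Record {
	dek, kek := randBytes(32), prov.hsmKEK
	if mode == ADP {
		kek = deviceKEK
	}
	return Record{Ciphertext: seal(dek, plaintext), WrappedDEK: seal(kek, dek)}
}

// Disclose is what the provider can do when served with a warrant: try its HSM key.
// For an ADP record that key never wrapped anything, so GCM authentication fails.
func (p *Provider) Disclose(rec Record) ([]byte, error) {
	return unwrap(p.hsmKEK, rec)
}

// Recover models the user getting data back; deviceKEK == nil means the device is
// gone, and the only fallback is the provider, which under ADP has nothing.
func Recover(rec Record, prov *Provider, deviceKEK []byte) ([]byte, error) {
	if deviceKEK != nil {
		if pt, err := unwrap(deviceKEK, rec); err == nil {
			return pt, nil
		}
	}
	return prov.Disclose(rec)
}

func main() {
	prov, deviceKEK := &Provider{hsmKEK: randBytes(32)}, randBytes(32)
	for _, m := range []Mode{Standard, ADP} {
		rec := Store(m, deviceKEK, prov, []byte("constructed sample record"))
		_, warrant := prov.Disclose(rec)
		_, lost := Recover(rec, prov, nil)
		fmt.Printf("mode=%d provider-can-disclose=%v recover-after-device-loss=%v\n", m, warrant == nil, lost == nil)
	}
}
```

The point the model makes is that under ADP the provider's inability to disclose is not a policy setting it could be ordered to flip: the wrapping key was never in its HSM, so Disclose fails the same way for a warrant as for a lost device. Satisfying a capability notice for such records would mean changing the design so that a provider-held key wraps the data again, which is exactly the escrow arrangement the standard mode already has.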
Whether they would comply is another question.
Given that Apple are opposed to creating any back doors, it makes sense that they withdrew the opt-in service rather than compromise it.
This quandary is a point at which to reflect on privacy, safety, and rights.
The Investigatory Powers Act 2016
First things first, what is the Investigatory Powers Act (IPA)? It is a piece of legislation, also known as the snooper's charter, that gives the UK Government extensive surveillance and data collection powers for national security and crime prevention. It was passed in 2016 under Prime Minister Theresa May. It was staunchly opposed by the Liberal Democrats, and Labour abstained from the vote. It was controversial at the time, and parts of it have since had to be amended after being found unlawful in legal challenges.
It is being alleged that Apple have been issued a technical capability notice under the IPA. I say alleged because the Home Office have refused to comment and Apple are legally prohibited from confirming whether they have received such a notice. On balance, it is a reasonable assumption that they have received one, given the action they have taken.
It is not clear if notices have been issued to other companies or what action they may have taken.
Under Section 253 of the IPA a technical capability notice is an instruction from the British Government to maintain a technical capability to respond to lawful requests for data. The notice must be issued by the Secretary of State, presently Yvette Cooper, and approved by a Judicial Commissioner before it takes effect. The IPA applies to telecommunications operators, which are defined as:
A “telecommunications operator” means a person who:
(a) offers or provides a telecommunications service to persons in the UK; or
(b) controls or provides a telecommunication system which is (wholly or partly) in the UK or controlled from the UK.
Let’s be clear though, although a mechanism may exist, it does not mean that the government has access to all the data now. It would require a law enforcement agency to have a warrant to do so.
The upshot is that, where the government requires it, telecommunications operators must maintain a mechanism for law enforcement to access data once a warrant is issued. Warrants are issued by the Secretary of State and, for most warrant types, also approved by a Judicial Commissioner. Access must be justified on grounds such as national security, crime prevention and public safety. That being said, the current Secretary of State has made statements labelling suspects as criminals prior to conviction, which arguably prejudiced proceedings. So, there is little to convince me that the incumbent government wouldn't abuse warrants to achieve a political goal.
Technological problems
Politicians seem to be the least well equipped to understand the implications of their decisions when it comes to technology. The discussion about putting backdoors into encryption so that data can be accessed for criminal investigations has been around for a while. A backdoor is, in practice, a second key or a second route to the plaintext, and the mathematics cannot tell a warrant from a thief: whoever holds that route can decrypt, so it breaks the encryption, if not functionally then conceptually, because the whole point is for the data to remain private. In Apple's case the argument is about who holds the key rather than about the algorithm, but the consequence is the same.
It is also worth considering whether VPN providers are subject to the IPA; my view is that they would be. There is another problem with the IPA, which is the requirement for Internet Service Providers (ISPs) to retain internet connection records for up to a year, so that what has been accessed on the internet can be reviewed by law enforcement. Although this is intended to improve safety, it erodes privacy.
As security practitioners it is unlikely we will need to change our systems to allow data access beyond what is already required, unless you work in a telecommunications organisation. For those organisations it is possible that mechanisms to obtain access are already in place; a company cannot disclose that it has received such a notice, after all.
Conflict with human rights?
One claim that is made is that privacy is a human right. This is correct, to an extent . . .
Article 8 of the European Convention on Human Rights (given effect in UK law by the Human Rights Act 1998) - Right to respect for private and family life
Everyone has the right to respect for his private and family life, his home and his correspondence.
There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
Basically, you have the right to privacy until the government says otherwise. Article 8 is a qualified right: the state may interfere with it provided the interference is in accordance with the law and deemed necessary for one of the listed aims, and the ruling government can make that determination. This appears to be true of most rights legislation that originates from Europe.
Privacy can be regarded as a natural human right which in a Lockean or Hobbesian conceptualisation are inalienable, universal, and self-evident. Inalienable meaning they cannot be surrendered, transferred, or taken away as they are intrinsic to a human. The Human Rights Act 1998 can be taken as a betrayal of classical liberalism due to the “get out of jail free card” it gives to governments to arbitrarily remove those rights.
Why privacy is important and what makes the betrayal so egregious is that many other rights sit on top of it such as free expression, freedom of association, personal autonomy, dignity. But there has been a decay in the understanding of what rights are, punctuated hilariously by Jeremy Corbyn who argued that broadband was a human right.
Rousseau's conception of the social contract suggests that we sacrifice some of our natural rights and subordinate ourselves to the state, and that we do so by consent. The genesis of these laws, although derived from the rights and privileges of the English as outlined by Blackstone, has been bastardised by modern influences which allow those rights to be sacrificed without our consent.
Conclusion
So, what is the impact of all this?
Is Apple's technical security compromised? Not really, unless you are in the minority of UK users who had opted in to ADP and held their own encryption keys.
Does it change Apple's legal obligations? No, they have been there for some time; we only just noticed.
Does it change what we need to do as security practitioners? Not really unless you work in specific industries.
So why is this important?
The manifestation of the Apple incident is indicative of a more fundamental problem with how we conceptualise rights. Privacy is a fundamental right, without it many other natural rights fall. This is the real problem, and one we have been up against for a great many years.
This is a stark reminder that data protection and privacy are not the same thing, although the terms are used interchangeably. Privacy can only relate to a person; data protection has no such constraint. Data can be protected without being private. And while we are here, we may as well put privacy by design on the bonfire of failed marketing gimmicks.