Apple drags UK government to court over 'backdoor' order

Apple has reportedly filed a legal complaint with the UK's Investigatory Powers Tribunal (IPT) contesting the British government's order that it must forcibly break the encryption of iCloud data. The appeal will be the first of its kind lodged with the IPT, an independent judicial body that oversees legal complaints against …

  1. Doctor Syntax Silver badge

    Put up or shut up

    "it's understood that the notice didn't include any technical instructions for Apple"

    If the HO or any other organisation thinks that a secure back door is feasible all it has to do is produce a proof of concept example that passes expert external scrutiny. Until then it's time to stop demanding others do what they can't.

    1. Headley_Grange Silver badge

      Re: Put up or shut up

      "If the HO or any other organisation thinks that a secure back door is feasible ...."

      I don't think they care whether or not it's secure.

      1. 43300

        Re: Put up or shut up

        But you can guarantee that when some MPs' data gets exposed due to a back door which the government insisted on, there will be howls of outrage from them!

        This is the problem with having MPs who are mostly technically illiterate - they are determined not to understand that there is no such thing as a secure back door. If it exists it will, sooner or later, be compromised by criminals / foreign governments / spooks.

        1. MatthewSt Silver badge

          Re: Put up or shut up

          Being technically illiterate isn't the problem, it's not listening to people who are. We shouldn't expect our MPs to know everything, but they should have enough critical thinking to understand legitimate expert opinion.

          The problem with this specific scenario is that security and accessibility are greyscale rather than black and white.

          On the opposite ends of the spectrum you have E2EE and not. In between that you can have a secondary key for decryption (the problem is how you protect that) or N secondary keys, of which you need M to do the decryption (improves the protection because now you'd need to compromise multiple keys) but then you can't call those E2EE encrypted.

          1. Richard 12 Silver badge

            Re: Put up or shut up

            It's not a greyscale. It really isn't.

            They're asking the locksmiths to hand over a copy of everyone's front door key every time they fit one, so they can sneak in at any time without anyone knowing.

            Thus creating the biggest temptation and the biggest target possible.

            Eg the US telephone intercept system was compromised by China for many years before anyone realised.

            So, is everyone in the Metropolitan Police and Home Office willing to hand me a copy of their front door key? And send me a replacement every time they change it?

            I promise I won't use it - unless I really want to, in which case I won't tell anyone I went through their stuff.

            1. MachDiamond Silver badge

              Re: Put up or shut up

              "They're asking the locksmiths to hand over a copy of everyone's front door key every time they fit one, so they can sneak in at any time without anyone knowing."

              It's worse than that since it's more like they require a locksmith to set the lock with a master keyed set of pins and that master is the same for everybody so one key to rule them all. That master key code may also be published due to transparency laws a city has to comply with. Deviant Ollam has shown this on some of his presentations.

              1. John Brown (no body) Silver badge

                Re: Put up or shut up

                "That master key code may also be published due to transparency laws a city has to comply with."

                No. While I mostly agree with you, transparency laws do not require showing everything. Security keys, and many other "secret" things, are already excluded. Try asking a "city" for their own data encryption keys and see how far you get. Of course, things leak. The more people who know, the more likely to leak. But they will not be obliged to disclose under "transparency" laws.

                1. Anonymous Coward

                  Re: Put up or shut up

                  Agreed.

                  Also, even if the key did leak it would probably be useless by itself. In cryptography if you have a "master" key from which all other private keys are derived, you still need the derivation method in order to derive other private keys...it is technically feasible for this sort of "backdoor" to exist, and it is possible to secure it to a certain extent...however, it is still risky and it is very expensive, it's also not seamless from a customer point of view...it's much harder to revoke and reissue new keys which would leave users exposed for an amount of time that might not be acceptable.

                2. MachDiamond Silver badge

                  Re: Put up or shut up

                  "transparency laws do not require showing everything."

                  What I can remember being shown was the published spec that was sent out on an RFQ that included the key code. So, not something you could easily look up on a city's information page, but a bit less of a secret for having sent it out as part of a bidding package that anybody could request.

              2. 0laf Silver badge
                Facepalm

                Re: Put up or shut up

                The locksmith argument was the one in my head. Would we be having this discussion if the government had insisted on every bank vault and safe having a masterkey held by the government?

                Would they still think that the additional mechanism to open the vault could be made to only be accessed by 'the good guys'?

                Would the change from a mathematical argument to a physical one highlight the stupidity of their thinking even to themselves? Probably not, let's be honest, they'd probably expect some LoTR type protection ("speak friend and enter"). Or they'll make a law to say that only the police can use the backdoor because that would be a deterrent to criminals.

                1. Headley_Grange Silver badge

                  Re: Put up or shut up

                  The problem is the limit they've put on their understanding. They know they don't need master keys to all the safes because with today's tech they can break into any safe in the land. It might take time and explosives but they know it can be done so they're not bothered. So they clearly understand the, effective, unbreakability of today's encryption and hence they want a backdoor. I think they also understand the impact of the key becoming public but what they choose not to understand is the inevitability of the key becoming public.

            2. Anonymous Coward

              Re: Put up or shut up

              No, what's more likely is they are trying to insist on Apple storing people's keys so that Apple can retrieve them upon request. I don't think this is a bulk collection attempt...for once...trouble is, this sort of thing puts Apple at risk, because if they get popped the keys can leak...Apple has been popped quite a few times and will be popped again, it's inevitable.

              Even worse, they don't necessarily need to be popped. A foreign government could just plant the right person in the right department...which Apple is at particularly high risk for because they refuse to reject DEI...with that sort of policy in place, it's a lot easier for a foreign government to embed itself inside Apple under the guise of a DEI hire.

              1. Anonymous Coward

                Re: Put up or shut up

                I should probably add that if you have a "master" private key, from which all other keys are derived, you don't actually need to store users' keys, you just derive them when you need them. All you need to store is the "master" key and the derivation paths.
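The "master key plus derivation paths" arrangement from the comment above, as an added example that is not part of the original thread. It assumes HKDF-SHA256 (RFC 5869) as the derivation method, which the comments do not specify; the salt, path strings and function names are hypothetical.

```python
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract step: concentrate the input key into a PRK."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 expand step: stretch the PRK into `length` bytes bound to `info`."""
    if length > 255 * hashlib.sha256().digest_size:
        raise ValueError("requested output too long")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


# Hypothetical fixed salt for this sketch; a deployment would choose its own.
DEMO_SALT = b"escrow-demo-salt"


def derive_user_key(master: bytes, path: str) -> bytes:
    """Derive a per-user key on demand; nothing per-user is stored."""
    return hkdf_expand(hkdf_extract(DEMO_SALT, master), path.encode("utf-8"))


def rotation_impact(old_master: bytes, new_master: bytes, paths: list[str]) -> list[str]:
    """Return the paths whose derived key changes when the master is replaced."""
    return [
        p for p in paths
        if derive_user_key(old_master, p) != derive_user_key(new_master, p)
    ]


if __name__ == "__main__":
    # Constructed sample inputs.
    master_v1 = bytes(range(32))
    master_v2 = bytes(range(1, 33))
    paths = ["users/alice/backup", "users/bob/backup", "users/carol/backup"]

    # Same master + same path always yields the same key, so it can be
    # re-derived whenever needed instead of being stored.
    assert derive_user_key(master_v1, paths[0]) == derive_user_key(master_v1, paths[0])
    # Different paths give unrelated keys.
    assert derive_user_key(master_v1, paths[0]) != derive_user_key(master_v1, paths[1])
    # Replacing the master changes every user's key at once.
    print(rotation_impact(master_v1, master_v2, paths))
```

Because every user key hangs off the one master, replacing that master forces every user's data to be re-keyed, which is the revoke-and-reissue cost raised earlier in the thread.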

              2. Anonymous Coward

                Re: Put up or shut up

                "Apple is at particularly high risk for because they refuse to reject DEI."

                What has DEI got to do with background checking employees with access to company-critical information ?

                The main risk in such cases is from home-grown ne'er-do-wells offering large bribes (and/or threats).

                1. Anonymous Coward

                  Re: Put up or shut up

                  "What has DEI got to do with background checking employees with access to company-critical information"

                  Everything.

                  Because you might be hiring foreign nationals for the sake of it to meet quotas rather than because you can't find the talent locally.

                  With DEI, you might be tempted to skip certain parts of background checks because you have quotas to meet...or you might lower the bar because it isn't possible to do proper background checks...countries like China etc do not provide detailed information about their own people to foreign entities...you can't really trust the info to be accurate either...especially if that person is a plant.

                  Background checks mean diddly squat if the person you're checking out is a plant, they will have a carefully crafted past...of course they're going to look great on paper...that's by design.

              3. David Hicklin Silver badge

                Re: Put up or shut up

                > I don't think this is a bulk collection attempt...for once.

                But things creep...and oh the temptation......

                1. Anonymous Coward

                  Re: Put up or shut up

                  That's why we need whistleblower protection.

            3. steviebuk Silver badge

              Re: Put up or shut up

              My crap comment because I can't remember the details, but I think it's similar when UK asked for snooping for something similar and said it wouldn't be abused for general snooping, only terrorist snooping. Then they started to abuse it for general snooping.

              At the end of the day, all "terrorists" will do is find their own custom encryption.

              1. teebie

                Re: Put up or shut up

                Maybe you can't remember the details because it has happened so often it's not worth remembering specific instances

              2. Anonymous Coward

                Re: Put up or shut up

                They don't need to because they're already probably using custom encryption...we've seen in the past entire services set up by law enforcement to entice criminals and ne'er do wells in to what they think is a secure system...large scale criminals are not using iCloud, Facebook etc etc...they probably never have.

              3. MachDiamond Silver badge

                Re: Put up or shut up

                "At the end of the day, all "terrorists" will do is find their own custom encryption."

                Maybe they've® figured out that the cat is amongst the pigeons with encryption so if they force the average person into the less secure (non-secure) method, anybody using something they don't have a backdoor for is the bad guy. The old way was assuming anybody using encryption was the bad actor. If you find a message that's just 6 letter groups of letters, that's the criminal. Until it's found out that it's the central bank trying to communicate something and nobody in the plod thought to check what was at the address so when they all showed up in body armor and toting guns, weren't they embarrassed?

          2. Anonymous Coward

            Re: Put up or shut up

            I wouldn't expect ALL MPs to be technically literate, but in a functioning democracy it would be hoped that there would be a wide range of expertise across the house, and that those who knew about something would be appointed to ministerial jobs in that area.

            Of course that's not the reality, and a large proportion of them are journalists, lawyers, PR people, and 'professional politicians' who have never had a real job outside of politics. And those who get to the top like grandstanding, and won't let minor issues like technical realities get in the way of their vision!

        2. Alan Brown Silver badge

          Re: Put up or shut up

          "there will be howls of outrage from them!"

          And with any luck there will be very smug media talking heads pointing out that they knew what they were doing when they voted for it

          1. RockBurner

            Re: Put up or shut up

            I think that in modern life, the concept of "responsibility for one's own actions" (eg voting) has been proven conclusively to be a fallacy.

        3. Doctor Syntax Silver badge

          Re: Put up or shut up

          "But you can guarantee that when some MPs' data gets exposed due to a back door which the government insisted on, there will be howls of outrage from them!"

          MPs may well expect their messages, at least between themselves, to be leaked by one of the participants in a conversation, e.g. giving the entire lot to the journalist who's going to help them ghost-write their memoirs or just dropping individual messages as and when it suits their own agenda. They probably don't realise that security can exist.

          1. MachDiamond Silver badge

            Re: Put up or shut up

            "MPs may well expect their messages, at least between themselves, to be leaked by one of the participants in a conversation, e.g. giving the entire lot to the journalist who's going to help them ghost-write their memoirs"

            I think it would be more likely to embarrass somebody from the other party and a good chance we already see lots of that.

        4. Anonymous Coward

          Re: Put up or shut up

          It isn't necessarily the MPs entirely at fault, it's probably also the sycophantic technical consultants they hire as "yes men" as well.

          I don't know a single consultant that does government work that isn't slimy.

      2. MachDiamond Silver badge

        Re: Put up or shut up

        "I don't think they care whether or not it's secure."

        There's a physical analog in the US. In many cities, a business must install a "Knox-box" that is storage for keys to open their business via a "secure" key that the fire department has. The trouble is that it's often not long before those keys are compromised which means that there's a key that effectively opens every retail shop in the city/district. Since it's often faster and easier to steal a car to crash through the front of the shop, that's what they'll do if they don't know about those lock boxes. The very sophisticated operators will order the box for their location and reverse the key to make one since it won't be typically supplied with the box.

        1. Jon 37

          Re: Put up or shut up

          The fire department master keys are all available online.

          1. MachDiamond Silver badge

            Re: Put up or shut up

            "The fire department master keys are all available online."

            The KnoxBox keys are particular to a jurisdiction and Knox isn't the only maker of that type of product. The silhouette of the key is supposed to be controlled so you can't just order up blanks without being registered. Of course, that never lasts long. You just order them from some Asian supplier off of their web page as I don't think there's any sort of law against it and Customs is not going to light up on some keys being imported through the post. I have all sorts of "lock sport" stuff that isn't legal to sell in many places within the US. I'm sure they'd want to lock me up for "burglary tools" if that's all they could do me for. The downside is that I do legitimate lock stuff for real estate customers so I'd be out after my cavity search and de-lousing.

        2. The Mole

          Re: Put up or shut up

          I thought the Axe was all the master key the fire departments needed to open doors (other firefighting equipment for tougher doors may also be available).

          1. MachDiamond Silver badge

            Re: Put up or shut up

            "I thought the Axe was all the master key the fire departments needed to open doors "

            With tougher security doors being fitted to retail shops, it's faster and easier to use a key that's in a nearby lock-box. They may also want to access a building through an adjacent business than the one that's on fire and tearing the doors off of that isn't polite even if they do bust a hole in a common wall.

    2. Anonymous Coward

      Re: Put up or shut up

      > If the HO or any other organisation thinks that a secure back door is feasible all it has to do is produce a proof of concept example that passes expert external scrutiny. Until then it's time to stop demanding others do what they can't.

      The "backdoor" being asked for is not into the encryption algorithm, it's a backdoor into Apple's systems.

      Apple's standard iCloud, iMessage etc capabilities *already* provide a means for law enforcement to see the content because Apple maintains the encryption keys on behalf of the users. So it's a simple matter for UK law enforcement to get a court order demanding access and then Apple will happily comply and provide decrypted content.

      The implication therefore is that the TCN goes further and I suspect it asks for remote access to Apple's systems by UK law enforcement so they can log in and browse users' data without a court order and without Apple necessarily knowing who they're snooping on.

      So I would very much like to see the content of this TCN, whether technically inept or not.

      1. John Robson Silver badge

        Re: Put up or shut up

        Not with ADP it doesn't...

      2. Excused Boots Silver badge

        Re: Put up or shut up

        "Apple's standard iCloud, iMessage etc capabilities *already* provide a means for law enforcement to see the content because Apple maintains the encryption keys on behalf of the users. So it's a simple matter for UK law enforcement to get a court order demanding access and then Apple will happily comply and provide decrypted content."

        Err. no, no they don’t. I think you have confused two different things.

        iMessage is fully end to end encrypted, Apple do NOT have any means of reading the message and warrant or not, nor can they hand over the plaintext as they simply have no means to get it. Also some other things are E2E encrypted, health data, passwords and keychain data etc.

        But, if you use iCloud backup for your phone then that backup is encrypted with a key that Apple has, so if presented with a warrant then Apple can and will hand over the plain data in the backups which probably include iMessages etc. So imagine that you communicate with someone else over iMessage, Apple and, by extension, law enforcement can’t ever (discreetly) access those messages, but if either you or the other party back up their phone to iCloud, then all bets are off.

        Unless you (both) turn on ADP; in which case the entire iCloud backup is E2E encrypted, Apple no longer have a key and, as above can’t hand over plaintext data - but this does have a price, you forget the passwords and/or lose access to your iCloud account and everything is lost, photos, videos, messages, all gone and Apple cannot help. Hence ADP is NOT enabled by default, you have to manually do it and click through various ‘are you sure, because....’ type dialog boxes.

        The TCN is because Apple could ‘technically’ put a back door into the encryption system, it doesn’t have to be secure that ‘only the good guys can use’, it just has to exist. Apple are adamant that they won't do this and hence have pulled the feature - well partially, if you don't already have it enabled, then you can’t, but for existing ADP users, it is still working and Apple simply can’t remotely disable it and somehow decrypt the existing encrypted backups.

        1. Anonymous Coward

          Re: Put up or shut up

          > Err. no, no they don’t. I think you have confused two different things.

          > iMessage is fully end to end encrypted, Apple do NOT have any means of reading the message and warrant or not, nor can they hand over the plaintext as they simply have no means to get it. Also some other things are E2E encrypted, health data, passwords and keychain data etc.

          Yes, you're right. As the original AC I did pause for a second before including iMessage in the list but the recent announcement of quantum proof encryption by Apple [1] made me think that iMessage was only end to end for messages stored on the device and not if they were stored in iCloud.

          My main point, though, which I don't want to get lost, is that too much of the tech press is saying "backdoored encryption" and allowing the discussion to go down the "maths is maths" and "how algorithms can't be backdoored safely" path instead of focusing on the more pressing issue that it is the infrastructure / systems that are being backdoored.

          [1] https://security.apple.com/blog/imessage-pq3/

          1. Doctor Syntax Silver badge

            Re: Put up or shut up

            How would an E2EE system be backdoored without a backdoor in the encryption? Other, I suppose, by having it send a second copy to someone else encrypted, for all the good that would do, with that someone's public key?

            1. Anonymous Coward

              Re: How would an E2EE system be backdoored without a backdoor in the encryption?

              A system OCRing the screen and monitoring the keyboard could certainly compromise the privacy. (Any onboard AI could be ordered to do this.)

              Whether this could be described as backdoored or not is the question.

              1. PCScreenOnly Silver badge

                Re: How would an E2EE system be backdoored without a backdoor in the encryption?

                Ms recall

            2. Anonymous Coward

              Re: Put up or shut up

              > How would an E2EE system be backdoored without a backdoor in the encryption? Other, I suppose, by having it send a second copy to someone else encrypted, for all the good that would do, with that someone's public key?

              Yes, exactly that. But that second copy is not encrypted with the recipient's public key, it is encrypted with the "backdoor" key and Apple then store that message for a period of time determined by the TCN. Which is why seeing the TCN would be interesting.

              This requires a change to iOS but the TCN might demand exactly that.

        2. Anonymous Coward

          Re: Put up or shut up

          > but if either you or the other party back up their phone to iCloud, then all bets are off.

          Is iMessage data not encrypted "at rest" on your phone then? I may be slightly misunderstanding E2EE.

          1. DS999 Silver badge

            Re: Put up or shut up

            Yes iMessage data is encrypted on your phone. Everything on your phone is (much of it is doubly encrypted, though iMessage data is only single encrypted, for reasons too long to go into here). But when it is stored on iCloud, by default (i.e. if you haven't enabled ADP) it is encrypted with a key that Apple controls. That enables you to easily restore from backup if you lose/damage your phone by simply logging in to your Apple ID, but it also allows Apple to respond to a subpoena and give up any iMessage or other content backed up to your iCloud.

            If you enable ADP then if you lose/damage your phone and you haven't taken steps to protect the key you create on your phone by saving the plaintext hex key somewhere or setting up a "recovery contact" then you lose all your data. That's why (or at least a major reason why) ADP isn't enabled by default. Too many people would lose everything. I mean people forget passwords all the time. They did even back when a password was a simple English word for most, rather than today's 8 characters including one capital, one number, and one Chinese character for soup.

        3. Stuart Castle

          Re: Put up or shut up

          Re "Apple simply can’t remotely disable it and somehow decrypt the existing encrypted backups."

          I am certain I read that Apple have said that for users who leave ADP on, Apple will eventually turn it off and delete all encrypted backups.

          1. gnasher729 Silver badge

            Re: Put up or shut up

            “Apple will eventually delete backups”. Unlikely. There is no law requiring Apple to delete backups, so why would they? They will put up a fight against any requirements to turn adp off. If they lose that fight legally then users will have the choice of turning adp off and reading their data, or not being able to access it until adp is turned off.

            And if you turn off adp, download all your data, and delete all iCloud data, the government can’t prevent this unless they have a court order ready against you just at that moment.

    3. phuzz Silver badge

      Re: Put up or shut up

      The Home Office don't care if it's possible or not, they just want access to the data. This order had its desired effect; Apple have removed* E2E encryption from UK users, which means that the security agencies can access their data. If there was some magical way to allow access to the data while it was still encrypted, then they'd take that instead.

      *or are in the process of removing

  2. Anonymous Coward

    Communists...

    ...they do love their surveillance states.

    1. Valeyard

      Re: Communists...

      and yet our country is opposing Russia at the moment, what's yours doing?

      1. This post has been deleted by its author

      2. Anonymous Coward

        Re: Communists...

        Currently, the Trump administration won't even admit that Russia invaded Ukraine. See 3 minutes into this hearing: https://youtu.be/xw3RFzX4AW4?t=180

        I thought MAGAs hate pinko commie Russians.. it's so hard to keep up these days!

        1. Anonymous Coward

          Re: Communists...

          Explain the downvote, comrade. Check the video. 20 seconds will do. Do you have a fear of the truth?

        2. Alan Brown Silver badge

          Re: Communists...

          The Pinko commie Soviets were replaced with Fascists/corporatists nearly 30 years ago

          1. Mockup1974

            Re: Communists...

            In real life implementations, there is no meaningful difference between communism and fascism. Which also explains why both the far left and the far right seem to love Russia at the moment.

        3. Anonymous Coward

          Re: Communists...

          > I thought MAGAs hate pinko commie Russians.. it's so hard to keep up these days!

          "There are Reds under our beds!"

          "That is just your collection of MAGA hats, dear"

      3. This post has been deleted by its author

      4. Anonymous Coward

        Re: Communists...

        Not funding Putin by buying Russian oil and gas, I guess. Talk to Germany if you have problems with Russia.

    2. snowpages

      Re: Communists...

      All Home Secretaries of all political persuasions seem to demand this within a couple of weeks of taking office.

      One can only think that the police/security services "persuade" them that this will solve/prevent crimes.

      Or that it would prevent the leakage of any info they might have on said Home Secretary...

      1. Doctor Syntax Silver badge

        Re: Communists...

        The HO's core competence is house-training Home Secs although there are a few who don't need it. They are remarkably good at it. One of them wrote an article in the Times describing the process whilst clearly not realising that that's what he was describing.

      2. Hubert Cumberdale Silver badge

        Re: Communists...

        "US President Donald Trump also recently compared the UK's treatment of Apple to the extensive state surveillance methods deployed by China – the two countries' foremost intelligence adversary."

        Well, even a stopped clock...

    3. Anonymous Coward

      Re: Communists...

      That's not how you spell fascists.

  3. John Robson Silver badge

    Here's hoping the unthinkable

    ... That the courts will agree that this is supreme overreach.

    However since it is the job of the courts to enforce the law... I suspect we might have a less bright outlook.

    1. Brewster's Angle Grinder Silver badge

      Re: Here's hoping the unthinkable

      It's entirely possible that the courts will agree this was unlawful---if the order is as vague as reported---but the government will likely rewrite the order to comply with the law and achieve the same net effect. If I had to bet, that's where I'd put my money. (Although it might take a couple of rounds of litigation.)

      1. Khaptain

        Re: Here's hoping the unthinkable

        Apple's lawyers will play the attrition game, they can play for a long time, and Starmer will be out of office before any form of result has been achieved.

        1. Richard 12 Silver badge

          Re: Here's hoping the unthinkable

          True, but the next home secretary will ask again, because the Met desperately want to snoop on everything.

          It's mathematically impossible to "only" do it for a specific user, because Apple don't have the keys.

          Same as you cannot break into his local Timpsons and steal the key to Dan Jarvis' home. They don't have it.

          But if this went through, they would.

      2. Blazde Silver badge

        Re: Here's hoping the unthinkable

        "the government will likely rewrite the order to comply with the law and achieve the same net effect"

        I can't see what basis Apple can argue the TCN is unlawful other than that the government has failed to consider the 'technical feasibility and cost' of implementing it. Those were important fudges Parliament put in to punt the issue of breaking E2EE down the line, and remain the central issue, which it isn't simple to either rewrite the order or re-legislate around. It'll be particularly interesting how 'cost' is interpreted in court because Apple considers privacy core to its brand and it's a massively profitable company.

        1. Richard 12 Silver badge

          Re: Here's hoping the unthinkable

          It's mathematically impossible for Apple to comply.

          You cannot make a copy of a specific key next year, unless you already copied every single key at creation.

          It's either broken for everyone in the entire world - including every MP, Senator, President, and member of the security services - or it's end-to-end encrypted for everyone.

        2. 0laf Silver badge

          Re: Here's hoping the unthinkable

          Apple has some very good very expensive lawyers and very deep pockets to reach out to the best experts in the world. I would suspect they have more than one argument ready to roll.

          They must see a business benefit in defending this.

      3. Roland6 Silver badge

        Re: Here's hoping the unthinkable

        Firstly, we have the dance as to whether Apple can legally present the order to a court and whether that is in a public or private session…

        Secondly, we do have the CLOUD Act, which seems to be quite clear on matters:

        "The Data Access Agreement fosters more timely and efficient access to electronic data required in fast-moving investigations through the use of orders covered by the Agreement."

        So in line with the data access agreement, it is legitimate to ask companies to make preparations for timely and efficient access, so that when an order is received…

  4. Mike 137 Silver badge

    "... to dissuade the public from thinking the government can simply access user data on a whim"

    Note: "to dissuade the public from thinking ...", not "to prevent access ... on a whim". Yet again, the public should feel (not be certain as of right) that its rights are respected. And of course everything depends on the definition of "necessity", which is inevitably defined by those desiring access, quite apart from any illicit access by rogue staff (for which there is plenty of historical evidence in other spheres). And all of this under such a cloak of secrecy that the "user" can never find out whether their data has been accessed (except possibly via the consequences).

    Government, and particularly law, can only be justified if it's transparent and above board.

  5. codejunky Silver badge

    Hmm

    Hopefully the government loses. Vance called out the direction of Europe and the previous US administration. Let's hope we can undo the damage.

    1. Blazde Silver badge

      Re: Hmm

      How it started: Vance attacks Europe over free speech

      How it's going: Book bans in US. Students to be jailed or deported for protesting Gaza, in US. Elected legislator can't hold up a simple sign without having it ripped out of her hands, in the US.

      1. Anonymous Coward

        Re: Hmm

        ... also:

        - Blocking Reuters and AP from press briefings, but allowing Russian media, TASS!

        - Trump launching investigations into media channels that report facts he doesn't like : https://www.theguardian.com/us-news/2025/feb/24/trump-free-speech-media-attack

        - Ex-NFL punter Chris Kluwe, who was arrested for calling out MAGA?

        Vance and codejunky have a weird understanding about free speech. They also apparently haven't heard of America's "fighting words" laws: https://en.wikipedia.org/wiki/Fighting_words

      2. that one in the corner Silver badge

        Re: Hmm

        > Book bans in US.

        Thanks for the reminder to look up the state of play - I knew of many attempts to ban books in the US across the years, but amongst all the other goings on I'd managed to miss when the Trump Administration Dismisses Book Ban Complaints by dismissing "this false narrative" (aka "this is false news, false news"); such falsity as Utah banning students bringing their own copies to read at school ("I don’t care if it’s shredded, burned, it has to be destroyed one way or another.”).

        The wider Banned Books List – 2025 has a load of books that were *required* reading in my schools ("Fahrenheit 451", "1984", "To Kill A Mockingbird", "Catcher In The Rye", "Brave New World", "Huckleberry Finn" and more) plus modern classics like "The Handmaid's Tale". Of course, the book by that horrid little Anne Frank must go. Curiously, some of these warn of (theocratic) dystopias or living under fascism...

        The reasons given are as you'd expect: don't warn the young about possible dangers by allowing them to experience them vicariously, in a book they can put down and discuss, where the protagonists can show ways to deal with the dangers, just let them all come as a surprise IRL.

        Of course, we can all probably name a book, renowned for encouraging gang rape, violence to children and slavery, which never appears on these lists...

        Ok, back to how *our* government is buggering about.

        1. Blazde Silver badge

          Re: Hmm

          Of course, we can all probably name a book, renowned for encouraging gang rape, violence to children and slavery, which never appears on these lists...

          Activists managed to get the Bible pulled from some libraries briefly for review, but yea it turns out the violence and sex and incest and so on is perfectly fine as long as the book's other themes are on the 'correct' side of the culture war.

        2. Roland6 Silver badge

          Re: Hmm

          “Of course, we can all probably name a book, renowned for encouraging gang rape, violence to children and slavery, which never appears on these lists...”

          Interesting, as to what isn’t on the lists:

          Anthony Burgess - A Clockwork Orange

          Nikos Kazantzakis - The Last Temptation of Christ

          Kass Morgan - The 100

          Adolf Hitler - Mein Kampf

          Personally, if presented with the book ban, I would circumvent it by choosing different books and getting films screened (the film might be based on a banned book, but it’s a film not a book and thus not on the list of banned books…).

      3. Anonymous Coward

        Re: Hmm

        It was the wrong sort of free speech.

        You are free to say anything you like in praise of the supreme orange leader.

        Anything said against him or his proclamations is heresy, therefore you are not free to say it.

    2. desht

      Re: Hmm

      Vance wouldn't recognise actual free speech if it came up and bit him on the arse, and neither would you, it seems.

    3. Doctor Syntax Silver badge

      Re: Hmm

      A few days ago I said that despite the protests from the USG that the reality would be that their security services would be pleased to get a share of the product. With what's happening to them now I'm not sure if that's the situation any more.

      But yes, HMG needs to lose this one.

    4. sabroni Silver badge

      Re: Hmm

      https://www.techdirt.com/2025/03/05/trump-brings-back-free-speech-by-checks-notes-threatening-to-imprison-protestors-and-expose-journalist-sources/

      "It is almost difficult to believe this is a real thing that happened with the President of the United States, but here’s what actually happened on Tuesday. In the morning, Donald Trump threatened to imprison protesters and defund any university that allows certain protests. Then, that same evening, he stood before Congress and declared — with apparently zero irony — that he had “stopped all government censorship and brought back free speech in America.”"

      You don't have a fucking clue son.

      1. flayman Bronze badge

        Re: Hmm

        Trump and the clowns who enable him wouldn't know freedom of speech if it jumped up and bit their dicks off.

        1. Anonymous Coward

          Re: Hmm

          This is the same Supreme Orange one who has ridiculed science funding on the basis that it was researching and creating "Transgender Mice".

          They are "TransGENIC" mice, nicely setting back US bioresearch a few years because its leader is a bit thick.

          All those Paediatricians better watch out he'll soon have you locked up for your terrible crimes.

          https://www.huffingtonpost.co.uk/entry/white-house-issues-head-scratcher-of-a-defense-for-trumps-transgender-mice-claim_n_67c8b5cae4b0e50d686ac02b

          1. codejunky Silver badge

            Re: Hmm

            @AC

            "This is the same Supreme Orange one who has ridiculed science funding on the basis that it was researching and creating "Transgender Mice"."

            I am reading that Huff post link you put up and it claims this is a head scratcher. Yet if I am reading the article right it actually says Trump WAS right that this funding was to study mice going through all this trans 'care' to try and understand what effects it has on the human body. What is head scratching about it?

  6. rgjnk Silver badge
    Devil

    Interesting spin

    "As we have said many times before, we have never built a backdoor or master key to any of our products or services and we never will,"

    Given their response was to just unlock the front door and leave it open, that's both true and yet ignores the result they created.

    They could have just ignored the order and dared the government to enforce it, which would have been a much more effective block.

    As opposed to the current capitulation which lets them publicly play at resisting while cheaply overdelivering the result the order ultimately wanted.

    1. CorwinX Silver badge

      Re: Interesting spin

      It'd be more interesting if Apple pulled support from all the shiny devices the consul-o-droids in Westminster wave around.

      "Sorry, support for your device is suspended pending legal proceedings".

      Initiated by your bosses.

    2. Graham Cobb

      Re: Interesting spin

      Well, to be fair to them... it lets them publicly talk about the issue without breaking the law.

      Yes, the law is appalling. Yes, it would be great if Apple would ignore it. But, I guess their UK employees are happy that they won't be dragged into a court.

      1. Richard 12 Silver badge

        Re: Interesting spin

        Indeed. This way they get to smash in some faces very publicly with Principia Mathematica.

        Ok, that book isn't entirely relevant but it is very heavy.

  7. CorwinX Silver badge

    British citizen talking here

    I'm not a fanboy of Apple for various reasons - Android all the way. I have issues with them.

    BUT... Big but... I sincerely hope Apple manage to tell my government to take a long hike off a short bridge.

    How the fcuking hell do the worthless, motherless, barsteward, politicians in this country think they can dictate to a global network?

    If I was Apple I'd cut off all support to the UK to teach them a lesson.

    Wonder how many consulto-droids are running around Westminster with shiny Apple devices

    Wonder how many would like the government to monitor the... interesting... websites they visit.


    1. MachDiamond Silver badge

      Re: British citizen talking here

      "Wonder how many consulto-droids are running around Westminster with shiny Apple devices"

      Beyond that, they'll just take a train/ferry to the next country over and book phone service there. With a wink and nod, some operator is going to have a plan for people having a phone with service outside the UK yet will be used within the UK the majority of the time. They will have their E2EE and a raised couple of fingers to those that tried to take it away.

      1. Anonymous Coward

        Re: British citizen talking here

        With the added benefit that a non-UK sim can use all the different phone networks rather than just their own.

        1. The Organ Grinder's Monkey Bronze badge

          Re: British citizen talking here

          Ref "use any uk network".

          If that's something that would be useful, there is one company offering that service:

          https://anywheresim.com/

          (I've never used them so don't know if it's as good as it sounds, mainly because they seem only to offer them as a PAYG service.)

    2. Sam Shore
      Facepalm

      Re: British citizen talking here

      "If I was Apple I'd cut off all support to the UK to teach them a lesson."

      We've been through this before. Apple is not going to cut itself off from a £26Bn market, to keep a fanboy happy.

      If Apple lose, then just like they did in China, they will do as they are being told, and the cash will keep rolling in.

  8. Empire of the Pussycat Silver badge

    Surely a logical backdoor already exists

    Apple has total control over IOS and IOS updates, and how/when they are distributed, including the E2E implementation.

    Apple knows the device user's ID.

    If it chooses to do so, Apple is free to create a tailored IOS update to be delivered to a designated user.

    E2E depends on keys accessible to the software running on the iThing, it must be possible to leak the keys and/or create a covert side channel affecting only the designated user, without affecting E2E for any other user.

    Only way to avoid that would be to never update the iThing, which leaves it open to all future vulnerabilities exploited by NSO et al.

    Pain in the neck of course.

    1. Blazde Silver badge

      Re: Surely a logical backdoor already exists

      Most of the interception wants occur only after a device is seized. So there's no updating, it's locked, sometimes they sit on them for months or years until an exploit becomes available to unlock, and even then as I understand it the ADP key should still need the device passcode to decrypt it (at least that's how it should work), though the passcodes are quite low entropy so I'm not sure that's much obstacle.

      So they want a speedier and less resource intensive backdoor, which also, yes, could be used covertly on an un-seized device but I don't think that's the main use-case.

      1. aks

        Re: Surely a logical backdoor already exists

        There are already ways to compromise specified users and devices once a search warrant has been issued.

        The UK clearly want to trawl through big-data at will on a "big data" fishing expedition.

      2. MachDiamond Silver badge

        Re: Surely a logical backdoor already exists

        "So they want a speedier and less resource intensive backdoor, which also, yes, could be used covertly on an un-seized device but I don't think that's the main use-case."

        It could be since the filth could keep decrypting messages while they build a case. If the phone is seized, damage control would come into play with the players covering their tracks. Not saying they don't want to have complete access when they do have the phone in their mitts.

      3. Anonymous Coward

        Re: Surely a logical backdoor already exists

        Or they just wait until the device/drive is decrypted/password entered etc. and then seize it. There was a case a few years ago where police monitored a suspect who had an encrypted drive on their PC. They waited outside the premises watching through the window probably with binoculars until he entered the password and then knocked on the door. He went to the door and didn’t get a chance to encrypt the data again. The authorities then had free run of his files etc. and found the evidence they were looking for to prove he was guilty.

        1. Blazde Silver badge

          Re: Surely a logical backdoor already exists

          Ross Ulbricht was arrested like that, in a library with laptop unlocked and logged into key Silk Road accounts. But it takes a lot of resources to surveil and wait for the right moment. 99% of the time they just show up at 6am to the suspect’s known address because that's when they're most likely to be home. If they're not they shake their fists a bit and mutter 'damnit he outsmarted us'.

          1. MachDiamond Silver badge

            Re: Surely a logical backdoor already exists

            "to the suspect’s known address "

            They get that wrong often enough for it to be a problem in the US.

    2. gnasher729 Silver badge

      Re: Surely a logical backdoor already exists

      Just saying: Apple has no say for IOS and IOS updates at all. It’s owned by Cisco. Apple owns iOS. Totally different thing.

      1. Evil Scot Silver badge

        Re: Surely a logical backdoor already exists

        Which has plenty of back doors...

  9. Mage Silver badge
    Black Helicopters

    No apple fan

    I hope the UK loses.

    A demand to have no encryption or a backdoor is STASI or Putin territory. Not reasonable in a Democracy.

  10. Tron Silver badge

    Both Labour and Tory support the STASI approach.

    This may be a very rare example of there being a genuine public benefit in having Trump and Musk in charge in the US. We don't want our government to behave like the Chinese. They can and will ignore us. They can't ignore the USG if it goes into bat for GAFA.

    1. Doctor Syntax Silver badge

      Re: Both Labour and Tory support the STASI approach.

      I'd have no confidence in the current USG taking the same approach tomorrow as it took today, nor repeating tomorrow's approach the day after that. But if Apple had gone along with it their security services would have been turning up at Apple's door PDQ with their own list of accounts they wanted to be opened up.

  11. Anonymous Coward

    Take A Deep Breath -- And Implement Your Own E2EE

    This UK argument has too many unknowns:

    (a) Has internet service provider encryption ALREADY been broken...and the UK/Apple business is just theatre?

    (b) Do backdoors ALREADY exist in various internet services? (See history of NIST proposing WEAK encryption algorithms)

    Suggestion:

    (c) Get together with your buddies and build private encryption -- might even be a business opportunity!

    (d) If enough groups implement #c, the snoops will have MANY MORE THAN THREE targets (Apple, Meta, Signal) to worry about!!

    Let's start with a design for a client which implements E2EE. Included below are details of key fragments of a C implementation.

    Unlike PGP, this design has no persistent encryption keys! And the key for every transaction is different (and random). (The same sort of design underlies the Signal product.)

    ## DESIGN FOR OPEN E2EE CLIENT ##

    STATIC

    (1) Feature to create a Diffie/Hellman token pair

    (2) Feature to publish your PUBLIC token to your friends

    OUTGOING

    (3) Feature to create a TRANSIENT token for each outgoing message

    (4) Feature to encrypt your message (using the TRANSIENT token and your friend's PUBLIC token to create a transient encryption key, then encryption - then the transient key is destroyed)

    (5) Feature to create a wrapper for each outgoing message (wrapping your name, the TRANSIENT token and your encrypted message) (Suggest binaries expressed as base64, and ZIP as wrapper.)

    INCOMING

    (6) Feature to decrypt incoming messages (using the sender's name, the sent TRANSIENT token, the recipient's PRIVATE token to create the transient encryption key, then decryption - then the transient key is destroyed)

    HINTS

    (7) Most of the detail in C can be found by searching for the work of the amazing Daniel Bernstein (you know....chacha20, curve25519........)

    (8) Quite easy to do as a Linux command line application. Bit more work to use GTK3 and Glade.

    PROBLEMS

    (9) Distribution of PUBLIC D/H tokens

    (10) Transport. Might be a nice idea to use Signal as transport!!

    ## END ##

    1. Anonymous Coward

      Implement Your Own E2EE -- UNWRAPPED D/H EXAMPLE -- Enjoy!

      <MESSAGE>

      <SENDER_REF>DONALD</SENDER_REF>

      <SENDER_TOKEN>[decimal token value omitted]</SENDER_TOKEN>

      <RECIPIENT_REF>ELON</RECIPIENT_REF>

      <TEXT>[base64 ciphertext omitted]</TEXT>

      </MESSAGE>

  12. excperr
    Stop

    Stop believing

    You believe there are no backdoors there already? They also don't have to be "made by apple"...

    1. gnasher729 Silver badge

      Re: Stop believing

      1. It’s a front door, not a back door.

      2. The UK government can send any cloud provider an order “enable the ability to read _any_ user data on request and don’t tell anybody”. In the case of Apple, somehow this order leaked. No other order was leaked so far. Why would anyone think other services don’t enable access?

      1. Roland6 Silver badge

        Re: Stop believing

        Interestingly, it was reported (annoyed can’t locate an online report of what I heard on the radio) that Ofcom had written to relevant organisations asking them to confirm they will be compliant with the provisions of the Investigative Powers Act and Online Safety Act that come into effect in a few months time. Ie. The law requires you to have some form of “backdoor” please confirm you are complying with the law.

    2. Richard 12 Silver badge

      Re: Stop believing

      Once a device has been seized and they have physical access to it, yes, it can be broken into and the keys extracted.

      That's ok. It means they had enough evidence to seize the device.

      What they've demanded Apple provide is a database of all the keys to every Apple device, everywhere in the world, just in case they want to look at one of them years from now.

      And that is insane.

      1. MachDiamond Silver badge

        Re: Stop believing

        "Once a device has been seized and they have physical access to it, yes, it can be broken into and the keys extracted."

        Not necessarily if the owner doesn't cough up their access code.

        1. Anonymous Coward

          Re: Stop believing

          Which results in Jail time under RIPA, so - Job Done.

        2. Anonymous Coward

          Re: Stop believing

          @MachDiamond

          You don't get it, do you?

          Yes.....................Anyone using PGP has to declare their persistent keys.

          Anyone using a Diffie/Hellman encryption scheme DOES NOT HAVE A CLUE about keys:

          - the encryption keys are random, one time keys

          - the encryption keys are created by the software.....and then thrown away after use!

          Sensible implementations of D/H use multi-pass encryptions, with multiple random keys........

          The user of this software HAS NO IDEA about the keys used.......and none of the keys is persistent.......that means none of the keys is saved anywhere...........

          There are NO PERSISTENT KEYS when D/H is used.....

          ....Sorry......................NOTHING TO DECLARE..................

          Get a grip!

  13. Long John Silver Silver badge
    Pirate

    Request to the IPT

    When adjudicating Apple's objection to HM's Government demand for access to its customers' encrypted data, please probe into the following.

    With regard to overall national security, to protecting UK residents from terrorism, and to reducing criminal exploitation of children and vulnerable adults, ascertain the quality of evidence supporting the assertion that the benefits of breakable-encryption outweigh those of absolutely respecting privacy.

    To that end, government advocates should be required to produce statistics. For example, have estimates been made of the numbers of crimes in various categories which would have been thwarted had breaking encryption (Apple's or anyone else's) been possible? This requires examining records of crimes known to have involved encrypted communication and relating each to the outcome, i.e. criminal conviction or no progress.

    There is more delving that can be done, but the point is that unsubstantiated opinions from political office holders, or from glib experts, do not constitute evidence. Given that the IPT is a quasi-judicial body, it should approach its task with forensic exactitude.

    1. MachDiamond Silver badge

      Re: Request to the IPT

      "unsubstantiated opinions from political office holders, or from glib experts, do not constitute evidence. "

      Well put. I find that by demanding all of this that they are admitting their people are getting considerably worse at the detective business.

      I think that it's also a change in the world since using encryption is so much more automated than 50 years ago when it would be so cumbersome that anybody using encryption or ciphers would be singling themselves out and drawing a bunch of attention. With modern tech, somebody or lots of somebodys can be using encryption and not draw attention to themselves so it would be useful for governments to be able to easily look at what's being exchanged.

      Think of how much easier it would be to do something if you could get a law changed or a new law put into place that requires a business to have a 24/7 webcam with audio so you can listen in to every meeting room. Being government, that's pretty much what they'd like to do themselves to make the game much easier for them to play. Save a heck of a lot of money too and then there'd be more budget for pay rises.

    2. Doctor Syntax Silver badge

      Re: Request to the IPT

      To that end, government advocates should be required to produce statistics and publish all confidential data which they hold on their own devices to demonstrate that if someone has nothing to hide they've nothing to fear.

  14. flayman Bronze badge

    Like a broken clock

    "US President Donald Trump also recently compared the UK's treatment of Apple to the extensive state surveillance methods deployed by China – the two countries' foremost intelligence adversary."

    Sometimes he is not quite wrong, which does not quite make him right.

  15. Paul

    When people say "I have nothing to hide", I will ask "how often do you have sex? what's your bank account details".

    Things can be secret, private or confidential. We all go to the toilet, it's not a secret, but it's something we do in private. We go to the bank in a public place, but the details of the account and the transaction are confidential, and the PIN is secret.

    We as citizens need privacy to function, and we should guard against the government and businesses wanting to know everything about our lives.

    So we need people to actively use encryption and private messaging as a matter of habit, all the time, not just for exceptional items. Otherwise using encryption will mark you out as a person to be suspicious of.

    1. Patrician

      "So we need people to actively use encryption and private messaging as a matter of habit, all the time, not just for exceptional items. Otherwise using encryption will mark you out as a person to be suspicious of."

      I use WhatsApp for all messages and phone calls for that very reason and run a VPN on my 4/5G service on my phone.

  16. StrangerHereMyself Silver badge

    Defend

    How is Apple going to defend itself against government claims it needs access to everyone's encrypted messages to safeguard the nation against terrorist attacks and child pornography? No judge would choose the side of a mega-corporation under such circumstances; national security will always take precedence over people's privacy.

    The only chance it has is to use the U.S. government (i.e. Trump) as a bouncer to force the UK government to relent.

    1. not.known@this.address

      Re: Defend

      Guilty until proven innocent? That is basically what you are saying here - Big Brother should have access to everything we do just in case one of the people in your town is a danger to others.

      It's not just choosing "the side of a mega-corporation", it is the privacy of everybody to whom the mega-corporation provides services that is under threat here. And in case you have not noticed, even when the authorities DO have detailed knowledge of what someone is up to they somehow fail to protect the public - not always their fault, to be fair; the Home Office has a long list of people they want to deport for such "minor" things as being convicted criminals in their homeland or crimes committed in this country but they cannot do anything about these scumbags because the "human rights" lawyers value the "rights" of criminals over the rights of victims and potential victims.

      This won't do much to prevent serious threats (do you think terrorists are stupid enough to use plain language in their comms, or that an "enemy state" won't give its personnel tailor-made equipment that doesn't go anywhere near publicly-accessible data stores) but it will add another vector for potential spying on their own citizens.

  17. mark l 2 Silver badge

    The proponents for backdoors always come out with 'If you haven't done anything wrong, you have nothing to worry about, this is only to stop child abuse or terrorists'. Implying therefore you should be supportive of them being able to access all your private data.

    Yet the RIP act allows the government to demand backdoors in secret and makes it an offense to tell anyone that a backdoor has even been requested. That hardly seems to follow the mantra about the only people who want to keep things secret are the bad guys?

    I've yet to hear any politician from the main political party speak up against the RIP act and so even a change of government is unlikely to change anything.

    Personally I'd start encrypting all your data before you store it on any cloud platform going forward. That's assuming if you feel you can only use the cloud rather than just having a backup locally.

    1. MachDiamond Silver badge

      "That's assuming if you feel you can only use the cloud rather than just having a backup locally."

      I constantly hear advice from people about backing up to the "cloud" and shake my head. I have a live backup on the computer, a disconnected backup and a backup that gets stored at a family member's home some miles away, in a labeled box. If everything goes pear shaped, I can have them send me the latest backup in the post if I can't come get it. I also have a small portable SSD I can use in the field to have my data duplicating as it's saved depending on the job. Most of the time I can just go back and redo a job and I've never had (knock) an issue just making copies when I'm back in the office.

      I don't see a good argument for spending the money to have online cloud storage for something that can be done for free. There's no way for me to back things up from the field without it costing loads of money in wireless charges. There are limits on "unlimited" service. I can also be home and dry by the time I could upload a job's worth of data through the mobe.

  18. Capt.Obvious

    Total BS reasons. The UK gov have already shown that they do not care about the biggest terror threat, by constantly inviting them into the country, giving them power and control over the laws and justice system, not taking action when they commit crimes, and allowing them to run grooming gangs unabated.
