{"id":2243,"date":"2025-02-27T05:01:47","date_gmt":"2025-02-27T05:01:47","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/02\/27\/an-icloud-backdoor-would-make-our-phones-less-safe-html\/"},"modified":"2025-02-27T05:01:47","modified_gmt":"2025-02-27T05:01:47","slug":"an-icloud-backdoor-would-make-our-phones-less-safe-html","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/02\/27\/an-icloud-backdoor-would-make-our-phones-less-safe-html\/","title":{"rendered":"An iCloud Backdoor Would Make Our Phones Less Safe"},"content":{"rendered":"\n
An iCloud Backdoor Would Make Our Phones Less Safe<\/div>\n

\t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

Last month, the UK government demanded<\/a> that Apple weaken the security of iCloud for users worldwide. On Friday, Apple took steps to comply for users in the United Kingdom. But the British law is written in a way that requires Apple to give its government access to anyone, anywhere in the world. If the government demands Apple weaken its security worldwide, it would increase everyone\u2019s cyber-risk in an already dangerous world.<\/p>\n

If you\u2019re an iCloud user, you have the option of turning on something called \u201cadvanced data protection<\/a>,\u201d or ADP. In that mode, a majority of your data is end-to-end encrypted. This means that no one, not even anyone at Apple, can read that data. It\u2019s a restriction enforced by mathematics\u2014cryptography\u2014and not policy. Even if someone successfully hacks iCloud, they can\u2019t read ADP-protected data.<\/p>\n

Using a controversial power in its 2016 Investigatory Powers Act, the UK government wants Apple to re-engineer iCloud to add a \u201cbackdoor\u201d to ADP. This is so that if, sometime in the future, UK police wanted Apple to eavesdrop on a user, it could. Rather than add such a backdoor, Apple disabled ADP in the UK market.<\/p>\n

Should the UK government persist in its demands, the ramifications will be profound in two ways. First, Apple can\u2019t limit this capability to the UK government, or even only to governments whose politics it agrees with. If Apple is able to turn over users\u2019 data in response to government demand, every other country will expect the same compliance. China, for example, will likely demand that Apple out dissidents. Apple, already dependent<\/a> on China for both sales and manufacturing, won\u2019t be able to refuse.<\/p>\n

Second: Once the backdoor exists, others will attempt to surreptitiously use it. A technical means of access can\u2019t be limited to only people with proper legal authority. Its very existence invites others to try. In 2004, hackers\u2014we don\u2019t know who\u2014breached<\/a> a backdoor access capability in a major Greek cellphone network to spy on users, including the prime minister of Greece and other elected officials. Just last year, China hacked<\/a> U.S. telecoms and gained access to their systems that provide eavesdropping on cellphone users, possibly including<\/a> the presidential campaigns of both Donald Trump and Kamala Harris. That operation resulted in the FBI and the Cybersecurity and Infrastructure Security Agency recommending<\/a> that<\/a> everyone use end-to-end encrypted messaging for their own security.<\/p>\n

Apple isn\u2019t the only company that offers end-to-end encryption. Google offers<\/a> the feature as well. WhatsApp, iMessage, Signal, and Facebook Messenger offer the same level of security. There are other end-to-end encrypted cloud storage providers. Similar levels of security are available for phones and laptops. Once the UK forces Apple to break its security, actions against these other systems are sure to follow.<\/p>\n

It seems unlikely that the UK is not coordinating its actions with the other \u201cFive Eyes\u201d countries of the United States, Canada, Australia, and New Zealand: the rich English-language-speaking spying club. Australia passed a similar law<\/a> in 2018, giving it authority to demand that companies weaken their security features. As far as we know, it has never been used to force a company to re-engineer its security\u2014but since the law allows for a gag order we might never know. The UK law has a gag order as well; we only know about the Apple action because a whistleblower leaked it<\/a> to the Washington Post<\/em>. For all we know, they may have demanded this of other companies as well. In the United States, the FBI has long advocated<\/a> for the same powers. Having the UK make this demand now, when the world is distracted by the foreign-policy turmoil of the Trump administration, might be what it\u2019s been waiting for.<\/p>\n

The companies need to resist, and\u2014more importantly\u2014we need to demand they do. The UK government, like the Australians and the FBI in years past, argues that this type of access is necessary for law enforcement\u2014that it is \u201cgoing dark<\/a>\u201d and that the internet is a lawless place. We\u2019ve heard this kind of talk since the 1990s<\/a>, but its scant evidence doesn\u2019t hold water. Decades of court cases with electronic evidence show again and again the police collect evidence through a variety of means, most of them\u2014like traffic analysis or informants\u2014having nothing to do with encrypted data. What police departments need are better computer investigative and forensics capabilities, not backdoors.<\/p>\n

We can all help<\/a>. If you\u2019re an iCloud user, consider turning this feature on<\/a>. The more of us who use it, the harder it is for Apple to turn it off for those who need it to stay out of jail. This also puts pressure on other companies to offer similar security. And it helps those who need it to survive, because enabling the feature couldn\u2019t be used as a de facto admission of guilt. (This is a benefit of using WhatsApp over Signal. Since so many people in the world use WhatsApp, having it on your phone isn\u2019t in itself suspicious.)<\/p>\n

On the policy front, we have two choices. We<\/a> can\u2019t<\/a> build<\/a> security systems that work for some people and not others. We can either make our communications and devices as secure as possible against everyone who wants access, including foreign intelligence agencies and our own law enforcement, which protects everyone, including (unfortunately) criminals. Or we can weaken security\u2014the criminals\u2019 as well as everyone else\u2019s.<\/p>\n

It\u2019s a question of security vs. security<\/a>. Yes, we are all more secure if the police are able to investigate and solve crimes. But we are also more secure if our data and communications are safe from eavesdropping. A backdoor in Apple\u2019s security is not just harmful on a personal level, it\u2019s harmful to national security<\/a>. We live in a world where everyone communicates electronically and stores their important data on a computer. These computers and phones are used by every national leader, member of a legislature, police officer, judge, CEO, journalist, dissident, political operative, and citizen. They need to be as secure as possible: from account takeovers, from ransomware, from foreign spying and manipulation. Remember that the FBI recommended<\/a> that we all use backdoor-free end-to-end encryption for messaging just a few months ago.<\/p>\n

Securing digital systems is hard.\u00a0Defenders must defeat every attack, while eavesdroppers need one attack that works. Given how essential these devices are, we need to adopt a defense-dominant strategy<\/a>. To do anything else makes us all less safe.<\/p>\n

This essay originally appeared in Foreign Policy<\/a>.<\/em><\/p>\n<\/div>\n

\t

\n
<\/BR>
\n Bruce Schneier
\n \t

\n
<\/BR>
\nGo to bruce schneier<\/a>
\n \t

\n
<\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"

An iCloud Backdoor Would Make Our Phones Less Safe Last month, the UK government demanded that Apple weaken the security of iCloud for users worldwide. On Friday, Apple took steps to comply for users in the United Kingdom. But the British law is written in a way that requires Apple to give its government access […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[276,646,57,412,763,1],"tags":[87],"class_list":["post-2243","post","type-post","status-publish","format-standard","hentry","category-apple","category-backdoors","category-bruce-schneier","category-encryption","category-uk","category-uncategorized","tag-bruce-schneier"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/2243"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=2243"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/2243\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=2243"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=2243"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=2243"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}