
Last month saw a bill introduced in the United Kingdom that would significantly weaken Apple’s encryption of user data on iOS devices. The Investigatory Powers Bill could force Apple to maintain a key that would allow unlocking of the data on smartphones and in apps such as iMessage and FaceTime. On Monday, Apple spoke out against the bill in a written submission to the UK House of Parliament.

Apple Speaks Out Against UK's Investigatory Powers Bill

9to5Mac:

In the submission, Apple argued that the bill would hurt law-abiding citizens in an effort to simply attempt to combat the few “bad actors” who attempt to carry out attacks. The company went on to explain that many think it is possible to create a system that keeps all user data secure, while only allowing data to be accessed when a proper warrant is served. The issue with this thinking, Apple says, is that the government does not know in advance who would be a target of investigation (via Independent.ie).

Apple CEO Tim Cook voiced similar concerns during an interview with CBS’s 60 Minutes on Sunday.

“If there’s a way to get in, somebody will find the way in. There have been people who suggest that we should have a back door. But the reality is if you put a back door in, that back door’s for everybody, for good guys and bad guys.”

UK Prime Minister David Cameron is backing the bill, which would force Apple to stop encrypting user data in a way that offers no “backdoor” for government access.

Apple’s letter to the UK House of Parliament:

“The bill threatens to hurt law-abiding citizens in its effort to combat the few bad actors who have a variety of ways to carry out their attacks. The creation of backdoors and intercept capabilities would weaken the protections built into Apple products and endanger all our customers. A key left under the doormat would not just be there for the good guys. The bad guys would find it too.

Some have asserted that, given the expertise of technology companies, they should be able to construct a system that keeps the data of nearly all users secure but still allows the data of very few users to be read covertly when a proper warrant is served. But the Government does not know in advance which individuals will become targets of investigation, so the encryption system necessarily would need to be compromised for everyone.

The best minds in the world cannot rewrite the laws of mathematics. Any process that weakens the mathematical models that protect user data will by extension weaken the protection. And recent history is littered with cases of attackers successfully implementing exploits that nearly all experts either remained unaware of or viewed as merely theoretical.

The bill would attempt to force non-UK companies to take actions that violate the laws of their home countries. This would immobilise substantial portions of the tech sector and spark serious international conflicts. It would also likely be the catalyst for other countries to enact similar laws, paralysing multinational corporations under the weight of what could be dozens or hundreds of contradictory country-specific laws.

Those businesses affected will have to cope with a set of overlapping foreign and domestic laws. When these laws inevitably conflict, the businesses will be left having to arbitrate between them, knowing that in doing so they might risk sanctions. That is an unreasonable position to be placed in.

If the UK asserts jurisdiction over Irish or American businesses, other states will too. We know that the IP bill process is being watched closely by other countries. For the consumer in, say, Germany, this might represent hacking of their data by an Irish business on behalf of the UK state under a bulk warrant – activity which the provider is not even allowed to confirm or deny. Maintaining trust in such circumstances will be extremely difficult.”