The UK government’s push to force Apple to backdoor its end-to-end encryption always looked like a miscalculation; both as a policy and politically. The Financial Times’ front page reports that, facing heavy pressure from Washington, the UK government is scrambling for a diplomatic exit from its flawed stance on end-to-end encryption (E2EE) and using its Investigatory Powers Act to allegedly* issue a Technical Capability Notice (TCN) on Apple.
The UK government has long been an outlier in the global debate on E2EE (dating back many years; this is not a party political issue), consistently taking a more dogmatic stance than its democratic counterparts. While countries like Germany and the United States have acknowledged the privacy benefits and security necessities of strong encryption, parts of the UK political system are simply opposed to end-to-end encryption.
The UK has repeatedly pushed for mechanisms that would allow law enforcement to access encrypted communications. Its instinct to surveil everyone even led to The Online Safety Act including a provision that, in certain circumstances, end-to-end encrypted communications can be accessed when the ‘accredited technology’ to enable it exists. In case you’re confused, yes, the UK government included the theoretical use of something that it acknowledges doesn’t exist as part of the sprawling Online Safety Act.
The Apple crunch
The UK’s Investigatory Powers Act 2016 (IPA), often referred to as the "Snooper’s Charter," is the other prominent example. Under the IPA, the UK allegedly* issued a Technical Capability Notice (TCN) on Apple to force the company to backdoor its own end-to-end encryption used by iCloud. As anyone with a working knowledge of encryption should understand, Apple physically and technically cannot install a backdoor in its end-to-end-encryption without introducing a way that could be then used to breach the system. We have now seen this happen writ large with the Salt Typhoon attacks exploiting the ‘lawful intercept’ backdoors on the US phone network, or the Juniper breach where an NSA backdoor was exploited by unknown attackers - we must learn from history.
In response to the alleged TCN Apple withdrew its Advanced Data Protection (ADP) feature for its iCloud service from the UK marketplace, sending a pointed message to the UK government that you don’t raise national cyber security standards by weakening them globally. There will be a hearing of this case at the Investigatory Powers Tribunal which will be unprecedentedly made public, following a civil society intervention, and will count on contributions from various sectors to demonstrate how damaging TCNs can be - and how much encryption means to us all.
Meanwhile, the US has moved to clearly indicate that it supports end-to-end encryption. For instance, the FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) have both been encouraging US citizens to use end-to-end encrypted communications in the face of Salt Typhoon and other challenges, and senators are calling for more use of Matrix to aid sovereign, secure and interoperable communications.
In addition, the US government has little time for foreign governments dictating what US headquartered companies can and can’t do. While in this instance that is to the benefit of end-to-end encryption, it’s another reminder that the US government holds considerable influence over US-headquartered companies. It’s why so many governments around the world are pushing for digitally sovereign systems to ensure that they are not at the mercy of US vendor-controlled technology solutions.
Acceptance at last?
The UK government’s bruising Apple encounter has, inadvertently, underlined the global support for end-to-end encryption in democratic countries. It makes it quite clear that the US - home to the majority of the world’s tech firms - supports end-to-end encryption unequivocally, and will protect its US headquartered firms from other governments’ attempts to undermine encryption.
Given the global nature of technology, and the fact that modern-day end-to-end encryption has been around for more than 30 years (we’d point to PGP in 1991), it looks as though we can finally accept that end-to-end encryption may be here to stay.
*We write allegedly as the serving of a TCN is meant to be a secret, and indeed Apple has still never confirmed or denied receipt, even though journalists openly cite attending court for the hearings.
