Podcast
Root Causes 468: UK Demands New Backdoor from Apple
Hosted by
Tim Callan
Chief Compliance Officer
Jason Soroko
Fellow
Original broadcast date
February 14, 2025
A new demand from the UK seeks complete access to all Apple cloud data housed in the UK, regardless of the data owners' citizenship and residency. We unpack this latest development in Government versus Encryption.
Podcast Transcript
Lightly edited for flow and brevity.
Tim CallanSo we have the latest chapter in something that we have discussed for years and years and years and years, and we both have predicted that we'll continue discussing it for years and years and years, which, of course, is government versus encryption. So what happened this time, Jay?
Jason SorokoThis time it was the UK's turn to ask Apple for unfettered access to iCloud backups. By unfettered, I mean remove encryption so that we can get access to it anytime we want. When the UK means anytime they want, they mean absolutely without the knowledge of the owner of that data.Tim CallanNo court order required. Not only not without the knowledge of the owner of that data, but the requirement was that the very fact of that requirement itself was gagged. Now this, somehow, this story got leaked to the Wall Street Journal. We don't know how, but Apple, according to what I read, isn't even allowed to tell the public that they're being forced to do this by the UK.Jason SorokoThis seems to be a common tactic by the governments where they don't want anybody knowing that they're even asking for this, and you can understand why from multiple reasons, not the least of which because it might be unpopular, and governments don't like things that are unpopular. But they also don't want to signal to the bad guy that they have these capabilities, either.Tim CallanFrom a pragmatic perspective of them trying to mine the information they're trying to mine, you understand why it's pragmatically advantageous to do that for them. We just have to overlook all kinds of other incredible concerns around this. Like the government is going to force a tech company to allow it to spy on this information and then prevent the tech company from telling anybody that they're being forced to spy on this information. That's all. Nothing to worry about.Jason SorokoThere's a few thoughts here, Tim, one of which is, how many of these have gone through in various Western governments? That we don't know about. We couldn't report on. This is because of basically just leaked information.Tim CallanSomeone leaked. What about the times when nobody leaked?Jason SorokoAnd so I think we have to assume that a lot of this stuff is already happening and it's out there. I think one thing that's also interesting here is the response from Apple, which, in the case of the FBI, back I think what 2015, Apple basically just said, nope. Not gonna do it and things kind of moved on. But I think that what's happening now is Apple saying, look, we'll just make sure that we don't have any backups that are resident in the UK, and therefore they won't fall underneath this law, even though, of course, the UK law, apparently, as it is written, is saying, we don't care whose citizens it is, we want unfettered access to all the data that is stored here.Tim CallanThat was another thing about the law, exactly, is that the UK has got this law that says this applies to anyone, anywhere and as long as the data are within our borders we get to do whatever we want with it.Jason SorokoExactly, Tim. So there it is. I think that's the sum of the news, but we've always promised this, the audience of this podcast, that Crypto War 3.0 would be continued to be reported on. And here we are.Tim CallanSo I mean a couple things. I think regular listeners of the podcast, we will have made these points before, but we can make them quickly.Number one is, of course, the problem with this is, as soon as you weaken security or weaken encryption, it's just plain weaker, and it winds up not just being the “good guys” who can take advantage of it, but invariably, this turns out to be exposure for other uses as well. So that's concern number one, I have.
Concern number two I have is that, when have we ever seen a government spy or law enforcement agency not take everything it can get? So there's this, give them an inch, take a mile problem. Who here trusts that everybody in the UK who potentially can use this is not going to abuse this, especially since it's secret and gagged and nobody is even going to know what they're doing with it. So that's problem number two I have with this.
Jason SorokoThere was an interesting quote. I forget. It was a British government official who had said, the road to good intentions, or the road to hell is paved with good intentions. Very old saying. I think from a pragmatic standpoint to make the point as simple as possible, and this is what you were saying, Tim, is if you make a back door, then even bad guys and unintended people can come through the back door. That’s the point.Tim CallanThis idea they sort of have of well, it's okay. No one's gonna come through this back door except us. Really? When in the history of cybersecurity has that actually turned out to be the case? Then, the third point I was going to make is, I think, we have really seen a pattern going back quite a while, of Apple being a very staunch defender of its individual customers privacy, and we're seeing this here again. They've squared off with the FBI. They've squared off with various governments. Apple is prepared to square off with anyone when it comes to defending their individual users’ privacy. And you see that once again going on here.
Then the trend, last point, really, for real the last point is, I really think we're going to continue to see this trend that you and I have talked about, which is that everything is going to move to an end to end encrypted state where these sort of things just aren't technically possible. So today, you can get a whole series of apps you can run on your phone that are free, and you can communicate with someone else, and you have an end to end encrypted session that is where a government can't find you. They just simply cannot.
Jason SorokoTim, these are the key points. 100%. I think I've said this before on this podcast, and it was a long time ago, at least three or four years ago - when my grandfather was a policeman back in the 1950s because people might say what's the alternative for law enforcement? Like, what happens if we really do want to go after bad guys? My answer has always been this. The legal system has already figured out how to do this properly, which is due process, and the warrant system works. In other words, if a policeman can prove to a judge that there's a bad actor out there and they need to be investigated in this kind of a way, then, in other words, you go through the front door method, not a back door method, and, therefore, it's documented. There's a legal process, and it's much more difficult for governments to just blanket do bad things when you're using due process.Tim CallanI think we've seen an inexorable progress over the last few years, and this will continue, where basically what's going to happen is this is going to be taken out of government hands. Our technology platforms will be built in a way where it doesn't matter who passes what kind of sneaky skeevy clandestine law, because you simply won't be able to get it, period. That is the trend.Now, I know some problems are harder than others. I understand Apple cloud backups are harder to accomplish that than I talk to you on WhatsApp. That's easier to accomplish that. But nonetheless, like we see everything driving in that direction as hard as it possibly can. We're gonna have a lot of great technical minds around the globe seeking ways to make it impossible for governments, like just from a computer programming perspective, impossible for governments to actually do this. Like, it simply won't work regardless of what law they pass. That's the future.
Jason SorokoThose things might even have to be domiciled into interesting locations, because I'm pretty sure - -Tim CallanWe talked a few years ago about Moxie Marlinspike had decided he wasn't going to be a US resident anymore. I'm not sure where Moxie lives, but apparently it's not the US now. For that exact reason.Jason SorokoNo, absolutely, Tim. I think that you're going to continue to see this heat up more and more as time goes on. So we will keep you in tune with what's going on.Stay informed with expert insights
Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!
