
The UK's Proposed Spy Law Would Force Apple to Secretly Hack its Phones Too - dannyobrien
https://www.eff.org/deeplinks/2016/02/investigatory-powers-bill-and-apple
======
ascorbic
Whenever you hear about a violation of privacy by the US government, you can
guarantee that GCHQ laughs at how much easier it is for them. We have no
constitution to tie their hands, and the Human Rights Act is a hopelessly weak
substitute. The public doesn't complain, because the government and media have
managed to convince them that human rights are something only used by
terrorists and paedophiles. There's no separation of legislative and executive
branches either, and the Human Rights Act has no special status and can be
repealed like any other act of Parliament. The one saving grace is that our
Supreme Court is not political, so doesn't rule on partisan lines.

~~~
libeclipse
Preach. Most people are sheep, and worse than that, they are naive. The
biggest delusion they have is that we as citizens actually have a say in the
running of our country.

~~~
ascorbic
We do have a say inasmuch as we can vote them out every five years. This
doesn't help if the rest of our fellow voters are wrong. Human Rights are for
terrorists, immigrants are paedophile terrorists and benefit scroungers who
are stealing our jobs, the EU lets terrorist immigrant scrounging paedophiles
into the country, and so on.

~~~
SixSigma
> we can vote them out every five years

you mean "we can vote another similar group in"

And GHQ will be the same people

------
jensen123
Most modern computers come with a non-free BIOS etc. I wonder if this bill
could be used to order companies like Intel and AMD to make changes to that
proprietary code? When I first heard Richard Stallman talk about a free BIOS,
that sounded kinda extreme. It no longer sounds very extreme.

~~~
na85
Guaranteed Intel has already done so.

~~~
Arnt
Substantiate that, please. Or your guarantee isn't worth the bits it's stored
as.

~~~
Zigurd
That kind of absolute demand is just as useless. One might just as well ask
"Where is the code and the audit?" And until we have that we are left with a
strong motive on the part of snoops to force Intel and every other technology
provider to create back doors.

Moreover there is evidence that at least some makers of mobile baseband
systems included the ability to parse and execute special commands to turn
phones into room bugs. This was revealed in a federal case against mafia
activity. So it's not unprecedented for very large technology companies to
comply with requests of that nature and keep them confidential.

~~~
Arnt
Sorry, I suppose I'm guilty of the same thing that I objected to.

I didn't mean that as an absolute demand. Rather, I disapprove of the absolute
x-sucks attitude, along the lines of "guaranteed Intel did <name bad thing>,
after all <some other bigco> did <some other bad thing>".

------
studentrob
Wow. They must think there's a way to let government officials have secure
communications without letting criminals have secure communications.

Either everyone can have access to locks, Mr. Cameron, or nobody has locks.
And by the way, since locks already exist, and since they are in the form of
software which can be replicated across the world in seconds, and in the
brains of people across the world, it's going to be _impossible_ to enforce
the no-locks law without introducing the world described by George Orwell in
his seminal work, 1984.

~~~
SixSigma
> the world described by George Orwell in his seminal work, 1984.

The world where management was under constant scrutiny but proles not?

~~~
acqq
> The world where management was under constant scrutiny but proles not?

In "1984" the "proles" weren't constantly monitored, but they also had no
influence on anything.

But you are right, the technological capabilities of today seem to surpass the
imagination of the author writing the book 70 years ago.

------
gardano
As a thought experiment: What would the repercussions be if Apple _did_ pull
iPhone sales out of the UK?

I'd guess that there would be huge complaints from the populace. I'd guess
that Android providers would swoop in.

However, given Google's support of Apple's position here, would they too try
to influence the hardware providers to pull out too (not bloody likely, I'd
hazard.)?

Given that this election cycle seems to be leaning toward a 'burn the place
down' mentality, I wonder if now is not the perfect time to be drawing lines
in the sand…

~~~
jensen123
> As a thought experiment: What would the repercussions be if Apple did pull
> iPhone sales out of the UK?

> I'd guess that there would be huge complaints from the populace.

Probably. Most people seem to care more about the latest Apple status symbol
than about privacy. They don't seem to realize that the surveillance systems
that are being put in place now, could for example be used against labor
activists, who are simply fighting for decent wages and safe working
conditions for ordinary people, in the future.

------
colejohnson66
I wish Apple (and other tech companies) would have the guts to actually pull
out of a place that mandates backdoors. Then the public outcry would finally
be enough to cause a repeal of the law.

~~~
bogus-
I feel like that would be a financially detrimental move in the case of the
US.

~~~
studentrob
It would be financially detrimental for any country. Technology is going to
play a bigger and bigger role in the future of all businesses, and stifling it
now will hurt its growth in whatever countries try to limit it in this way. I
say try because encryption and mathematics are not governed by human laws.

Plus, the government relies on encryption for communication too. Are they
going to say that only certain government officials should be allowed to use
secure devices? What happens when someone in government wants to have a
private conversation with someone in the private sector? The private sector
person will need a secure device too, and we're back where we started.

The fact is our government needs to figure out how to keep us safe without
relying on backdoors.

------
studentrob
A similar US bill is being drafted and is expected to appear in March [1]

The press is asking questions about Apple vs. DOJ daily in the White House
Press Secretary's briefings [2] [3]

[1] http://www.politico.com/tipsheets/morning-cybersecurity/2016/02/march-is-encryption-bill-month-hackers-going-after-japans-infrastructure-a-mixed-final-2015-tally-212865

[2] https://www.whitehouse.gov/the-press-office/2016/02/24/press-briefing-press-secretary-josh-earnest-2242016

[3] https://youtu.be/j469gTWuk0g?t=19m30s

------
tehwebguy
There's one way to stop them from keeping tons of cash in the UK!

~~~
ascorbic
They don't keep it in the UK. It's all in Ireland, the Netherlands or
Luxembourg.

------
DavideNL
In other words, avoid UK tech products...

------
pbhjpbhj
>"And authorities can exploit a high-profile event, like a terrorist attack,
to do just that." [the OP] //

The EFF always seem to go just that little bit too far and make their
arguments silly. Do they really seek to convince us that the UK authorities
are "exploiting" terrorist attacks to gain access to people's everyday inane
communications?

People don't care about government seeing their communications because their
communications aren't worth seeing.

If it saves one life for a GCHQ analyst to see all my inane texts (SMS)
then I'm absolutely fine with that [in practice of course it's more like, they
check the metadata and decide to ignore me, then delete all the data after a
year or two].

They also mention 'the legislation will let them do this and that' but they
don't mention the restrictions, like needing warrants or court orders, or
signed permissions from the Secretary of State, or whatever. The way it's
couched is 'all your communications will be accessed whenever the gov want' -
if there really aren't any preconditions then the EFF should have shouted
about that more, if there are any then they appear to be being deceptive by
not mentioning them.

We've enough politicians not being straight with us already, we don't need
pressure groups doing the same.

Looking for example at S189 [1] of the IPB one sees that (though I only took a
cursory look) the requirement for a telecoms/postal company to take action
needs first a warrant from the court (warrants tend to require evidence of
criminal activity, not just suspicion, but again I haven't looked in detail
about the specifics here - the EFF lawyers presumably have). Then the Secretary
of State (SoS) needs to make consultations with relevant parties including the
Technical Advisory Board and representatives of the manufacturers/service
operators.

People are talking about infringement of HRA/ECHR or generally held moral
rights but there is a balance between the right to privacy and the right for
the populace to use the mechanisms of state to enable the proper investigation
of criminal activity (and other non-beneficial actions). Whilst I have rights
not to have my family life impinged on by the state they only extend so far as
it is not necessary to limit those rights to protect my children, say, or
prevent me committing crimes. I'm pretty much OK with that and think the
majority of the populace - who are decried here as sheeple - are OK with the
state having such powers _given the checks and balances built in to the legal
system in the UK_.

If the government see people taking part in criminal activity and solicit a
warrant from the court and in order to perform a search in that warrant the
SoS finds there is sufficient suggestion of a national security issue, or
significant loss of life, and on consultation with the affected companies they
find that access to that information is possible with limited financial cost,
then I consider that the SoS should be able to issue an order that the company
cooperates with the legal system to enable appropriate officers to see the
content that would otherwise be hidden.

[1 - See for example the S189 on p180 and the explanatory notes on pp 285+,
https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/473770/Draft_Investigatory_Powers_Bill.pdf]

~~~
josephlord
>>"And authorities can exploit a high-profile event, like a terrorist attack,
to do just that." [the OP] //

>The EFF always seem to go just that little bit too far and make their
arguments silly. Do they really seek to convince us that the UK authorities
are "exploiting" terrorist attacks to gain access to people's everyday inane
communications?

Yes, just watch the interviews of a Home Secretary on the news after any
terrorist news.

> If it saves one life for a GCHQ analyst to see all my inane texts (SMS)
> then I'm absolutely fine with that [in practice of course it's more like,
> they check the metadata and decide to ignore me, then delete all the data
> after a year or two].

Bully for you but it isn't just you. It is people with legitimate needs for
privacy; journalists, whistleblowers, lawyers, MPs and many others. You also
don't know when you may need privacy in future.

> They also mention 'the legislation will let them do this and that' but they
> don't mention the restrictions, like needing warrants or court orders, or
> signed permissions from the Secretary of State, or whatever. The way it's
> couched is 'all your communications will be accessed whenever the gov want'
> - if there really aren't any preconditions then the EFF should have shouted
> about that more, if there are any then they appear to be being deceptive by
> not mentioning them.

There may be a government right to access a particular device with appropriate
oversight. The idea that they can force third parties to prevent strong
protections or to weaken their security (for all devices not just those
subject to a warrant) is an entirely separate proposition. Nobody is saying
that the FBI don't have a right to crawl all over the phone, the argument is
about the extent they can force Apple to do work for them, the knock on
consequences of that.

>People are talking about infringement of HRA/ECHR or generally held moral
rights but there is a balance between the right to privacy and the right for
the populace to use the mechanisms of state to enable the proper investigation
of criminal activity (and other non-beneficial actions). Whilst I have rights
not to have my family life impinged on by the state they only extend so far as
it is not necessary to limit those rights to protect my children, say, or
prevent me committing crimes. I'm pretty much OK with that and think the
majority of the populace - who are decried here as sheeple - are OK with the
state having such powers _given the checks and balances built in to the legal
system in the UK_.

Yes a balance is required and rights are not absolute. The UK government can
already imprison you if you don't provide the passcode. The suggestion is that
they can cripple the entire country's security.

Also, while you trust the UK government, Apple operates across the world. What
about China, Saudi Arabia or even Syria? Don't you see that if Apple takes a
hard line that they don't backdoor their phones it is far easier than if they
do it for the US (or US/UK) but not for others. The global consequences of
Apple bending on this are very significant.

>If the government see people taking part in criminal activity and solicit a
warrant from the court and in order to perform a search in that warrant the
SoS finds there is sufficient suggestion of a national security issue, or
significant loss of life, and on consultation with the affected companies they
find that access to that information is possible with limited financial cost,
then I consider that the SoS should be able to issue an order that the company
cooperates with the legal system to enable appropriate officers to see the
content that would otherwise be hidden.

To what extent and with what side effects? If to access the phone they had to
disable all security for all users would that be appropriate? The reality is
the side effects are not that extreme but they are very significant. Also how
much cost/time is reasonable? Apple think it will take about 10-12 people 2-4
weeks to create the software (and that might be an underestimate). That is
time not being spent improving the software and security for everyone.

~~~
pbhjpbhj
>Don't you see that if Apple takes a hard line that they don't backdoor their
phones it is far easier than if they do it for the US (or US/UK) but not for
others.

>[...]

>To what extent and with what side effects? If to access the phone they had to
disable all security for all users would that be appropriate? [...] //

I think I must have misunderstood the situation. As I understood we were
talking about Apple having the capability to access their technology and them
refusing to use it for individual cases following issue of a warrant and
personal intervention of the SoS. That is an entirely different proposition to
what you're suggesting - that a company be forced to design a system with a
particular back door. That doesn't appear to be in the information I read
about the IPB but I stand to be corrected as necessary.

If [as it appears to be the case here] Apple, say, have the capability to
disable security on all phones then I can't see how the findings in this case
change the ability of another state - China, SA, Syria, as your examples - to
demand that Apple push changes to disable the security of phones. It's not
like China will say 'oh, USA courts found it unconstitutional so we better not
ask Apple to do it'.

FWIW I don't really trust the government; as you say "Bully for [me]" if I
don't have things to hide. But I was attempting to answer the comments saying
'why isn't everyone up in arms, they're all sheeple'.

Another aspect is, your notional MP being snooped on for unwholesome reasons
means that the entire fabric of the British legal and political system is
corrupt. If we're at that point then I dare say the Secretary of State will
just call in Apple bosses and have their partner's fingernails pulled until
the bosses agree to push a firmware update.

48 man-weeks vs Apple's tens of thousands of man weeks per day [from 115k
employees] seems pretty small cost. There's no reason Apple couldn't/shouldn't
be compensated for that time. TBH in the USA situation it would surprise me if
TLA-agencies wouldn't write the code (if they haven't already), they really
only need Apple for the distribution keys I expect.

Good points but I'm afraid I remain as yet unswayed.

~~~
josephlord
Regarding MPs being monitored you need to pay some more attention. As we know
everyone has been monitored recently and there is plenty of targeted
monitoring of left wing MPs during the 60's and 70's.

The software development teams at Apple are really quite small and they can't
just get new people in for this work because large amounts of knowledge are
needed. The 115k employees are largely not OS engineers.

