hckrnws
The "only used in exceptional cases" argument is the same tired line every government uses before mass surveillance becomes the norm. Once a backdoor exists, it's not just "good guys" using it; it's an open invitation for abuse.
Indeed. During the pandemic, restaurants in Germany were required to track customer's information including addresses, so people could be informed in case of a confirmed CoViD infection of another customer who was there at the same time. Of course, this information was never to be used for any other purpose whatsoever.
In one case, however, there was a capital crime near a restaurant (or similar venue) and police and prosecutor used this information illegally to track down witnesses. They were sued after the fact and lost, but got nothing more than a slap on the wrist.
Once information is available, it will be used for purposes other than the intended one, even by the "good guys".
Better to simply not collect the data in the first place. It's like the hierarchy of controls used in risk management, from most to least effective:
- Elimination – physically remove the hazard
- Substitution – replace the hazard
- Engineering controls – isolate people from the hazard
- Administrative controls – change the way people work
- PPE – protect the worker with equipment
Only with hazardous data, or things like moral hazards rather than physical hazards.
Offtopic, but do you know some good sources to read on that matter?
Here's a nice OSHA doc on this: https://www.osha.gov/sites/default/files/Hierarchy_of_Contro...
Might want to save it locally though.
> Might want to save it locally though.
The real hazard is the infohazard of knowing how to deal with hazards. Hopefully some genius will eliminate it and increase efficiency.
I used the following query in your favorite ai powered search engine, "what knowledge would I need to able to make an intelligent post similar to <insert above comment>, please give me some high quality reading sources"
https://en.wikipedia.org/wiki/Hierarchy_of_hazard_controls
https://en.wikipedia.org/wiki/Data_minimization
https://www.ccohs.ca/oshanswers/hsprograms/hazard/hierarchy_...
https://epic.org/data-minimization-is-the-key-to-a-meaningfu...
I won't shovel the rest in here, but this is a good start.
Damn, you used an LLM to tell you that to learn more about "hierarchy of hazard controls" you should google "hierarchy if hazard controls" :) Truly a revolutionary technology!
You don't know what you don't know! Did I open myself to a sweet hindsight bias attack, luckily my saving throw worked. I used a search engine in a high dimensional space, not a fax machine.
I remember reading a similar story in Ireland on Reddit, where a guy started receiving newsletters and advertising texts that he only ate at once during the pandemic. Turns out the restaurant were using the contact details for Covid tracking for advertising purposes… diabolical stuff.
I visited US once, for a week. I went through an E-ZPass controlled interstate once as a passenger, and gave no e-mails to anyone.
Yet, I received "Pending E-ZPass payment" scam for a year.
I have no further comments.
>I went through an E-ZPass controlled interstate once as a passenger
>Yet, I received "Pending E-ZPass payment" scam for a year.
I think you're overestimating how precise scammers' targeting are. They're playing a numbers game, so they're going to spam every who might have used ezpass, not carefully curate their spam list by buying real time location data from data brokers. I received phishing texts for banks that I don't have accounts for, so next time I get a phishing text for a bank that I do use, I'm not going to think my bank got breached.
So how do you think the connection was made?
The best I can think was your location data was sold by a company behind one of the apps on your phone.
Possibly sold by an insider through unofficial channels?
They might have correlated my shopping data plus with my location (the state/shop I'm in), and possibly went from there.
Some of my phone apps might have betrayed to me, too, but I have no idea what I had installed at that time.
> was a capital crime
> track down witnesses
Am I too naive that I think that's a worthy use of that information?
It probably was. It was also illegal. As much as you, I, or even public opinion may agree that something is right, we can't have public servants knowingly violate the law when it is convenient. To accept that would be to forfeit many of your liberties.
In my state the law said that this checking information could only be used for contact tracing. So when the law says this and the cops drive over it in in a bulldozer, it's a bit shit.
That said, in my state the cops recruited and flipped a criminal lawyer who then back doored her high profile clients and gave confidential and privileged information to them them in order to build cases.
I'd agree that is a good case. But I'd still object to this tracking. It's a slippery slope. Who determines what is worthy?
We might like one government administration and highly expect them to respect the privacy. But what about the next administration? We've just seen Trump say he will withhold funding for universities with "illegal protests". I'd fully expect his administration to abuse this tracking, in the name of law and order.
> It's a slippery slope. Who determines what is worthy?
Who determines if a wiretap is worthy? Or a search and seizure? Or a simple arrest?
We have an answer for this, it's called Law and an independent judiciary.
You're right in theory but history shows us it's not black and white and rarely has an effect after the fact.
Well. That's actually a good example. Because contact tracing can (and was) implemented in a completely anonymous way, at a technical level, storing no personally identifiable information.
You can do this, just like you can do e.g. video surveillance, in a secure and privacy-respecting way. There is just no political will.
>restaurants in Germany were required to track customer's information including addresses
Ironic they went along with this considering how chest-pumping Germans are about their government being all about protecting their citizens' "privacy".
>They were sued after the fact and lost, but got nothing more than a slap on the wrist.
Government workers don't care about doing a good job since if they break the rules they won't get fired and the fines are not paid from their pockets but from the taxpayers pockets anyway so there's no incentive to be competent at your job.
I'm not really all that surprised. Public opinion is easily swayed with good marketing.
The government mandated contact tracing, but not how it was to be implemented. There was a publicly developed open-source app for contact tracing that was perfectly privacy preserving.
Unfortunately, many restaurants instead used a commercial solution that was none of these things. What it did have was support from a mildly famous German musician and great lobbying. Most people didn't care, they just wanted to go to the restaurant.
It’s always a mistake to generalize about a population as large as “employees of the German government”.
Some people are meticulous about their jobs. Some are not. Both types are present in any large organization.
I once naively believed that us "good guys" have little to fear or to lose by yielding a little privacy for the greater good. Then I grew up and realized that governments routinely fail to wield such power responsibly.
And even if the current government does wield such power more-or-less responsibly, the next one may not.
It also always lead to the same downward spiral of prosecutors complaining that the data they need to investigate drug trade is right there, but they can only access it for terrorism reasons, so why not add drug trade to the list of exceptions. Repeat with homicide, then fraud, all the way down to traffic infractions.
> it's an open invitation for abuse.
And I refuse to believe that the politicians behind that travesty don't know that.
Also, if you already go to prison for not handing over your decryption keys when asked, the one purpose left for a backdoor can only be criminal abuse.
The patriot act stayed in place 3 times longer than initially said.
It removed the habeas corpus for 15 years.
I am very glad they are doing this as a UK based ADP user. Waiting to see how long before they forcibly turn it off for existing users. I will of course just remove everything from iCloud at that point.
> I will of course just remove everything from iCloud at that point.
The iPhone's backup utility doesn't seem to support anything other than iCloud, so you'd probably have to individually set up some kind of automated scheduling that (no idea how) for your main apps.
Not sure if you'd be able to backup system stuff though. :(
On a Mac, creating encrypted local backups of your iOS device is built into MacOS.
On Windows, you create an encrypted local backup of your iOS device using iTunes.
It backs up everything. OS, Apps, and data.
> It backs up everything. OS, Apps, and data.
I’m not claiming you’re wrong, but I think the backup includes the list of apps and versions and excludes data that can be easily downloaded from AppStore.
I don't backup my phone anyway. There's nothing I can't replace in about 30 minutes work.
Do you save photos and messages somewhere?
It's not automated but you can certainly still use iTunes to create a local encrypted backup of the entire phone, apps, and data. Works over USB and Wirelessly on the same network. People who decide not to use iCloud can certainly still keep their data safe.
Comment was deleted :(
It's not like you can use an alternative without facing jail time if you don't give up the keys.
The penalty for not giving up keys is max 2 years in prison. Most offences that they're trying to use the encrypted data to use as prosecution evidence (for example, child pornography), have penalties that are way more than 2 years in prison.
If you're genuinely innocent, the 2 years is horrid. If you're actually guilty, it's a cheap way to serve your time.
It's a weird and perverse law that shouldn't exist, but it's likely in time the government will need to move the needle one way or the other, as habitual criminals are getting used to doing the maths.
When you are released from prison, they can simple ask you to decrypt the data again, and if you refuse or can't, you have broken a law with another 2 years in prison (5 if they think you could have anything to do with 'terrorism').. Its theoretically an infinite prison sentence for forgetting your passwords.
I believe double-jeopardy laws wouldn't allow this, but I could be wrong.
This comes up every time someone wants to give the death penalty for rape.
If the punishment for rape is harsher than the punishment for murder than anyone committing it may as well remove the evidence by using a blender.
Is there a academic study of the heuristic of choosing between option A versus option B?
People (even criminals) are not perfectly economic thinkers. That's probably a good thing. I have this terrible thought of a quant rapist: juggling their risk that the victim stays quiet or otherwise acts (police or revenge). Deciding on the Kelly Criterion for losing 20 years in prison.
I'd watch a movie about a killer using statistics properly. It is annoying when muderers are cast as being idiots. I imagine the protagonist runs a hedge fund and gets bored of getting away with white collar crime.
In this modern age, I'm rather interested in the inverse: lawmakers doing proper scientific research, and legislating based on that; attempting to discover the sociological or economical truths rather than chasing slogans and acting on beliefs and agendas.
They do that in many countries. Basically they check the likelihood of being a repeat offender and try to minimize that. Tax crimes become harsher than violent crimes because of it, for example… it is not popular amongst the population though.
I've only heard rumors that Scandy countries do this, do you have any references?
>Is there a academic study of the heuristic of choosing between option A versus option B?
I don't know of a paper on that specific question, but for example, Gary Becker got his Nobel prize because he applied economics to a wide range of human behavior including crime and punishment. Here is a famous paper of his on crime:
> I'd watch a movie about a killer using statistics properly.
At the start of the movie Heat, one of the hot head robbers kills one of the guards. De Niro, the leader of the robbers, immediately kills the other guard and says something along the lines of 'it's capital murder either way so may as well not leave any witnesses'. Ultimately, it's Di Nero being non-rational and driven by emotion that leads to the final scene in the movie.
But if criminals are not perfectly rational economic thinkers, harsher prison sentences may not be morally justified!
A behaviorist perspective on justice, punishment, and rehabilitation does not require morality.
1. Pragmatism - Justice can be effectively framed around practical outcomes and societal safety, it requires no moral framework.
2. Remorse and Emotional Response - Feelings of remorse can be understood as conditioned responses shaped by environmental influences rather than as reflections of moral responsibility; remorse does not necessitate moral weight as they can arise from societal conditioning and past experiences.
3. CBT - Cognitive Behavioral Approaches demonstrate that behavioral and emotional changes can occur without delving into moral implications, and requires no moral reflection.
4. Behavioral Accountability - Individuals can be held accountable for their actions based solely on their observable behavior and its consequences, without the need for moral judgments. The focus is on modifying harmful behaviors through interventions and reinforcements rather than assigning moral blame.
So, this framework provides a rational and effective approach to understanding and managing human behavior, focusing on the pragmatic aspects of justice, rehabilitation, and accountability, it does not require an already shaky and subjective moral judgment or moral accountability, and as thus, need not be morally justified.
If you want me to elaborate (with examples, too), I am willing to as my time allows.
I know a woman who was raped by her father. The state is going to release him in a few years, so now her family lives in terror of that day. Where is the justice in that, and what does the rapist bastard being or or not being a ""rational economic actor"" have to do with any of it?
> People (even criminals) are not perfectly economic thinkers.
This imperfection feeds into the argument for not punishing rape as harshly as murder: the rapist is likely to misjudge the chances of the murder being discovered and traced back to them, when doing the risk math to decide how to proceed. If their imperfect thinking leads them to overestimate their chance of pulling off the perfect murder (or the perfect coverup after one) then that pushes the chance of equal punishment leading to more murders higher.
"Doing risk math" oversells it for crimes of opportunity, where decisions about how to keep the action quiet after it has happened is going to be very emotion/panic (rather than facts/stats) driven, but for premeditated attacks I suspect things will flip the other way.
> People (even criminals) are not perfectly economic thinkers. That's probably a good thing.
why is that a good thing?
Perfect economic thinkers are good, because they'd be predictable and can be reasoned with. Providing economic incentives to such means you can direct behaviour in an easy and efficient way.
Irrational thinkers cannot be reasoned with via economic rationality. Therefore, either you have to stack the incentives so high that the cost becomes overbearing, or you use some other means of control that's less nice.
Perfect economic thinkers will kill one guy so his organs can save three others.
Utility is a flawed way to capture ethics.
Being perfect economic thinkers doesn't mean they are all powerful. How does one go kill one guy without consequence? The only person this perfect economic thinker has access to is himself, and surely, he values his own life at infinity.
Ethics is an agreement between people in society, which cannot be captured via economic rationalism alone, but economic rationalism can take into account current ethics, as well as other actors' propensity for more or less ethics.
Except that rape and murder are separate offenses and both would be charged, not one or the other.
they can't execute a criminal more than one time.
Not everywhere has the death penalty. Some countries are civilized.
Like Germany and the UK? However, it's no problem at all for them to supply Israel with support in their murder of 18,000+ children. Remote killing good, local killing bad?
this subthread was about how if rape has the death penalty then s rapist may decide to commit murder to lessen the chance of being identified.
Right, and my point was that if rape doesn't have the death penalty, then murder is less likely.
Would be rapists and murderers simultaneously aren't deterred from committing their crime in the first place by the threat of execution, but also will escalate their crime in response to the threat of execution. Very curious.
Liberal Europeans and Americans like to say that no civilized country executes criminals, but in fact several developed democratic countries in Asia do, and to say they aren't civilized seems absurd. Executing criminals seems to work well for them. Very curious.
> no civilized country executes criminals, but in fact several developed democratic countries in Asia do, and to say they aren't civilized seems absurd.
If you're saying the first bit, you're saying that it's a disqualifier from the second.
I lost some braincells reading this one
Thank you.
This is correct - but I’d rather my law enforcement had a pre-existing reason to investigate me rather than just stumbling upon something in random hidden searches. Innocent until proven guilty is key here.
I have nothing to hide, but I’m still not giving you access to my photo library.
Whether the data is encrypted or not, they still need a warrant.
For now. Once the means are there it's only a matter of time until everything is scanned automatically.
Those warrants are secret. We don't even know if they're following the rules they lay out.
In the US, the secret FISA court hasn't turned down a single warrant. Either the government is only coming to them with completely justified cases or they're just a rubber stamp. Either way, there's no oversight so we have no way of knowing.
[flagged]
You seem to think that the indexing and searching happens only if there is a reason. Why do you think that? There are all kinds of cases where government agents were found to have abused access to data for reasons that had nothing to do with illegal or immoral behavior by a target.
Irritatingly naive
Because they can.
So they randomly picked a person to search?
They have a jealous ex who is a LEO.
Never been across an international border?
Speaking of which, iOS needs to finally support user accounts, ideally hidden ones as well.
That’s not necessarily true.
RIPA notices do indeed assume you’re in possession of the keys of anything encrypted and you must disclose when asked nicely.
You just need an airtight provable way of showing you have a way to destroy that key when you push a button and do that before the notice arrive. I suspect that’s after they seize your stuff.
That's still a big improvement. A backdoor can be exploited by criminals who want personal gain, not just used as intended by police.
Indeed. But you can of course say "show me the court order" and defend yourself.
Not in the UK. In fact there's precedence they can arrest you for not unlocking your devices, without a warrant[0]
[0] https://www.independent.co.ug/activist-convicted-uk-terror-o...
They can arrest you for anything. I’ve been arrested twice. And questioned once. And apologised to twice.
I was stopped and questioned twice within a span of about ten minutes while walking around near Parliament in the middle of the night because someone _supposedly_ called in some sort of a threat. I was severely jetlagged and had never been to London before, so I figured it wouldn't be any different than walking around NYC but that may have been naive on my part.
You can walk around 99.9% of central London at any time of night and nobody is going to raise any eyebrows no matter how jet-lagged you look. But there's always a chance you're going to attract some attention outside Parliament, or certain embassies, especially if there's an "elevated threat level" or whatever.
apologised?!
Surely you're joking!
No way that really happened or it was an empty apology like.
> I'm sorry you made yourself suspicious
First time I was arrested for being next to a fight until I was cleared of any involvement. This required some explaining and the policeman was an idiot.
Second time some busybody reported to the police that I was carrying a knife. This was a Santoku knife that I'd literally bought and was still in the plastic packaging but you could see it through the plastic bag I was carrying it in. We had a bit of a laugh about it and they apologised for wasting my time. They did however arrest me so that they could do a formal search and had right to as they had reasonable suspicion I was carrying it as a weapon. I'm not bothered they were very reasonable and so was I.
Comment was deleted :(
Nothing about either of those is reasonable.
In the US both of those would have been handled with an Investigatory detention - same as being pulled over for a traffic stop. Not even remotely an arrest.
> They did however arrest me so that they could do a formal search and had right to as they had reasonable suspicion I was carrying it as a weapon.
What "reasonable suspicion"? They could see the "weapon" that had been reported and at that point it should have been "have a nice day" and then them trundling themselves over to whoever called it in and charged them with making a false report.
I swear, UK police seem generally nicer than US cops but infinitely dumber and the shit you brittons put up with in terms of having your rights violated is astounding.
"Reasonable suspicion" is the UK equivalent of what Americans call "probable cause" i.e. jargon for when the police are allowed to search you.
The police have to conduct stops in a certain manner, because of the law that gives them the power to stop people: They are legally required to tell the person they're being detained for the purposes of a search, the purpose of the search, the grounds for the search, and the legal power used.
Getting a load of jargon thrown at you about "detained" and "offensive weapon" and "Police and Criminal Evidence Act" sound a bit officious, but once they've stopped you they've got to give you the officious jargon, it's required by law.
Also, while it's rare that the police will have occasion to stop and search a middle class, middle age white guy like myself, when the situation does come up, it's reasonable for them to do it thoroughly and by the book. They should treat a report of me carrying a knife the same as they'd treat a report of a black teenager in a bad neighbourhood carrying a knife.
> In the US both of those would have been handled with an Investigatory detention - same as being pulled over for a traffic stop. Not even remotely an arrest.
I'm not from the UK, but it seems likely that this is just a question of semantics. Many US traffic stops are far more stressful—and handled in a way that is far less conciliatory—than the "arrest" that OP describes. It doesn't sound like they were taken to a police station or even necessarily handcuffed, more just formally detained.
As for US detentions: It doesn't especially matter if they're not technically "arrests" in US parlance, you're still being stopped by the police and you still can't go anywhere until they let you because there's a too-high probability that they'll find an excuse to make your life miserable if you don't cooperate.
Because of the increase in knife crimes in the last couple of years the UK police have become incredible aggressive towards anybody in possesion of even small purpose knifes in public. I'm honestly surprised OP got away with it.
> I'm honestly surprised OP got away with it.
Buying a knife and carrying it home is 100% legal, so there's nothing to "get away with" here.
Carrying a Santoku knife in public is only illegal if it's being carried without a "good reason" and carrying a newly purchased knife home is certainly a good reason.
The police have the power to stop and search people when they have "reasonable grounds" to suspect they're carrying a weapon; if the knife is clearly visible that's certainly reasonable grounds. So the search was not illegal.
A stop-and-search means being "detained" in the sense that you are not free to leave until the search is completed, but it's not an "arrest" that would appear on your arrest record. Perhaps there was a miscommunication about the distinction between being 'detained' and being 'arrested' ?
UK police are nothing more than legal mobster. If they don't like your face they can just decide the good reason is not good enough.
https://professional-troublemaker.com/2018/04/10/u-k-knife-c...
> If they don't like your face they can just decide the good reason is not good enough
The article you linked does not support the claim that the UK police not liking someone's face is sufficient for them to be allowed to stop and search someone.
In fact, this goes directly against the PACE guidelines as described at https://www.college.police.uk/app/stop-and-search/fair
> A person’s physical appearance [...] cannot be used as the reason for stopping and searching them [...] unless there is information or intelligence giving a specific description of a person suspected of carrying an item for which there is a power to search.
At the same time they don’t tend to blow holes in the victim here.
He didn't even explain why he was arrested or what he was suspected of
If you are stopped at the border then you don't have such a right. British border force can just demand you give them keys to all your devices and hold them for 7 days, no court order needed.
Watch this if you're curious how that looks like:
The part that stood out to me, copying from the automatic transcript:
> they're sitting there with these like blank A4 Bits of Paper writing down everything I'm telling them like you know bits of interest and it's exactly the same thing the Russians did when they interrogated me [...] to be honest interactions with the Russians have been pretty much the same as inter with the British government
I didn't do my research before going to the UK for the first time two months ago and just went with my gut feeling, that is, deleting files from my phone that I don't want to end up in a government system through Cellebrite's "accelerated justice" or whatnot. Never done this for any other country before (I cross borders on a weekly basis). Seeing this video and the Ugandan article from the sibling comment, that was definitely the right move
I get bagged and tagged at least once a week when I go shopping in the UK in the last 50 years. You don’t want to come here at all. I’d rather hang around in Russia these days.
Facetious comment aside the only time I’ve had problems with border security anywhere is getting a large carpet back home from Azerbaijan. This was very interesting and required them to examine every square centimetre of it. China, US, UK, Europe all really boring. Russia was incompetent. They didn’t even check anything at all (2012)
I don’t know of any country where border guards don’t have the authority to seize your device if you’re trying to cross.
I just use devices with ephemeral storage for crossing borders to save myself from having to do any research on any particular country’s device privacy practices.
Then I'm not sure what we're criticizing China for, if no country has such fundamental rights for the people under its control. The warrant system exists for a reason. I'm not more likely to be carrying something illegal when going between countries than within the jurisdiction where my registered place of residence is; less if anything because there might be spot checking indeed
Some firms routinely forbid carrying company data (including encrypted data) across five-eyes and PRC borders, this is why.
Imagine you're a citizen and say no.
Are they arresting you?
Because they have to let you in.
This depends on who the Border Agency officer is:
An Immigration Officer may search you until they are satisfied you are a citizen. As long as you have a passport (or emergency travel document) listing you a citizen, this should be straightforward and they're unlikely to have grounds for any further search. At that point, you have been let into the country.
Customs Officers are much more likely to have grounds for a search — if they believe you are bringing prohibited material on the electronic device into the country (and "reasonable grounds" is low, as it typically is for customs — "you're acting kinda sus" is a reasonable ground), they can search your device. It is an offence to refuse a search, so while you've been admitted to the UK, you could be arrested for that offence.
This is all broadly comparable to most other countries immigration and customs laws; the UK is not an outlier here.
The problems with the UK are primarily things that apply to everyone, not just at the border — for example the Terrorism Act 2000 and Regulation of Investigatory Powers Act 2000. But again, in the border case — that's basically all going to be _after_ you are admitted to the UK.
You don't have the right to say no or even stay silent. If you refuse to give up your passwords they will charge you with the whatever the legislation around it is, it's 2 years behind bars for refusing.
God this is scary. What if this "authority" figure is abusing their position? Do you have any recourse?
Probably not, just a waste of money and time, but hopefully someone can provide a reasonable recourse.
What if you say you forgot? I actually had times (after not having used my phone for a month or two) that I (& my muscles) forgot my PIN (not for the SIM card) and I had to do a factory reset.
Well it's not automatic 2 year prison sentence. The state charges you with a crime, it goes to trial, and then you have to defend yourself - if your argument is that you forgot, then it would be an interesting case - ultimately the prosecutor would need to prove that it's unlikely you forgot, say if they had proof (say CCTV recording at the airport) showing you using your phone 5 minutes before it was confiscated - it would be pretty hard to argue that in the space of those 5 minutes you forgot the password. But if you had a device in your suitcase and could successfully argue that you haven't used it in ages and the password was long and complex then yeah, I guess you'd be found not guilty - up to the judge/magister/jury depending on where exactly in the justice system you end up. But yeah, while stopped at the border saying "I forgot" is not a good card to play.
It probably won't end well but I'm curious what would happen if you give them a password that resets the device. Theoretically it unlocks it, it's just that it takes a minute and it's factory new at that point.
They would image the device and try the password against the image, if possible.
They'd charge you with destroying evidence, or "perverting the course of justice". They aren't stupid, they would know that you gave them a password that wiped the device.
Is a court order explicitly needed in the UK to demand a key?
Yes there has to be magistrate approval and you can challenge a notice with legal representation.
A warrant is required - can be issued by the Secretary of State.
I can be criminally charged for encrypting my data (and keeping it encrypted)? That’s mental!
Guess, I better delete that big file of random numbers from my computer.
> I can be criminally charged for encrypting my data (and keeping it encrypted)? That’s mental!
That's the UK.
But then you will know they are spying on you - they won't be able to do it secretly.
Really? So you can have your own Nextcloud server, connect over Tailscale and you’d face jail-time? I can’t imagine that.
The law is about making sure the UK government has access to your encrypted data if they want it. It doesn't only apply to big corporate solutions.
Wtf. What is next, my thoughts? Who are these people? Thinking they can outlaw basic maths operations.
Look up "decolonize math" or "critical mathematics".
Yes, and they have the resources to go after every (former) user of ADP. </s>
I wonder how the metadata comes into play here. Metadata is fair game even with ADP. Apple retains it and could probably be compelled to pass that along
Yet I don't have much faith that the UK government will back down
[dead]
How do we know there are not back-doors already in Apple's cloud storage (that the 5-eyes cult has access to)? This fight may just be theater the goal of which is to legitimize the view that Apple's cloud storage is secure and free from government snooping.
Trust, then verify. No ability to verify? No trust.
This fight is about providing encryption to the masses. If you want to use your own open source security solution, you should definitely do that (really!). But you will be one of a small number of people doing so. And a society where only a small number of "wizards" have freedom isn't a free society at all.
I am very sympathetic to the idea that more components should be open source, and Apple's systems should be much more open (particularly backup.) But at the end of the day if Apple is compromised there is no open source solution that can save you. They design the silicon.
> This fight is about providing encryption to the masses
If apple cared about providing encryption to the masses, ADP would be enabled by default and you'd have to opt out of it.
As-is, all your messages, photos, and so on are backed up unencrypted to apple's servers where they can read them at will. End-to-end encryption is opt-in, and I doubt most "the masses" even know a setting for that exists.
>If apple cared about providing encryption to the masses, ADP would be enabled by default and you'd have to opt out of it.
Apple is also a company that needs to cater to its customers. If they enabled ADP by default and customer locks themselves out and goes to Apple, they want to be able to help. ADP is intended for people who understand what it is but nit savvy enough to run their own system.
You can't have it both ways. Either you're providing encryption to the masses, or you're not.
Providing encryption to the masses would in fact be telling people who lost their phone, or forgot their password "no, all your photos are gone forever, tough luck. Also, you have to make a new apple account and re-purchase all your apps".
You must have a different definition of "providing" because offering a service is definitely providing it. Apple makes "smart" devices that do what people want them to, and encryption is second to that. I think it's a fair compromise to have it easily available but not default.
This is correct, apple has a very customer first support culture which has a famous history of blowing up in their faces.
Internal metrics for support teams are almost entirely customer satisfaction focused, which built a culture of getting a result for the customer at all costs, which was very exploitable by social engineering.
It doesnt surprise me that they dont want to let customers encrypt and lose all their baby photos by default.
I didn’t say it was Apple fighting. I’m referring to the broader fight. Getting Apple to deploy encryption by default is one outcome I’d like us to fight for. But if we give up and start poo-pooing Apple’s encryption because it’s not pure enough, that fight is over.
Is the society that relies on everyone else to make the decisions that serve their best interests free either?
It’s impossible to live without depending on other people’s decisions unless you live completely isolated. It’s not “free” but most people are fine sacrificing some freedom for other gains. This has already been discussed for centuries, see Thomas Hobbes and the social contract.
Partly because they document the doors which are there for LE : https://www.apple.com/legal/privacy/law-enforcement-guidelin...
They also switched a few years back to provide signed firmwares rather than encrypted firmwares to ease independent verification, and have the Apple Security Research Device program to do runtime exploration with certain security walls turned off. (Supposedly creating these devices requires a partial factory retooling)
Apple also only has per-device global builds, rather than regional builds which might obscure requested features. My understanding is that they take transparency measures to make sure it can be detected if a firmware was released out-of-stream, and anonymity measures to prevent targeting a specific device with a custom firmware.
The Secure Enclave also requires the device passcode as part of an approval process for installing new device/enclave firmware; the underlying OS and security enclave are not meant to have the capability of being transparently updated/modified.
We can never truly verify, because there is no such thing as perfect security [1].
However there is "Deterrence through Accountability. We can attempt to legally prosecute the attackers" [1].
That is what is happening here. The attackers are being prosecuted.
[1] https://www.cs.cornell.edu/courses/cs5430/2017sp/l/03-princi...
Agree, blind trust in any big tech company is naive. But if Apple already had hidden backdoors, why would the UK government be pushing so hard for one now?
Yeah its a concern of mine.
Australia introduced the concept of these laws with the Access and Assistance bill. The politicians were adamant it was necessary, however there were so many potential users of the system (Politicians, police, spy agencies) it never made a lot of sense.
Fast forward a few years and ASIO gave a press conference where they admitted to only having used the powers under the bill twice. Which makes me concerned about who the bill was for and what it has been used for. Unlike the British version, any public information release leads to instant jail time, and it was unclear whether this extended to briefing legal counsel.
I feel like, if the 5 eyes wanted to breach iCloud they would use Australia rather than Britain where it can be publicly contested like this.
I understand that's not your point, but the government is a massive entity: it's entirely possible that the intelligence community has capabilities that wouldn't be admissible in court and therefore are of limited use to law enforcement. Or that they might be unwilling to share them with law enforcement.
"Trust but verify" was political double speak from the start, it's fascinating how it still lives on for so long.
And yes, we shouldn't put trust in corporations in the first place.
"Trust but verify" is a description of speculative execution.
We more need FOSS (and supply chain) hardware, software, and (distributed) cloud platforms with encrypted all at rest and in-flight with zero knowledge storage (minus specific private keys and offline authoritative key locations, of course). The problem, of course, is the main platforms are ultimately owned by single point-of-failure (SPoF) corporations that can be leaned on, banned, or raided. This would require immense, deliberate investment to avoid compromise/slowly replace closed choices and to avoid supply chain attacks. And then, ultimately, it requires a socio-political bargain to decide whom to trust and why, such as, based on interests and leadership team.
"In 2021: No (IPT) cases were found in favour of the complainant": https://en.wikipedia.org/wiki/Investigatory_Powers_Tribunal#...
This sounds like something Douglas Adams would have written about.
From a leadership personality angle, who do you think initiated this brilliant marketing/messaging campaign — sue a country because ”it infringes on human rights and Apple upholds it.“
Do you think this kinds thing comes from someone in Marketing, Legal, a C-Suite, or is this kind of thing a thing by community at Apple? If it is the last, it would be brilliant to read that protocol/process/flow.
I don’t know, but it feels like the UK gave them the softest pitch, straight over the plate, and all they had to do was hit it. (Maybe a cricket metaphor would have been better)
Good. Even if they lose, they should make as much noise as possible before giving up on the UK market. Maybe it will start to turn the tide of public perception.
The more awareness there is, the harder it becomes for governments to quietly erode encryption without pushback. If nothing else, it might make other companies think twice before rolling over.
Can't see much coming of this. At the very least the largest two parties are all for this kind of encryption backdoor and regardless of what the 'court' decides parliament can just legislate around it.
Apple will do it for the attention, PR and to hurt the idea generally even if they lose. Mindshare and ire towards the government are as strong as any legal judgement over time.
> Mindshare and ire towards the government are as strong as any legal judgement over time.
Much stronger.
Yup, the Courts are ultimately there to fulfil the will of Parliament: if there's a clear power granted by Parliament to do this sort of thing, and there's no compelling objection from other areas of law, then this is more just a delaying tactic.
Essentially true however judicial review can expose legal flaws, incompatibilities, or breaches of higher legal principles (e.g. the Human Rights Act 1998) essentially compelling (not forcing) the government to amend or adjust legislation.
A notable example being section 23 of the Anti-terrorism, Crime and Security Act 2001.
There's an interesting talk involving Baroness Hale, who'd later go on to be President of the Supreme Court, where she mentions the Belmarsh case: https://www.youtube.com/watch?v=pYR414Q8v6A&t=2605s
Fun facts about the UK supreme court:
- It was created by an Act of Parliament
- It is a government department
- It can not overturn primary legislation
- Parliament could dissolve the court if it so wished
I see from your comment history you're British, so I don't get why you describe this as surprising. There's the Commons, Lords, and the King. Who or what else would be creating or dissolving the court? Why would it be able to overturn primary legislation that's received royal assent? That would just be swapping things around so you'd be saying 'fun fact about parliament, supreme court can...' anyway, surely?
Not having a judicial body that is fully independent of the legislative branch (parliament) and not being able to strike down laws is interesting/surprising to me shrug. I've always liked the idea of strong judicial oversight. But I guess without a strong constitution, where parliaments laws can't be ruled unconstitutional, it doesn't matter much... the public will be fully at the whims of parliament.
UK judicial oversight is actually pretty good. The government at the time lost numerous important cases when trying to implement Brexit. While Parliament can create legislation to overrule the courts decisions it's not typical and in the case of EU legislation they were stuck because they couldn't easily change that. The UK does have a strong constitution despite the fact it's not codified. In my opinion the US Supreme Court is farcical compared with the UK one. The fact it has lifetime appointments and is accepted as politically biased astounds me. NB: I know you didn't mention the US but it's my only point of comparison.
> But I guess without a strong constitution
Aren't US SC judges picked by the president? Can't he override everything with pardons and executive orders anyway? Can't the US constitution be, uh, amended?
Aren't US SC judges picked by the president?
They're nominated by the president, but approved by the Senate. There have been cases throughout history where a nominated judge doesn't get through the approval process. Of course when the president and the Senate are aligned and in agreement this approval process is largely a rubber stamp.
Can't he override everything with pardons and executive orders anyway?
Not at all. Despite what it sometimes looks like, the president's executive order powers are quite limited. But again, if congress isn't willing to challenge the order and the Supreme Court isn't willing to rule on it, these limits are more theoretical.
Can't the US constitution be, uh, amended?
It can, but it is a slow and difficult process, requiring 2/3 support of both the house and the senate, plus support from 3/4 of the States. There have apparently been over 10000 attempts to amend the constitution since the founding, of which 27 have passed. Furthermore the president has no power to suggest or approve constitutional amendments.
Basically a president that doesn't have the support of Congress and the Supreme Court has surprisingly little power.
I was speaking to the wider audience here
Our supreme court is different to the US supreme court for example
Well, the British system is particularly unique because there is no formal Constitution, and thus we have no Judicial Review for Constitutionality. There's a pretty interesting talk about this here: https://www.youtube.com/watch?v=YIlkY90Cck8
This is basically a "the Emperor's new clothes" situation where the UK's constitution can only be seen by smart and educated people. (Yes, you have QCs [now KCs] saying otherwise, but that's exactly my point.)
Face it, if the constitution is "whatever the prevailing political elite class says it is", then you don't have a constitution.
I’m not sure how a written constitution that is anyway interpreted by “the prevailing political elite class” is functionally much different?
At least there are words.
The Brits have nothing.
> At least there are words.
> The Brits have nothing.
There are words in the British constitution as well. Acts of Parliament that define how the Parliament and the courts function are constitutional laws, such as the Parliament Acts of 1911 & 1949 and the Constitutional Reform Act 2005. If we are going by words, there are a lot more words in these multiple constitutional documents than in the constitutional documents of many countries that only have one such document.
Yup. What Parliament giveth, Parliament can taketh away. It is scary to think what Parliament can do with a simple majority.
> It is scary to think what Parliament can do with a simple majority.
Good question.
Mostly self preservation I guess. It's not unheard of for a party to get wiped out.
I feel the Queen made moves behind the scenes to keep the government in check too. As much as she could. Not sure about Charles
I'm sure they're looking at Trump and realising they can get away with anything if they want to.
Ministers used to resign in disgrace over far less severe things than we've seen the past 2 decades. Now you can just easily distract the public with scandal after scandal or issue after issue. Then they can re-enter politics
Probably the pitchfork risk. Governments have gotten good at keeping safe distance from the point where things might get violent.
I'm not sure that's entirely true, the UK government gets sued regularly and loses a fair amount.
Sure, but that's because the government acted in ways contrary to what Parliament willed.
It will be good to have a test of the legislation, the last government spat out some horrifically written legislation, so it might not even say what they think it says.
I wonder if this case will be dropped by the uk, now that it's more clear that trump/ us gov serves (or is aligned with...) russia
The global landscape has changed significantly since (last week) this case began
As they should. You can’t throw an ultimatum for something that benefits nobody but the govt. and kick everyone around.
Would like to see other companies who were affected by similar situations also take this to court
How well it’ll do in court is debatable, could go for either side, but regardless of the outcome it’s always good to see resistance and pushback
Apple will lose, because the government didn't break any law.
If the British government insists on this applying to non-british citizens in other jurisdictions, they are likely to be in conflict with privacy laws in those countries and that will trigger an international court case.
I don't know what they are arguing in this case, but there is a chance that the government violated the US-UK Bilateral Data Access Agreement 2019, which governs data access requests from either country's government to technology companies based in the other country.
It's completely disgraceful what the U.K. is doing to freedom of expression. Very happy to see Apple like this.
I think that the people who want to use encryption should use their own software for encryption, which is separate from the cloud service. (This alone might not do, because you also need to implement other security, but it will be one thing to do.)
You are suggesting people be able to insert an encryption module into other services?
Or that everyone has to constantly manage a non-default set of tools, and deal with all the interoperability issues of all the mish-mashes of choices others make?
Or, ...?
Personally, I cannot see a safe online world that doesn't have hard privacy.
Why not give people easy ways to report "very bad behavior" online, to authorities that build up a reputation of responding responsibly. Including bounties for the most egregious stuff.
Then every recipient of anything rotten becomes a honeypot for the criminals.
Breaking everyone's privacy is going to attract every nefarious and security conscious actor in the world to the buffet. Every state actor, "good" or "bad" is going to want to have access to everything that can theoretically be accessed. Worst possible kind of honeypot.
And this whole situation just reinforces the fact that relying on a provider's encryption means trusting that they won't be forced to weaken it later
Remember software can be banned or regulated via export control.
Exactly. Just like the pirate bay.
That ban seems to be incredibly toothless considering a simple DNS/IP change can bypass it.
at least Apple should provide a way of inserting a module to encrypt decrypt files. and say, we just store the bytes user provide us.
This is the issue. If you encrypt your own, then the software will not be able to use it as it's not a file it expects. So all of the software that you want to use your encrypted files will need to have this type of module.
At that point, I feel like we've opened pandora's box. If every single app had to be able to decrypt/encrypt with your personal key, we just know someone will roll their own and fuck it up for everyone else.
It depends on where you put that module.
In NT you can have modules that sit between various operations on the file system. It’s how AV works without having to hook into every single application that reads and writes from storage.
There’s no technical reason why this kind of approach couldn’t be applied by Apple for encryption. But it would require relinquishing some control over their platform, so it would never happen.
Microsoft gets that excuse, because it lets you run anything at all on your computer. Apple doesn't, because it only lets you run things approved by Apple. Instead of "why did you make this encryption system we can't break into? Trillion dollar fine!" it'd be "why did you let XYZ Corp install this encryption system we can't break into? Trillion dollar fine!"
I've been wondering. What would happen if Tim Cook personally 'leaked' the notice on twitter?
How would the UK government reasonably sanction Apple?
Force cell carriers to block imei of apple handsets
That surely wouldn’t sit well with the public?
I'm fairly certain this would impact a large part of the government itself.
Why would the UK government limit itself to being reasonable?
I can imagine most CEOs pausing before picking a fight with the intelligence services.
If Apple had the wherewithall, theyd give up on the UK and be done with it. Should they not prevail legally. Pipe dream, I know.
I never get this perspective. Firstly we do give them a crap load of revenue. Secondly it'd probably trash any of their non US business almost immediately as people start looking for contingency in case they pull out of other countries. Thirdly they didn't pull out of China. And fourthly there are a lot of Apple engineering staff here in the UK - it'd cripple them because they won't move to the US.
They will comply with the law and make a lot of noise and not a lot else.
How can a company the size of Apple be crippled by employees in the UK?
Literally a large chunk of the ARM core team are in Cambridge including most of the GPU folk and there are a ton of infra and software team in a couple of other UK locations.
On top of that, a big chunk of the follow the sun on call engineering (SRE) are here that look after global infra and most of the European support operation are in Northern Ireland.
Fruit Engineering Ltd. hires brits and contracts with offshore Apple Inc. The former does not have the keys and cannot be forced to do anything iCloud-side.
It's not like corporate doesn't know all the tricks already. The only reason they need is whether the UK market is worth the hassle. That's all.
The perspective is that if Apple bricks its devices for a couple days in the UK the pitchforks will come out considering they have the moral high ground and the better marketing team to pitch it to the general population.
Whether it's good for a US corpo to interfere with the stable 1984 progression of the UK is another issue. If I were in a decision making position at Apple I wouldn't want to bother with this either. Just take the easy marketing W and move on. Maybe prepare a plan for market exit just in case they're not satisfied with disabling encryption and demand a global backdoor.
Define a “crapload.” My understanding is that it’s actually a number that could be walked away from.
8000 staff including very high level engineering and technical.
Isn't that potentially devastating to the UK, not Apple in the long run? Choosing to walk away from the market in terms of supplying goods does not mean needing to walk away from high level engineering staff.
Of course, you may mean these staff are only required to service the UK market...but it sounds like you mean they are valuable to Apple, at which point I am unsure as to why they would not be retained/shifted as appropriate.
Also my apologies, I assumed revenue here. Also thank you, I had not considered staffing, but it makes sense.
Yes it’s more critical staff. And it’s more a cultural thing. I know a couple of Apple folk and they will definitely not relocate to retain the job. Especially in the current political climate.
You don’t actually need as much money to survive in the UK as the US for example. So there isn’t the motivator to retain high level salaries other than luxury.
It would be “no thanks” and take a 30% cut to go and work somewhere else.
The Apple engineer staff can keep their jobs.
What happens when Australia blocks this next? Then Japan? Then Brazil? Then Sweden? Then the US?
"What if every country on Earth violated everyone's rights" isn't really much of an argument against standing up to countries that try. If that actually happens then we're all screwed anyway. Until it does actually happen, why roll over and allow it to happen without even trying?
If Apple gives in, it will certainly happen in dozens of countries. China alone would be a dealbreaker.
Apple gave in to China years ago. Apple gave operation of iCloud servers to a chinese company.
According to Apple, everything in their system still works the same and they still have control of their own hardware, even if it’s in a Chinese data center. Systems like iMessage are still fully end-to-end encrypted even in China. Maybe they’re lying but it would be a huge opportunity for devastating leaks if that’s true.
> Systems like iMessage are still fully end-to-end encrypted even in China.
The simplest answer to your question is "it exists" and "iMessage isn't important," but instead, you chose to write a whole fiction for your brain. If that's critical thinking, I'd call it hallucination.
See, I don't see just withdrawing from the country as 'standing up to'. It's just giving up in a more disruptive way, especially when It seems very likely to me that other countries will start demanding the same.
Actually taking them to court and objecting seems more productive to me.
> I don't see just withdrawing from the country as 'standing up to'. It's just giving up in a more disruptive way...actually taking them to court and objecting seems more productive to me.
"objecting" alone does nothing. Objecting + lawsuits or objecting + withdrawing might accomplish something.
I'd agree that lawsuits are a good idea but they are also entirely dependent on the courts (of the same country that already wants to violate people's rights) to do the right thing. If the lawsuit works and the government forces the government to back off it's a good thing, but if not a company keeps the power to take their technology and leave. They can choose to do that regardless of what the laws or courts of another country thinks.
Walking away might be seen as a company "giving up" on the corrupt country that wants to violate people's rights, but it's certainly not a company giving up on their principles. A nation full of people angry that they won't be able to get highly sought after products and services can change policy too.
I wish this issue were playing out in Australia right now, rather than the UK. It would be hilarious to see Apple walk out of the Australian market right before a federal election.
Isnt that their soft plan? They plan on just removing the encryption for all UK users to make the point moot domestically if this gambit doesnt bare fruit. If they want to continue to push that they want it for all users globally, Apple can attempt to leave the market fully.
Apple pulls data protection tool after UK government security row (bbc.com) - 1769 points , 1105 comments https://news.ycombinator.com/item?id=43128253
I hope for the same. Likely not for the same reason as you, but we are together in hoping.
I wish they placed a red warning on every phone instead: "Your government is forcing us to weaken your security because it wants to snoop on you."
One of the problems of digital surveillance is that is doesn't feel intrusive, indeed it can be fully hidden from the users. With a message like this displayed every time you unlock your phone, plenty of people would start asking questions.
> "Your government is forcing us to weaken your security because it wants to snoop on you."
They're not allowed to actually tell you about the UKGOV order. That's the point of it being a secret order.
And yet
Apple can't discuss any of the details, but I'm sure they could point their customers to a person who can.
"This feature is no longer available in the UK.
For further information, contact:
Mr Xxxxx Yyyyyy
UK Home Office
02070 xxx xxx
xxxxx.yyyy@homeoffice.gsi.gov.uk"
> red warning on every phone instead
This is silly. The average consumer will just avoid Apple products.
Honestly think they should just disable all iPhone functionality but phone calls and the politicians will fold within hours.
End of the day people love their devices more than their rulers and it’s a tangible way to action citizens who would normally sleep though this into having their privacy protected.
Until people start to really feel what losing privacy mean, nothing much will happen.
Right now, there is still a strong support in the UK for the gouvernement crusade against encryption and overall ending of privacy.
Because "why should I care, i have nothing to hide". It takes time and tragedy for populationd to educate themselves on matter, maybe in a few years or a decade the trend will invert.
Until then, there isn't much apple can do. They haven't the law with them, they haven't the population with them, they got the money but they aren't going to spend it on educating people.
Taking UK gouvernement to court is just the best they can do right now, a big pr stunt, like a giant ad to say to the rest of the world 'we care about your privacy, buy iphone'.
Government backdoors to devices not only allow governments to manipulate their people in domineering ways, but make it easier for hackers to steal form users. This will always be true.
How do you guys interpret the fact that the UK hasn't requested such backdoors for Android-based stuff ? Ie. is this an indication that they already have such thing ?
The UK "laws" are extremely evil when it comes to violating basic rights, they can essentially force companies to shut up, "gagging orders", etc...
This is about end-to-end encryption. Google doesn’t do that.
Where did you hear that?
A quick search tells me google does end-to-end encryption since at least 2021 [1].
https://www.androidcentral.com/how-googles-backup-encryption...
Fuck the UK government
any qualified opinions here on tresorit? i'm using them now for about three years and the service is alright and reliable afaiac. supposedly they don't have the private key. that makes using it sometimes a little slow compared to other options. but i decided to go with them after reading numerous horror stories about dropbox et al.
Was Tarsnap evaluated? Those behind it are well known and the construction is simple and explained clearly. My general rule: never make technology recommendations without throughly vetting/testing multiple candidates and digging deep into support, the company, and demoing close to intended use.
[dead]
Imagine a Chinese company sued a Westoid nation over some national security feature.
HN would be calling for world war.
smells like PR/marketing
Sure, but it’s the only thing they really can do in the situation, i.e. cause as much stir as they can to hopefully draw public attention to the matter.
[flagged]
Apple should be celebrating Stammer for his proud tradition of freespeech not taking him to court.
Crafted by Rajat
Source Code