Susan Landau
In particular, since users only rarely supply their own cryptographic systems, this means that Apple’s Advanced Data Protection for iCloud (ADP), which provides end-to-end encryption with user-supplied keys, must be breakable by Apple. This is a contradiction in terms; end-to-end encrypted communications are designed so that only the sender and the receiver can read them. ADP is set up so that the user’s devices—and only the user’s devices—have access to data stored in the iCloud. It’s a terrific form of security. But that’s not how His Majesty’s government sees it. The order, issued in the name of national security, requires that Apple provide access to iCloud data no matter where in the world the data resides.
Were Apple to accede to the U.K.government’s requirements, we would all be less secure. Sophisticated criminals would take the extra steps necessary to secure their data; after all, there is nothing that any government can do to prevent that. Instead, it would be the general public—those for whom data security isn’t a top priority in their daily lives—who would be at risk.
This would set a terrible precedent for cybersecurity. It is, however, the U.K. law. So Apple has responded in the only sensible way it could: new U.K. users no longer have access to ADP protection and current ones will lose ADP protections soon. This doesn’t necessarily satisfy the U.K. requirements, which is access to iCloud data for any user in the world. But if the U.K. government is able to receive the data with the electronic protections stripped off, then so is any other nation in the world. History shows that if a backdoor is put into a “secured” communications system, then adversaries can find a way in. Two instances are wiretap-compliant switches in Greece and a commercial firewall—but there are many, many more. Our partners across the pond appear not to have taken to heart those lessons or that of Salt Typhoon.
No comments:
Post a Comment