Tech giant Apple has added new security and privacy tools to its ecosystem, including end-to-end encryption for iCloud data and contact verification for messages. The move will likely place it at loggerheads with the UK government, one analyst told Tech Monitor, as the upcoming Online Safety Bill legislation demands backdoor access to any system for law enforcement and counter-terrorism efforts.
The advanced security features are focused on protecting users against threats from state and malicious hackers. This includes full end-to-end encryption for user data in the cloud, both active and back-up data, as well as iMessage contact key verification where users can verify they’re communicating only with the person they intended.
When combined with a third new tool that allows users in high-risk groups to add a physical security layer to communications, the move is being seen as a way to combat spyware such as NSO Group’s Pegasus, which is used by government security agencies around the world.
“As threats to user data become increasingly sophisticated and complex, these new features join a suite of other protections that make Apple products the most secure on the market,” Apple wrote in a statement, adding that it is “committed to strengthening both device and cloud security, and to adding new protections over time.”
Apple security is built directly into its custom chips, and its devices include “Lockdown Mode”, which the tech giant says offers “an extreme, optional level of security for users such as journalists, human rights activists, and diplomats.” All three groups have been targeted through Pegasus software, according to a major international investigation into the software’s use that took place last year.
Under the Online Safety Bill, which is currently being debated in the House of Commons, companies will be compelled to weaken security and provide “backdoor access” that bypasses encryption and gives access to any encrypted data in messages, cloud storage or logs on request. Failure to do so would result in “large, disabling fines”, the bill says.
This has been heavily criticised by security experts and campaign groups including Big Brother Watch and the Electronic Frontier Foundation, which wrote to the government last month urging Rishi Sunak not to "undermine end-to-end encryption" as it would leave businesses and individuals less safe online.
Some MPs have raised the issue in the Commons. Windsor MP Adam Afriyie, who chairs the Parliamentary Office of Science & Technology, compared moves to ban end-to-end encryption to King Canute trying to pass a law to stop the tide coming in, and said the rules should be more targeted towards criminal behaviour.
We should be extremely wary of an effective blanket ban on end-to-end encryption, given the importance of online privacy to individuals and wider society. Instead, we should target genuine criminals directly. My comments on the #OnlineSafetyBill.
— Adam Afriyie (@AdamAfriyie) December 8, 2022
The EFF praised Apple for adopting advanced end-to-end encryption, stating in a blog post that “companies should stop trying to square the circle by putting bugs in our pockets at the request of governments, and focus on protecting their users, and human rights. Today Apple took a big step forward on both fronts.”
“There are a number of implementation choices that can affect the overall security of the new feature, and we’ll be pushing Apple to make sure the encryption is as strong as possible. Finally, we’d like Apple to go a step further. Turning on these privacy-protective features by default would mean that all users can have their rights protected,” the organisation continued.
Apple end-to-end encryption could be banned under Online Safety Bill
Apple said it was “unwavering” in its commitment to provide users with the best data security, including mitigating emerging threats to their personal data on the device and in the cloud, but didn’t respond to a question from Tech Monitor on whether it would adhere to the Online Safety Bill if implemented as written.
Javvad Malik, lead security awareness advocate at KnowBe4, believes the bill “will definitely cause issues, if enforced in its current state, to many organisations and in the way they handle data”. This could be particularly salient for Apple, which has previously stood firm on issues that would undermine privacy. "It is likely that Apple will not consent to a blanket backdoor. But perhaps offer alternative methods for law enforcement to investigate cases," Malik says.
Dr Felipe Romero Moreno, senior lecturer at the University of Hertfordshire’s Law School, told Tech Monitor the Online Safety Bill would create a backdoor that could be abused by hackers and other adversaries, not just by law enforcement, adding that it would “outlaw fundamental privacy protection measures adopted by big tech companies like Apple”.
“Where there is an identifiable potential illegal harm (as listed in the Online Safety Bill), those harms should be the focus rather than the forums on which the message/content is posted,” he said.
“The Online Safety Bill should not impose any legal obligation on Big Tech companies such as Apple to scan or monitor illegal content on private channels, as this risks compromising the overall security of these communications (e.g. encryption). It will also leave a ‘back door’ for potential abuses by hackers and other adversaries (again something, which the government seems to overlook as well).”
Ian Porteous, regional director for security engineering, UK and Ireland, at Check Point Software, says this is the latest move from Apple to "put users in control of their own privacy and security" but adds that it comes with a major drawback in that "the end user is now responsible for storing, backing up and securing their own encryption keys".
He warns that despite the encryption efforts "message phishing and zero-day threats will be unaffected by these measures."