View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
December 8, 2022updated 09 Dec 2022 12:54pm

Apple could soon be at loggerheads with UK government on end-to-end encryption

Apple has strengthened its encryption offering, but new UK legislation will require it to install a backdoor in devices for security services.

By Ryan Morrison

Tech giant Apple has added new security and privacy tools to its ecosystem including end-to-end encryption for iCloud data and contact verification for messages. The move will likely place it at loggerheads with the UK government, one analyst told Tech Monitor, as the upcoming Online Safety Bill legislation demands backdoor access to any system for law enforcement and counter-terrorism efforts.

Apple says its new privacy and data security tools ensure encryption throughout its ecosystem. (Photo by leungchopan/Shutterstock)

The advanced security features are focused on protecting users against threats from state and malicious hackers. This includes full end-to-end encryption for user data in the cloud, both active and back-up data, as well as iMessage contact key verification where users can verify they’re communicating only with the person they intended.

When combined with a third new tool that allows users in high-risk groups to add a physical security layer to communications the move is being seen as a way to combat spyware such as NSO Group’s Pegasus, which is used by government security agencies around the world.

“As threats to user data become increasingly sophisticated and complex, these new features join a suite of other protections that make Apple products the most secure on the market,” Apple wrote in a statement adding that it is “committed to strengthening both device and cloud security, and to adding new protections over time.”

Apple security is built directly into its custom chips and devices include “Lockdown Mode”, which the tech giant says offers “an extreme, optional level of security for users such as journalists, human rights activists, and diplomats.” All three groups have been targeted through Pegasus software, according to a major international investigation into the software’s use that took place last year.

Under the Online Safety Bill, which is currently being debated in the House of Commons, companies will be compelled to weaken security and provide “backdoor access” that bypasses encryption and provide access to any encrypted data in messages, cloud storage or logs on request. Failure to do so would result in “large, disabling fines”, the bill says.

This has been heavily criticised by security experts and campaign groups including Big Brother Watch and the Electronic Frontier Foundation which wrote to the government last month urging Rishi Sunak not to "undermine end-to-end encryption" as it would leave businesses and individuals less safe online.

Some MPs have raised the issue in the Commons, with Windsor MP Adam Afriyie, who chairs the Parliamentary Office of Science & Technology, comparing moves to ban end-to-end encryption to King Canute trying to pass a law to stop the tide coming in and said the rules should be more targeted towards criminal behaviour.

Content from our partners
Why the tech sector must embrace faster, smarter talent recruitment
Sherif Tawfik: The Middle East and Africa are ready to lead on the climate
What to look for in a modern ERP system

The EFF praised Apple for adopting advanced end-to-end encryption, stating in a blog post that “companies should stop trying to square the circle by putting bugs in our pockets at the request of governments, and focus on protecting their users, and human rights. Today Apple took a big step forward on both fronts.”

“There are a number of implementation choices that can affect the overall security of the new feature, and we’ll be pushing Apple to make sure the encryption is as strong as possible. Finally, we’d like Apple to go a step further. Turning on these privacy-protective features by default would mean that all users can have their rights protected,” the organisation continued.

Apple end-to-end encryption could be banned under Online Safety Bill

Apple said it was “unwavering” in its commitment to provide users with the best data security including mitigating emerging threats to their personal data on the device and in the cloud, but didn’t respond to a question from Tech Monitor on whether it would adhere to the Online Safety Bill if implemented as written.

Javvad Malik, lead security awareness advocate at KnowBe4 believes the bill “will definitely cause issues, if enforced in its current state, to many organisations and in the way they handle data". This could be particularly salient for Apple, which has previously stood firm on issues that would undermine privacy. "It is likely that Apple will not consent to a blanket backdoor. But perhaps offer alternative methods for law enforcement to investigate cases," Malik says.

Dr Felipe Romero Moreno, senior lecturer at the University of Hertfordshire’s Law School told Tech Monitor the Online Safety Bill would create a backdoor that could be abused by hackers and other adversaries, not just by law enforcement, adding that it would “outlaw fundamental privacy protection measures adopted by big tech companies like Apple”.

“Where there is an identifiable potential illegal harm (as listed in the Online Safety Bill), those harms should be the focus rather than the forums on which the message/content is posted,” he said.

“The Online Safety Bill should not impose any legal obligation on Big Tech companies such as Apple to scan or monitor illegal content on private channels, as this risks compromising the overall security of these communications (e.g. encryption). It will also leave a ‘back door’ for potential abuses by hackers and other adversaries (again something, which the government seems to overlook as well).”

Ian Porteous, regional director for security engineering, UK and Ireland, at Check Point Software says this is the latest move from Apple to "put users in control of their own privacy and security" but adds that comes with a major drawback in that "the end user is now responsible for storing, backing up and securing their own encryption keys".

He warns that despite the encryption efforts "message phishing and zero-day threats will be unaffected by these measures."

Read more: The Online Safety bill is not fit for purpose, say IT pros

Topics in this article : ,
Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.
THANK YOU