Apple has filed a legal appeal against a secret Home Office order to provide ‘back door’ access to its users encrypted data in a case that will test the limits of how far the government can lawfully go to access the public’s private messages and emails.
The Home Office’s pursuit of Apple is widely seen as a “stalking horse” for more significant targets, including WhatsApp, Signal and Proton Mail, which provide the public with encrypted messaging and email services.
Apple has fought back against the Home Office by filing an appeal to the Investigatory Powers Tribunal to challenge the lawfulness of the Home Office’s order which requires it to provide UK law enforcement and intelligence services with access to encrypted files stored by Apple users on its iCloud service.
The Home Office appears to have chosen Apple as a test case to test the limits of government powers under the Investigatory Powers Act 2016 to issue Technical Capability Notices (TCNs) requiring companies to give government agencies the ability to obtain and read encrypted communications.
Ministers will be watching the public’s reaction carefully to see whether people understand or care about the loss of their privacy of iCloud and if they do care, whether they care enough to vote against the government in future elections.
Apple’s iCloud service is seen as and easy and relatively uncontroversial target compared to platforms like WhatsApp or Apple’s own encrypted iMessage service.
Apple’s ADP cloud encryption service is an opt-in service, which is not widely used and might not be missed by those Apple customers that rarely think about their privacy and security.
Spy Catcher revisted
When the case reaches the IPT, which could be as early as this month, the first argument will be whether the case should be heard behind closed doors for national security reasons or whether the normal principles of open justice can and should apply.
For the Home Office to continue to neither confirm nor deny the existence of the Technical Capability Notice issued against Apple will be hard to sustain when its existence has already been widely leaked and reported in the Washington Post and the Financial Times.
The Spy Catcher case in the 1980s proved that it is pointless for governments to attempt to ban the publication of material that is already in the public domain. In other words, once a secret is no longer a secret there is no need for secret hearings.
The courts took a dim view of MI5 when it emerged that the spy agency had falsely told three courts that the name of its agent had to be protected through secret court hearings without mentioning that it had already disclosed the agents’ name to a BBC journalist.
Having a public hearing would allow the IPT to hear expert evidence from cryptographers and technical specialists who can properly explain how an order to break encryption could expose individuals and businesses to cyber security risks.
For example, over 200 cyber security experts, companies and civil society groups, signed a letter in February calling for home secretary Yvette Cooper to drop demands for Apple to create a backdoors to its iCloud service.
They pointed out in an open letter that ‘back doors’ introduced for the government could just as easily be exploited by hostile nation states or cyber criminals, placing the UK’s national security at risk.
“For national security professionals and government employees, access to end-to-end encrypted services allows them to safeguard their personal life,” it said. “Ensuring the security and privacy of government officials is vital for helping prevent extortion or coercion attempts, which could lead to greater national security damage.”
Apple’s application to the Investigatory Powers Tribunal is believed to be the first time that a technology company has challenged a government Technical Capability Notice.
Although similar notices have been issued in the past against traditional telecommunications companies, such as BT or Cable & Wireless, the companies have chosen to quietly implement them rather than to challenge them in court.
Are the Home Office’s actions proportionate?
The IPT will need to decide whether the Home Office’s order against Apple is proportionate, which will mean weighing up the impact of breaking Apple’s encrypted services on security and privacy against the claimed benefits of the government having access to encrypted data on Apple’s cloud storage.
The argument is largely academic. Apple withdrew its Advanced Data Protection (ADP) service – which allows users to opt-in to use encryption to protect their iCloud data – from UK users in February, rather than comply with the Home Office’s demands.
That means that if police want to retrieve data from a UK registered phone, for example after a suspect had thrown their phone into the sea, they can ask Apple to retrieve the data from the phone owners’ iCloud account.
For an overseas phone the task would be more difficult but far from impossible. GCHQ or the National Crime Agency for example have the ability to apply for equipment interference warrants to obtain data by lawfully hacking of a suspects’ phone.
That leaves the only real case for introducing the order against Apple – to test the waters for issuing TCNs against big tech companies like WhatsApp, Signal and Telegram that appear to be the government’s ultimate targets.
UK law enforcement agencies and the Home Office have been claiming for years that such services pose a risk because they can be used by terrorists or paedophiles, regardless of whether they are used by millions of people for lawful purposes.
Home secretary sparks tension with US
The UK’s action has created tensions with the US, however. President Trump told the Spectator on 28 February that the UK’s actions were something “you would hear about in China” and that he had warned the UK “you cannot do that” during talks with prime minister Keir Starmer.
A few days earlier, the US director of national intelligence, Tulsi Gabbard raised concerns that UK’s order against Apple could “undermine Americans’ privacy and civil liberties” and represented a “clear and egregious violation” that could undermine intelligence sharing between the US and the UK.
Rebecca Vincent, Interim Director of Big Brother Watch, a civil society organisation that has successfully challenged the government over its use of intrusive surveillance in the courts, told Computer Weekly that the move against Apple would impact millions of people.
“The government’s latest escalation towards Apple is alarming, as is the fact that the legal proceedings around this may take place in total secrecy. This is a matter of high public interest that will impact the privacy rights of millions in the UK,” she said.
“If the government wins at the Investigatory Powers Tribunal, we will no doubt see similar orders to other platforms in the very near future. We will all pay the price, leaving the door to access our personal data wide open to the government and malicious actors alike,” she added.
Home office neither confirms nor denies
A spokesperson for the Home Office said, “We do not comment on operational matters, including for example confirming or denying the existence of any such [TCN] notices”.
“But more broadly, the UK has a longstanding position of protecting our citizens from the very worst crimes, such as child sex abuse and terrorism, at the same time as protecting people’s privacy,” the spokesperson added.
Security Minister Dan Jarvis told the Commons on 24 February that it was not the case that privacy and security were at odds and that “we can and must have both”.
“The Investigatory Powers Act contains robust safeguards and independent oversight to protect privacy and ensure that data is obtained only on an exceptional basis, and only when it is necessary and proportionate to do so,” he said.
In response to questions about its legal appeal, Apple referred back to a statement it issued last month announcing its withdrawal of ADP services in the UK
“Apple remains committed to offering our users the highest level of security for their personal data and are hopeful that we will be able to do so in the future in the United Kingdom. As we have said many times before, we have never built a backdoor or master key to any of our products or services and we never will,” it said.
#Apple #IPT #appeal #door #encryption #order #test #case #bigger #targets