Last month in the UK, a bill that could significantly change how Apple is able to encrypt user data on iOS was introduced. Called the Investigatory Powers Bill, it has the potential to require Apple to hold a key to encrypted smartphones and services such as iMessage and FaceTime. While Apple didn’t comment on the bill at the time, it has now, as expected, spoken out against it in a written submission to the UK House of Parliament.
In the submission, Apple argued that the bill would hurt law-abiding citizens in an effort to simply attempt to combat the few “bad actors” who attempt to carry out attacks. The company went on to explain that many think it is possible to create a system that keeps all user data secure, while only allowing data to be accessed when a proper warrant is served. The issue with this thinking, Apple says, is that the government does not know in advance who would be a target of investigation (via Independent.ie).
This written submission echoes Tim Cook’s comments yesterday on 60 Minutes in which he said there is no reason for there to be backdoor access to consumer data. Cook believes that if there is backdoor access, it is inevitable that someone with negative intentions will gain access.
The bill has been supported by UK Prime Minister David Cameron. Should the bill become a law, Apple would be forced to stop encrypting iPhones, iMessage, and FaceTime beyond its access. Apple’s full letter to the UK House of Parliament can be read below:
“The bill threatens to hurt law-abiding citizens in its effort to combat the few bad actors who have a variety of ways to carry out their attacks. The creation of backdoors and intercept capabilities would weaken the protections built into Apple products and endanger all our customers. A key left under the doormat would not just be there for the good guys. The bad guys would find it too.
Some have asserted that, given the expertise of technology companies, they should be able to construct a system that keeps the data of nearly all users secure but still allows the data of very few users to be read covertly when a proper warrant is served. But the Government does not know in advance which individuals will become targets of investigation, so the encryption system necessarily would need to be compromised for everyone.
The best minds in the world cannot rewrite the laws of mathematics. Any process that weakens the mathematical models that protect user data will by extension weaken the protection. And recent history is littered with cases of attackers successfully implementing exploits that nearly all experts either remained unaware of or viewed as merely theoretical.
The bill would attempt to force non-UK companies to take actions that violate the laws of their home countries. This would immobilise substantial portions of the tech sector and spark serious international conflicts. It would also likely be the catalyst for other countries to enact similar laws, paralysing multinational corporations under the weight of what could be dozens or hundreds of contradictory country-specific laws.
Those businesses affected will have to cope with a set of overlapping foreign and domestic laws. When these laws inevitably conflict, the businesses will be left having to arbitrate between them, knowing that in doing so they might risk sanctions. That is an unreasonable position to be placed in.
If the UK asserts jurisdiction over Irish or American businesses, other states will too. We know that the IP bill process is being watched closely by other countries. For the consumer in, say, Germany, this might represent hacking of their data by an Irish business on behalf of the UK state under a bulk warrant – activity which the provider is not even allowed to confirm or deny. Maintaining trust in such circumstances will be extremely difficult.”