RIPA Request to Apple by UK

Hosting your own data isn’t an effective countermeasure for this, RIPA takes care of that as they can compel you to hand over the keys or put you in prison.

You could argue that you don’t have the keys but I doubt it would ever stand up in court for the simple fact that a judge is never going to believe that you can’t access your own data which you created and host.

They will ask themselves why would you be saving it if you can’t access it yourself and likely conclude your version of events isn’t plausible and draws suspicion and the law enforcement agencies’ accusation that you are not telling the truth will be more credible.

I guess the only thing you could do is move your data to a service which is outside the scope of U.K. law. There are probably plenty to choose from which kind of defeats the purpose of the law.
You could use something like VeraCrypt which has the hidden volume feature, which essentially allows you to hand over a dummy password if required and it's not possible to prove the existence of a second hidden encrypted volume.
 
Well yes, that’s literally the substance of what I wrote using different words, isn’t it?

Not really - nullifying the main selling point implies there are others - it just makes the whole thing redundant.

Not sure why you mentioned gmail because it’s not relevant to this power. Your gmail isn’t ‘secure’ if Google can mine it for data as they do. By the very notion, someone else has access to it and Google can (and do) hand it over in an un-encrypted form to law enforcement agencies in the U.K. on a regular basis.

That isn’t what this notice is about, the authorities don’t care about Google because Google can hand everything over with a warrant.

No, this is incorrect too; Google can't mine it for data as of 2017.

Google literally does the very thing being discussed re: Gmail, Google Drive etc. The data is encrypted but they hold the keys and can respond to warrants - it's a pretty relevant comparison to make. Ditto to say Dropbox or indeed the default settings for iCloud if you don't select advanced data protection.
 
Hosting your own data isn’t an effective countermeasure for this, RIPA takes care of that as they can compel you to hand over the keys or put you in prison.

You could argue that you don’t have the keys but I doubt it would ever stand up in court for the simple fact that a judge is never going to believe that you can’t access your own data which you created and host.

They will ask themselves why would you be saving it if you can’t access it yourself and likely conclude your version of events isn’t plausible and draws suspicion and the law enforcement agencies’ accusation that you are not telling the truth will be more credible.

I guess the only thing you could do is move your data to a service which is outside the scope of U.K. law. There are probably plenty to choose from which kind of defeats the purpose of the law.

It’s not the legitimate investigations that are the worry, it’s the inherent problem of creating a backdoor or not allowing people to protect their own privacy against non-officially warranted intrusion.
 
It’s not the legitimate investigations that are the worry, it’s the inherent problem of creating a backdoor or not allowing people to protect their own privacy against non-officially warranted intrusion.
This is exactly the problem.

If you create a backdoor for "official" use it is automatically a weakness that is going to be targeted by "non official" elements (not to mention any mission creep by the official user).

You create a master backdoor code and you can bet that every major criminal group in the world will start looking for it, as well as state actors; you keep a copy of the key per account and you can bet those same groups will be trying extremely hard to get into the list of those keys.

We know that the government (any government) can't stop hostile access to its own systems, and that almost every major private firm that handles our data has been breached (often repeatedly), with the ones that hold the most personal/most important data being higher value targets.

A backdoor is always a deliberate weakness just awaiting exploitation.
 
Criminals and enemy states cannot easily intercept phone calls.

Apparently they can because there are so many phone network providers globally that are willing to sell their access into the global phone network for a fee


Plus there is Pegasus if they are prepared to pay a lot
 
If you create a backdoor for "official" use it is automatically a weakness that is going to be targeted by "non official" elements (not to mention any mission creep by the official user).

But they're not creating a backdoor - a backdoor is the default already for Gmail, Google Drive, Dropbox, iCloud.

This extra encryption is an optional setting most users don't make use of and isn't offered by Apple's rivals.

A few times in this thread people have made vague references to "backdoors" but it might be useful if they were more specific with the objection and what they feel are the issues with say opting to use Google's services or Apple's default services vs specifically wanting this extra layer of "advanced data protection"?

I think this is perhaps getting conflated with the worries that arise re: people deliberately creating a backdoor in some encryption algo itself so as to allow interception of otherwise secure communication or leave open a "backdoor" that anyone with knowledge of it could use/abuse. But the "backdoor" in this case in the standard case (not using Apple's "advanced data protection") is simply that say a few Google/Dropbox or Apple staff can access keys in response to a warrant etc., not that there is some gaping flaw in the encryption itself.
 
is simply that say a few Google/Dropbox or Apple staff can access keys in response to a warrant etc., not that there is some gaping flaw in the encryption itself.

But to make that possible means weakening the effectiveness of the encryption, which is essentially a backdoor for all intents and purposes even if you want to argue over the specifics of the definition.
 
But to make that possible means weakening the effectiveness of the encryption, which is essentially a backdoor for all intents and purposes even if you want to argue over the specifics of the definition.

No, it doesn't impact the encryption at all, it's just a case of who has access to the keys.
 
No, it doesn't impact the encryption at all, it's just a case of who has access to the keys.

But then you have to generate and/or transmit an extra set of keys, if the organisation's systems are compromised then it exposes that data, it effectively erodes how worthwhile the encryption is and opens new attack vectors for compromising it.
 
But then you have to generate and/or transmit an extra set of keys, if the organisation's systems are compromised then it exposes that data, it effectively erodes how worthwhile the encryption is and opens new attack vectors for compromising it.

It's the standard already for most services; the "advanced data protection" offered by Apple is the change.

You could say the same about almost all your data anywhere - whether that's the NHS, your bank account, your criminal records, your tax records - all of that is compromised in a similar way in so far as an insider can access it - in fact it's far worse for that sort of data in that multiple insiders can and do access it.

But somehow messages and iCloud photos are what people are up in arms about - I'd bet half the people posting about "backdoors" in this thread don't even have the setting turned on, the majority of Apple users don't make use of it and it doesn't cover email either.
 
It's the standard already for most services; the "advanced data protection" offered by Apple is the change.

And the user has to enable it, most people won't even have it turned on :)

Easy enough to check, go to settings, your account, iCloud and there is a toggle option Advanced Data Protection :)
 