RIPA Request to Apple by UK

My NHS records, knock yourself out, my bank details not so much. I don't bank online but I suppose my debit card could be compromised. However clever people think that they are, there is always someone cleverer and when you are run over in the street an awful lot of server space dies with you. My 2p worth.
 
Care to elaborate how exactly?
Basically some of the people who have been flaming me have taken the position of "you either agree with my opinion or you're stupid", they are taking the position that because I am in favour of prioritising national security over prioritising letting people encrypt data which they chose to store on the internet for their convenience.

You see it a lot with American gun nuts who think any type of gun control is wrong.


Congratulations, Deno has just had his identity stolen and house robbed while he was away, because scans of his passport, driving licence, birth certificate and trip itinerary were all leaked online.
To be blunt mate, if Deno stored any of that in the cloud he deserved to have his identity stolen and his house robbed.


Oh, and you caught zero terrorists because their data was already encrypted before uploading (but just in case, they moved all their data to a self-hosted server you aren't even aware exists).
The first part can be mitigated by forcing legitimate cloud providers to reject uploads of encrypted files, this doesn't stop criminals using more nefarious providers but denying access to the common ones does make it harder for them. The second is a problem but depending on the location they are hosted it allows the authorities to seize physical servers or demand copies of VMs, and also to monitor traffic.


The alternative is of course keeping a copy of every user's key, but then you have the same issue - a database leak and goodbye security.
The simple solution to this is to keep a copy of every user's key, in a different location to the storage/main data. To make it secure the target location could be write only so that even if hackers compromised the entire system and got a hold of all the encrypted data they wouldn't be able to read the keys or even access their location (not within a completely unrealistic timeframe of going without getting detected anyway). That way if a nation's authorities got a court order to access the cloud storage of Joe Bloggs they could demand his data and decryption key (which could be manually retrieved by a member of staff at the cloud storage company, with a second member of staff monitoring that he didn't retrieve anything else from the secure vault).

This isn't actually all that dissimilar to something we used to use in enterprise 30 years ago, and while time has moved on the method is just as robust.


If you're so happy to have your personal data out there relatively unprotected, then feel free to put your money where your mouth is and post some scans of your passport, driving licence etc.
Regardless of any encryption I'm not stupid enough to put copies of stuff like that in the cloud.

Oh and to be clear as well, I also think paid personal VPN services should be banned, because the only reasons to ever use a VPN are for business (in which case they can be provided/licensed by your employer), paranoia, or because you're up to no good.
 
The first part can be mitigated by forcing legitimate cloud providers to reject uploads of encrypted files, this doesn't stop criminals using more nefarious providers but denying access to the common ones does make it harder for them.
How would this work in practice? From an encryption PoV and not a tech side, you could just use a plain text file with the contents being encrypted. How would the cloud provider know it's encrypted vs random junk letters?
How does a file with its extension removed state what it is? For example, if you have a music file you've deleted the extension to but it's encoded in more obscure codec, does the file state what it is in some way? Or does this file now fall foul of it being unreadable so must be encrypted?
 
I appreciate you weren't replying to me but...

The first part can be mitigated by forcing legitimate cloud providers to reject uploads of encrypted files, this doesn't stop criminals using more nefarious providers but denying access to the common ones does make it harder for them. The second is a problem but depending on the location they are hosted it allows the authorities to seize physical servers or demand copies of VMs, and also to monitor traffic.

Even if this was possible there would be many countries willing to host storage without constraint. It would not stop criminals but would take away another liberty from those of us who are law abiding. But regardless, I don't think it's easy to detect if a file is encrypted. For example how would it tell if I wanted to backup my .exe file to my cloud storage, or backup a database. They aren't plain text files. How would this system detect it was an encrypted file or if it was simply not a plain text file?


Oh and to be clear as well, I also think personal VPNs should be banned, because the only reasons to ever use a VPN are for business (in which case they can be provided/licensed by your employer), paranoia, or because you're up to no good.

1. Geo-spoofing to watch something in a different region is against the terms and conditions of most streaming services but is not illegal. The policy you suggest just ends up enforcing a company policy.
2. I use a VPN to remotely access my own home based NAS. That is 100% legal and legitimate. Why should I be stopped from doing that? The only alternative is to expose the NAS to the internet and risk all my data so I'm not doing that, especially if there are keys and private data on it.
3. A while ago my son and his friend wanted to play a game that had a LAN networking mode but no internet play. They both VPN'd into our house to be on the same LAN.

None of those are for business, paranoia or being "up to no good". Perhaps point 1 is borderline if you count breaching civil contract terms and conditions as no good, but it's certainly not a criminal matter, and the other points are completely legitimate.
 
1. Geo-spoofing to watch something in a different region is against the terms and conditions of most streaming services but is not illegal. The policy you suggest just ends up enforcing a company policy.
2. I use a VPN to remotely access my own home based NAS. That is 100% legal and legitimate. Why should I be stopped from doing that? The only alternative is to expose the NAS to the internet and risk all my data so I'm not doing that, especially if there are keys and private data on it.
3. A while ago my son and his friend wanted to play a game that had a LAN networking mode but no internet play. They both VPN'd into our house to be on the same LAN.
Apologies I should have been clearer, I was referring to a personal VPN service commonly used for accessing blocked content, avoiding tracking, accessing regional content, etc. Not running a VPN connection to your own network for remote access to devices.


How would this work in practice? From an encryption PoV and not a tech side, you could just use a plain text file with the contents being encrypted. How would the cloud provider know it's encrypted vs random junk letters?
I actually don't know how they detect it, however right now cloud providers can flag executable, compressed and encrypted files. It's common in enterprise for one or all to be banned from upload/sync, changing the extension doesn't get around it either.
 
To be blunt mate, if Deno stored any of that in the cloud he deserved to have his identity stolen and his house robbed.

Doing so is literally advice from the Foreign & Commonwealth Office, as posted on gov.uk (granted that is quite an old page):

  • Make two photocopies of your passport – leave one with friends or family and take the second with you, or store it online using a secure data storage site

Of course "secure data storage site" is key. Having it in your emails is almost certainly a bad idea, having it in an encrypted archive on Dropbox/Google Drive is not going to pose an issue (unless some pesky government comes along and tries to make that illegal...).

The first part can be mitigated by forcing legitimate cloud providers to reject uploads of encrypted files, this doesn't stop criminals using more nefarious providers but denying access to the common ones does make it harder for them.

Except there are plenty of legitimate reasons to want to upload encrypted files (see above for just one basic example).

The second is a problem but depending on the location they are hosted it allows the authorities to seize physical servers or demand copies of VMs, and also to monitor traffic.

The authorities can already seize physical servers, demand copies of VMs, and monitor traffic, there's no need to make life more difficult for everyone else to achieve this.

The simple solution to this is to keep a copy of every user's key, in a different location to the storage/main data. To make it secure the target location could be write only so that even if hackers compromised the entire system and got a hold of all the encrypted data they wouldn't be able to read the keys or even access their location (not within a completely unrealistic timeframe of going without getting detected anyway). That way if a nation's authorities got a court order to access the cloud storage of Joe Bloggs they could demand his data and decryption key (which could be manually retrieved by a member of staff at the cloud storage company, with a second member of staff monitoring that he didn't retrieve anything else from the secure vault).

So... every time a new user creates an account, someone has to physically travel over to the storage facility with a USB stick containing the user's decryption key? :cry:

Regardless of any encryption I'm not stupid enough to put copies of stuff like that in the cloud.

And yet in the same breath you accuse others of being paranoid?!

Oh and to be clear as well, I also think personal VPNs should be banned, because the only reasons to ever use a VPN are for business (in which case they can be provided/licensed by your employer), paranoia, or because you're up to no good.

Translation: I can't think of a use case, so therefore it must not exist. You've already been given a couple of legitimate reasons for this (at which point you've rapidly backpedalled and changed your definition of "private VPN").

To be honest, it sounds like you'd be better off in China or North Korea than in the UK, that way you can be subject to all the government surveillance and control you want without needing to inflict it on those of us who value our freedom and privacy :rolleyes:
 
So... every time a new user creates an account, someone has to physically travel over to the storage facility with a USB stick containing the user's decryption key? :cry:
No, only if they were tasked with retrieving it due to a court order for it, and that's only one possible method of achieving the government's objective while still maintaining security for users.


And yet in the same breath you accuse others of being paranoid?!
Not storing important/confidential data or stuff that could embarrass yourself if leaked on a cloud service is not paranoia it's basic internet practice and has been for decades.

There's a reason there's entire websites dedicated to various kinds of leaks.


You've already been given a couple of legitimate reasons for this (at which point you've rapidly backpedalled and changed your definition of "private VPN").
I didn't backpedal I merely clarified the original statement as I admit it was poorly worded. I also did it two and a half hours before your reply.
 
Basically some of the people who have been flaming me have taken the position of "you either agree with my opinion or you're stupid", they are taking the position that because I am in favour of prioritising national security over prioritising letting people encrypt data which they chose to store on the internet for their convenience.
No they haven’t, as has already been explained they've taken the opinion that if you can't explain how, for example, forcing legitimate cloud providers to reject uploads of encrypted files would work that you're offering an opinion on something you don't understand.

That if you say something like...
I actually don't know how they detect it, however right now cloud providers can flag executable, compressed and encrypted files. It's common in enterprise for one or all to be banned from upload/sync, changing the extension doesn't get around it either.
It's clearly an uninformed opinion. That in itself isn't a bad thing if you're receptive to new information and/or as long as you're not in a position to have such an opinion affect other people, when that's applied to those in positions of power that's when such things become a problem.
 
It's clearly an uninformed opinion.
It wasn't an opinion, it was an explanation of what the current policy is in one of the largest enterprise organisations in the country/continent. There's nothing stopping cloud providers from applying the same policy to normal users if the government were to demand it.
 
It wasn't an opinion
If you don't understand how they do it then it's an opinion.

It's an opinion because you have no idea how wide ranging such detection is because you don't know if they're just scanning for extensions, scanning the headers of known common files types, or scanning entire files.
 
No, only if they were tasked with retrieving it due to a court order for it, and that's only one possible method of achieving the government's objective while still maintaining security for users.

How does the key get to this totally isolated storage facility in the first place?

Not storing important/confidential data or stuff that could embarrass yourself if leaked on a cloud service is not paranoia it's basic internet practice and has been for decades.

It's also completely* safe if done correctly.



* obviously nothing is ENTIRELY safe, and if you were a big enough target then you'd want to take additional measures over us plebs, but then someone could just as easily break into your house and steal your actual passport, but for all practical purposes, storing a properly encrypted copy of your personal documents in secure online storage is every bit as secure as in a safe in your house.
 
I actually don't know how they detect it, however right now cloud providers can flag executable, compressed and encrypted files. It's common in enterprise for one or all to be banned from upload/sync, changing the extension doesn't get around it either.
That's the thing though, if I open up a word processor, write some stuff in it that I've applied say a Caesar cipher to and save it, I've literally got a text document which can be opened and read by anyone but not understood by anyone as it's encrypted. Sure it can be broken easily, but that doesn't mean I can't use a different method to encrypt it.

Code:
l.n. sprl aopz

Now imagine if instead of sending written text in encrypted form, I send written text that can be decrypted into something else. The text document can still be opened and read, but it'll just look like jumbled letters and numbers. Whatever is scanning it will need to understand the message context, and if it decides that it's literally nonsensical, then other forms can be applied.
Random words can be used where specific letters can be the actual encrypted message, it'd bloat the file size but that's not an issue if security is a priority.
If random words are too random and flag - numbers in a spreadsheet can be used.
Specific sounds in an mp3 file.
Shifting certain pixels in photos.

Every time encryption comes up, I always want to pull my notes out and have a read - not that I'd understand them now.
It wasn't an opinion, it was an explanation of what the current policy is in one of the largest enterprise organisations in the country/continent. There's nothing stopping cloud providers from applying the same policy to normal users if the government were to demand it.
Does this organisation block all jpgs, mp3s and mp4s?
Edit: I'll rephrase this as it's a bit specific, does it use any photos, audio or videos?
 
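The detection question argued over in the posts above (extensions vs. file headers vs. whole-file scanning, and the Caesar-shifted text document), as an added example that is not part of the thread and not any provider's actual filter. It sketches a content check that ignores the extension, looks for a known header, then measures byte entropy; the header table, the 7.5 bits/byte threshold and every sample are constructed assumptions, and a SHA-256 counter stream stands in for ciphertext.

```python
import gzip, hashlib, math, random, zlib
from collections import Counter

# Assumed, deliberately tiny header table; real filters carry far more signatures.
MAGIC = {b"\x1f\x8b": "gzip", b"PK\x03\x04": "zip", b"\x7fELF": "elf", b"\x89PNG": "png"}
HIGH_ENTROPY = 7.5  # bits per byte; assumed threshold for this example

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte histogram, 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(data: bytes) -> str:
    """Header check first, then whole-file entropy, ignoring any file extension."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return f"known format: {name}"
    if shannon_entropy(data) >= HIGH_ENTROPY:
        return "high entropy, no known header"
    return "low entropy"

def caesar(text: str, shift: int) -> str:
    """Shift a-z and A-Z by `shift`, leaving other characters alone."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("a") if ch.islower() else ord("A")
            ch = chr((ord(ch) - base + shift) % 26 + base)
        out.append(ch)
    return "".join(out)

def build_samples() -> dict:
    """Constructed inputs; nothing here is real user data."""
    rng = random.Random(1)
    vocab = ("the cloud provider keeps a copy of every file and key in another "
             "place for backup access data user upload policy scan header").split()
    text = " ".join(rng.choice(vocab) for _ in range(20000))
    plain = text.encode()
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw deflate, no header
    raw_deflate = deflater.compress(plain) + deflater.flush()
    # SHA-256 in counter mode stands in for ciphertext, which looks like random bytes.
    stand_in = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(512))
    return {
        "plain text": plain,
        "caesar-shifted text": caesar(text, 7).encode(),
        "gzip archive": gzip.compress(plain),
        "headerless compressed": raw_deflate,
        "ciphertext stand-in": stand_in,
    }

if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(f"{name:22} {shannon_entropy(blob):5.2f} bits/byte  {classify(blob)}")
```

The headerless compressed stream and the ciphertext stand-in receive the same verdict, and the shifted text has exactly the byte entropy of the unshifted text, so a filter built this way has to choose between blocking ordinary compressed backups and passing text-encoded content.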
maybe UK is only requesting this/RIPA to be a friend/test-case for Trump, like the current UK standoff from the EU AI act;
Despite USA discussion on citizen free speech by Trump/Musk they don't really want that - do what I say not what FBI/homeland need.

If AI could chew through such Apple data we'd have been able to profile Amess's killer too mentioned in today's news (minority report)


Southport - failures of the prevent system like Westminster killings - inadequate/ineffective IT investment to join the dots ...

maybe they should just contract Apple(&Musk) to provide the profiling of the source data
 
I hope Apple tells them to swivel. I have 2TB with them and I tend to put my more private documents on iCloud and things I don't care about being compromised as much on Google Drive.

I have been itching for an excuse to build a NAS for years but maybe this is the push I needed.
 
I hope Apple tells them to swivel. I have 2TB with them and I tend to put my more private documents on iCloud and things I don't care about being compromised as much on Google Drive.

I have been itching for an excuse to build a NAS for years but maybe this is the push I needed.
Have you gone in and enabled ‘advanced data protection’ which is off by default?
 
It’s funny - people should also look at swiss cloud providers. I know of at least one that provides cloud space to very lofty Saudi and Middle Eastern individuals, accessed via vpn so that their data isn’t available to local law.. that same pattern exists globally.

If Apple wants to maintain its premium brand it will continue to prevent governmental eyes.

Behind this, I suspect is the US using its ties through the five eyes. It would mean US access via UK law into US organisations.
I wonder how much will end up in DOGE AI..
 
I don't believe so, I will now though!

The stuff I have on there isn't exactly incriminating but it's bits I'd still rather only I have access to!
Well if you haven’t, this request has absolutely zero impact on you because the authorities can already access your data with a warrant.
 
Well if you haven’t, this request has absolutely zero impact on you because the authorities can already access your data with a warrant.
But I can still enable it?

I mean it's minimal impact to me. I'd make them get a warrant just for them to see it's lots of old reviews from years gone by.
 
I hope Apple tells them to swivel. I have 2TB with them and I tend to put my more private documents on iCloud and things I don't care about being compromised as much on Google Drive.

I have been itching for an excuse to build a NAS for years but maybe this is the push I needed.
For keeping things secure I like Nord Locker.
 