Apple blasts U.K. bill on ‘backdoor’ access to encrypted messages

(Photo illustration: Yahoo News, photos, Stefan Wermuth/Reuters, Luca Bruno/AP, Getty Images)

In the wake of a renewed debate over the use of encrypted communications, Apple is urging the British Parliament to reconsider its new beefed-up surveillance proposals.

The company submitted a strongly worded objection to the U.K.’s Scrutiny Committee today in a response to a law drafted in November. If passed this spring, the legislation — dubbed the Investigatory Powers Bill — would legally require companies to bypass encryption at the request of the government, among many other provisions.

The eight-page letter, which was provided to Yahoo News by Apple, argues that the bill in question “threatens to hurt law-abiding citizens in its effort to combat the few bad actors who have a variety of ways to carry out their attacks.” The California-based company, which has included encrypted privacy measures in its computers and smartphones for over 10 years, argued that forcing backdoors into products “would weaken the protections built into Apple products and endanger all our customers.”

The move comes amid a heated debate about the use of encryption in consumer technology, spurred by revelations that terrorists may have communicated via encrypted messaging services such as WhatsApp and Telegram prior to the Nov. 13 Paris attacks.

FBI Director James Comey has argued that terrorists are increasingly using this technology — which scrambles the content of a message so that only its sender and receiver can read it — to “go dark.” In a recent Senate hearing, he called on U.S. tech companies that offer end-to-end encryption to rethink their business models, implying they should provide exceptional access to the government when needed. Cryptographers and cybersecurity activists unanimously agree that there’s no way to do this without entirely compromising the security of all encrypted communications. Major tech companies, including Google, Microsoft and Facebook, have fought law enforcement in court and at the legislative level over this issue for years.

The United Kingdom is just one of many countries to propose legislation aimed at regulating encryption. Soon after the attacks in Paris, the French newspaper Le Monde published documents discussing potential legislation to “forbid free and shared Wi-Fi connections” during emergencies and block the use of the Tor anonymity network. (Prime Minister Manuel Valls denies that these proposals ever existed.) In the United States, Sen. Dianne Feinstein, D-Calif., and Senate Intelligence Chairman Richard Burr, R-N.C., recently announced they hope to pass a law that would require companies to decrypt data under court order.

“I think this world is really changing in terms of people wanting the protection and wanting law enforcement, if there is conspiracy going on over the Internet, that that encryption ought to be able to be pierced,” Feinstein said earlier this month.

Apple’s testimony argued that “increasingly stronger — not weaker — encryption is the best way to protect against” terrorist threats. It also recommended that the bill provide more detail on what might be required of those who are served warrants, and that parts of it should not apply to overseas providers.

“This would immobilize substantial portions of the tech sector and spark serious international conflicts,” it reads. “It would also likely be the catalyst for other countries to enact similar laws, paralyzing multinational corporations under the weight of what could be dozens or hundreds of contradictory country-specific laws.”

Though Apple does comply with law enforcement requests by providing certain types of metadata, it has also denied court access to encrypted communications that take place in iMessage and FaceTime. This past summer, for instance, the Justice Department obtained a court order for a case involving drugs and guns, demanding Apple turn over real-time text messages between suspects using iPhones. The company responded by saying it could not technically comply.

In another case this fall, Apple said it could feasibly recover information on mobile devices running iOS 7, but because “public sensitivity to issues regarding digital privacy and security is at an unprecedented level,” doing so “could threaten the trust between Apple and its customers and substantially tarnish the Apple brand” and ultimately cause “a longer term economic impact.”

The document emphasizes the technical restrictions Apple faces in carrying out the requests of Parliament, arguing that it is mathematically impossible to decrypt the data of a few wrongdoers without compromising the company’s entire customer base.

“The best minds in the world cannot rewrite the laws of mathematics,” it reads. “Any process that weakens the mathematical models that protect user data will by extension weaken the protection.”

The company also said that “recent history is littered with cases” in which a backdoor was introduced to a company’s encrypted product and it was subsequently exploited. One example is Juniper Networks, a tech giant that markets networking products. Last week, the company discovered that an unauthorized backdoor had been embedded in a system running on some of its firewalls, resulting in significantly compromised data.

On Sunday evening, CEO Tim Cook underscored the recommendations of Apple’s testimony in a “60 Minutes” interview.

“If there’s a way to get in, then somebody will find the way in,” he told Charlie Rose. “There have been people that suggest that we should have a backdoor. But the reality is if you put a backdoor in, that backdoor’s for everybody, for good guys and bad guys.”

He emphasized that denying access to encryption would not necessarily mean the nation would be less safe.

“I don’t believe that the tradeoff here is privacy versus national security,” Cook continued. “I think that’s an overly simplistic view. We’re America, we should have both.”