Apple CEO Fires Encryption Warning Shots at UK Internet Snooping Bill

The UK Government’s new Investigatory Powers Bill, which aims to expand the United Kingdom’s Internet snooping laws by forcing broadband ISPs to log a bigger slice of everybody’s online activity, has taken fire from Apple’s CEO, Tim Cook, over its “very dire” move to damage encryption.

Among a huge swathe of changes the new bill, which was officially unveiled last week (details), will also place an “explicit obligation” on British communications providers / companies to help law enforcement agencies access devices with encrypted content in order to acquire information.

Government Statement on Encryption (Extract from Bill Summary):

“[The law] will provide an explicit obligation on CSPs to assist in giving effect to equipment interference warrants. Only intercepting agencies will have the ability to serve such warrants, which must be authorised by the Secretary of State. The draft Bill will not impose any additional requirements in relation to encryption over and above the existing obligations in RIPA.”

In fairness the original Regulation of Investigatory Powers Act 2000 (RIPA) also contained a similar clause, although the new wording could be interpreted as being both stricter and wider in scope. Mind you RIPA was also declared “invalid” by the European Court of Justice (here) and the same temporary replacement legislation is currently being disputed as part of a Judicial Review case.

Apple, which is very influential given the huge popularity of their iPhone and iPad computers, is trying to ensure that its hardware also has a good reputation for security. One of the ways they do that is by providing end-to-end encryption, where the keys are generated automatically for each conversation between individuals and thus not even Apple can read what has been said.

However Apple’s position, which is also adopted by many other companies and communications services, presents a point of conflict with the new law.

Tim Cook, Apple’s CEO, said (Telegraph):

“To protect people who use any products, you have to encrypt. You can just look around and see all the data breaches that are going on [ISPr ED: For example, the cyber-attack on TalkTalk]. These things are becoming more frequent. They can not only result in privacy breaches but also security issues. We believe very strongly in end to end encryption and no back doors.

We don’t think people want us to read their messages. We don’t feel we have the right to read their emails. Any backdoor is a backdoor for everyone. Everybody wants to crack down on terrorists. Everybody wants to be secure. The question is how. Opening a backdoor can have very dire consequences.

It’s not the case that encryption is a rare thing that only two or three rich companies own and you can regulate them in some way. Encryption is widely available … If you halt or weaken encryption, the people that you hurt are not the folks that want to do bad things. It’s the good people. The other people know where to go.”

Encryption is of course used all over the place, for everything from securing your credit card transactions to keeping private messages.. private, as Apple do. It is an essential tool and one that only works if the decryption keys are kept hidden, sometimes even from the service owner. Similarly if we weaken encryption then the software and systems supplied by UK firms may be perceived as unsafe and that could hurt international businesses.

Admittedly terrorists and criminals can use these features too and the Government are naturally worried about that, although security experts warn that you can’t allow one state or group to have special access and expect that not to be abused by others (e.g. hackers or less democratic countries). It’s a catch-22 sort of problem.

On the other hand UK law cannot extend too far outside of its own borders and thus there will always be remote servers and services that cyber criminals and terrorists can use, including those that aren’t controlled by any country, company or government. No law will cover the entirety of the problem and instead you end up weakening the security of ordinary citizens in the process.

Ironically perhaps Ciaran Martin, Director General of Cyber Security at GCHQ, just told UK companies to improve their security because the country faced a “chronic, advanced and persistent” threat from hackers and attacks on critical infrastructure, which Martin suggested could bring the nation to a standstill. Mixed messages?