For years, Apple has prided itself on its privacy and security guidelines. That Apple is the benchmark in this area is not an understatement. No matter which product release or update is announced, Apple will invariably touch on security and privacy on stage, with the Vision Pro being the latest example. For those who value these aspects, Apple is the go-to brand. Sadly, though, apart from the end users, not everyone holds user privacy in such high regard. According to recent reports, that seems to be the case with the U.K. government.
In short, the U.K. is currently in the process of updating its Investigatory Powers Act (IPA) drastically, with some challenging demands in tow. These changes include authorizing the Home Office to oversee any security changes, including regular software updates issued by vendors like Apple. Furthermore, these planned changes include granting the Home Office — specifically Ofcom, the telecommunications regulator — permission to access encrypted data via a technology capability notice (TCN) and to monitor services proactively. While it might not sound that dramatic at first, it may be more worrisome than you think.
Is the U.K. government aiming to seize control?
First, it’s important to understand the motive behind these proposed changes. According to a government spokesperson, these changes were proposed to make the IPA more relevant. The law, which passed in 2016, was initially designed to expand the powers of intelligence and police to counter threats to the public, such as terrorism, child sex abuse, and trafficking. The U.K. government believes that these new changes would allow them to do so more effectively.
“Some of these technological changes risk having a negative effect on the capabilities of our law enforcement and intelligence agencies,” the government claims. “We must ensure that the law enables us to mitigate this risk, whilst still promoting technological innovation and the legitimate interest in increased privacy of the majority of our citizens.”
On the surface, it looks like a plausible claim to make. However, one can’t ignore the fact that the relevant platforms and vendors will be surrendering a sizable chunk of their authority to the U.K. government should these amendments go into effect. Nowadays, end-to-end encryption has become quite integral to many platforms and features. By simply nodding their heads and agreeing to these changes, companies will be forced into compromising the end user’s privacy. The only other choice would be simply walking away from the market. Apple has threatened to withdraw security features from the U.K. and implied that services like FaceTime and iMessage would be removed altogether instead of weakening their security. WhatsApp and Signal have also threatened to do so if these changes are approved.
It’s worth mentioning that there is a great level of confidentiality regarding the demands tabled by the U.K. government, which is why not that much is known about the specific details of these planned changes. Also noteworthy is that these changes are still only proposed at the time of this writing, with the U.K. government opening a consultation period for the opposing companies, which also includes WhatsApp and Signal, to express their concerns.
Apple is leading the charge in the battle for privacy
To Apple, privacy and security represent more than just another feature; rather, it’s one of the company’s core values. So, to see Apple snap at the U.K. government for these changes isn’t that much of a surprise.
A lot of what Apple opposes comes down to how these changes mandate immediately disabling any security feature in an app like FaceTime or iMessage to access the encrypted data in question instead of keeping the feature’s functionality while the TCN appeal is being considered. Even more alarming is the fact that this is all done without publicly communicating with the end user, effectively meaning that this gives the government back-door access to end-to-end encrypted data at will.
Apple wrote in response that these proposed changes would “make the Home Office the de facto global arbiter of what level of data security and encryption are permissible.”
Meta (the owner of WhatsApp) and Signal, along with other service providers, also issued an open letter voicing their own concerns over the new bill, arguing that it would render end-to-end encryption null and void should it go into effect as written. Proactively scanning private messages on platforms that use end-to-end encryption to secure this data could only mean compromising the privacy of all users.
“As currently drafted, the Bill could break end-to-end encryption, opening the door to routine, general and indiscriminate surveillance of personal messages… which would fundamentally undermine everyone’s ability to communicate securely,” the letter said. “In short, the Bill poses an unprecedented threat to the privacy, safety and security of every UK citizen and the people with whom they communicate around the world.”
It also doesn’t make any sense from a business perspective. According to WhatsApp head Will Cathcart, only 2% of WhatsApp’s users are inside the U.K., so lowering the product’s security for a minority of the platform’s users globally seems preposterous.
While it might not seem that dramatic that a few social media platforms abandon the region, a company the size of Apple pulling out would be a much bigger blow, perhaps too big for some to bear. There is no denying how popular its devices are and, by extension, some of its core services, such as FaceTime and iMessage. Disabling these features would completely alter not only the user experience but also how an Apple product is perceived by the customers in the market. And if Apple were to comply with the new rules, it would be devastating for its image. Seeing a company that prides itself on never developing any backdoor access going against that principle is not the best look.
Looking over to the other side of the argument, it doesn’t get any better. Despite claiming that the motive behind the new bill is only to protect the public, the new bill only serves to undermine the end user’s data privacy. The U.K. government has shown its opinion on data privacy in the past, going as far as planning a publicity campaign just to paint encryption in a bad light.
The U.K. government could inadvertently thwart data privacy everywhere
Perhaps the worst consequence of such a bill would be to influence other governments to propose similar changes. Many could exploit this seemingly reasonable claim to create new powers to utilize the weakened security measures for a not-so-good cause. In fact, this would bring us to a very important question: What’s the point of having end-to-end encryption and other similar security features if governments and similar entities can simply tap into the encrypted data by law at their own will?
In the end, we have a complex dilemma to resolve that, quite frankly, shouldn’t have ever been brought up in the first place, even when considering the views of both sides. Under no circumstances is it acceptable to completely do away with the user’s right to data privacy. It must be emphasized that not all the details are available at this point and that the changes are only under review at this stage. However, when considering Apple’s stance on the matter, it’s hard to argue against its concerns. Hopefully, Apple’s powerful position, as well as the stance of the rest of the concerned services, will force the U.K. government to rethink. Otherwise, the repercussions will be hard to deal with.