Apple says that plans to increase the scope and powers of the UK’s Investigatory Powers Act is “a serious and direct threat to data security and information privacy” – not just to British citizens, but to all tech users worldwide.
The company says that the British government is trying to make itself “the de facto global arbiter of what level of data security and encryption are permissible” after a report last week noted that companies like Apple could be banned from issuing security updates without permission …
17 years of trying to ban privacy
I said last week that the British government has been threatening to ban the end-to-end encryption used in messaging apps like iMessage and FaceTime for at least six years. However, a friend reminded me that, while the names of the various proposed laws have changed, the efforts actually go back much further than this – some 17 years, in fact!
It was in 2006 that a previous government first put forward the idea of banning strong encryption, under what what was then known as the Intercept Modernisation Programme.
The Investigatory Powers Act 2016 (IPA) actually implemented many of the proposed powers, including granting the government the power to issue orders to tech companies to break encryption by building backdoors into their products. Apple strongly objected to this at the time.
The company has also said that it would withdraw iMessage and FaceTime from the UK market rather than drop end-to-end encryption, but it seems even this might not be enough.
Britain thinks it is a world government, says Apple
Apple shared with us its response to the consultation process, stating that the existing act already claims worldwide jurisdiction.
The IPA’s existing authorities are broad and already pose a significant risk to the global availability of important security technologies […] The IPA purports to apply extraterritorially, permitting the Home Office to assert that it may impose secret requirements on providers located in other countries and that apply to their users globally.
The additional powers proposed would make matters even worse.
The new powers the Home Office seeks—expanded authority to regulate foreign companies and the ability to pre-screen and block innovative security technologies—could dramatically disrupt the global market for security technologies, putting users in the UK and around the world at greater risk […]
Under this proposal, it’s possible that a non-UK company could be forced to undermine the security of all its users, simply because it has a UK user base.
Indeed, says Apple, the government is claiming that it would have this global power even if a company completely withdrew from the UK.
The Home Office proposes that the extraterritorial scope of the IPA should apply to providers in any country, regardless of whether the provider has any physical presence in the United Kingdom.
Apple agrees the law could ban security updates
Just Security argued that the expanded powers of the IPA would mean that companies like Apple would require permission from the British government before they could issue security updates. Apple agrees with this assessment.
In effect, the UK seeks authority that no other country has — to prohibit a company from releasing a security feature unless the UK receives advance notice. The result, inevitably, is that a company must choose whether to subject itself to the preferences of the Home Office or deprive users around the world of critical security features.
The iPhone maker points to the conflicts that would be created with numerous privacy laws worldwide, including Europe’s GDPR and the US CLOUD Act.
Proposed amendments must be rejected
Apple says that the proposals represent a serious privacy threat, and should be rejected.
The Home Office’s proposals to expand the IPA’s extraterritorial reach and to grant itself the power to pre-clear and block emerging security technologies constitute a serious and direct threat to data security and information privacy. To ensure that individuals have the tools to respond to the ever-increasing threats to information security, the Home Office’s proposal should be rejected.
FTC: We use income earning auto affiliate links. More.
Comments