UK Is Ordering Apple to Break Its Own Encryption

The Washington Post is reporting that the UK government has served Apple with a “technical capability notice” as defined by the 2016 Investigatory Powers Act, requiring it to break the Advanced Data Protection encryption in iCloud for the benefit of law enforcement.

This is a big deal, and something we in the security community have worried was coming for a while now.

The law, known by critics as the Snoopers’ Charter, makes it a criminal offense to reveal that the government has even made such a demand. An Apple spokesman declined to comment.

Apple can appeal the U.K. capability notice to a secret technical panel, which would consider arguments about the expense of the requirement, and to a judge who would weigh whether the request was in proportion to the government’s needs. But the law does not permit Apple to delay complying during an appeal.

In March, when the company was on notice that such a requirement might be coming, it told Parliament: “There is no reason why the U.K. [government] should have the authority to decide for citizens of the world whether they can avail themselves of the proven security benefits that flow from end-to-end encryption.”

Apple is likely to turn the feature off for UK users rather than break it for everyone worldwide. Of course, UK users will be able to spoof their location. But this might not be enough. According to the law, Apple would not be able to offer the feature to anyone who is in the UK at any point: for example, a visitor from the US.

And what happens next? Australia has a law enabling it to ask for the same thing. Will it? Will even more countries follow?

This is madness.

Posted on February 8, 2025 at 10:56 AM. 48 Comments

Comments

Who? February 8, 2025 11:24 AM

“Apple can appeal the U.K. capability notice to a secret technical panel…”

…where it will be automatically dismissed.

Nice to see this NSL-style request has been published. I ask myself why it is a criminal offense to reveal that the government has even made such a demand. The only answer I can think of is that it is a completely illegal request.

It is time to stop governments from acting this way. The only way to achieve this goal is by means of technology and mathematics, as ever.

People should wake up.

Who? February 8, 2025 11:33 AM

To be more clear, I understand [somewhat] why a NSL requesting information about someone or an organization must be kept secret, as it may interfere with an investigation. However, this one is a general request that will not hinder any research. It is just a generic request to provide a backdoor, not a request targeted to someone under active investigation.

In other words, it is kept secret because it is an illegal request.

As I said in other cases, governments and citizens play on the same league, but are not on the same team.

Wake up.

Anonymous February 8, 2025 11:38 AM

The law, known by critics as the Snoopers’ Charter, makes it a criminal offense to reveal that the government has even made such a demand. An Apple spokesman declined to comment.

Well, all Apple needs to do here is break the law in a limited and specific way.

The government won’t have any right to complain about that.

Larry Seltzer February 8, 2025 12:12 PM

How would the UK punish a company for violating a secret law? A person they could grab and hold a secret trial.

M February 8, 2025 1:10 PM

Looking beyond all of the security, privacy, and human rights reasons that backdoored encryption is a bad idea, how is this not an international incident? The UK is demanding Apple backdoor their encryption worldwide, not just in the UK. The UK is demanding backdoor access to the data belonging to Americans. They’re basically trying to strongarm an American company into performing covert espionage against the United States. This wouldn’t just impact ordinary Americans, but presumably also the personal iCloud accounts of American diplomats and high level officials.

And the U.K. is supposedly America’s ally? The United States needs to retaliate.

Alice February 8, 2025 1:10 PM

if the data is encrypted in the cloud, it’s from a key that is stored in the phone (and if done properly, in a secure anti-tampering chip secure enclave on the phone). what the UK is asking for should get the reply : “we cannot. we do not have the key. the key never leaves the device itself”

apple should turn icloud off in the UK and display the message “sorry, the UK government does not allow iCloud in your country unless we give them full access to your data, all the time. your current icloud data is no longer available, please ask the UK government for a solution for this”

governments have NO right to have access to any information on a device or cloud unless there is a judge behind and “probable cause” justifying it.

what the UK want is full access, so every time they have a new keyword in mind they can get to iCloud, and search EVERYONE’s data for anything related to it, and grab it.

Stasi dreamed of it
UK wants it implemented.

i am not surprised. the UK is no democracy. they are the country where several thousands of underage girls have been raped, everyone from the police to the services in charge of child protection KNEW and they did NOTHING.

UK is also the country where a law has been voted where you can be prosecuted for anything they don’t like you discuss at home, in a private setting (it’s a Scottish law).

the world has no lesson of democracy or individual freedoms to receive from the UK
they are a disgrace to anything called “democratic”

Roland February 8, 2025 4:53 PM

@M “This wouldn’t just impact ordinary Americans, but presumably also the personal iCloud accounts of American diplomats and high level officials.

And the U.K. is supposedly America’s ally?”

This is the UK being an ‘ally’. The act contains provisions to handle US requests for interception so long as information gained that way isn’t used to prosecute a capital crime. It may also not be coincidental it’s happened now when the US has a new president. The legislation has been in place since April last year.

American diplomats, high level officials, it even allows the British Prime Minister to authorise interception of other MPs’ communications.

Clive Robinson February 8, 2025 6:43 PM

@ Bruce, ALL,

With regards,

“Apple is likely to turn the feature off for UK users rather than break it for everyone worldwide.”

Err no, you need to read UK legislation going back to the original “Regulation of Investigatory Powers Act”(RIPA) and more recently.

As written the “notice” applies “World Wide” to “Every entity” be they “legal or natural”.

The only way Apple can avoid this is by completely withdrawing from all markets and places “world wide”.

Look on this UK legislation in the same way as that Russian Law that allows the most senior Russian politician to have executed any person any where in the world and it be legal.

The minimum punishment for not complying with this UK legislation for a “natural entity” is a “closed trial” and up to more than half a decade in isolation in prison with what is effectively “torture” both physical and mental.

If you want to see what the effect of that can be, have a think back to just a short while ago and Julian Assange[1].

Remember why Julian Assange was in prison? Likewise why the daughter of a Major Chinese Telecommunications company was held illegally by Canadian Authorities. And why Ed Snowden is we think still in Russia,

https://www.bbc.co.uk/news/business-46462858

https://time.com/7211737/tulsi-gabbard-hearing-snowden/

Then have a thought about all those people in Gitmo for whom there is no evidence against and for political reasons are unlikely to ever be released.

Contrary to what people might wish to believe, these are the sort of things that are going on, on a daily basis though you generally don’t get to hear about it.

So what can the UK-Gov do to one of the World’s largest Companies?

Well freeze all their bank accounts world wide and grab any assets they can at which point Apple Corp in effect stops existing.

All the Apple Execs can have Interpol “Red Notices” issued against them for Extradition to the UK, any that hold UK or Commonwealth IDs / Passports can have them revoked and any property they own taken and sold.

As a “stateless person in penury” your life style is likely going to be worse than being in a prison like Belmarsh and consequently quite short and brutal…

[1] Read the words of UN special rapporteur on torture and other cruel, inhuman or degrading treatment or punishment, Nils Melzer in,

https://www.thesaturdaypaper.com.au/news/media/2025/02/01/life-after-julian-assanges-release#mtr

Paul G February 8, 2025 7:50 PM

I have a vague memory of reading an article about how the US government required telcos to put backdoors in their equipment. To the surprise of no-one (except people who still use Cuneiform and similar advanced communication technologies), some people who others dislike figured out how to access those backdoors.

Do the people who think requiring backdoors is good not see the dangers? Are they willing to make themselves (or their estates) personally liable to fix any damages if unauthorized people access the backdoors?

FakeFrenchSpyINideho February 8, 2025 8:41 PM

Who remembers the “Signal Incident” in the UK? I think it was last year when Signal was “asked” by the UK Gov’t to hand over encryption keys, they didn’t comply and as a result pulled out of the UK. I may not remember it all 100% so please do fill in, anyone who recalls otherwise. So, be it UK or USA, the Gov’t pretty much has it their way or the highway. Why are the children taught in schools that we, or they should be thankful to live in Western Democracies? Sound like Brainwashing?

Mark Nottingham February 9, 2025 1:50 AM

Australia’s law has an explicit prohibition on systemic weakening of security. How effective that would be at blocking something like this is anyone’s guess.

As to what’s next, I’ve put down some thoughts here.

tfb February 9, 2025 4:32 AM

An interesting question is how this stupid idea might be implemented. Assuming people have existing data which is encrypted (and the encryption is actually encryption) then Apple can’t, themselves, decrypt it. They could do several things.

(1) Update the device in such a way that it round-trips all the data through the device for decryption and then turns off encryption. Disaster for people’s data usage.

(2) Update the device in such a way that it reveals its secret keys to Apple and turns off encryption. They then decrypt the data themselves. If they can do this at all it tells everyone just what this encryption is worth, which is ‘basically nothing’.

(3) Update the device in such a way that it asks the user to do what is needed to reveal the key, then proceed as (2).

(4) Update the device so that future data is not encrypted, but leave the existing data encrypted.

By ‘not encrypted’ above I probably mean ‘encrypted with an additional UK government key’ or whatever stupidity is required by the idiots.

For all of these options they either need to lie to their customers (because, I suppose, the UK government is forcing them to lie) or tell them that encryption is no longer supported.

Perhaps there are other options I have missed.

If I was Apple I would do (3) as it’s the most intrusive and will cause maximum outrage.

And then, of course, since you can get general-purpose programming languages for phones (there is at least one Python environment available as an app), people will write programs to encrypt sensitive data on the phone before storing it, which people with things to hide will start using as they will be widely available: Apple can only prevent this by preventing any access to a general-purpose language on the phone, since the programs themselves do not need to be in the app store: they’re just text files of (say) Python code you can cut and paste. These programs will be less good than what can be done at the OS level and will certainly be subject to attack if the phone is compromised. The encrypted data will be just as immune to attack once it’s in iCloud though. So to get at a bad person’s data you will need to compromise their phone … which is what you need to do now.

So this whole exercise is, in its entirety, a waste of time and of my taxes, which apparently are being paid to employ people who are both stupid and malign.

tfb February 9, 2025 5:01 AM

@FakeFrenchSpyINideho: Signal is available in the UK today. I think that what you are remembering is that they said that, if forced to weaken their encryption, they would simply become unavailable in the UK. I presume what that would likely mean in practice is ‘unavailable unless you use a VPN with an end-point outside the UK’, at which point I suppose the UK government starts banning VPNs.

Clive Robinson February 9, 2025 7:01 AM

@ Bruce, ALL,

A further point that should be considered.

The UK Gov has –as far as we know– started with Apple and people should ask,

“Why?”

I would argue it is wrong to think of it as being specifically “Apple”. That is it could have been any organisation that “sets an example”.

Thus the real question to ask is,

“What is the real target?”

Well obviously at the end of the line it’s “user data”, but that is a bit like saying “sugar” is why kids eat sweets.

The current target is actually how user data is stored, and how stupidity has made it so easy for governments.

Back in the early days of “Something as a Service” I warned that it was in effect an “all your eggs in someone else’s basket” nightmare, not only because you could be held to ransom by the Service provider, but from a security and privacy aspect as well.

Our host @Bruce has also warned of the dangers of large data stores and how they in effect become not an asset to an organisation but actually toxic with all the resources needed the costs quickly overcome any profit etc.

However just about every one has “Gone to the cloud” these days, regardless of if they wanted to or not. And in point of fact Microsoft appear to be making the forced upgrade to Win 11 also a forced connection to their cloud that you can not avoid.

But consider much if not the majority of data on these large cloud servers is “user data”…

The very data that bad entities within Governments want to desperately get their hands on.

The fact that “user convenience” makes “cloud aggregation” of all “user data” in just one or three places predictably what has happened. Just makes the bad entities inside Governments life easier.

There is no solution to the problem of this type of “Cloud Storage and Bad Government” you can not put legislation or anything else in place to stop “Bad Government” history shows this with way way too many examples. Likewise try as you might you are not going to get rid of “Bad Government”.

So the only solution to the problem is,

“Get rid of the Cloud Storage of ‘user data'”

Because as long as it exists it will be a “Government Target”. Whilst Apple may be the first we’ve heard about publicly, I suspect Alphabet, Amazon, Microsoft and many others have been or will be approached and most will just “throw open the door”.

For the sake of society in the near future people should not use centralised “Storage as a Service” unless they “mitigate”.

Unfortunately the only mitigation that will work is not to use any operating system, application, or service that uses communications to an Internet central service.

Because even if you encrypt all of your data “Device Side Scanning” plus “External Communications” means you are “Insecure by Default” as either the “Plaintext or KeyMat” will be whisked away.

Two things will aid this,

1, AI in everything.
2, Automatic backup and restore of user state and actions.

Why? Because to be able to keep a session open or restart a session from where it was the “Plaintext and KeyMat” needs to be stored virtually continuously “off device”.

Thus for alleged “convenience” the future of Privacy looks nonexistent, and in turn our current society that has Privacy as its foundational keystone will no longer have a foundation thus will in practice collapse.

The mitigation is of course users taking a little “responsibility” not just for themselves but others around them. Which is “pull the plug on centralised cloud” and actually “do things in private” not with agents in your computer OS, Apps and services looking over your shoulder 100% of the time.

By the looks of Win-11 and Microsoft’s other products the old joke of,

“Whatever the question the answer is not Microsoft!”

Has come true not just for Microsoft but all Silicon Valley Corps and their international equivalents due to those “Bad Government” elements.

Not so long ago Cory Doctorow[1], posed a variant of the question,

“Why can we not have nice things?”

To which he indicated corporate greed via neo-con neanderthals and their like with,

“HERE IS HOW platforms die: First, they are good to their users; then they abuse their users to make things better for their business customers; finally, they abuse those business customers to claw back all the value for themselves. Then, they die.”

And he then said the phrase everyone remembers,

“I call this enshittification”

Well he kind of left out the issue that even if corporate greed was some how removed, the hidden driver for it to exist is “Bad Government” forcing it ever onward.

Because “Bad Government” is an “equal opportunities parasite” it cares not what or who you are good or bad. It cares only that it can climb on board and feed at your expense. Obviously it’s also a low hanging fruit feeder, thus it wants an easy life thus going for the fattest and largest plum gives most immediate reward.

Thus in all probability Apple is not the first to receive the attention of UK “Bad Government”. That is the likes of Alphabet and Microsoft have most likely given the parasite house room, with neither care or concern for their users, just as AT&T did with the NSA and their users. We’ve probably only heard about this because Apple at a sufficiently high level do care and are concerned and in some manner the information has “slipped the embargo” of UK “Bad Government”.

[1] It was the opening for an article he wrote for his own site, that Wired reprinted to a much larger audience in Jan 2023,

https://www.wired.com/story/tiktok-platforms-cory-doctorow/

It’s still very worth reading and gives an insight as to why “social media” and similar are so bad and always on the edge of self extinction.

However he made the mistake of only considering the two visible sides of the market, and did not discuss “The hidden hand” of “Bad Government”.

Andy February 9, 2025 8:41 AM

Since the story led the BBC’s Six O’Clock news here in the UK, it’s presumably safe to discuss.

Apple latest/greatest products are fairly expensive, the choice of: lawyers, doctors; politicians , business – point being, I don’t see Apple sacrificing its brand to comply with this utterly outrageous demand to access personal storage. It would certainly violate US law.

Background context:

In 2020 the ECJ ruled against UK surveillance practices – and that ruling simply related to bulk metadata collection, not content. In May, 2021 the Grand Chamber of the European Court of Human Rights (ECtHR) today ruled that the UK government’s bulk interception of communications powers “did not contain sufficient ‘end-to-end’ safeguards to provide adequate and effective guarantees against arbitrariness and the risk of abuse”, thus violating the rights to privacy and freedom of expression.

Winter February 9, 2025 1:05 PM

What is perfectly clear is that the UK government wants to weaken people’s privacy and security with a backdoor while not being able, or even wanting to, protect said people from abuse due to this backdoor.

There is neither effective remedy nor any option of relief or reparations for victims of abuse. There is not even a notion of responsibility for the safety and privacy of the subjects of this measure.

A short summary would be: The people are forbidden by the state to protect themselves and the state refuses to protect them.

I do not feel any inclination to care for those who do not care for me.

YOU are not anonymous! February 9, 2025 4:48 PM

How has this even leaked? Surely high level people in Apple are going to prison because this leaked?

Apple cannot refuse to comply with such an order, and cannot reveal it under any circumstances whatsoever. If they do refuse to comply, they go to prison and the company gets shut down. If they even “threaten” to not comply, they all go to prison and the shareholders fire them all, put in people who will preserve their stock value by complying secretly. If they comply openly (i.e. not secretly), they go to prison, everyone stops using them, and the shareholders fire them all, and elect new people who will comply secretly (because that’s the only thing that will preserve shareholder stock value). The only solution is: comply… and do it completely secretly. There is no other option. All other options are very bad for apple and/or all its leadership.

Since it’s been leaked, the only solution that doesn’t result in prison and/or bankruptcy is gone. The only one left is prison sentences and firing all the heads of apple by shareholders, etc…

This is an all-or-nothing thing, because the governments have made it so. I’m not just over-reacting… Generally all-or-nothing thinking shows a cognitive disorder, with a few exceptions such as life and death situations. But this is actually life or death for the company, and freedom or prison for its leadership. And for every other company in the world as well, who dares to have cloud anything. Which is any web site that provides user accounts at least to some small degree, and to a larger degree anyone who stores more than just logins or billing info…

It’s because of crazy extremes like this that I’ve always assumed every large company has already complied secretly…. to every country’s similar requests (at least to the most big and powerful countries of the world)…

Clive Robinson February 9, 2025 7:19 PM

@ tfb,

“Perhaps there are other options I have missed.”

You know that in an “infinite universe” the answer to that would be “inevitably” 😉

But a question for all to consider,

“I present you with a plain text file of syntactically and grammatically correct English… How do you tell if it contains hidden data or not?”

The correct answer is,

“There is no reliable way by observation.”

Because the issue is,

1, That to transfer information the file would have to have a fair degree of redundancy (basic information theory[1]).

2, Where there is redundancy, you can create a “subliminal channel” with it (as Gustavus Simmons pointed out[2]).

3, Where there is a channel from redundancy you can use a “Perfect Secrecy” system that is “equiprobable” thus any sequence might or might not be an enciphered message.

4, A Code book converts plain text strings to the equivalent of integers and the opposite.

I’ve shown in the past how you can send bits of information with plain text salutation strings and similar.

That is,

0 = “Hi”
1 = “Hello”
2 = “Good day”
3 = “Hope you are well”

And so on the above gives two bits of information but the third string could have multiple second words so form “Good Morning”, “Good Afternoon”, “Good evening” as well.

So it would not be difficult to get eight strings and have three bits of information sent.

However “codes” suffer from “correlation attacks” as you get messages in depth.

The way to break this correlation is with a variation of “super encryption” using a Perfect Secrecy cipher such as the OTP. Thus the integer you send gets encrypted by the OTP and the resulting number then selects the code phrase to send.

Thus the messages and the code strings they use become fully independent of each other…

Whilst the bit rate to character rate is quite small in many cases that might be sufficient.

During WWII the BBC used to transmit “Messages for our friends” that were just random sentences such as,

“The Robin perched on his nest”

Yes they were codes or nulls, but as they were “One Time Messages” they may have no meaning (null) or a lot of meaning for an individual agent behind the enemy lines. Nobody except the agent and the agent’s SOE handler knew what a code meant.

Knowing this somebody monitoring messages has no idea if a message meant something or not.

Thus the obvious answer is to either,

1, Not allow a message to be sent.
2, Modify messages.

Either way the person monitoring “tips their hand” to the second party in the communication.

Because a message can be used to carry its own private channel, that indicates if a message is genuine or not. They are called “check messages” and “duress messages” and many similar names.

The point is they force an opponent “to be honest” with the “sending of messages” lest they “tip off” those they are surveilling etc.

You can read more about such things in a book written by the cryptographer and signals master of SOE[3].

[1] Claude Shannon, “”

[2] Gustavus J. Simmons, “The prisoners’ problem and the subliminal channel.” Advances in Cryptology—CRYPTO’83, 1983.

[3] Leo Marks, “Between Silk and Cyanide: A Codemaker’s War 1941–1945”

Is the war time memoir of former Special Operations Executive cryptographer Leo Marks and his battle against rigid “Military thinking” so that he could keep SOE agents in the field alive longer. He was not as successful as he would like to have been and this comes across quite painfully in the book.
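The code-book-plus-one-time-pad scheme described in the comment above, as an added example that is not part of the original comment or the blog post. The last four phrases, the function names and the 3-bit packing are assumptions made for illustration; the example shows why a monitor inspecting the text learns nothing about which symbol was sent.

```python
import secrets

# Code book: the first four phrases are the ones listed in the comment; the
# last four are constructed here to reach eight entries (3 bits per phrase).
CODEBOOK = [
    "Hi", "Hello", "Good day", "Hope you are well",
    "Good morning", "Good afternoon", "Good evening", "Greetings",
]
BITS = 3
N = len(CODEBOOK)
assert N == 1 << BITS
INDEX = {phrase: i for i, phrase in enumerate(CODEBOOK)}


def new_pad(length):
    """One-time pad: `length` independent, uniform values in 0..N-1."""
    return [secrets.randbelow(N) for _ in range(length)]


def to_symbols(data):
    """Split bytes into 3-bit symbols (big-endian), zero-filling the tail."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % BITS)
    return [int(bits[i:i + BITS], 2) for i in range(0, len(bits), BITS)]


def from_symbols(symbols, nbytes):
    """Inverse of to_symbols; nbytes tells the receiver where the fill starts."""
    bits = "".join(f"{s:0{BITS}b}" for s in symbols)[:nbytes * 8]
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def encode_code_only(symbols):
    """Plain code book, no pad: the same symbol always yields the same phrase,
    so repeated messages correlate (the weakness the comment points out)."""
    return [CODEBOOK[s] for s in symbols]


def encode(symbols, pad):
    """Super-encipher each symbol with its pad value, then pick the phrase."""
    if len(pad) != len(symbols):
        raise ValueError("pad must be exactly as long as the message")
    return [CODEBOOK[(s + k) % N] for s, k in zip(symbols, pad)]


def decode(phrases, pad):
    """Receiver side: look the phrase up, then remove the pad value."""
    if len(pad) != len(phrases):
        raise ValueError("pad must be exactly as long as the message")
    return [(INDEX[p] - k) % N for p, k in zip(phrases, pad)]


def consistent_symbols(phrase):
    """What an observer without the pad can infer from one phrase: the set of
    symbols for which some pad value would have produced it."""
    return {(INDEX[phrase] - k) % N for k in range(N)}


if __name__ == "__main__":
    message = b"OK"                      # constructed sample input
    symbols = to_symbols(message)
    pad = new_pad(len(symbols))          # used once, then discarded
    sent = encode(symbols, pad)
    print(sent)
    print(from_symbols(decode(sent, pad), len(message)))
    # Every symbol remains possible for any observed phrase.
    print(sorted(consistent_symbols(sent[0])))
```

Because every pad value is equally likely, `consistent_symbols` returns all eight symbols for any phrase, which is the "equiprobable" property in point 3 of the comment.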

VADIM LEBEDEV February 9, 2025 7:33 PM

I wonder that nobody is mentioning the fact that if this backdoor will be implemented – all individuals (and their loved ones) who potentially or actually will have access to these keys will become targets for most world spy agencies and criminal organizations.

mw February 10, 2025 1:33 AM

There are no democratic states around the world. All nations fool their citizens. It’s time for a (non bloody) revolution.

Bauke Jan Douma February 10, 2025 3:42 PM

Apple will be very happy to comply, as long as it is ensured indefinite non-accountability-by-legal-order.

Clive Robinson February 10, 2025 4:08 PM

@ Bruce, ALL,

It needs to be remembered that this may be struck moot by Apple’s own design decisions.

I mentioned a little while back an article on ARS about what Kaspersky had discovered in Apple’s CPU Design (and another more recently about AMD Microcode).

It appears as though it’s one of those “Xmas Gift that keeps giving” hardware design faults most got to hear about first time with Spectre and Meltdown that hit not just Intel but AMD and ARM devices in one way or another. Back then there were “work arounds” but no fixes were put out.

From a security perspective this new design fault is however a disaster as some think it’s a deliberate NOBUS put in at the behest of the NSA or similar. Either way it is of very major consequences, yet it appears not to be at all “newsworthy” in the trade or MSM press…

Why might be a good question, but my answers will probably be seen as “paranoia” or some such by the peanut throwing types.

So I’ll just post a link to another persons musings about it,

https://www.xstore.co.za/stuff/2024/01/kaspersky-finds-hardware-backdoor-in-5-generations-of-apple-silicon/

But I will say that what Kaspersky found means that malware on Apple CPU’s for quite some time (5 years) is a very definite yes to achieve, and may carry on being so for quite some time to come.

I’ll let others come up with theories that the release of the UK Bad Gov behaviour is “a cover story” etc to keep the more serious “CPU Hardware” out of the press and similar…

Just one last thing to consider now that the war on E2EE is kind of over and mostly “they” have admitted they were wrong, and with “Device Side Scanning or AI” being slow to take off. The likes of various SigInt agencies will have foreseen the need for one or more “another ways”.

Is this one such way?

I can not say, but if it is I would not be in the slightest surprised.

What I will say is because of what it can do,

“Do not be surprised if other just as well hidden attacks are already out there with quite a few more on the way.”

As I keep saying the entire consumer / commercial “secure device” model is wrong from a system point of view. Due to where the security and communications end points are, and the almost entire lack of segregation allowing easy “end run attacks”.

The only thing to do is “mitigate” by getting the “security end point” off of the device and very well segregated from any “communications end points or systems”.

Yes I know it’s not “convenient” or “easy” and you need to practice good “OpSec” but you do not know right now where your life will take you, and not doing the right things now may have very bad consequences for some later.

If you doubt that just remember some of those youngsters working for “Hell-On Rusk” in his DOGE agency are cyber-criminals with records of being blackmail / ransomware types. They are apparently getting “unfettered access” to highly confidential Private and Personal information that they are just “walking out the door” to not even heaven aboves knowledge.

“Would you have thought that even remotely possible three months ago?”

Well it’s happening, right now…

ResearcherZero February 11, 2025 12:14 AM

CVE-2025-24200 – unlock USB Restricted Mode for ACE3 USB-C without a passcode

https://www.forbes.com/sites/daveywinder/2025/01/14/apple-iphone-usb-c-hacked-what-you-need-to-know/

Discussion of ACE3 and ‘backdooring’ ACE2

https://media.ccc.de/v/38c3-ace-up-the-sleeve-hacking-into-apple-s-new-usb-c-controller

Bowman February 11, 2025 4:27 PM

@Clive Robinson
The only way Apple can avoid this is by completely withdrawing from all markets and places “world wide”.

But surely they could gamble and ignore the request, and act like nothing was requested? Force UK government to a situation where they have to threaten Apple to not to operate in UK. They might not want to do that considering the size of the userbase.

This would make users credentials to banking and other sites vulnerable as well, if they store their keychain in iCloud.

Clive Robinson February 11, 2025 7:35 PM

@ fib,

I’m finally back on my feet, but my steps are like those of a crab still, so it has a certain amusement value I guess :=()

Hopefully you are getting a few of the important things in life of a little leisure and pleasure of good food and company and of course fine conversation.

I wonder how other friends from here are getting on, I hope they are also well and drop by.

ResearcherZero February 12, 2025 1:52 AM

@YOU are not anonymous!

Spy fantasy and X File inspired soap operas add to the confusion. Politicians do not help the situation by only showing interest in intelligence that can be exploited for their own self-interest and political convenience. As they often make the decisions surrounding the release of classified material, the vast bulk of information is left ignored, underacted upon or not further investigated at their request, then withheld from the publication.

Rather than a cognitive disorder, some of the folks in congress, the senate and their followers watch television series and movies. As 90% of “the plot” of certain programming revolves around conspiracy theory, you can hardly blame them for their misleading belief in the fanciful ideas portrayed in the storytelling, myth creation and stereotyping provided to them. This is compounded by the restrictions that classification impose on information.

As fact and details surrounding real operation of many departments is not viewed as compelling subjects for television production, the closest thing to reality is customs and borders, police chases and other moral panic caused by viewing through a narrow lens. When establishing the causes of events, people have a tendency to detect agency, when in fact there may be none at all. Looking for patterns and identifying patterns that don’t exist is normal. We all do it and it is the foundation of many of our own irrational beliefs.

In times of disorder and rapid change people seek to identify causes for events as a coping mechanism. Being able to point to a cause or detect agency provides comfort when the real cause or chain of events which lead to a particular outcome remain unknown or might have been a random set of events without anyone exerting influence over them.

Dopamine may play a role in the associated cognitive processes, according to research.

This type of thinking could be a product from our past, which served to help us predict the behaviour of new and previously unmet groups and individuals. When making decisions regarding their trustworthiness, their motivations or whether or not they held alliances with other possibly hostile groups. Also in ancestral storytelling and myth creation.

The unfortunate side effect is that in today’s world which is flooded by information, certainty either takes time to determine, cannot be obtained or may not exist at all.

In a rapidly changing information environment, conspiracy can lead to yet more conspiracy.

Clive Robinson February 12, 2025 7:23 AM

@ Bowman,

Yes Apple can try to “force the hand” of UK “bad gov”.

But we’ve already seen a few years back how that can play out.

Remember a certain Chinese Telco manufacturer, that the US Executive, decided had to die so that next to non existent US manufacturers could dominate the world of telecomms?

Part of that was John Bolton having the company founder’s daughter arrested and detained in Canada on the equivalent of an international “Red Notice” pending clearly phoney extradition proceedings.

Then there was that German car design engineer involved with “dieselgate” who made the mistake of traveling and got grabbed.

Well the same sort of mentality behind that is now clearly exhibiting itself as UK Bad Gov feels emboldened.

Thus if Apple did as you suggest, any senior Apple Exec is in danger of the same if traveling through UK air space / International ground space or equivalent in UK Friendly or influenced nations.

As Apple has so “off-shored” itself, it can not realistically “go back” to “safe haven” and nor can its seniors. That is they are not like Chinese, Iranian, North Korean, Russian entities “safe at home” against foreign “Bad Gov” behaviours.

Oh interesting note, despite John Bolton’s “best efforts”, the Chinese Comms Company is apparently doing better than ever, as for that “Bring it home” manufacturing jobs etc supposedly behind it… I’m not hearing very much other than talks about talks about maybes in the semiconductor and electronics sectors. You might find this Perun talk on “trade wars” of interest as to why,

https://m.youtube.com/watch?v=fSXGUGFncgk

What does not get mentioned publicly that much is what has gone on with TikTok and the legislation some call “The US War Act” whereby the US can just start yet another “War on XXX” and use it as an excuse to grab any manufacturing, trade secrets, etc it wants to without compensation or having to face litigation.

If you were a major non US corporation thinking about investing a big fraction of a trillion dollars in the US over five or more years before it shows any returns, just to have it nabbed by “US Interests”…

But consider also what national interests are on the line and how they will actually affect the US and UK.

China has made fairly clear its intentions to grab what it can from the South China seas and West of the Pacific nations. This is not political rhetoric they are clearly building up significant war capability. The US has in the past made “promises” to defend these nations, that are now looking less and less like they will be honoured.

Thus if you are a national government and have something the US is highly dependent upon within your threatened borders such as semiconductor and most other “HiTec” design, manufacturing, and production, as a government are you really going to allow the little leverage you have to be stolen away from you?

I’ve been warning about the consequences of “off shoring”, “Out Sourcing” and essentially “gifted” technology transfer to China for as long as this blog has existed (look back if you doubt). You would be right if you said I saw this coming, it was to be blunt “more than obvious” because the US is all about “short term” “grab and run” neo-con thinking whilst China has almost always been about “the long game” thinking…

Clive Robinson February 12, 2025 8:26 AM

@ Bruce, ALL,

In the UK there is a Barrister who has a couple of YouTube channels.

On one of which, “BlackBeltBarrister”, he has put up a video,

https://m.youtube.com/watch?v=Bi_QDKueszc

That covers some of the legal aspects.

However he is not as well informed on the technical aspects as he appears unaware of the Apple attempt to appease certain US voices over “CSAM” via the attempted “Device Side Scanning”.

To say it again for those who are new to this, “Device Side Scanning” is in effect the “ultimate spy on your device”… It has access to everything you can see and access on your device and in fact probably more than the device user can. Because it has access via the lowest levels of the OS to everything on your device, including I suspect any “Key Material”(KeyMat) used for “End to End Encryption”(E2EE). Thus it can “End Run” attack any encryption you may use on the device.

The only way to mitigate –as you can not stop it– Device Side Scanning is not to have any,

1, Plaintext you want to keep private.
2, Any Cryptographic keys (KeyMat)
3, Any non OS encryption programs.

Whilst this might appear to stop you using encryption and sending it, it does not (this has been known since long before computers were even thought of).

You do any encryption or decryption “off device” well away from the range of its “sensors” and only enter the “ciphertext”.

There are other things you also need to do but they are “Field Craft / OpSec” that take a lot of “column space” to go through in depth and are also situation dependent (for instance saving “encrypted backups” to an on line service as a first party only, needs different OpSec to sending “encrypted messages” to second parties, that might “betray you” to third parties as appears to have happened with the WhatsApp messages mentioned at the beginning).

Mike McGitt February 12, 2025 10:30 AM

Honestly, why doesn’t the UK manufacture its own cell phone and force everyone in the UK to buy it? It’s a lot simpler than regulating public companies.

Julian February 13, 2025 5:21 AM

@Mike McGitt

The UK has enough difficulty building simple things like a ship or a railway line.

Something as advanced as building a phone is probably beyond them.

Clive Robinson February 13, 2025 5:34 AM

Mike McGitt,

With regards,

“Honestly, why doesn’t the UK manufacture its own cell phone and force everyone in the UK to buy it?”

Don’t think that the “General Post Office”(GPO)[1] as it once was did not try this back in the “Plain Old Telephone Service”(POTS) days.

Although their chosen way of earning with it was by “endless rental” at high price (about a workingman’s wages for a week each year).

For my sins I designed the software and much of the electronics for “The only Cordless Phone” that BT ever put on its rentals list whilst working for a South Korean Company.

The “I designed” “the only Cordless Phone that BT ever” sounds very ego… but it’s not, it’s just “market forces at work”.

The devolved market place “Mad Maggie Thatcher” had pushed onto the GPO did not like BT and went to the courts over the “last mile markets” and effectively killed the BT regulated and controlled equipment rental market “beyond the Demarc[2]” leaving BT holding a lot of near worthless copper cables in the ground and scrap metal cabinets along the road sides.

In the US things are slightly different which is why you do not have a “free market” but effectively a residual non competitive monopoly or cartel and as a result pay monstrous sums of money to “the incumbents” that rose out of the “Baby Bells” or “poisoned dwarfs” that Judge Harold H. Greene split AT&T / Westinghouse up into very badly back in the latter half of the 1970’s[3].

[1] The “General Post Office” was actually a UK Government run agency that covered most forms of “communications”. It got split up in the 1980’s into quite a few parts. The three big ones being British Telecom, Royal Mail, Post Office the last of which has been in the trade and more recently in the NSM news over “Horizons Scandal”. BT tried to “go big or go home” but totally misjudged market after market and tried “oppressive profiteering” and well mostly failed. It’s why those in the US are shocked why in the UK we pay so little for mobile phone service compared to the US pricing.

[2] Part of the denationalisation and freeing up of the UK communications industry was “dividing up the cake” to stop monopolistic behaviour, except where there was reason for it like officially “Health and Safety” but unofficially it made surveillance on the masses so much easier. Thus the battle for where network and customer responsibility changed hands. In the end BT got everything up to a box on the wall inside your “premises” and you got the freedom to plug anything that had been independently approved (via BABT) into it via a horrible plug. This box was the visible representation of the “Demarcation Point” or Demarc.

[3] Way back in the early 1980’s I worked for a “poisoned dwarf” of “Pacific Telesis” who had a subsidiary in the UK trying to grab a “fat slice” of the “International Telex Market”. Few these days know what the “Telex Machine” was and how they were networked together. If they see one they think incorrectly it’s an old mechanical computer terminal even though there is usually a big hint by the telephone style rotary dial on the front. Telex was the “legal business” communications and the paper print outs were treated by courts as “instruments” hence easy fraud. What kind of killed Telex other than its very very non competitive nature was it took for ever to get installed and was outrageously priced. Thus FAX “ate its lunch” and in turn Email “ate FAX’s lunch” and in turn Email is getting eaten by other more diverse technologies. The one thing that appears to be common is how the “incumbents” jump the wrong way and use lobbyists and court cases to try and prevent change, or as others call it “evolution”. You are seeing this happening right about now with the current AI LLM and ML systems and history tells us what is most likely to happen in the US. It appears to some that China has “eaten the US AI lunch” whilst the US Bratz were squabbling before even having had breakfast and are now trying to grab all the balls and bats and take them home. History tells us how this is probably going to end and US voters will not be at all happy.

Gilbert February 14, 2025 9:30 AM

Please remember that Apple has signed the PRISM with NSA and they are already sending the NSA anything they ask for and they will not tell you, a court, the press, or anyone when they do.

EVERYTHING you have as data in Google, Microsoft or Apple is already available on simple request from the NSA.

UK is part of the 5-Eyes (and there are several levels to the n-Eyes, it is much more than 5 nations sharing).

You are looking at the finger instead of looking at the moon laughing at you on this.

Who? February 14, 2025 11:40 AM

At the risk of stating the obvious, the only way to stay safe is to manage your own services. Use strong encryption, and run your own services on your own hardware.

Clive Robinson February 14, 2025 2:13 PM

@ Who?

Sadly,

“Use strong encryption, and run your own services on your own hardware.”

Is unfortunately these days not enough.

That is you really have to,

“Consider and mitigate the entire system.”

Because a fair bit of the whole system will not be 100% under your control, unless you mitigate sufficiently / fully. The first step of which is “acquiring sufficient knowledge” of all potential “side channels” through which information might be communicated or leak.

A number of years ago it was reported that Apple amongst others were putting tiny microcontrollers in the likes of removable batteries that communicated with the computer.

Such a system could and in fact was used to,

“Cross a security air or energy gap.”

(Supposedly it was to protect the user but in reality was used to help force users to “upgrade”).

Today more modern systems use USB-C for power and data in a single socket. Again such things can bridge security segregation gaps.

Now consider due to the level of power those USB-C chargers can deliver and the Switch Mode PSUs inside them come with built in “Power Factor Correction”(PFC). This PFC is supposedly there to minimise phase losses on the mains power wiring and utility generators.

The chips used to do PFC you will find on reading their data sheets, are effectively “modulators” thus can put information on the mains wiring.

This PFC modulation can be clearly seen by the chips in your “Smart Meter”. Whilst as a communications channel it might be “low bandwidth” it is however more than sufficient to send any crypto “Key Material”(KeyMat).

This low bandwidth communication to the Smart Meter can in turn be sent across the local smart grid radio or GSM phone network and back via that to just about anywhere in the world…

Which is why in part the UK RIPA and later legislation / statutes / regulations acts say what they do. And might be what is behind the recently reported “allegations” of what has been claimed to have happened to Apple.

Whilst it might sound like “conspiracy theory thinking” it is actually technically all too easily possible. Which means,

“Unless you are aware and mitigate correctly, you are insecure.”

Which is why “securing your hardware” is these days way way harder than many realise.

Big Halls February 15, 2025 5:08 PM

What’s the big deal? Apple stores the Chinese iCloud keys in China, allowing the communists to decrypt the iCloud accounts through the Chinese “legal process”…

Clive Robinson February 16, 2025 12:45 AM

@ Big Halls, ALL,

With regards,

“What’s the big deal?”

I guess you’re not familiar with the UK legislation, because you go on to say,

“Apple stores the Chinese iCloud keys in China, allowing the communists to decrypt the iCloud accounts through the Chinese “legal process””

What you are saying is you believe China,

“limits its legal process”

To inside China.

Well the UK last century with RIPA took the view point –much like the US– that UK law applies everywhere without legal limit (ie any entity, any time, any place, no limit).

And codified that, if the data could be reached from the UK then the UK had full rights on it (a cyber-ransom dream).

Thus under UK legislation, even the musings of POTUS made in the Oval Office, or at 4AM in the bathroom attached to the “second floor bedroom” in the “Private Residence” are covered by the UK legislation, as are yours wherever you live.

Do you think that is not a “big deal”?

Because if you don’t then either,

1, You’ve not thought it through.
2, You’ve given up any hope of having a private life.

No matter where you are, all your data, spoken words, typed information and that others have created about you including all your passwords, financial, health and other records.

All as they say in the UK arrest caution,

“You do not have to say anything. But, it may harm your defence if you do not mention when questioned something which you later rely on in court. Anything you do say may be given in evidence.”

Which in the case of the electronic information –data– held anywhere in the world on you,

1, Anything –data– collected or inferred may be given –used against you– in “evidence” (if it harms, not helps you as you have no presumed innocence under RIPA etc).
2, You have no right to have anything –data– not used against you regardless of its truth or falsity (Maggie Thatcher’s “computer print out is irrefutable evidence” rule).
3, You have no right to see or hear anything –data– the UK Gov has relating to you (nor does your legal representative).
4, You thus have no right to rebut anything –data– given in evidence.

Oh and that,

“You do not have to say anything”

Is not true, you are “required to hand over” anything or everything “data” such as passwords and encryption keys when asked. Not doing so is automatically a crime for which you face a substantial imprisonment and fine…

There is no defence to offer other than “proving you can not do so”. That is not only did you “never know” but could “never have known”…

So far UK judges have been very cautious with regards these parts of the several acts. Unlike the law enforcement and intelligence authorities who jump on it at every opportunity, grab any electronics and all too often fail to return them or return them in a damaged state, including having spyware and worse installed (in one case files that showed up as CSAM got put on a person’s storage device by a self proclaimed expert forensic examiner).

Big Halls February 16, 2025 1:51 AM

@ Clive Robinson, I was being sarcastic. China’s “legal process”… it’s almost a joke. This was a sarcastic comparison of the UK following the communist’s lead. It’s a dark day when your own government can pass laws that turn you into a criminal. Governments evolve, and with those shifts come changing policies and priorities. What’s seen as “acceptable” oversight today could easily be weaponized for oppression tomorrow. Allowing governments access to encryption keys would give them unchecked power to spy on private communications and sensitive information, opening the door for authoritarian regimes and bad actors to use that power for political persecution, silencing opposition, and controlling dissent. History has shown us that this is always where it leads.

Who? February 20, 2025 5:55 AM

@ Clive Robinson

You have a very good point about Power Factor Correction (“PFC”) modulation being a problem here. It is a possible way to jump air gapping (obviously not energy gapped systems), however I think that it is limited to a single branch circuit. I guess it may be some sort of covert channel, but transmission should end at the electrical circuit breaker panels, if I am not wrong here.

There is some research on broadband over power lines (“BPL”), I am not sure the status of this technology right now, but I guess both ends of the communication channel should be nearby. I hope a fully fledged BPL PSU will require enough additional hardware to be noticed by the owner of the bugged device.

In any case, it seems it is time to buy a good on-line UPS if we are worried about the abilities of PFC devices to do a “too much efficient work”.

Clive Robinson February 20, 2025 10:39 AM

@ Who?, ALL

Re Power Factor side channel.

“It is a possible way to jump air gapping (obviously not energy gapped systems), however I think that it is limited to a single branch circuit. I guess it may be some sort of covert channel, but transmission should end at the electrical circuit breaker panels”

Your thinking on “single branch circuit” is I’m assuming that you think that additional devices with Power Factor Correction will null or obscure the modulation.

To a certain extent yes, but it’s dependent on the load they draw. When they are off or in standby low load conditions additional devices will not really have much of an effect on the modulation.

Further the type of modulation will also give greater or lesser immunity to other devices. To see why consider a quadrature phase modulation, it can work in one of two ways fixed phase or differential phase to transmit each pair of bits.

But also consider the information being leaked to the mains power line. Let us assume it is a 1024bit length message that contains an identifier, the symmetric key, and some kind of error correction or checksum.

Such a message could be sent over and over again and averaged in some way. It can also be reverse phase modulated to overcome certain types of asymmetric error “in the channel”. This in turn allows a very “slow code” using a form of “spread Spectrum”(SS) that significantly lowers the “noise floor” by the “chip rate” which in turn improves the signal to noise thus “Bit Error Rate”(BER) by trading increased time for improved signal to noise rate.

The interesting thing about using a form of SS is that it allows multiple devices to send in the same channel but effectively be independent of each other so have reduced if minimal interference.

With “Forward Error Correction”(FEC) systems, it’s usually considered that sending the whole message just three times is sufficient. Other types of FEC suitable for error correction that approaches closely to the theoretical minimum are “Reed-Solomon”(RS) and modified Gallager “Low Density Parity Check”(LDPC) codes.

For this type of communication the message can be sent over and over with the Signal to Noise and BER improving with time.

With regards the “Circuit Breaker” or “Consumer Unit” panels, these are usually at the grid drop point into the building or floor where the phase is determined. This is also the same place a “Smart Meter” instrumentation head goes. Importantly such heads can tell the power factor difference across them and in absolute terms and they usually sense by taking readings at least 12 times the mains frequency.

So more than adequate hardware is in production and being installed. So all the physical pieces are “in place” already to set up such a communications channel they just need a “software” patch / upgrade to enable it…

[] For a description of “error floors” see,

https://web.archive.org/web/20170811015651if_/http://ldpccodes.com/papers/ErrorFloors.pdf
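An added illustration, not part of the comment above or of any real tooling: a simulation of the repeat-and-combine idea the comment describes, using its 1024-bit message length, to show how bit error rate falls as the same message is sent more times through a noisy channel. The antipodal signalling, the Gaussian noise level (sigma = 2.0), the seeds and all function names are assumptions chosen for the example.

```python
import math
import random

MESSAGE_BITS = 1024  # message length taken from the comment; everything else is assumed


def make_message(rng, nbits=MESSAGE_BITS):
    """Constructed random payload standing in for identifier + key + checksum."""
    return [rng.getrandbits(1) for _ in range(nbits)]


def transmit(bits, sigma, rng):
    """One pass through the channel: map 0 -> -1.0, 1 -> +1.0, add Gaussian noise."""
    return [(1.0 if b else -1.0) + rng.gauss(0.0, sigma) for b in bits]


def receive_averaged(bits, repeats, sigma, rng):
    """Soft combining: sum the noisy samples of each bit over all repeats, slice at 0."""
    acc = [0.0] * len(bits)
    for _ in range(repeats):
        for i, sample in enumerate(transmit(bits, sigma, rng)):
            acc[i] += sample
    return [1 if a > 0 else 0 for a in acc]


def receive_majority(bits, repeats, sigma, rng):
    """Hard combining: decide each copy on its own, then majority vote (odd repeats)."""
    votes = [0] * len(bits)
    for _ in range(repeats):
        for i, sample in enumerate(transmit(bits, sigma, rng)):
            votes[i] += 1 if sample > 0 else 0
    return [1 if 2 * v > repeats else 0 for v in votes]


def bit_error_rate(sent, got):
    return sum(a != b for a, b in zip(sent, got)) / len(sent)


def theoretical_ber(repeats, sigma):
    """Q(sqrt(repeats) / sigma): averaging N copies cuts the noise std by sqrt(N)."""
    return 0.5 * math.erfc(math.sqrt(repeats) / (sigma * math.sqrt(2)))


def sweep(sigma=2.0, seed=1, repeat_counts=(1, 3, 16, 64)):
    """Measured BER of soft combining for each repeat count."""
    rng = random.Random(seed)
    msg = make_message(rng)
    return {n: bit_error_rate(msg, receive_averaged(msg, n, sigma, rng))
            for n in repeat_counts}


def compare_three(sigma=2.0, seed=2):
    """Three sends: (majority-vote BER, averaged BER) on the same message."""
    rng = random.Random(seed)
    msg = make_message(rng)
    hard = bit_error_rate(msg, receive_majority(msg, 3, sigma, rng))
    soft = bit_error_rate(msg, receive_averaged(msg, 3, sigma, rng))
    return hard, soft


if __name__ == "__main__":
    for n, ber in sweep().items():
        print(f"repeats={n:3d}  measured={ber:.4f}  theory={theoretical_ber(n, 2.0):.5f}")
    print("3 sends, majority vs averaged:", compare_three())
```

The measured rates track Q(sqrt(N)/sigma), so noise on the line only lengthens the time such a channel needs; it does not close it.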

Rontea February 20, 2025 11:54 AM

@Big Halls
“This was a sarcastic comparison of the UK following the communist’s lead.”

ceausescu and the queen

Rontea February 20, 2025 1:13 PM

@Clive Robinson
“I wonder how other friends from here are getting on, I hope they are also well and drop by.”

I am wondering about an economy that is based on surveillance, and advertising especially after realizing that advertising is surveillance.

lurker February 23, 2025 12:23 AM

It looks like whoever was pulling the strings has got what they wanted.
Of course Apple users were free, and are still free, to do their own encryption, look after their own endpoint separation, keymat, &c. and still store the cypher-text on iCloud.
But my guess is that most Apple users wouldn’t know where to start, and those that do know wouldn’t be trusting Apple’s infrastructure for the job.

https://www.bbc.com/news/articles/cgj54eq4vejo
