Everyone in the tech industry facepalms almost every time legislators try to pontificate on technology, but the British government appears to be trying to set a new record. After putting iMessage and FaceTime at risk, the government is now suggesting that it might ban some Apple security updates.
Under the latest plans, tech companies would need to notify the British government before rolling out a security fix but might be refused permission if it blocks a vulnerability that’s being exploited by security services…
A six-year tale of technical illiteracy
The British government’s desire to ban end-to-end encryption dates back to at least 2017. Even six years ago, the country’s former head of MI5 told the government what a dangerous idea that was.
The British government wants to ban end-to-end encryption altogether, arguing that it hampers the work of the security services. Support for Apple’s position – and opposition to that of the British Home Secretary – has now come from an unlikely source.
In a BBC Radio 4 interview cited by Gizmodo, the former head of the Security Service (more commonly known as MI5) has said that while strong encryption does make their job harder, it is the lesser evil.
“I think the way cyberspace is being used by criminals, and by governments, is a potential threat to the UK’s interests more widely – and it’s very important that we should be seen and be a country where people can operate securely. And that’s very important for our commercial interests, as well as our national security interests, so encryption is very positive.”
Since then, the government has persisted in the nonsensical idea that it is somehow possible to allow it to spy on people without also letting bad guys do the same.
Most recently, Apple said that it would remove iMessage and FaceTime entirely from the UK rather than remove E2E encryption.
Apple security updates would require permission
The latest idiocy is highlighted by Just Security.
Device manufacturers would likely also have to notify the government before making available important security updates that fix known vulnerabilities and keep devices secure. Accordingly, the Secretary of State, upon receiving such an advance notice, could now request operators to, for instance, abstain from patching security gaps to allow the government to maintain access for surveillance purposes.
Again, the sheer stupidity of this cannot be overemphasized. In the vast majority of cases, Apple learns about a security vulnerability because someone else discovered it. It might be that a security researcher finds it and quietly notifies Apple before a hacker does the same, or it may be that it comes to light when it is exploited in malware. In either case, the longer Apple waits to patch it, the more dangerous it becomes. And not patching it is not an option.
John Gruber, who drew my attention to the above piece, also returns to the iMessage issue to observe that E2E encryption is not a feature that can be switched on or off but is, instead, fundamental to the design of a messaging app.
Just yesterday, we learned that when Meta decided to switch to E2E encryption for Facebook Messenger, it had to build a completely new version of the app from scratch.
It quickly became apparent that transitioning our services to E2EE would be an incredibly complex and challenging engineering puzzle. We would have to rewrite almost the entire messaging and calling code base from scratch.
Hospital emergency rooms across the UK are likely to be declaring a major incident to deal with the rash of injuries caused by the force of facepalming and banging heads against desks throughout the tech sector.
Photo: Brandon Grasley/CC2.0