In the name of security, the UK government may well have put a cybersecurity target on the nation’s back, with Apple once again warning that proposed changes to the Investigatory Powers Act 2016 are a “serious and direct threat to data security and information privacy.
“We are deeply concerned about the amendments to the Investigatory Powers Bill currently before Parliament, which will put the privacy and security of users at risk," Apple said in a statement. “This is an unprecedented overreach by the government and, if implemented, the UK new user protections could be secretly vetoed globally, preventing us from ever delivering them to customers.”
The Act is being debated today in the UK House of Lords. Of course, civil liberties groups worldwide condemn these proposals.
So, what’s the problem?
The law, allegedly intended to make people safer, will undoubtedly make UK digital infrastructure a tempting target as the regulations will be weaken security there. The biggest problem for Apple, other than the steady erosion of encryption, is that essential security and privacy updates might be delayed or never appear — and without any transparency or scrutiny at all.
There isn’t even a right of appeal to these Orwellian admonitions.
Snooper's charter is hacker's heaven
If passed, the law would mean that every tech security update must be reviewed by UK authorities before release, which will immediately delay distribution of vital security patches.
Hackers will immediately see this means any patched vulnerabilities will be secured in the UK last, making the nation an incredibly attractive target to attack. Hackers are organized enough to spot and exploit weakness. It's what they do.
But that’s not the only impact of this foolish law.
Putting users at risk
Apple first warned against these dumb proposals in July 2023, when it said they would stifle innovation, commerce, and make the Home Office the “de facto global arbiter of what levels of data security and encryption are allowed.
“The new powers the Home Office seeks — expanded authority to regulate foreign companies and the ability to pre-screen and block innovative security technologies — could dramatically disrupt the global market for security technologies, putting users in the UK and around the world at greater risk,” Apple said.
The mechanics of what's proposed include, but are not confined to:
- Giving the UK Home Office the power to disable certain encryption services by issuing a Technical Capability Notice.
- Empowering the Home Office to block security and privacy updates without notifying the public.
- Requiring tech firms to submit security changes for Home Office approval before launch.
- Creating new powers for blanket surveillance of internet activity, including far less protection around the use and inspection of bulk data sets.
And if the UK rejects an update, that update cannot be released in any other nation and the public would not be informed of the decision.
Apple has already said it might abandon the UK market if it is forced to provide such advance notice of product updates, which would have a chilling impact on everyone in the UK. Apple now employs more than 8,000 people across the country, while the iOS economy supports an estimated 550,000 jobs there.
A move to exit the UK would certainly dent an already ailing UK economy that is still enduring only a lukewarm post-pandemic recovery.
Apple made its threat before, when it stood with other messaging apps vendors to insist the UK government abandon attempts to prevent end-to-end encryption of messages.
The UK government said in a statement, "Ultimately, this is about public safety and ensuring that those tasked with keeping the public safe have the necessary tools to do so.”
A draconian overreach that should be opposed
That these proposals do nothing but weaken public security seems to have escaped the architects. After all, without timely software updates, how will tech firms protect us against disgusting attacks against digital civil liberties such as those committed by the NSO Group?
These tools are a draconian overreach that threaten security — not just of subjects of the Crown in the UK, but also citizens across the world.
This ill-judged legislation, if passed, will damage the digital economy and will be seen as carte blanche for other repressive governments to deploy similarly retrogressive laws in nations across the world. One can only hope tech firms manage to push this back.
Please follow me on Mastodon, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.