Stay informed with free updates
Simply sign up to the Cyber Security myFT Digest — delivered directly to your inbox.
The writer is president of encrypted messaging service Signal
Imagine a government telling a car company to secretly weaken the effectiveness of the brakes on all the cars it sells, recklessly endangering the safety of millions. It would be an unthinkable undermining of public safety.
Sadly, this is what’s happening in the UK in cyber security, where Apple was forced to strip the vital privacy and security protection of end-to-end encryption from its backups storage service — exposing people and infrastructure to significant vulnerabilities.
Apple is not the villain here. This wasn’t a choice made lightly. The company has invested billions of dollars in cryptographic research and development and markets itself as a privacy-friendly company.
But Apple was boxed into a corner after receiving a UK government order demanding it rewrite and weaken core privacy technology, deliberately engineering vulnerabilities not just in the UK, but globally, in order to grant the government “back door” access to customers’ encrypted cloud storage data.
The government also ordered the company to tell no one, using the so-called “Snoopers’ Charter” to keep the order, and the safety degradation it mandated, secret.
In lieu of complying, Apple stripped encryption from backups in the UK alone and launched a legal complaint. This is harm reduction, but it’s still harmful. If you’re in the UK, your iCloud backups — full of things like sensitive business documents, intimate photos, evidence and financial records — are now vulnerable to hacks, breaches, theft, and hostile government requests that Apple may or may not resist.
For those outside the UK, the news is still bad. Communication doesn’t stay within jurisdictional boundaries. Anything you’ve shared with friends or peers in the UK now lacks the protection of end-to-end encryption. That photo you’ve sent a friend, or the confidential information you’ve shared with a counterparty, is now vulnerable.
If this is what Apple can be subject to, we should also pause, and shudder, as we contemplate which other tech companies may have received such a secret order, and instead of fighting, silently complied. Business leaders in particular should be concerned about what this might mean for them, and the trust they put in cloud servers, software and other critical systems that could be secretly subject to reckless endangerment.
The UK is part and parcel of a dangerous trend that threatens the cyber security of our global infrastructures. Legislators in Sweden recently proposed a law that would force communication providers to build back door vulnerabilities. France is poised to make the same mistake when it votes on the inclusion of “ghost participants” in secure conversations via back doors. “Chat control” legislation haunts Brussels.
Core infrastructures like air traffic control, medical devices and emergency operations rely on computational hardware and software. Using strong encryption to protect security and privacy is therefore a matter of national security.
The threat is not hypothetical. Last year, the US government revealed the Salt Typhoon attacks on US telecommunications systems, in which nation-state hackers affiliated with China gained access to call records, text messages and other more intimate information of millions of Americans. Potential victims included President Donald Trump. How did hackers do this? They exploited “back doors” integrated into telecommunications systems.
The fundamental issue is simple: encryption is mathematics and mathematics doesn’t discriminate between a government investigator and a criminal hacker — a back door is a back door and if it’s there, anyone can enter.
There’s also an contradiction at play. If politicians dream of making the UK a technology hub they should not be working to undermine the foundations of cyber security, on which a workable tech industry relies.
The government should withdraw its misguided mandate. Instead of surreptitiously cutting the brake cables on the technological car, it should be working to strengthen security and privacy of the technology that forms the nervous system of our world. Business leaders must also take a role, making it clear that these dangerous moves are unacceptable, and pushing the companies they license technology from to deploy encryption, and other protections, without which their interests and those of their customers will be vulnerable.
We have ceded so many of the core operations of our lives and institutions to tech, we must recognise that strong encryption isn’t the enemy of security — it is security. The argument that weakening encryption will make any of us safer is as wrong as it is dangerous.
