
> requires that Apple creates a back door that allows UK security officials unencumbered access to encrypted user data worldwide

How could this even be enforced if Apple pulls cloud services out of the UK?

It's such a ridiculous request, the British Intelligence agencies must be bored coming up with new ways to make Apple look good.



As long as Apple has a business presence in the UK, they are subject to the laws the UK imposes on them even if they're vastly overreaching and impose on other governments' citizens. Not supporting cloud services wouldn't be sufficient to avoid the compliance requirement, they would have to formally stop doing business in the UK.

Looking at the market size that might be a decision that Apple is willing to make as it would most likely be a temporary stick. The government can spin it any way they want, but Apple devices do not work basically at all without the deep integration of their services. A geoblock would effectively mean UK citizens would be left with unusable devices and I can't see the resulting outrage being directed exclusively at Apple.

It'll be interesting to see how this plays out for sure.


I think this is the most solid answer I’ve seen so far that makes any sense. Could they still go through with it, I’m not sure, they want to project some influence but I still feel this is like haggling for half price to get cost.

Someone else here said something spot on for me, we’re all focusing on how bat sh*t this is because it’s global without even considering how human privacy obligations are just ignored.

Humans have a right to privacy, feels unbelievably pretentious and privileged to even say that. But it’s still true


Imagine weighing the right of privacy of everyone in the world against the right of safety of 0.8% of the world population.


> As long as Apple has a business presence in the UK, they are subject to the laws the UK imposes on them even if they're vastly overreaching and impose on other governments' citizens.

I wonder if this means that Apple would ultimately take the same approach that they have in China, where the iCloud data and services are entirely localized within China and allows the Chinese government unrestricted access.


one can't compare china and the uk.

china had leverage because of the manufacturing happening over there and the incredible market opportunity, UK doesn't have much.

technically i believe apple could get out of the UK market to provoke a backlash on the government.

If they concede, other governments will use the exact same blackmailing technique and one can say it will be the absolute end of their "privacy" marketing campaign they spent so much money into.


Apple offers the same escrowed key and non-escrowed key (advanced data protection) features in China as far as I'm aware. The extra capability GCBD has would be access to protected at rest data like iCloud email.


The decision wouldn't involve just market size, but their Irish tax haven as well. They're not going to pull out of the UK entirely.


Their Irish tax haven is rather specifically _not_ in the UK.


yeah isn't it in... you know... Ireland?


There is the Republic of Ireland, not in UK, and Northern Ireland, in UK.


And Apple's "haven" is in Republic of Ireland, so no, not UK.


fyi, if you see Ireland or Irish mentioned it nearly always refers to the Republic of Ireland.


Oh American education system please never change


I’ve met a few fellow brits who don’t know the difference.


Apologies for any offense given. Total brain fart moment. If I could delete this comment I would


Go ahead and call someone from Ireland, British.


In the north about 50% will be ok with it.


Ireland is in EU. UK is not in EU anymore


Apple still has legal entities in the UK. Pulling out cloud services would be insufficient to prevent the UK authorities from interfering with their activities.


> prevent the UK authorities from interfering with their activities

I'm still missing how this could be enforced? To my layman understanding, this reads the same as if China said: "Meta, Tesla, Valve etc has entities in China therefore we get to see all data they store in the EU and the US."

The UK has Zero jurisdiction in Ireland for example where a lot of EU data may be stored.


I have lived to the day that we give an example on China not doing something stupid a western democracy does about rights and freedom. Wild times to be alive. I am also surprised that they demand worldwide access and not just UK users' data or all the data stored in UK jurisdiction. But this is going too far.


China has forced Apple to outsource iCloud in China to a state run company, so all data is just directly controlled by the government there. It’s an even worse situation.

https://support.apple.com/en-us/111754


That is just China's general rules around tech. Awful? Yes. But not a global issue. Most non-Chinese companies are forced to have their Chinese properties run by a Chinese company. This is shown by companies like VW having cars made in China with effectively a license model, these cars are designed and built by a third party with a few interesting exceptions (VW actually licensed a design, the Taos, back and shipped it worldwide)

The insane overreach was the UK wanting data on people not in the UK


How is this worse? This only affects users in China.


And users who communicate with users in China using Apple services.


They can send encrypted PGP messages, e2e was figured out in 1991.


We literally tried to do this with TikTok. We can't exactly stand on a high-horse when the highest level of government in the US was totally fine with it.

Our noble "we can't have American data in the hands of our enemies," their savage "forcing American companies to turn over user data."


I disagree. Apple is a hardware company but TT is a shithole social media

in other words, you store much more data on a phone versus a doomscrolling app[*]

*: unless you make videos and publish PII in them :)


Edit: I misread the comment tree, I thought this comment was equating the TikTok situation to the UK's request.

I agree that the TikTok demands are pretty similar, though I might quibble over whether they're literally the same, since arrangements like that are the status quo in China but not in the US

Original comment below:

How is "remove foreign control of data on our nation's users" remotely the same as "give us access to foreign users' data"?

They're not even figuratively the same, despite you literally misusing that word


It's not clear which scenario you are referring to.

If by "give us access to foreign users' data", you mean TikTok, then ByteDance is only required to sell the US portion of TikTok to American buyers. If you mean iCloud, then Apple is only required to keep Chinese users' data on local servers.


Oh my bad, I misread the comment tree and thought this comment was a response to the grandparent.

"give us access to foreign users' data" referred to what the UK is asking for, I thought the post I was replying to was equating the UK's request to the US'


At least the CIA doesn't get it… dunno which is worse.


It is worse than that, I never expected that most democracies would go back to foregone days, because people get sold out on populism and decided to ignore history lessons.

As a child of Portuguese revolution, I am aware of plenty of stories, apparently many folks nowadays think those are stories to scare misbehaved kids.


And if you think China and the USA and Russia wouldn't want it... hey I've got this bridge for sale.


There are tensions in the US.

Those who are charged with stopping cyber crime are very much against this. End to End encryption is one of the better protections they can give you against foreign hackers and they want you to use it.

Meanwhile down the hall are people who are charged with investigating crimes someone in the country commits and they want this. It is a lot easier to prove someone is involved in some crime if a warrant can get their data, but end to end encryption means they can only get random bytes. (of course they don't want warrants either, but that is a different issue not relevant here so they will specify warrants in this debate)


The difference is that China and Russia have the sense to spy on foreign citizens with hackers, trackers, and other covert means. Somehow the UK feels entitled to Apple doing their espionage for them, and has the gall to ask publicly.

Note that this is not China apologia: they do the same brazen shit locally, but they're an authoritarian regime. I have lower expectations for human rights there.


If you, like me, didn't know where the idiom "I've got a bridge to sell you" comes from, here you go: https://en.wikipedia.org/wiki/George_C._Parker

George C. Parker was a conman in NYC who multiple times sold the ownership of the Brooklyn Bridge to his victims. Among other cons.


I know we're going off topic but I remember hearing about this, and it reminded me then of a similar case in Paris where the Eiffel Tower was being sold too.

https://en.wikipedia.org/wiki/Victor_Lustig


Ah, the good ol' days of conmen. No, all we've got are crypto scammers =D


Here's a whole movie on various scams https://www.youtube.com/watch?v=8qJuxxUoZRw


It can be enforced in this way: police raid the local headquarters and jail a bunch of people because their company didn't comply with the law.

The only way to prevent that is not having any local office, no employees, nothing. Sell physical objects only by the means of local 3rd party resellers which will import goods. Same thing for services. Of course they can ban imports and services or go after those 3rd parties. It depends how nasty they want to be.


I suspect the UK government would back down way before Apple. People aren’t politically active as those of years past, but brick their iPhones you’d have a riot.


> I'm still missing how this could be enforced?

By banning Apple from doing business in the UK.

The US used a similar strategy decades ago to break Swiss Bank Secrecy laws (either Swiss banks had to give up the info or they were going to be kicked out of the US).


> By banning Apple from doing business in the UK.

As someone else here said, Apple would 100% call this bluff. And you can be certain the UK won't have the US to put pressure on Apple for them. All that would happen is the UK Apple users would be left with an expensive paperweight.


UK can just start fining Apple billions of dollars if they don't want to fully kick them out of the country.


Actually, maybe this is what the government's end goal is. Free money!


That assumes that Apple's shareholders believe that Apple's privacy reputation (relative to other companies) is more valuable than access to the UK market.

All evidence that I have seen suggests that consumers by and large do not care about this kind of privacy. They do not buy iPhones instead of other phones due to the privacy properties.

Therefore Apple's shareholders could order Apple to stay in the UK market.

And if not, then Apple's customers could be compensated with money and other UK-held assets that the government could confiscate.


This is usually true of any corp. However, Apple is the one big tech company that has built its reputation on privacy more than any other, and Cook in particular is very strong on that -- and he's not prone to Zuck-like flip/flopping, at least not so far.

You may be right, of course. But if there's one tech company who _might_ say "no", it's Apple.

Counterpoint: Apple in China.


According to NASDAQ [1] the two main investors are Vanguard and Blackrock, but the two of them together are far away from 50%. There are a number of other large investors. I didn't do the sums but there must be probably 30 of them to get to 50%. Do some of them care about privacy of common people? Probably not. About the people in their boards? Probably yes.

[1] https://www.nasdaq.com/market-activity/stocks/aapl/instituti...


Most users don't care about that stuff, but I think a small but significant percentage do. I have never been an Apple fan but I am aware that they are significantly better than Windows and Android for security and privacy.


Swiss banks didn't care - they didn't have a large US presence anyway. Until the US started enforcing this by proxy, other banks couldn't do business with you and the US and overall the US is more important to the world than Swiss banks.


Not so sure. Yeah, they didn't have a large US presence but they did a lot of business with US banks and securities markets -- that's what was threatened. It wasn't the ability to have branches in the US but the ability to conduct business in US markets.


Yep, and the US had a lot more leverage; out of the US translates into no access to US dollars either directly or via a correspondent bank, which essentially means bankruptcy.


> By banning Apple from doing business in the UK.

To use poker terminology: I think that if the UK made this bet that Apple would call.


I really hope so. I would love to see that showdown. Hopefully, "can't buy an iPhone in the UK and everyone knows why" makes the Snooper's Charter a radioactive mess that legislators fall all over themselves to repeal.


I don't see how closing Apple UK would mean "can't buy an iPhone in the UK". Importing is a thing.


In which case, Apple still wins by not having to put in a backdoor.


Exactly, imagine the legislators facing their irate teen daughters for bricking Apple devices.


Apple stockholders would never allow that.


> Apple stockholders would never allow that.

Then they can vote in a board of directors that agrees with them, and have that board fire Tim Cook.

I would hazard to guess that you'll see an exodus of a lot of folks leaving Apple either because (a) they won't follow that order, or (b) in solidarity with those that are fired.

Reminder that privacy is a feature that Apple touts (how much you believe them is up to you):

> On January 28, 2021, Apple CEO Tim Cook delivered remarks at Computers, Privacy & Data Protection Conference: Enforcing Rights in a Changing World. The virtual conference — hosted annually in Brussels, Belgium — is one of the foremost international privacy and technology conferences bringing together leaders from academia, government, civil society and the private sector. Learn more about the features and controls Apple provides users to safeguard their privacy at http://www.apple.com/privacy

* https://www.youtube.com/watch?v=OaLxTz1Yw7M

* https://www.youtube.com/watch?v=0HjDpPnxcP0

* https://www.youtube.com/watch?v=1YOi0r3vptQ


I don't know where your ideas are coming from - Apple easily folded and gave all data to Chinese government when commanded to do so under leadership of Tim Cook.

Where does your thinking that they'll suddenly forget about revenue from UK over this come from?


> Where does your thinking that they'll suddenly forget about revenue from UK over this come from?

* https://www.google.com/search?q=apple+china+revenues

* https://www.google.com/search?q=apple+uk+revenues


Probably the belief that the CCP would survive Apple withdrawing from China, but the UK government would not survive Apple withdrawing from the UK.


Shutdown by voluntary liquidation requires shareholder approval, cannot be done by the board alone.


They ban Apple from doing business and watch as the UK stock market goes into the toilet as companies scramble to get out.


Sadly jurisdiction has nothing to do with it.

https://www.irishtimes.com/business/technology/uk-spy-base-g...

This is not just a case of the British intelligence services secretly “tapping into” Irish telephonic and internet traffic via land and maritime cables. Rather in most cases they are being provided free (or commercial) access to the information by companies associated with the use, ownership or maintenance of these cables.

Post-Snowden the Irish government retroactively legalised it...


> I'm still missing how this could be enforced?

Basically by saying that if they don't comply, they can't do business in the UK.


There are lots of different ways to do business. UK is unlikely to be able to ban the iPhone, and I doubt Apple has much business in the UK. As such they can lay off all workers in the UK "because of legal issues" and the workers feel the pain. They can still sell in the UK through third parties, and go to the EU if you need warranty work.


The phone itself is only a piece. Apple sells multiple services, without them the phone is useless. If you can't access the appstore, the backups, etc. what good is an iPhone? Now, the UK can say that UK citizens' data can't travel outside of the UK without the UK government permission.

So it's still a problem. This seems like a looming PR battle.


> Now, the UK can say that UK citizens' data can't travel outside of the UK without the UK government permission.

How so?


Same as GDPR forbids the same thing from EU.


Except perhaps for people living near the border in Northern Ireland, "going to the EU" for warranty work is a completely unfeasible suggestion. It's not exactly a short or cheap journey for most of us!


You don't have to go in person. Put it in the mail. In person can get same day service though. Next day mail is expensive, but you can get it (and if Apple is serious they can partner with the next day mail and do overnight repairs). It isn't uncommon for someone to ship you a replacement device and then you ship your broken one back after the new arrives (if the old is only partially broken this can be useful). Apple has a lot of options to make this not too inconvenient.

Though will Apple blink is still unknown. Just because they can doesn't mean they will.


The UK public would never accept this. There's basically almost no interest in E2EE at all, but the idea of not being able to take your iPhone to the Apple Store would be riot-inducing. And I think the average Brit would be more comfortable posting their phone to the US than to France.

If Apple really has the guts to stare this one down, then I would expect it's the government who blinks.


That got me curious. Google maps says that from London to the Apple store in Lille, France is about 4 hours by car, and the same for the return trip. Googling suggests that it would be about £120 for round trip transport through the tunnel.

It says that by train it is about 90 minutes each way and would cost about the same as the car trip.


Ireland doesn't have a single apple store in it. The closest thing that exists are stores in their authorised reseller program.


If the reseller is also an Apple authorized service provider that should be fine. They have genuine Apple parts and can do warranty and AppleCare work.

Not sure it would be worth it though, unless you are in Northern Ireland. If you are someplace more like London it would be a lot faster to go to the nearest Apple Store in France and a lot cheaper.


That's really odd -- Belfast but not Dublin? Why?


"Europeans think 100 miles is a long distance. Americans think 100 years is a long time."


It's ~40 miles round trip to go to a grocery store. And that's a crappy store, better ones are an additional 5-10 miles.

In the US.


It is a relatively small market, and if Apple decides to shut down while flooding the streets of London with posters saying “We are forced by your government to shut down in order to uphold your privacy”, the UK Government would take a massive blow.

Imagine Russian Oligarchs on Android devices! Polonium will roll, I tell you!


So if British voters get to choose between having access to iPhones or voting for a government that wants to spy on them at whatever the cost surely the choice must be clear?


The US CLOUD act says something similar to your straw man (though it doesn't ban E2E encryption like the UK is attempting to do):

https://en.wikipedia.org/wiki/CLOUD_Act

Note that the bar is having the ability to access the server, so this law is completely incompatible with most GDPR solutions: It's illegal to store European user data and then refuse to hand it over to US law enforcement, regardless of whether the data is stored in Europe or the request breaks European law.


I imagine they would fine Apple a large sum of money. If Apple refuse to pay they send high court sheriffs to confiscate any property they have in the UK to pay the debt.


The opposite is happening all the time - i.e. US demanding access to European data from Facebook and Google et al. It is not one-sided.


It would be enforced by fining the UK legal entities (or worse, like charging their legal representatives) if they don't comply. If the UK is serious about this, the only alternative for Apple would eventually be to completely cease operations in the UK.

By the way, this is similar to why for true GDPR compliance, data centers should be operated by EU companies that aren't subsidiaries of US companies, because even if the latter operate data centers located in the EU, they would still be bound to secret orders by the US government.


The most horrible part of the discussion we're making is that we're arguing that UK intelligence should be able to access only UK related data, and not that UK intelligence should not undermine privacy of people


The Overton Window has shifted.


Has it? UK has a long-standing reputation as one of the most persistent surveillance nanny states in the West.


The Clipper Chip died a quick death back when the Clinton administration wanted it, as the push back against it was pretty strong. Now? Seems like a matter of time before every form of electronic communication has a dozen different back, side, and front doors into it.


I don't think that was mandated to be used for every device though. It was also shown to perform key escrow in secret and had its security defeated before it launched.


PSA:

    The Overton window is the range of subjects and arguments politically acceptable to the mainstream population at a given time.[1] It is also known as the window of discourse.

    […]

    The political commentator Joshua Treviño has postulated that the six degrees of acceptance of public ideas are roughly:[7]
    
    unthinkable
    radical
    acceptable
    sensible
    popular
    policy

* https://en.wikipedia.org/wiki/Overton_window


What we're discussing here is whether a private company should obey laws of the country they operate in or not.


The moral thing to do would be to resist obeying such laws as much as is feasible. If that fails close all your legal entities and continue offering services to the citizens of that country to the extent that is feasible.

Of course it wouldn’t be very profitable. So unfortunately you really can’t expect a major public company to take a stand in a case like this.


Fully agree. Imagine giving your data to company XYZ which promises you full encryption privacy. The company XYZ opens a subdivision in country CBA and all's okay unless CBA's law is changed to mandate all companies to give all their data. Now your data is lost to CBA's agents.


Surely if the current government were dumb enough to try and ban Apple from the UK over something like this it would make even Truss look competent in comparison.

Not so much because British people love their iPhones to such an extreme degree but because they are willing to waste money and resources over something this stupid.

IMHO Apple could bring down the government that tried this if they really wanted to.


That's actually the only thing that would keep Apple services usable to everyone else around the world.


> By the way, this is similar to why for true GDPR compliance, data centers should be operated by EU companies that aren't subsidiaries of US companies, because even if the latter operate data centers located in the EU, they would still be bound to secret orders by the US government.

This is interesting, I know GDPR does not mandate data localization but I was under the impression that the requirements are a bit more difficult/stringent for transferring data out of the EU region? While not perfect, it's a bit less 'open door' than it would be if it was hosted in the US.


The EU has a law saying "don't transfer data out of the EU without the right paperwork, but of course if your American sysadmins have SSH access to servers in the EU to do maintenance that's no problem, just tell them not to copy the data off it"

The US has a law saying "If our spies tell American sysadmins to SSH into a server in the EU and copy data off it, they must do it and they must keep it secret"


I’ve never worked in a company with data the gov’t cared about that wouldn’t have sirens going off. Why is Joe SSHing into the EU data center? And now why’s he trying to turn off the GuardDuty rule that caught him? And why is he trying to delete that from CloudTrail? And why is the SOC 2 auditor asking why he has access to delete things from CloudTrail in the first place?

You’d have to get a surprising number of people to go along with it.


That's why it's important to choose a sysadmin who has the authority to SSH to servers. Joe SSHes in all the time, it's not an anomaly.

If you think a SOC2 auditor would spot something like this, in a company the size of Apple or Google - you've probably never been through a SOC2 audit :)


I wish that I had not been through many SOC 2 audits. But the point was just that in a sufficiently large org that might have cross-continent data centers, it’s not common to have one person who can access remote data and cover their trail and turn off the alarms and all the other things required to do it surreptitiously. Possible? Maybe. Likely? Probably not.


In my experience, every sufficiently large org with data centres on multiple continents has an accretion of legacy systems and special exceptions.

And a heuristic anomaly detection system that generates masses of false alarms, and enough different teams and documents and policies to bury an army of SOC2 auditors. And so many log lines almost anything can get lost in the noise.

The janitors always have keys to everything. Especially when it’s required by law.
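
An added example, not part of any comment in this thread: the exchange above turns on whether one identity can touch both the alerting (GuardDuty) and the audit trail (CloudTrail) without standing out from the noise. The sketch below correlates those two kinds of CloudTrail management events per principal and raises severity only when both occur close together; the sample records, the ARNs and the one-hour window are constructed assumptions.

```python
"""Correlate alert-tampering and log-tampering API calls per principal."""
from collections import defaultdict
from datetime import datetime, timedelta

# CloudTrail eventSource -> eventName values that weaken alerting or logging.
ALERTING = {"guardduty.amazonaws.com": {
    "DeleteDetector", "UpdateDetector", "CreateFilter", "UpdateFilter", "DeleteFilter"}}
LOGGING = {"cloudtrail.amazonaws.com": {
    "StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}}


def classify(event):
    """Return 'alerting', 'logging' or None for one CloudTrail record."""
    source, name = event.get("eventSource"), event.get("eventName")
    if name in ALERTING.get(source, ()):
        return "alerting"
    if name in LOGGING.get(source, ()):
        return "logging"
    return None


def correlate(events, window=timedelta(hours=1)):
    """Group control-tampering calls by principal.

    severity is 'high' when the same principal touched both alerting and
    logging controls within `window`, otherwise 'low'. any_succeeded is True
    when at least one call has no errorCode, i.e. the permission really exists.
    """
    by_principal = defaultdict(list)
    for ev in events:
        kind = classify(ev)
        if kind is None:
            continue
        when = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        by_principal[ev["userIdentity"]["arn"]].append((when, kind, ev))

    findings = []
    for arn, hits in sorted(by_principal.items()):
        alerting = [t for t, k, _ in hits if k == "alerting"]
        logging_ = [t for t, k, _ in hits if k == "logging"]
        paired = any(abs(a - b) <= window for a in alerting for b in logging_)
        findings.append({
            "principal": arn,
            "severity": "high" if paired else "low",
            "calls": sorted(e["eventName"] for _, _, e in hits),
            "any_succeeded": any("errorCode" not in e for _, _, e in hits),
        })
    return findings


def _ev(time, user, source, name, error=None):
    """Build a constructed record holding only the CloudTrail fields used here."""
    rec = {"eventTime": time, "eventSource": source, "eventName": name,
           "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{user}"}}
    if error:
        rec["errorCode"] = error
    return rec


# Constructed sample data, not real logs.
SAMPLE_EVENTS = [
    _ev("2025-01-15T10:02:11Z", "joe", "guardduty.amazonaws.com", "UpdateDetector"),
    _ev("2025-01-15T10:20:40Z", "joe", "cloudtrail.amazonaws.com", "StopLogging",
        "AccessDenied"),
    _ev("2025-01-15T03:00:00Z", "deploy", "cloudtrail.amazonaws.com", "UpdateTrail"),
    _ev("2025-01-15T09:00:00Z", "bob", "guardduty.amazonaws.com", "DeleteFilter"),
    _ev("2025-01-15T15:00:00Z", "bob", "cloudtrail.amazonaws.com", "PutEventSelectors"),
    _ev("2025-01-15T11:00:00Z", "ann", "ec2.amazonaws.com", "DescribeInstances"),
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

A denied call still counts toward the pairing, since the attempt is the signal; `any_succeeded` separately answers the auditor's question of whether the permission existed at all.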


More importantly, Apple has customers in the UK. The business from captured Apple users is more valuable than Apple's privacy reputation.

This all seems very similar to RIM and the aftermath of the riots in the UK. The backdoors became too obvious for customers to ignore. Did not go well for RIM in the market afterwards.


> More importantly, Apple has customers in the UK. The business from captured Apple users is more valuable than Apple's privacy reputation.

Is it though? I wonder how much of Apple's revenue is from the UK, probably around 5-6%? Apple isn't exactly as popular in the rest of the world as they are in the US.

Would damaging their privacy reputation globally be more valuable than the UK market? I honestly don't know, but my hunch says no - they are likely to want to keep their reputation and dump the UK market. I think more likely is Apple is going to be able to get the UK to cave in. Apple is extremely competent with PR, and would be able to spin any kind of pull-out or degraded service in the UK as the government's choice and fault, to the ire of UK citizens.


Who has more to lose though? I mean any government that would do something as stupid as banning Apple because Apple didn’t allow it to spy on its citizens wouldn’t be very popular or last that long..

I mean this would be even more stupid than Partygate and the whole Truss debacle put together.


> the British Intelligence agencies must be bored coming up with new ways to make Apple look good.

We know they collude with US intelligence services


But as far as we know there is no encryption back door


"As far as we know" is the most important part.


It seems apparent to me that Apple leaked this information to US press in an attempt to get the UK to back off. Wouldn't Apple also try to subvert the attempt for US intelligence to get a backdoor? Or do we think Apple has less of a leg to stand on with US and would be more likely to roll over?


> Or do we think Apple has less of a leg to stand on with US and would be more likely to roll over?

Apple has no leg to stand on at all. When the NSA comes to your door and demands access to everything you have you don't get to say no. There is no court you can appeal to, and they'll take whatever they want and order you to keep your mouth shut about it. They'll walk right into your headquarters and data centers, force you to move your employees so they can set up an office for themselves on your property, insert their equipment into your network directly and take everything just like they did with AT&T decades ago (https://en.wikipedia.org/wiki/Room_641A)

Your only options are to comply or shut down (https://en.wikipedia.org/wiki/Lavabit) and I'm not even sure the US government would allow "shut down" as an option in some cases. It seems likely that they'd keep a massive target like Apple running even if the owners of the company wanted to cease operations, but let's be honest, Apple makes a lot of people very very rich so they'd never walk away from that. They'll keep making their money and just try to convince themselves that the US are the "good guys" and so it must be okay.


https://en.wikipedia.org/wiki/Apple%E2%80%93FBI_encryption_d...

Obviously, Apple is going to comply with US federal law, given that their headquarters and employees are there, as well as their most profitable market. But when possible, they have shown themselves willing to fight against intrusion.


Two things,

First, that's notably the FBI and not NSA. As gp says, NSA has greater powers with less legal oversight on national security grounds.

Second, a cynic might argue that Apple put up a noisy, principled fight that one time precisely to create the perception that you have here. It could be the FBI learned data requests to Apple are a dead end!

Or the two came to a mutually beneficial understanding: "don't come in the front door waving a court order for the cameras and we'll see what we can do when our reputation isn't on the line, see? And maybe if we help out, that antitrust investigation isn't necessary after all!"


FISA courts and Patriot Act came way before iPhone, how is Apple going to fight a law that is already on the books?

A proposed law, or bill, like the one in the OP’s article, can be fought against.


You've never heard of courts? The world does not work the way you think it does at all.


I can't imagine all cloud providers weren't leaned on heavily to provide this access a long time ago. It's a treasure trove too juicy to be ignored. Quid pro quo of course.

Anything else is highly illogical or outright stupid, imagine CIA or NSA having a meeting on this a decade and a half ago and deciding 'well if they won't give us full access when we asked nicely I guess that's it, we have to respect the law and their wish'. LOL. They don't respect basic human rights at all if you don't hold a US passport, and even then the list of cases breaking laws and constitution is endless.

Apple is good with their PR, but why do folks accept their every word literally and not as part of marketing spin to sell more services is beyond me. Rest of the market is not even trying to spin it that way which is actually more respectable behavior.



You are out of your mind if you think files in iCloud are somehow outside the reach of US intel.

It’s been publicly used in a bunch of prosecutions at this point.


We all know Apple (and everyone else) gives data to law enforcement all over the world https://www.apple.com/legal/transparency/

You're including end-to-end encrypted content in that as well, like from Advanced Data Protection?

> If you choose to enable Advanced Data Protection, the majority of your iCloud data – including iCloud Backup, Photos, Notes and more – is protected using end-to-end encryption. No one else can access your end-to-end encrypted data, not even Apple, and this data remains secure even in the case of a data breach in the cloud.

https://support.apple.com/en-gb/108756

I have no opinion on whether US intel has a backdoor into this e2e encryption or not. It seems like the sort of thing where people nonchalantly state that it must happen, but of course no one ever has actual proof or a source.


We're specifically talking about files encrypted E2E using ADP. Can you point to any such files being used in prosecutions?


> It’s been publicly used in a bunch of prosecutions at this point

Can you give an example then? It would be major hacker news news if supposedly E2EE iCloud data were used in a prosecution.


Got any sources to back that up?


I mean, you're right. People think "end to end" encryption helps them, but they forget that Apple controls both the server and client more than the user does.


Don’t you think out of the thousands of Apple employees that someone would leak it?


No. Whistleblowers are extremely rare. Snowden did it, but he also worked with thousands of other employees who had knowledge of some, if not all, of the abuses Snowden told us about, but not one of them came forward. This is pretty much always the case when it comes to whistleblowers. For every one who came forward there were many many more who knew and stayed silent and it's hard to blame them. Whistleblowers are harshly punished, and sometimes killed in retaliation.

Being willing to sacrifice everything you have, including your career, your freedom, and potentially your life, just to let the public know the truth is not something you should expect people to do. It's a huge amount of risk and sacrifice while the only reward is knowing that you've done the right thing even though you'll be vilified and punished for it. That's what makes whistleblowers heroes.


Not necessarily. There's a lot of people absolutely unwilling to risk losing their salary and career. If you are doxxed as the leaker, what other company would hire you? I'm not even considering if there could be criminal charges involved as well.

Snowden left an example of what kind of lifestyle is possible after leaking, and I doubt snowflakes at FAANG would be down for that. Or how about other examples of leakers that have turned up dead? That's a cheery thought to consider.

So yeah, at this point in time, I do believe there's a lot of people that might not agree, but are not up for the task.


Snowden chose that lifestyle. If he had stayed in the US, he would be out of prison already, just without a security clearance. The longest sentence anyone ever got for leaking government information to the media is 63 months, with a release after 50 months on good behavior.


It's all speculation, but perhaps he was also thinking about how high his risk of 'suicide' would be.


Manning was released early from her 35-year prison sentence only because there was Obama, who had the balls to do it and go against the extreme far-right part of society and government employees. Not going to happen again anytime soon in the US.

I am actually surprised she survived this and wasn't suicided or sent to Guantanamo for waterboarding till the heart stops; I guess that's only for those without US passports.


Manning did not leak to the media, who would vet the data before releasing it. She effectively directly dumped diplomatic cables on WikiLeaks.


Apple is famous for keeping projects secret from its own employees. To be clear, I think it's unlikely that this has already been set up for the US, but it would be easiest to do at Apple.


We know.


By collude, you mean responding to subpoenas they are legally obliged to respond to?


Of course that's a thing. However, anyone who's ever read a history book has a pretty good reason to be suspicious it ends there.



Collude is such a fucking weird word to describe an alliance.


Collude seems like a pretty good word for an alliance formed for the purpose of subverting the law.


Yes “collude” contains exactly the right connotations. Slimy, sneaky, against the interests of the public.


That's not even the main issue in my opinion: how can Apple do this without breaking laws in other countries?

I am not a lawyer, but I think that this would be illegal under EU privacy law.


The same way it operates in China? I guess China is a much bigger market, so it’s worth the effort. Not sure how it’ll go in the UK.


> a back door that allows UK security officials unencumbered access to encrypted user data worldwide

As far as I can tell, China is asking to keep Chinese data in China and have access to it, but it is not asking to access the data of American or European citizens, and if it did we would be pissed off.


I think it’s a cultural issue. The British have an inflated sense of national self worth as a result of being the world’s largest power during the British empire. While this has not been the case for some time now (since Suez in 1948? Longer?) the people still carry the memory and national myth of great importance. This is likely what drives a sense of entitlement that British demands should bypass the laws of every other country in the world and give them unfettered access to everyone’s data. Think about that, literally everyone who has an Apple device!

Frankly, the arrogance is appalling.


MI6 probably gutted the cybersec division. Probably don’t have many viable sploits in their cache against Apple.

I suppose this is _good_ but more competent and well funded groups out of Israel, Israeli military complex, Cyprus don’t need to “ask” for a back door.


Cyber-related stuff is GCHQ (black/greyhat) or NCSC (whitehat)


Probably a maneuver to make them look good but also privately complying anyway.


>How could this even be enforced if Apple pulls out cloud services of the UK ?

Honest question, how is Apple doing it in China? Maybe the exact same scheme will work for the UK.



