
Before people immediately think the worst of Google or other corporate representatives, be aware that people working in these companies need to weigh their words carefully. From The Verge's article on the issue:

> The UK has reportedly served Apple a document called a technical capability notice. It’s a criminal offense to even reveal that the government has made a demand. Similarly, if Apple did cede to the UK’s demands then it apparently would not be allowed to warn users that its encrypted service is no longer fully secure.



Which is exactly why I’m making this point. If no government had requested a backdoor, they could’ve simply answered “no”. When you have to weigh your words, it means you’re not at liberty to say whatever you want. That is itself a signal, and why warrant canaries are a thing.

https://en.wikipedia.org/wiki/Warrant_canary


Simply answering "no" when that's the truth could be illegal too. The ability to say no creates the ability to say yes as well. If I ask Apple whether they got an order and they say "no", then a year later they say "we cannot confirm nor deny", well then that's a yes.

Kinda depends on judicial interpretations of free speech, but that's how warrant canaries work. Are warrant canaries legal in the UK? They seem to be in the US but idk how well established that is.


That concept has always sounded like tech people trying to hack the law without the proper real-world legal knowledge, IMO.

Bruce Schneier wrote in a blog post that "[p]ersonally, I have never believed [warrant canaries] would work. It relies on the fact that a prohibition against speaking doesn't prevent someone from not speaking. But courts generally aren't impressed by this sort of thing, and I can easily imagine a secret warrant that includes a prohibition against triggering the warrant canary."

Lots of similar discussion on HN already, e.g. in https://news.ycombinator.com/item?id=5871541.


You're right to point out how carefully worded these statements are. But I suspect it's rare for companies of Google's status to not have been asked for a backdoor. It's not really an informative question to ask Google.


Of course they were asked. That doesn’t matter, my point is the author is assuming more from the reply than what was said.

It’s like if you conspired with your brother to steal from the cookie jar. He stole the cookies while you distracted your parents. Later on your mother reports to your father:

> When asked whether they stole from the cookie jar, derbOac did not provide a direct answer but suggested they didn’t know who did it: "I did not see anyone removing cookies from the jar," they stated.

Your statement is factually correct, but it doesn’t say what your mother concluded.


Can you elaborate on why you say it is not informative?


My guess is Google, Microsoft, Signal, Apple, Cloudflare, etc etc etc have all been asked if they could make backdoors. I expect they have all been asked. It's not the same as asking if they have made a backdoor.

So I think a journalist asking an organization like Google if they've been asked isn't really informative, because they almost certainly have been.

I'm not sure how it's relevant other than to say an answer from Google's response might seem oblique, but they're also being asked obliquely and that colors how you might interpret their response.


Presumably because the answer is "of course yes".


How does this work wrt false advertising laws? If I relied upon their end to end encryption and it turns out to be false advertising because there's a secret backdoor, who do I sue?


no one, you'll be in secret prison before you somehow gain standing


If the back door was used by a three letter agency, sure.

If the backdoor was exploited by a criminal though?


so in this hypothetical, some blackhat is able to download data en masse from apple servers? And you're worried that the only thing stopping that, or creating a duty to protect the data is encryption?


But they can still notify the public, through those canary statements. (I forgot the name commonly used).

For example (a simplistic one), you can have a statement like "we do not have any backdoors in our software" added to your legal documents (TOS, etc). But once a backdoor is added, you are compelled by your lawyers to remove that statement. So you aren't disclosing that you have added a backdoor. You're just updating your legal documents to make accurate claims.


Such actions, even just the act of deleting text, convey a message you were ordered to not convey and the government is not likely to take too kindly to that.


That is a fraudulent TOS if you're lying to the customer though


Not exactly the same but I've had a discussion around a similar topic with a Canadian immigration lawyer. We were put in contact by a mutual friend and the lawyer was looking for an email provider that was hosted in Canada and didn't rely on any US-based services (e.g. spam filtering). I asked him about the requirement and he pointed out that it was legally impossible for him to simultaneously comply with the USA PATRIOT Act and Canadian data protection/privacy laws. The US Gov't could compel his email provider to disclose solicitor-client privileged data with a gag order, and by not telling his client he would be breaking Canadian law.

By putting statements like what you're proposing in your TOS or marketing material you are potentially setting yourself up for a situation where it's now impossible to comply with all applicable laws. As others have mentioned, Australia passed legislation preventing you from disclosing the existence or non-existence of specific legal documents; they're at least warning you up front that the canary itself is illegal. The solution is to not make marketing statements that would become fraudulent in a situation where you can't legally retract them, unfortunately.

Edit: since lawyers are mentioned here... if the lawyer who is telling you that you need to remove the line from the TOS is the same lawyer who told you it was ok to put the line in the TOS... you should probably find a new lawyer because they didn't think through the consequences of approving it in the first place.


> if Apple did cede to the UK’s demands then it apparently would not be allowed to warn users that its encrypted service is no longer fully secure.

One would think this runs afoul of other laws though, truth in advertising and similar.

It's such a legal minefield, and the UK's request borders on violating the sovereignty of other nations. I can't see Apple complying, but maybe that's hopium talking.



