I think this is an unquestionable overreach on the UK's part. If you live in any country that isn't the UK, you should feel the threat from this: the UK government believes that it is entitled to a backdoor on your hardware, even if you've never stepped a foot on UK soil or intend to. Mass surveillance is a threat to everyone, but this is not an instance of that, which has guards against it, like encryption. This is the UK asking for an encryption backdoor to everything, including for phones that never traverse its soil or internet boundaries, or even cross anywhere near FVEY collection devices.
It applies to content stored using ADP, Apple's E2EE tech. A backdoor into that would mean applying a backdoor into iOS on the phone itself, which is a much larger attack surface than anything centralised.
All of which highlights the clownish nature of these regulations. They are so easy for bad actors to circumvent (e.g. using their own E2EE), resulting in the ridiculous situation where the innocent get their data stolen and the very people you're targeting being completely unaffected.
Since it seems to be illegal to even reveal if one of these requests was received, it's also worrying that, by extension, it would be illegal to declare a data breach once the backdoor was inevitably exploited by another bad actor.
So, how would anybody know that a foreign government was spying on them? Nothing would stop them installing Pegasus on your phone and exfiltrating even your 'secure' data.
The stupid thing is that these laws always find a way to say that people in government are exempt from the provisions, and everybody except them is allowed to be spied on, but they are obviously going to be the first people to be targeted. Not some randomer hoarding CSAM.
This is a government that believes in thought crimes.
They will likely arrest people for having illegal memes on their phones or for texting messages to friends of which the government does not approve. If there was a prequel to 1984, it would look something like this.
By "thought crimes", would you mean firing people for holding positions responsible for DEI policies which were assigned to them and which there was a legal obligation to enforce?
Because that would NEVER happen in the US, certainly no government agency would fire its own people for having followed legally enacted government policy just because that policy was no longer in fashion (though still legal government policy, because Congress hadn't yet changed the law).
I really don’t like the UK government’s stance on cyber security / counter-terrorism / et al either. In fact, as a UK citizen I’ve actively campaigned against a great many of their policies.
However this “thought police” and “arrested for posting memes” comment that often gets pointed on here is itself a nonsense meme.
What actually happened was people were arrested for instigating riots. This is no different to what happened in the US regarding the Capitol Hill riots — people who helped organise it online were arrested too.
The UK has a long history of shitty policies invented to “protect people” but we need to be clear on what’s actually fact and what’s fiction. Otherwise you end up wasting energy protesting against things that are imaginary.
You are focusing on one set of incidents. There are a lot of others not connected to any violence at all. People arrested for standing still because of what they admitted thinking and their motive for doing so. Police investigations of 'non-crime incidents'. Hate speech laws that can be very widely interpreted. Increasingly restrictive laws on public protests.
Just link to a report of an incident that you think proves your point. It’s impossible to have a sensible discussion about this issue when comments are so vague.
People have been arrested for perfectly legal anti-royalist propaganda, and threatened with arrest for such things as protesting by holding a blank sheet of paper, so I don't agree.
> In London, a barrister who held up a blank piece of paper in Parliament Square was asked for his details by Metropolitan Police officers, and told that he would be arrested under the Public Order Act if he wrote "Not My King" on the paper.
Nothing actually happened to the guy with the blank sheet of paper (or at least, if it did, that’s not reported in the article).
Certainly you can find examples of the British police overpolicing protests, and that’s something that people rightly get angry about. It’s just that there’s a huge distance between that kind of thing (which happens pretty much everywhere from time to time - do US police forces have an exemplary record of policing protests?) and the kind of wild claims you can see in this discussion that the UK has become an Orwellian police state.
Perhaps, but I am not comparing it to American forces. I'm Swedish and while I have some things to do with America, mostly indirectly, it's not my centre of reference.
It feels like the UK is in many ways leading the charge, though. The only other country that would be a contender is Australia. It was the UK for example that introduced that barbarian law that conceivably allows imprisoning people that genuinely forget the passwords to their encrypted volumes, and that was I think over a decade ago.
Lots of things are troubling. I am complaining about wild exaggerations, not saying that there is nothing to worry about or that the UK is perfect.
Unfortunately a lot of people are getting their news from Twitter, from accounts that are obsessed with painting a particular picture of the UK. Have you spent any time in the UK yourself? The impression of it that you’d get from reading HN is unrecognizable to anyone who lives here.
I don't disagree that there are wild exaggerations being made, my point was just that the UK seems further along the path than its peers.
> Have you spent any time in the UK yourself? The impression of it that you’d get from reading HN is unrecognizable to anyone who lives here.
I lived in Scotland for a while and have been to London often enough. It's mostly just a normal country, but things can change slowly until all of a sudden it's unavoidable. The cops showing up to people's houses for opinion tweets is certainly frequent and concerning.
You say that but I’ve shared several examples of the same things happening in other countries like America too.
So I don’t think the UK is any further along in that regard.
There are other areas where the UK is further along though. Such as CCTV surveillance in London. There are also areas where the UK is far less Orwellian, for example our open-mindedness about abortion and gender identity.
The UK’s legal system isn’t just defined by what Musk tweets about. ;)
> You say that but I’ve shared several examples of the same things happening in other countries like America too.
You've shown some protestors getting arrested, but I don't believe you can show any equivalent of cops acting as thought police for tweets.
> for example our open-mindedness about abortion and gender identity.
Funny you say that, because there isn't so much open-mindedness as a forced viewpoint. I'm trans, FWIW, but I don't at all agree with sending cops to people's houses because a ciswoman has doubts about accepting a transwoman completely as a woman.
I'd also say it's other western countries being compared to here, and I don't think the UK is particularly further ahead than other first world nations, aside from the US where it is very much a red/blue state issue.
> You've shown some protestors getting arrested, but I don't believe you can show any equivalent of cops acting as thought police for tweets
I have elsewhere.
> Funny you say that, because there isn't so much open-mindedness as a forced viewpoint. I'm trans, FWIW, but I don't at all agree with sending cops to people's houses because a ciswoman has doubts about accepting a transwoman completely as a woman.
I wouldn’t say it’s a forced viewpoint here either.
Quite the opposite in fact, there’s a lot of really vocal people in the UK who publicly denounce transgender people.
> Could you relink them? I don't see anything, and I don't think you could show it is to the same extent as in the UK.
No. I’ve said my piece and I’m done.
And it isn’t even happening to the extent you keep claiming. There’s been lots of evidence posted to prove that point.
> Then why do cops keep showing up for wrongthink?
They don’t.
And I know you’ll follow up with some unverifiable links to highly disreputable sources which are several years out of date.
So let’s just close this argument off by saying you think you know better than everyone else despite not living in the UK nor reading either up-to-date nor reputable sources.
And this is precisely why this meme of the UK policing thought persists: because people form an opinion based off silly headlines and then are too single-minded to listen to the full facts.
I honestly can’t be bothered any longer on this. I’ve been actively involved in politics around precisely these kinds of issues, but of course you know better than me because it fits your own narrative about how your own country can’t also be going down the shitter.
You said this, but then continued to go out of your way to reply to another unrelated comment. Copying and pasting some links would have been less effort.
> And it isn’t even happening to the extent you keep claiming. There’s been lots of evidence posted to prove that point.
Actually my last reply showed quite the opposite. The scale is much larger, about 2,500 incidents.
> They don’t.
They do, at least 2500 times. See a recent reply for sources.
> And I know you’ll follow up with some unverifiable links to highly disreputable sources which are several years out of date.
> So let’s just close this argument off by saying you think you know better than everyone else despite not living in the UK nor reading either up-to-date nor reputable sources.
It's a shame here to see you assuming bad faith. This reeks of tribalism, not objective argument.
The source I found was from the UK government, so I think that you preemptively dismiss that really shows who is being rational and objective and who is not.
> So let’s just close this argument off by saying you think you know better than everyone else despite not living in the UK
You keep looking for reasons to dismiss my argument for reasons other than merit of the argument. This is telling.
I lived in the UK for years, actually, and the evidence speaks for itself, no personal experience is necessary.
> I honestly can’t be bothered any longer on this.
Maybe. You say and wrote this, yet you have a second reply you posted after this that I am about to respond to.
I won't be surprised if I end up responding yet again.
> It's a shame here to see you assuming bad faith. This reeks of tribalism, not objective argument.
Because your comments are bad faith.
And I’ve addressed all your other nonsense already.
What you’re not grasping is the cultural differences between our two police forces.
In America, the police go relatively unchecked. They buy ex-military hardware, lie in interrogations, literally kill their own innocent citizens because of their skin colour, and at no point face any repercussions. So laws in the US need to be water tight to prevent abuse — and even then, they still get flouted by those who should be upholding them.
Whereas Europe have a hell of a lot more checks and balances for our police forces. Bad cops get struck off. Good cops cannot place charges without approval from a whole other department, and thus not emotionally connected to the case. If police lie or exaggerate in those reports then they’re up for a plethora of serious charges themselves. So UK law often feels more ripe for abuse but that’s because we have stronger processes in place to protect against abuse.
Coming back to your original point, you don’t know the seriousness of the comments shared. We’ve already given examples about how online comments can have real and damaging physical consequences. Such as organising riots. People in the US have been charged for doing just the same thing. In the UK the law is called “hate speech” but that doesn’t mean that people are being investigated just for saying “I hate x”. Just like how there are multiple different names for different types of reasons and severity of killing someone, “hate speech” is just a term that covers a wide plethora of circumstances. And if — and when — those “hate speech” laws are abused, the police are raked over the coals for overreach.
So when you claim “whataboutism” what’s actually happening is I’m demonstrating the cultural differences that you seem oblivious to.
When you claim “thought crimes” you’re completely missing the nuance in these cases.
And when you’re claiming the police are abusing their powers you’re being, at best, deeply ironic. At worst, deeply ignorant.
In fact this whole argument and your single mindedness can be entirely summed up as “deeply ignorant”.
So why do UK citizens defend this claim against “thought police”? Because it literally isn’t happening. It’s just some bullshit concocted by right wing media (the same people who talk about rigged elections, “out of control immigration” and other made up bullshit) and Americans who want to feel better about their own shitty police force.
Are you not wildly exaggerating when you suggest that the ‘cops’ frequently show up at people’s houses based on things that they’ve tweeted? There aren’t even enough police officers in the UK for this to be feasible if they wanted to do it.
I didn't mean to imply that it's happening any time anyone tweets something, but there have been an alarming number of cases of cops showing up at people's houses for tweets they've made. A far greater number than anything happening in other western countries, which don't even have anything close to compare it to.
Just to be clear, even 20 times is significant here, I think the actual number is much higher, but even a number as low as 20 is concerning when the tweets don't promote violence, terrorism, CSAM or anything illegal.
What exactly is it that you are saying has happened 20 times? Described in objective terms, not using vague and emotive language like “thought police”, etc etc.
It’s still not clear where you’re getting the number 20 from or which incidents you’re talking about. But it sounds like these are cases of people being questioned by police and then…not getting arrested because they weren’t committing a crime. I’m not sure what is supposed to be concerning about that in the abstract. Maybe there’s something concerning about the specific incidents, but you don’t seem inclined to give any details about them.
> But it sounds like these are cases of people being questioned by police and then…not getting arrested because they weren’t committing a crime.
The problem is cops showing up at all for people sharing an opinion. The tweets were visible at cop HQ. Sending cops out reads like intimidation which is something cops do in authoritarian societies.
Were you not aware of the subsequent court judgment in favor of the guy in the 2019 article? https://www.bbc.co.uk/news/uk-england-lincolnshire-59727118.... No country can prevent all police officers from doing stupid things at all times, but it’s painting a very one-sided picture to leave out this important context.
Incidentally, the Daily Mail is not a news source.
There have been some instances of people being inappropriately contacted by the police over things they wrote online. I think that this has largely stopped following the court judgment that I mention downthread. I think there's broad agreement here on what the police should and shouldn't be doing. The issue is whether it's actually accurate to paint a picture of the UK as a country where the police regularly harass people about their online postings. If people in the UK strike you as unduly unconcerned, consider the possibility that it's because this isn't actually happening to anything like the extent that some people on Twitter would like you to believe that it does.
By the way, you seem to be using 'the government' in a very broad 90s internet libertarian sense. The police in the UK are operationally independent of the government of the day. As Wikipedia explains:
> Police officers [in the UK] hold office and are not employees. Each officer is an independent legal official and not an "agent of the police force, police authority or government". This allows the police their unique status and notionally provides the citizens of the UK a protection from any government that might wish unlawfully to use the police as an instrument against them.
That’s not really the same as what’s being discussed though it’s still troubling.
Thankfully common sense prevailed and those people weren’t convicted. Meanwhile in other “less Orwellian” countries people are getting charged for similar actions:
> That’s not really the same as what’s being discussed though it’s still troubling.
GP mentioned anti-royalist protester arrests and threats of arrest, you asked for a citation, I provided a link to a BBC article discussing those. How is it not "what's being discussed"? (At least in the context of this subthread.)
Fair point. But as I said, there was more to that story. And under relatively similar circumstances people are charged for protesting under similar laws in other countries too. Including ones that have freedom of speech written directly into their constitution.
So while I don’t agree with the UK arrests, it doesn’t prove that the UK is any more Orwellian than any other country.
> Thankfully common sense prevailed and those people weren’t convicted. Meanwhile in other “less Orwellian” countries people are getting charged for similar actions:
>However this “thought police” and “arrested for posting memes” comment that often gets pointed on here is itself a nonsense meme.
Are you for real? These accusations are not merely memes.
While I don't endorse terrible people, it is noteworthy that sometimes awful people are the target of even more awful laws. For example, you can do research into a person named "Adam Smith-Connor" who was literally convicted for standing in public while introspectively praying silently. The conduct of standing while appearing to pray was deemed as a form of illegal protest too near an abortion clinic. The same exact thing happened to another person "Isabel Vaughan-Spruce" who was not convicted.
There are also well documented incidents in the UK involving the prosecution of people making remarks online, which could arguably cross into thought-crime territory. I'll leave it to you to actually research these incidents, Google is your friend.
As usual in these HN threads on the UK, there’s a reasonable point that could be made about whether or not this restriction correctly balances the right to free speech against women’s right to access healthcare. But instead we see a lot of wildly exaggerated talk about “thought crimes”, etc. etc.
> For example, you can do research into a person named "Adam Smith-Connor" who was literally convicted for standing in public while introspectively praying silently. The conduct of standing while appearing to pray was deemed as a form of illegal protest too near an abortion clinic.
Those people are not trying to genuinely pray, but to intimidate women considering or wanting to get an abortion.
> There are also well documented incidents in the UK involving the prosecution of people making remarks online, which could arguably cross into thought-crime territory.
>However this “thought police” and “arrested for posting memes” comment that often gets pointed on here is itself a nonsense meme.
>What actually happened was people were arrested for instigating riots. This is no different to what happened in the US regarding the Capitol Hill riots — people who helped organise it online were arrested too.
One of the "instigators" was sent to prison for tweeting "every man and his dog should smash [the] f** out of Britannia hotel (in Leeds)". While I agree such a tweet might be illegal under US law (it plausibly meets the "imminent lawless action" standard), it's a stretch to equate that to "organise [the Capitol Hill riots] online" (whatever that means). A tweet by a nobody who got 6 likes isn't "organising". It's shitposting.
Did you actually read that article? In there it even stated there was a pattern of behaviour and that his comments on Facebook had been shared with thousands and directly resulted in criminal damage. Not only that, that his comments were intended to cause criminal damage and result in physical attacks against immigrants.
What you’ve done is selectively quoted a small subset of portions from that article to misrepresent the full trial.
Which is exactly why I had to write my comment defending the UK government earlier. Believe me, I really don’t want to defend the government.
The UK government get a lot wrong when it comes to legislation regarding technology. In fact they get nearly everything wrong and I’ve frequently had to have words with my MPs about it (not that that’s done any good). But they categorically do not lock people up just for shitposting. At best that’s just an exaggeration. At worst it’s an outright misrepresentation of the facts.
>Did you actually read that article? In there it even stated there was a pattern of behaviour and that his comments on Facebook had been shared with thousands
Are you talking about this?
"The initial post received six likes. However, it was sent to your 1,500 Facebook friends and, because of your lack of privacy settings, will have been forwarded to friends of your friends."
"shared" is doing a lot of the heavy lifting here, and likely used in a misleading way. Given how Facebook uses algorithmic timelines, and the wording (the judge was seemingly unwilling to use a stronger word like "seen" or "read"), my guess is that was the upper bound of people who could have seen his post, not how many people actually saw it. It certainly doesn't mean 1,500 people actually clicked the share button next to his post (or otherwise made a conscious effort to disseminate the post), as "his comments on Facebook had been shared with thousands" implies.
> and directly resulted in criminal damage.
Is there any evidence that people who have committed crimes even saw his post? Or are you simply claiming that because he made such tweets, such tweets called for riots, and riots happened, that those tweets "directly resulted in criminal damage"?
>Not only that, that his comments were intended to cause criminal damage and result in physical attacks against immigrants.
This doesn't contradict my prior comment, which specifically admits his behavior is illegal under even US law. My complaint was with the characterization that his tweets count as "organising".
And let’s not forget that the Capitol Hill riots were just a small few who took things out of hand - like with this guy. So it doesn’t need to be thousands to be a criminal offence.
The guy in question pled guilty too. So he clearly admits responsibility for the attack on the hotel. And that in itself should indicate that there’s more to this story than just “shitposting” on Facebook.
The problem here is folks like Elon Musk are focusing on the “freedom of speech” aspect (and of course he is, he’s got a vested self interest to) and given Elon’s media reach, this story gets skewed into a different debate.
The ironic thing is the biggest voices arguing that the UK is Orwellian don’t even realise that arrests have been happening in their own country for the same things and for much longer than in the UK.
And that’s my biggest complaint about this discussion on HN: The UK is singled out when this is happening in every country. And the cases people refer to in the UK are being distorted to sound like it’s harmless memes when the actual comments are far from what any sane person would call “shitposting”.
2. Given the issues I outlined above with the word "shared", can you clarify what exactly is meant by that? Are we talking about the act of him posting to a group chat, or that other people made a conscious effort to disseminate his post?
This doesn't provide any information to refute the points I presented in my prior comment.
>The guy in question pled guilty too. So he clearly admits responsibility for the attack on the hotel.
Don't confuse pleading with guilt. He faced years/decades in prison, along with any fines/legal bills. Pleading out could be a rational choice even if he was innocent.
>And that in itself should indicate that there’s more to this story than just “shitposting” on Facebook.
This is circular reasoning. If the thing being discussed was whether prosecutors were overzealous in prosecuting such tweets, you can't use the fact that he was prosecuted in arguing that prosecutors weren't overzealous.
>The ironic thing is the biggest voices arguing that the UK is Orwellian don’t even realise that arrests have been happening in their own country for the same things and for much longer than in the UK.
I'm not sure why you're still trying to argue such acts are criminal, when a few comments ago I specifically agreed with the possibility that such acts are criminal.
>[...] I agree such a tweet might be illegal under US law (it plausibly meets the "imminent lawless action" standard) [...]
It's not that bad. I think demanding a backdoor from Apple is over the top / stupid. But I haven't heard mention of thought crimes yet (brit here).
I'm entirely against what the UK government wants, however I would say:
Although you're right that tech people would still be able to choose secure encrypted options, the fact is that the majority of criminals by pure numbers are not very sophisticated - so while this sort of backdoor obviously wouldn't be a guarantee that every criminal conversation could be snooped on, it would work on the 90-99% (I'd guess towards 99) who aren't both cautious enough to try to be secure and tech savvy enough to make the right choices.
(But it's still a terrible idea, both for the sake of general privacy principles, and for the risk that current or future governments or personnel will abuse the access, and for the risk that criminals outside government will be able to take advantage of the same backdoor.)
The idea that criminals are not sophisticated is a weak excuse for this system.
Once the government starts mining data from iPhones, criminals will quickly adapt while every law-abiding citizen gets caught in the crossfire. It opens the door for abuse: officials could easily spy on their partners, dig up dirt on rivals, or target those they dislike without breaking any laws. Meanwhile, cybercriminals will have an easy target since every phone comes with this built-in vulnerability.
This system is likely to snag small-time offenders, not the real masterminds behind organized crime. This isn’t a smart solution for crime. It just sacrifices our privacy for a few token arrests.
Criminals don't need to be all sophisticated anyway. They just need to know how to reach one of the sophisticated criminals and pay them to extract whatever they need.
Incidentally, as a non US and non UKer, my data with the major tech firms has no protection anyway. Welcome to the club, US citizens :)
Most GSW victims are killed by one or two bullets, not hundreds of them.
You don't need a "vast majority" of criminals to break down a system and exfiltrate data when just a single, possibly state-backed, criminal operation can break your system down and do the job.
SMS is already known to be insecure and easily snooped on with a warrant, and has been used by police around the world in many cases, yet a surprisingly high number of criminals still use it.
The majority of criminals have no idea that their iMessage encryption keys and iMessages are synced into the cloud and available to law enforcement with a warrant. No need to break device security, no need for back doors.
There are already replies with sound arguments against the ideology that 90% of criminals aren't that sophisticated.
Secondly, I will also point out that criminals in general watch what's happening to other criminals. If people start going to jail because their mobile communications are being targeted, others will catch on and stop using mobile tech altogether for criminal activities. People copy what works successfully, you don't need to be smart to do that. So yeah this argument is complete bullshit.
We should not normalize the idea that it's acceptable within a country's borders either.
It's a massive overreach to demand a backdoor to phones within the country. Don't allow the even bigger overreach to move the Overton window and make it seem like it should ever be acceptable.
I think it's reasonable here to differentiate between acceptable and legal. It's completely unacceptable, but the British people have proven time and time again they're more than happy to make horrifically unacceptable things completely legal in the pursuit of "safety."
As with the US, I would not equate "British lawmakers passed" with "British people are happy to". British people are not given direct referendum on this issue specifically, and all of the mainstream British parties currently support the Snooper's Charter.
It's easy to sell people that "we just need this one more bit of access to your private data, it helps us stops paedophiles and terrorists", but each step takes us further down a bad path.
I'm sure everybody would agree that having full camera surveillance inside every UK home is too far, but no oversight at all is also bad.
There is a point along that line where society would say "no, that's enough", but successive governments have realised that they can slowly push that point further right and nobody seems to notice, or care.
I'm not aware of British people rioting in the streets over living in a society with multiple cameras on every corner of every street, where police knock on your front door based on social media posts. They seem to accept it, even welcome it.
If the people were strongly against the Snooper's Charter there would be politicians willing to stand against it. The parties do not impose their will on the people, they do and say what they must to gain and keep power.
(Note: nothing in this message should be construed as support for the US thinking that non-US accounts or non-US income of US citizens should be any of their business.)
There's a large difference between backdooring end-to-end encryption and accessing financial records that are already by design available to the financial institution.
Why would the IRS need to access my records? Or need to impose non-US citizens to sign affidavits outside the US?
FYI I am not a "US Person", whatever that means, yet when I signed up with my bank account in an EU country I had to sign an affidavit claiming I am not a "US Person", although that designation has no meaning in the local laws.
(Note: this is an explanation, not an endorsement or any form of support.)
These requirements are in place in part because the US wants to tax the income of US citizens no matter where they are in the world. So, they make requirements like FATCA and make requirements on foreign banks that amount to "we won't do business with you unless you impose these requirements on all US citizens (which inherently also means asking everyone if they're a US citizen)".
These decryption requirements are being put in place in part because the UK wants to find potential criminals no matter where they operate from in the world. So, they make requirements like back doors and make requirements on companies that amount to "we will fine you a % of your global revenue unless you impose these requirements on all potential criminals (which inherently also means decrypting everyone's messages)".
A similar law passed in Australia a few years ago; various Australian law enforcement agencies can request or even demand companies to make changes to their code (read: introduce backdoors).
Until people and companies start treating Australian-made software as dangerous to the extent that it affects the economy, other countries will probably follow with similar laws.
That should include being hesitant to use American software as well. There's a good reason EU companies aren't allowed to store data on American servers.
Note that it's seemingly unclear whether it's OK for EU companies to store data even on EU servers of US parent companies. Although very little has actually been done about this and everyone, governments included, is still using Microsoft 365.
In principle as long as a state has legal hooks into a large enough part of the business it’s probably ok. Data centers are less tricky than phones because they don’t move.
I’m also not sure there’s so much practical difference between a company headquartered in the EU vs USA. The relevant thing would seem to be where operations happen, and what legal and practical hooks each side has into the company, including physical location of servers and the people who operate and write code for them.
It’s not just Australian-made hardware or software. You think Australia won’t try to assert this against a global company with a presence in Australia?
"TCNs are orders that require a company to build new capabilities that assist law enforcement agencies in accessing encrypted data. The Attorney-General must approve a TCN by confirming it is reasonable, proportionate, practical, and technically feasible."
It's a step above a warrant, as an order, when building a new capability. But yes, it's focused in on one case. As to "reasonable" - our current AG is a strong supporter of expanding government powers as a way to fix any new problem that appears. He's done some good. And some bad. It isn't hard to see him rubber-stamping these, if someone across the hall needs it done.
Also... If a TCN order comes through, you're not permitted to tell the business that you've been ordered to create a backdoor in them. And they can order random anyone in the company to comply - it doesn't have to go to the C-level.
The general public either don't know about growing mass surveillance and privacy invasions, or don't care. "Terrorism and child abuse = bad, and if this prevents it and I have nothing to hide then why would it be a problem for me?"
How do you know that? Similarly to the UK, the USA has a process to force companies to add back doors. For all we know it might be the USA wanting access and using its Five Eyes allies to get it done.
> Compelled speech, and compelled work, are both disallowed by the US constitution... Apple successfully used this argument several years ago when the FBI tried to demand that they break a phone for an investigation.
I'm not sure this is how the San Bernardino case actually panned out:
"Apple declined to create the software, and a hearing was scheduled for March 22. However, a day before the hearing was supposed to happen, the government obtained a delay, saying it had found a third party able to assist in unlocking the iPhone. On March 28, the government claimed that the FBI had unlocked the iPhone and withdrew its request."
The arguments were never actually tested in court, the whole thing was quietly put away once the FBI found another way to unlock the phone.
The expectation was that FBI would lose in court. But that was not guaranteed, certainly.
FBI had multiple reasons to abandon the effort, but one was that if legal precedent was established at that time, for that case, it would be harder to bypass in future cases.
I expected the FBI to win in court because the FBI had precedent on its side. The judge had asked Apple to provide reasonable technical assistance to access data on the phone, and modifying one line of code fits well within the judge's request.
Here's an example of when Apple got caught giving the US government all users' push notifications, and then quite openly said they had been bound by law to keep quiet about it.
Apple has a history of giving the US government whatever user data they want, lying about it, then when it leaks publicly they are able to say 'Well we couldn't tell you because it would have been breaking the law, sorry about that'.
Have an example, of when it leaked that Apple was secretly syphoning off all push notifications to the US government:
Fundamentally not the same thing. Notifications aren't encrypted. Apple has made no claim that they're secret from the govt.
Apple has very loudly and prominently and specifically stated that their encrypted data is encrypted and not even available to Apple. They list which portions of iCloud this applies to and not.
Huge difference between an omission and a large, positive lie.
The reason they have 'very loudly and prominently' proclaimed that they will never break encryption is to make the general public believe their data is safe with Apple. It's purely a marketing stunt. The push message syphoning to governments is only one of many ways they willingly hand over data to governments on request.
Well there is still a HUGE difference between some backroom dealing that blows up in government’s face in the most scandalous, generation defining way when it gets exposed, and a bunch of power-hungry troglodytes saying they want to play Orwellian villains in the open.
The US, through the Intel ME software, already got a backdoor in most laptops. Using PRISM, it also had one on most big SaaS, and now that it's over, it probably has a similar one we don't know about given Snowden's revelations about XKeyscore and how it works.
It's very likely they also have a backdoor in Apple phones with a gag order, given Apple was part of PRISM and we can't check their proprietary system.
We also know China has backdoors to any software or hardware product you want to sell there.
So it is a problem that the UK is asking for this for us, but from their perspective, they are just catching up with the current horrible state of things.
> very likely they also have a backdoor in Apple phone with a gag order, given Apple was part of PRISM
People keep repeating this as if PRISM was a voluntary, or even secretly cooperative, program.
PRISM was no such thing. PRISM was the US govt snarfing up whatever data they could (under questionable legal authority), but no one has ever alleged that the data they were snarfing was provided willingly or knowingly by Google, Apple, etc.
These companies are also victims of PRISM, not participants.
All have explicitly refuted claims of any backdoor into their systems. There is no evidence that they are lying, or being forced to lie.
> People keep repeating this as if PRISM was a voluntary, or even secretly cooperative, program. PRISM was no such thing.
Where's the evidence to say they had no idea about it and it was purely an external hacking effort?
> All have explicitly refuted claims of any backdoor into their systems. There is no evidence that they are lying, or being forced to lie.
Except all the previous times they have lied because the government asked them to. Like the time they willingly gave all users' push notifications to the US government and then lied and said they didn't, until it leaked and they admitted they did and then openly spoke about how the government had forced them to keep quiet about it.
PRISM collects stored internet communications based on demands made to internet companies such as Google LLC and Apple under Section 702 of the FISA Amendments Act of 2008 to turn over any data that match court-approved search terms.
Sorry, I should have been more explicit. Of course all US companies comply with US court orders.
The controversial new revelation re: PRISM, via Snowden, was that NSA was also snarfing everything they could including unencrypted comms over frame relay/etc networks comprising, e.g., Google's internal inter-site networks.
To which all mentioned companies said "we were not aware of this, we never authorized a backdoor for LE at any level, this is a breach of trust and probably not legal, and now we'll encrypt everything between our internal systems too".
If they can ask whatever they want (they had secret courts that could provide any legal request), they have a massive data acquisition apparatus, they had many backdoors they actively used, and big companies complied while being silenced by a gag order, assuming they have direct backdoors provided officially today that we don't know about, and that companies with proprietary systems we can't check can't talk about, is just common sense at this point.
Why would you give them the benefit of the doubt when the 2 last decades of track record have given you all the reason not to, and that the next step is the logical conclusion?
Lions kill gazelles. But not this specific gazelle because I like this one?
But anyway, the point is moot, they don't even need to for this particular debate. They already have a lot. The UK therefore not matching them exactly is just them using a slightly parallel road for the same result.
It's a terrible thing either way for us. But I get the logic for them.
Oh, I don't trust any of the actors. But I trust the encryption math.
If the argument is that the encryption is compromised by weak factors or key escrow etc, then that is a really interesting conversation, on which I'd like to hear more informed opinions.
But if all we can do is speculate, my trust remains in the mathematics.
Right. Who would be the first country the US might go to if it wanted to spy on its citizens from abroad? Perhaps one who already does this for them using other methods such as wire tapping?
No. Maybe it was their idea, maybe it was the US's. One thing's for sure though we wouldn't be pushing ahead with this without the tacit support of the US, particularly in the current environment.
Tenuous. The UK did not need US approval to make all of its existing privacy-violating laws. Nor did Australia, or parts of the EU.
Don't get me wrong. The only thing holding the US government back from growing all the more monstrous is a patchwork of sketchy laws that might have teeth.
But I don't see any reason to assume that the stupidity of Brits is the fault of Americans. This time.
FWIW, the US govt does not have a back door into the encrypted data held by US companies. A US company is not obligated to create a way to decrypt customer data to respond to a court order.
So this is different, and worse. Not everything stupid in the world can be blamed on the US, as it seems you're trying to do. Plenty can! But not everything. Some stupid is home grown. See also: Brexit.
I run multiple Discourse sites. You can spin that however you want. People have personal data on my sites for sure. Is that “tracking” in your book? What about in the EU’s book? Anyway, I’m not going to read the GDPR to find out whether that’s “illegal,” no matter what they say.
In other words, the EU mandates that I follow their law, even though they have no jurisdiction over me. I can follow it by refusing to track PII, or I can follow it by “blocking” Europe on the WWW. I can’t be bothered to figure out how to do either of those things, so I don’t bother. I just spin up an instance of Discourse and move on. Because their claim that I must follow their laws is just as bogus as the UK’s claim, even if I think the EU had admirable goals and the UK has terrible goals.
This always gets trotted out, usually by people who seem to have never run any web service before. IPs are apparently PII, and all default server configs log them. If you don’t, good luck complying with any security audits that will require you to keep them to make forensics possible.
This is just one of the things that makes GDPR, in practice, an “if we don’t like you, we’ll investigate you and will definitely find something” law.
I am a data controller for multiple companies, I have read the GDPR legislation cover to cover multiple times, I have been through multiple audits. You only need to care about it if you are storing personal data, end of. Downvote me if you like but that's the cold hard truth.
> IPs are apparently PII
It always pains me when people spout stuff about GDPR that they think they know but don't. Go talk to an auditor like I have many times, then you won't need to use words like 'apparently' and you will actually know what you are talking about.
> It always pains me when people spout stuff about GDPR that they think they know but don't.
Are you trying to suggest end user IPs are not PII? There is a judgement from the CJEU (Patrick Breyer v Bundesrepublik Deutschland, ECLI:EU:C:2016:779) regarding the older Data Protection Directive that an IP address is personal data if the service provider can give the IP address to a competent authority and that authority has a way to connect it to a user. As most (all?) EU countries mandate that ISPs keep logs that match IP address to subscriber and the competent authority can get this information, the IP address is almost always PII.
Or is your auditor suggesting that GDPR is less strict than the older directive regarding this case? From my reading the only real difference was that GDPR added a bit more precision on what reasonable actions are ("such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments"). At least to me the example given in the court case would be reasonable when taking those into account.
You can, of course, have legitimate interest to collect it (like many other forms of PII as well), even for cases where the data subject cannot object to it. It doesn't change the fact that it's almost certainly PII.
It’s your job, and you’ve put more time into this than I will ever put into it. True. You (hopefully) understand the law better than me and the commenter you replied to. But you certainly haven’t convinced me to read the GDPR legislation cover to cover multiple times to decide whether and how I can comply! The EU can’t tell me what to do with my Discourse website. I put it online. They can block it for their residents if they don’t like it. That is not my responsibility.
It isn't just the UK. This isn't the first time a nation decided that any company operating on its soil would have to comply with an order that reaches worldwide operations, and failure to do so would be fined on worldwide revenue.
This is a dramatic overreach of authority.