How much authority should democratic governments have to “snoop” on citizens’ online data and communications? The UK government has used new legal powers to demand that Apple create a “back door” enabling law enforcement bodies to access users’ encrypted data uploaded to the cloud. Apple has responded instead by withdrawing from Britain its most secure cloud storage service — which uses end-to-end encryption that Apple says means even it cannot access the data.
Britain is not alone. Sweden’s government wants encrypted messaging apps such as Signal and WhatsApp to open a similar back door. Signal is threatening to leave Sweden if this becomes law. The cases amount to the biggest confrontation yet between western governments’ understandable desire to police crimes such as terrorism and child sex abuse online, and the gold-standard encryption now widely used to protect user privacy in messaging apps and the cloud.
Both cases echo the battle when the FBI tried to compel Apple to help it break into an iPhone used by a terrorist in a California shooting in 2015. Apple said if it created an iPhone back door for the FBI, malicious actors might discover it and use it to crack other phones. A hacking firm eventually unlocked the phone for the FBI, ending the stand-off.
The British and Swedish demands are much wider. Using its Investigatory Powers Act — which critics have dubbed a “Snoopers’ Charter” — the UK Home Office has issued a notice requiring Apple to allow British law enforcement, armed with a court order, to tap encrypted back-ups and other cloud data, anywhere in the world.
But the underlying dilemma is the same. When millions of people are sending or storing online sensitive data on, say, their finances or health, data protection is paramount. End-to-end encryption, where only the user and not the service provider holds the key, is the best safeguard.
Most cyber security experts argue government bodies cannot be given access without creating a vulnerability that hackers, including authoritarian states, could abuse. Something like this has already happened. In an attack called “Salt Typhoon”, Chinese hackers last year exploited a US government-mandated back door in US telecoms networks to access call and text data and even phone calls of top politicians.
In the UK, some 239 civil society groups, companies and cyber security experts have called on the government to rescind its demand to Apple, saying it “jeopardises the security and privacy of millions”. Using similar arguments, bipartisan members of two US congressional oversight committees have asked Tulsi Gabbard, the new national intelligence director, to demand that the UK retracts its order — and to consider limiting US-UK intelligence sharing if it does not.
This is without doubt a thorny issue. No one wishes terrorists and child abusers to be able to evade detection. Some UK security officials have insisted privacy protections can coexist with “exceptional lawful access”, and argued that tech companies could find a clever workaround. Tech experts counter that no foolproof compromise yet exists.
But almost all big tech companies rightly co-operate with legitimate law enforcement requests that do not involve “back doors” on a routine basis; Apple’s latest UK transparency report shows it complied with 93 per cent of emergency requests. If a solution is developed enabling this to happen safely with end-to-end encryption, co-operation should extend into this area too. For now, though, governments should treat this kind of protection as a common good. Efforts to police the criminal minority should not undermine the safety and privacy of the law-abiding majority.