Speaking as the person who pops up to defend the Online Safety Act (which regulates social media), I think the Investigatory Powers Act (which allows for this spat with Apple) is a terrible piece of legislation.
The Online Safety Act is about internet systems that are akin to traditional publishing, and so it holds the operators of those systems to the same standards to which we hold traditional publishers, but the Investigatory Powers Act relates to individuals' private use of computer systems. It represents a serious breach of individuals' privacy, which is a foundation stone in the culture of a country as densely populated as the United Kingdom. The extraterritorial aspect of the legislation is not only uncouth in the twenty-first century, but presently unenforcible given the United Kingdom's diminished Armed Forces. Finally, choosing to pick this fight now was a poor choice given the current state of international politics.
> The Online Safety Act is about internet systems that are akin to traditional publishing
I won't consider myself an expert on this, but from what I've read, that's just not true. Perhaps that's the intent, but the vague wording makes it possible that all sorts of websites could be subject to it, even, for example, a small forum run by a hobbyist that has a few hundred members.
Even if the intent behind the Act is good (debatable!), the implementation of it seems designed to scare everyone and allow for selective enforcement, while people get pushed to the big social media platforms as smaller niche communities feel pressured to shut down.
> Speaking as the person who pops up to defend the Online Safety Act
Do you defend the aims of the Act, the Act itself, or both?
I'm having to figure out compliance for a volunteer run, donation funded forum, and I think the Act itself could (and should) have been better written. I don't think Ofcom can handle it better than they are, because until it's tested in court they haven't the ability to say what the vague and undefined terms mean.
The Online Safety Act is vague because its purpose is not to create a regulatory system, but instead to empower Ofcom to create a regulatory system that can effectively regulate a wide range of business models and online services, including those that do not exist and are currently inconceivable.
If you're looking for advice on how to comply with the act, the go-to person is Heather Burns[0].
> The Online Safety Act is vague because its purpose is not to create a regulatory system, but instead to empower Ofcom to create a regulatory system that can effectively regulate a wide range of business models and online services, including those that do not exist and are currently inconceivable.
And that awful purpose is something you see fit to defend?
> it holds the operators of those systems to the same standards to which we hold traditional publishers
This is not really true though, is it? Involving OFCOM holds the internet to broadcaster standards, which is very different from print standards. We ditched print censorship and "think of the children" in the Lady Chatterly case, long ago.
> I think the Investigatory Powers Act (which allows for this spat with Apple) is a terrible piece of legislation.
It is. Long ago I was briefly involved with the UK Campaign for Digital Rights campaigning against it. Nowadays that work is being done by the Open Rights Group (UK HN readers check it out!)
The deeper problem is the UK security services got stuck in counterinsurgency mode during the Troubles, and then the War on Terror, and that infects everything with paranoia. There's no way to tell these people "you are fighting yesterday's threats".
"Upon initial review of the U.S. and U.K. bilateral CLOUD Act Agreement, the United Kingdom may not issue demands for data of U.S. citizens, nationals, or lawful permanent residents ("U.S. persons"),..."
OK, I can see that, though even then I could imagine this sometimes being the case.
"...nor is it authorized to demand the data of persons located inside the United States."
Really, even if in the case of individual UK citizens, under all circumstances ?
Demand isn’t the same thing as request. As long as the US is willing to rubber stamp most requests it’s not nearly as limiting in practice as it might seem in theory.
What they've reportedly demanded is that systems be changed, so that later a demand for data may be be effective. As to if any hypothetical later demand for later would contravene the agreement would seem to simply be speculation for the moment.
Surely the UK could just be careful not make a contravening demand at that time? Which would then make this whole "review" a case of PR on the part of the US politician.
Now it is quite bad that the UK has apparently triggered this bit of the snoopers charter, but it would seem to be othogonal to that agreement.*
* Unless someone bothers to review the agreement, and finds that such meta-demand are covered.
I'm thinking in this case there is probably a legal difference between "may not" and "is not authorized", so I would expect the interpretation would be you can request data on a UK citizen in the US but not demand - so up to whoever you request it from.
For any U.S Person you may not say anything about it at all. I mean that is totally reasonable, if they want that data it's basically a diplomatic matter not a demand you issue.
Under no circumstances will UK be authorized to spy on a US citizen; the UK may possibly get authoritarian to spy on a UK citizen in the US, but can't do it merely because it's someone they're interested in or even a UK citizen visiting.
What happens to foreign citizens traveling to UK with encrypted devices? If I have advanced data protection on my iPhone, it surely won't be disabled automatically when I cross the border. How do they handle this case legally?
Yes see the case of the french journalist held under the terrorism act at the request of the french government. Whether you do or don't is up to you and your willingness to spend years in prison.
I think you will agree that not many people will choose this path, doing jail time while waiting for a settlement. At least I definitely wouldn't. So then, what is the point of this strong encryption, when the only time it would matter you can and will be forced to skip it? The xkcd $5 wrench will always look stronger, be it wielded by a criminal or by a government. Encryption is only as good as real life allows, so in this situation if you want stronger encryption against the government, you must have a law permitting that. As for protection from the criminals, good luck.
They detained him for 24 hours instead of allowed 6. Not a big deal. I have no details on what happened next, but to be able to sue he must have been cleared by court. So the remaining question will be if police abuse is systemic or exceptional in the UK?
It is a nation state, even the UK Office for National Statistics describes it as such.
Scotland, Wales and Northern Ireland retain the term country or nation for historical identity reasons, not contemporary practical or relevant reasons.
witholding your password or encryption keys has been illegal since 2000 in the uk under section 49 of the Regulation of Investigatory Powers Act 2000 , and by section 53 refusal can lead to 2 to 5 years in prison.
Is it illegal in response to police request (i.e. immediately, no justification needed) or in response to the request of the court (where due process was followed)?
It has to be in writing, and given a time-frame, but the police are authorised to write such a note, as is the border force, the NCA and I think HMRC as well technically.
There are cases of people being prosecuted under it [1], [2], [3]
In those cases people were subjects of investigation and there was a really good reason to demand the keys. It isn’t abuse of power by law enforcement and it’s very far from random border checks or stops where law enforcement was looking for something incriminating rather than conducting an investigation. And of course it is not the same as making encryption illegal (which would allow mass surveillance).
the first case was literally a border check at an airport, and in which no evidence was ever shown of him committing a crime other than this one. The others yes. The point is no court was required to compell him, no warrant was needed. The point is that the law allows for abuse of power by law enforcement not that it is currently being abused, do not move the goal-posts.
Also if encryption itself is not illegal, but it is illegal to not decrypt something when asked, then encryption is effectively illegal, since you only need to convince a part of the state that you have suspicion to get it decrypted for you, a task which is really not that difficult in the modern day.
I looked deeper into the first case and it doesn’t look like a random border check. He was a political activist who got in touch with a member of terrorist organization, if I understand it correctly. There was a massive media campaign to present this case in a certain way, but at least two courts confirmed the legality of the demand to unlock the devices.
The abuse of power means they could detain him indefinitely etc (as it happens in countries where abuse of power is common). But in this case he had the right to defend himself in the court and he used it.
This is very far from the situation where encryption is illegal, all communications are transparent to the state and it can search for incriminating data without asking.
I guess what OP meant is, the court can compel you to do so - and yes, already. Basically the court can compel you to provide any information it needs in the course of legal proceedings, and until you do, fine and/or imprison you indefinitely.
But, you know, there must be legal proceedings, the court must be satisfied that the information is necessary, etc. The guy at the border can't do that, on their own initiative. But of course, they can just not let you in.
Well, if a court has to decide that, this is good enough for the balance between privacy and the interests of society. If they don't let me in based on my refusal but I'm free to return where I came from, it is also fine.
witholding your password or encryption keys has been illegal since 2000 in the uk under section 49 of the Regulation of Investigatory Powers Act 2000 , and by section 53 refusal can lead to 2 to 5 years in prison.
Not at all. It means that the UK police can compel you to turn over your decryption keys if it is deemed necessary and proportionate to prevent or investigate a crime.
Same as people travelling to the US with encrypted devices: the border police have full discretion to ask you to do anything, and ban you from the country if you don't comply.
As far as I understand, the UK gave Apple an order that has effective worldwide extent to insert a backdoor. Clearly you can't have a backdoor that only works for people in a certain location, since people are not fixed in one place.
Apple chose to partially comply with the order, by disabling ADP for UK users, instead of inserting a backdoor.
Apple is making the distinction here between UK and non-UK, so they can define a "UK user" however they want. A foreign citizen travelling in the UK almost certainly won't be affected.
In other words, they aren't handling this case legally, or at least that is a matter that may be resolved in court if the UK is unsatisfied with Apple's method of compliance. Apple would seek to challenge the UK's jurisdiction in that case.
I'm certainly sure that US is spying on everyone it wants. This is ridiculously hypocritical and I wouldn't be surprised if this was motivated by some politics.
UK is trying to force Apple grant access to any and all persons worldwide not just their own citizens. Practically strong arming an American company to spy on the entire world for them. Why would any other sovereign country allow their own citizens’ privacy to be violated in their own country for UK?
The US is spying on everyone it wants, but is compelled by its own laws to allow strong encryption to exist and be used.
That the country is STILL able to spy is the result of huge amounts of spending and insecure applications. It's pretty well known that most US law enforcement cannot get into a locked iPhone, for example.
If I were Gabbard, I would go further and be more concerned that a UK company forced a US company to downgrade its privacy to suit its politics on privacy, which clearly confict with US ideals of privacy and free speech.
That's nonsensical. Every company has to abide by the laws in the country it is doing business in. It is a costly and complex issue that all international companies need to engage in. To not do so is to not do business.
UK requested access to any and all persons worldwide not just people under UK jurisdiction either by citizenship or physical location.
Why would France, Germany, or any other country should allow their citizens in their sovereign country to be treated like that? And what’s next? “If you want to do business in country X then give us all the user data for country Y?
I don't really see the problem with this specific bit? You want big international companies to follow the local laws of the countries they operate in, or to move out if that doesn't work for them, that's a good thing.
For the most part, yes it does. And really, it's only fair that it does, even if I think laws like these in the UK are complete garbage.
But sure, countries can sign trade treaties that give each other mutually-beneficial things. Some of those things could be what is and isn't allowed to require companies to do in order to operate within the other country's borders.
But in absence of something like that... that's just life. I guess the US could act like a baby and slap tariffs on goods from the UK, but I'm not sure what the upside would be for the US here.
The US government allowing a US company to operate in the US market, while the company enables a foreign country to access all US citizen's data. That's where the government is supposed to step in.
No, that is not the intention. If that were the case US diplomats would have intervened before now. Or maybe they were engaged in writing up what they did last week.
The Online Safety Act is about internet systems that are akin to traditional publishing, and so it holds the operators of those systems to the same standards to which we hold traditional publishers, but the Investigatory Powers Act relates to individuals' private use of computer systems. It represents a serious breach of individuals' privacy, which is a foundation stone in the culture of a country as densely populated as the United Kingdom. The extraterritorial aspect of the legislation is not only uncouth in the twenty-first century, but presently unenforcible given the United Kingdom's diminished Armed Forces. Finally, choosing to pick this fight now was a poor choice given the current state of international politics.