Apple to backdoor encryption? Round 2

The UK demands that Apple backdoor its encryption, similar to what the FBI asked ten years ago. Will Apple stay strong?

UK vs Apple: In the ongoing crypto wars, Apple must stay strong and fight for people's right to privacy and encryption.

The UK government is once again pushing for mass surveillance by secretly demanding that Apple create a backdoor into its end-to-end encrypted cloud backups. This move, reported by The Washington Post, could have devastating consequences for digital privacy worldwide. The demand comes via a Technical Capability Notice under the controversial Investigatory Powers Act 2016, also known as the Snoopers’ Charter. If Apple complies, it would undermine encryption protections and privacy protections for all Apple users, not just those in the UK.


Five Eyes: Who gets the data first?

This is not the first time a government has tried to weaken encryption under the guise of national security. In fact, the Five Eyes alliance, consisting of the USA, the UK, Canada, Australia and New Zealand, is known for wanting to backdoor encryption.

In the ongoing crypto wars – which started the moment PGP became available to everyone in the early 90s – governments around the world have tried to force tech companies to build less secure communication services so that law enforcement authorities can turn the companies into their little (or big) helpers when it comes to prosecuting criminals. The problem with this is that once a communication method is less secure, it is less secure for everyone – not just for criminals. Regardless, the Five Eyes take turns trying to force companies to undermine end-to-end encryption. It looks like whoever gets hold of the data first will help the other countries to achieve the same.

Comic showing Apple CEO Tim Cook unlocking the iPhone while the FBI, hackers, repressive regimes and more stand in line to get access to the decrypted data. In an updated version of this comic, the UK should stand in between Apple and the FBI.

Public outcry stopped blanket surveillance

Even the EU has tried to introduce client-side scanning multiple times, but so far has not pushed through with it, namely because of opposition, including from Germany, which famously said “There is no prosecution at any cost” and that the EU must not introduce client-side scanning.

In relation to Apple, the USA also tried to force Apple to undermine its encryption in 2015/2016. Back then, Apple refused to introduce client-side scanning because of the public outcry.

We have to keep in mind that once encryption is undermined, blanket surveillance – the monitoring of every citizen – becomes possible. Any backdoor for law enforcement would inevitably become a backdoor for malicious actors and authoritarian regimes.

Can the UK decide about your security?

When Apple was first presented with the news that the UK is planning to request backdoor access, Apple said, according to the Washington Post:

“There is no reason why the U.K. [government] should have the authority to decide for citizens of the world whether they can avail themselves of the proven security benefits that flow from end-to-end encryption.”

But does the UK have the power?

An unknown source has told the Washington Post that the UK government is demanding that Apple provide UK law enforcement with access to encrypted cloud backups of users worldwide – no matter if they are UK citizens or not. This has been done via a technical capability notice served under the U.K. Investigatory Powers Act of 2016, also known as the Snoopers’ Charter - the most extreme surveillance law in a democracy. This legal mechanism forces companies to assist law enforcement by providing access to encrypted communications, and also makes it illegal for them to disclose such demands to the public.

The UK’s order goes beyond targeting specific accounts. It requires a blanket capability: Apple would have to change its code in such a way that it is no longer only the user who can decrypt their data, but that Apple has the power to decrypt all user data and forward it to the authorities upon request, setting a dangerous precedent for global digital privacy.

The power the UK has seems limitless. The WaPo reports that

“One of the people briefed on the situation, a consultant advising the United States on encryption matters, said Apple would be barred from warning its users that its most advanced encryption no longer provided full security. The person deemed it shocking that the U.K. government was demanding Apple’s help to spy on non-British users without their governments’ knowledge.”

This is even more problematic as Apple’s code is proprietary and not published as open source. This means that a change in how the encryption is done on Apple’s clients might go unnoticed by the public for a very long time.

Precedent for mass surveillance

If Apple gives in to this demand, it will set a dangerous precedent for tech companies worldwide. The UK may be the first to issue such a sweeping order, but it certainly won’t be the last. Once a backdoor exists, other governments will line up to demand the same access. China, Russia, and other regimes with questionable human rights records will undoubtedly follow suit.

Moreover, within the so-called “Five Eyes” intelligence alliance, there is a long history of information-sharing agreements. If the UK successfully compels Apple to introduce a backdoor, it’s highly likely that the other members of this alliance will demand the same monitoring capabilities. As it stands, the UK’s demands are a broad push by intelligence agencies to erode digital privacy everywhere.

Facing opposition

The moment the news about the UK’s demand to backdoor Apple’s encryption broke, the opposition started to sound the alarm, even in the USA. Sen. Ron Wyden (Oregon), a Democrat on the Senate Intelligence Committee, said to the Washington Post:

“Trump and American tech companies letting foreign governments secretly spy on Americans would be unconscionable and an unmitigated disaster for Americans’ privacy and our national security.”

His concerns are justified, given that Five Eyes countries have frequently cooperated on surveillance programs, as seen in the revelations from Edward Snowden. A backdoor mandated by the UK won’t be limited to British authorities - it will soon be exploited by intelligence services across allied nations.

Meredith Whittaker from Signal, one of the best WhatsApp alternatives, said to WaPo:

“Using Technical Capability Notices to weaken encryption around the globe is a shocking move that will position the UK as a tech pariah, rather than a tech leader. If implemented, the directive will create a dangerous cybersecurity vulnerability in the nervous system of our global economy.”

Matthias Pfau, CEO of Tuta Mail, adds:

“We have seen demands to encrypted data again and again. We have also seen these demands defeated again and again. Together with the privacy-community we unite and stand up for our right to privacy. Governments must not force tech companies to weaken the security we all depend on – particularly now that cyberthreats are increasing continuously. We fight for our users’ right to privacy with end-to-end encryption, and we will continue to do so, no matter what governments might ask.”

Interestingly, the US agency CISA has just issued its loudest endorsement in favor of encryption because of the Chinese hack of American telco providers that allows China to monitor unencrypted calls and messages of many US citizens, including politicians. This attack on the USA shows why end-to-end encryption is needed more than ever in today’s online world.

Only end-to-end encryption can protect us from data theft and malicious attacks.

Interesting timing of the UK move

The timing of the UK’s demand is also worth analyzing in the context of broader geopolitical developments. It is noteworthy that Apple tried to introduce the end-to-end encryption function for its cloud storage already during the first term of President Donald Trump – but backed off because of complaints that the company would not help law enforcement agencies with prosecuting criminals such as murderers or drug dealers. The optional cloud encryption was then introduced by Apple in 2022 – and is now coming under pressure again, shortly after Trump has become President of the USA again.

Could this be a coordinated effort between the UK and the U.S. administration? It’s possible that the USA is tacitly supporting this move, using the UK as a testing ground to see whether tech giants will comply with sweeping surveillance orders. Given that U.S. intelligence agencies, particularly the FBI, have long sought backdoor access to encrypted communications, it wouldn’t be surprising if Washington were quietly encouraging this step behind the scenes. Officials from the Trump administration declined to comment when asked by the Washington Post.

Crypto wars continue – but privacy must win

This is just the latest battle in the ongoing crypto wars, the decades-long struggle between governments and privacy advocates over the future of encryption. Since the 1990s, law enforcement agencies have been pushing for backdoors in encrypted communications, using terrorism and child exploitation as justifications. However, time and again, security experts have demonstrated that weakening encryption for one purpose weakens it for all purposes. A vulnerability created for government use will inevitably be exploited by bad actors, including cybercriminals and hostile foreign regimes.

At Tuta, we’ve consistently warned about these dangers. Our previous discussions on government surveillance, such as how governments exploit surveillance laws and why encryption matters, show just how critical strong encryption is to protect sensitive data of citizens and businesses. If we allow one government to force a backdoor into secure communications, it will only be a matter of time before others follow suit.

Fight for encryption is far from over

Apple has a choice to make. It can fight this demand, as it did when the FBI tried to force it to weaken iPhone security in 2016. Or it can comply, setting a precedent that no encrypted service is truly safe. Apple could also stop offering encrypted cloud backups to users based in the UK – but this would not satisfy the request put to Apple, since the UK officials specifically asked for data from potentially all users, no matter if they live in the United Kingdom or not. If Apple caves, Google, Meta, and others will be next in line.

The privacy of billions of users is at stake.

The fight for encryption is far from over. Governments will continue to push for more surveillance powers, but the public must push back. Privacy is a fundamental human right, and encryption is the strongest tool we have to protect it. Encryption is essential when we want to protect our right to privacy and our right to free speech.

At Tuta, we continue to fight for your right to privacy with encryption.
