5mo ago

UK government demanding access to encrypted iCloud

www.bbc.co.uk /news/articles/c20g288yldko

UK government is trying to get into iCloud end-to-end encryption. (Again?)

Makes me think about email servers too. Most of my private information is in emails, and not only I use a service where the host machines access the email, so do almost everyone I email to/from.

50 comments

Set an iCloud recovery passcode. It removes the ability to recover your iCloud account by verifying that you’re the owner but it also removes the ability of Apple to be compelled to access it.
Op: read about pgp/gpg. Do it now. When you don’t understand something ask questions about it instead of giving up.
Email was never intended to be private. It was never designed with privacy in mind and your use of a client employing an encrypted connection to your mail server does not solve the problem because tens of thousands of mail servers use unencrypted connections.
No one needs your iCloud to read your email, they can just look at the plaintext mail coming to and from the server.
- People don’t want to hear this but an iPhone, with the right settings, is the most secure phone outside of a pixel running GrapheneOS. This is something that Daniel Micay himself would say often.
  
  And yet the other day I read an account of researching tracking for ads, and the iPhone used sent a request to Facebook even before anything was installed
  A bit of a different thing, but still.
  I'm thinking CalyxOS for my next phone.
  
  Secure? Idk, maybe. But definitely not private.
- Then what’s the point of services like Proton and Tuta over Gmail?
  
  Anonymity and not being google or one of the other big mail providers.
  Email is not an easily selfhostable service either. Modern spam filtering systems require the maintainer to jump through a bunch of hoops intended to defeat their anonymity and establish a recourse in case of problems.
  
  Smaller attack surface and fewer leaks. If you specifically are targeted, the government will look for a warrant for the data in your account, rather than the one you sent to. Gmail also I think there's a concern that text will leak via AI - I remember hearing this concern even when it was just that associations in search terms might build from private email content.
  I don't think gayhitler is entirely correct about reading all the plaintext emails. If I understand right, major (most?) email providers use TLS (encryption) between each other and and to your laptop. The difference is the email is available on their servers somewhere, if someone were to get access.
- https://www.latacora.com/blog/2019/07/16/the-pgp-problem/
  
  If the op has their information in emails and doesn’t want to move it somewhere else then pgp is a good way to at least secure those emails a little.
  I don’t think it’s a panacea, but as methods of encrypting email go it’s widely supported enough that a person whose private information is stored in email will be able to figure something out.
- Thanks for the well-meaning advice.
  The recovery password in iCloud to stop even Apple accessing it is exactly what the UK is trying to undermine. It protects you - for now.
  I tried to start using pgp for email years ago, the problem is of course adoption by everyone you're communicating with, be that personal, corporate or official. I got one friend to make a gpg key! And most email servers, as I understand, pass to each other with TLS, and the connection from your computer to your email service is encrypted. The problem is the emails at rest on both ends, including hosted by the email provider. Moving my email off Fastmail, whether to something like Protonmail or stored only on my computer, would remove one particular attack surface.
  
  Here’s hoping Apple sticks to their guns and pulls adp instead of caving.
  In case you didn’t see it a few weeks ago, 3.3 million servers are doing unencrypted transport.
  The way email delivery is handled also means you’re not safe just because you aren’t talking to those servers.
- Op: read about pgp/gpg. Do it now. When you don’t understand something ask questions about it instead of giving up.
  While that's usable for files, they cannot use it for the app backups and conta ts and such that the system creates on iCloud
  
  Disable iCloud backups, and do backup manually with iTunes plus the backup password set.
  
  Yeah people affected by this would have to turn on adp (iCloud recovery key) and be vigilant about how precisely Apple chooses to remove that feature assuming the uk government doesn’t back down.
  Worst case scenario you’d need to be doing local backups and have iCloud turned off.
  Metadata is a bigger worry at that point though.
Again?
- Forever.
- I couldn't remember if UK gov have been trying to get access into iCloud e2e before; I'm sure they've been getting to mandate access to other encryption previously.
  
  Did they tried to ban Signal to ?
- it's a never ending cat-and-mouse game
do we think the uk government is just full of morons? like i feel like being evil doesn't justify this... a back door for the UK would quickly turn into a back door for literally anyone
- It’s not just the government. Most of us are morons.
Only possible as iOS fails to include a libre software license text file. We do not control it, anti-libre software.
In 2026 good old steganographic messages, like in North Corea
- Whitespace steganography in markdown ;-)
  
  Also innocent cat photos, a piece of music or in a voice message, in all of these you can encrypt hidden messages.
For people recommending Tuta or Proton.
If only one party uses those services one would have to trust Tuta/Proton to not save a copy of an incoming unencrypted mail. If a government wants access, they have to obey or shut down. Asking the unencrypted email provider from the other party is the obvious other way to access your data.
Only open source E2E for both parties is is trustworthy
aaaaa you're not me!
- aaaaaare you sure!?

50 comments