by cmurf 3831 days ago
It requires the OS/product vendor to enable key escrow though. Apple used to have a mechanism for this. Microsoft has a mechanism for this. And presumably all of them will escrow encryption keys for any products they sell in China.

GCHQ wants this too. So if tech companies comply with China's law, why wouldn't they comply with the U.K.'s? And if they comply with the U.K. law, why couldn't there be one in the U.S.?


Do you have a cite for that? If Apple has to turn on / enable key escrow that's a very huge freaking deal.
I think the point is that Apple no longer has "backdoor" keys for encryption any longer so that they have no keys to give the government when they come knocking. I'm basing this conclusion off a quote from the article: "While the government insists that there will be no requirement for companies to install backdoor", as well as an interview with Tim Cook off 60 Minutes where he stated they won't be going the backdoor route anymore. I believe there are more quotes available from him if you google "apple encryption backdoor".
Apple can certainly read iMessage conversations and provide that data to governments. They don't have the private keys, but they run the directory server that distributes the public keys used to encrypt to. So they can very easily provide you with the wrong public key for your recipient, decrypt that data and store/forward, and then re-encrypt on their end with the correct key and forward to the actual recipient.

"Secure" communications systems that rely on a trusted central third party to vouch for keys are no more secure than allowing that same third-party to implement key escrow.
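The substitution attack described in the comment above, as an added illustration that is not part of the original thread and is not Apple's or iMessage's actual code. It models a key directory that hands out recipients' public keys and relays ciphertext; with `intercept=True` the directory returns its own key, decrypts what the sender encrypted, and re-encrypts to the recipient's real key, so the recipient decrypts successfully and notices nothing. It then shows the one defence a client has against its own directory: comparing the returned key against a fingerprint learned out of band. The public-key scheme is a toy ElGamal over a Mersenne prime chosen only so the example runs offline with the standard library; the group, the key sizes, the user name `bob` and the message are all assumptions for the demonstration and the scheme is not safe for real use.

```python
import hashlib
import secrets

# Toy ElGamal parameters (assumption for the demo, NOT a secure construction):
# a 127-bit Mersenne prime and a small base. Messages must fit in 15 bytes.
P = 2**127 - 1
G = 3


def keygen():
    """Return (private, public) where public = G^private mod P."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def encrypt(pub, msg: bytes):
    """ElGamal-encrypt a short message to a public key; returns (c1, c2)."""
    m = int.from_bytes(msg, "big")
    if not 0 < m < P:
        raise ValueError("message does not fit the toy group")
    k = secrets.randbelow(P - 2) + 1
    return pow(G, k, P), (m * pow(pub, k, P)) % P


def decrypt(priv, ct):
    """Recover the message: m = c2 * c1^(-priv) mod P (inverse via Fermat)."""
    c1, c2 = ct
    m = (c2 * pow(c1, P - 1 - priv, P)) % P
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def fingerprint(pub):
    """Short hash of a public key, the kind of value users compare out of band."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:16]


class KeyDirectory:
    """The central party that vouches for keys and relays messages.

    With intercept=True it behaves as the comment describes: it hands the
    sender its own public key, decrypts the ciphertext, keeps a copy, and
    re-encrypts to the recipient's genuine key before forwarding.
    """

    def __init__(self, intercept=False):
        self.registry = {}
        self.intercept = intercept
        self.mitm_priv, self.mitm_pub = keygen()
        self.captured = []

    def register(self, user, pub):
        self.registry[user] = pub

    def lookup(self, user):
        return self.mitm_pub if self.intercept else self.registry[user]

    def relay(self, recipient, ct):
        if self.intercept:
            plaintext = decrypt(self.mitm_priv, ct)
            self.captured.append(plaintext)
            ct = encrypt(self.registry[recipient], plaintext)
        return ct


def run_scenario(intercept):
    """Alice sends to Bob via the directory; returns (what Bob reads, what the directory kept)."""
    directory = KeyDirectory(intercept)
    bob_priv, bob_pub = keygen()
    directory.register("bob", bob_pub)
    ct = encrypt(directory.lookup("bob"), b"meet at 9")      # Alice trusts the lookup
    bob_reads = decrypt(bob_priv, directory.relay("bob", ct))
    return bob_reads, list(directory.captured)


def pinning_detects_substitution(intercept):
    """Same flow, but Alice checks the served key against a fingerprint pinned out of band."""
    directory = KeyDirectory(intercept)
    _, bob_pub = keygen()
    directory.register("bob", bob_pub)
    pinned = fingerprint(bob_pub)                             # e.g. compared in person
    return fingerprint(directory.lookup("bob")) != pinned


if __name__ == "__main__":
    print("honest directory:", run_scenario(False))
    print("intercepting directory:", run_scenario(True))
    print("pinning flags interception:", pinning_detects_substitution(True))
```

In both runs Bob reads the same plaintext and holds the only copy of his private key, which is exactly why "we don't have the keys" says nothing about whether the operator can read traffic: the trust has moved from the key to the directory. Only a check that does not depend on the directory, such as the pinned fingerprint above, turns the substitution into a detectable event.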

You want a cite for what? China now has a law requiring encryption keys on demand. What does that mean, what does it refer to? It could refer to the symmetric key (DEK) for disk encryption, and if so Microsoft already escrows that and Apple used to offer to do it. Does it refer to either the private key from these companies used for establishing TLS connections to their services? Or the private key generated on device for services using end to end encryption? I'd say the device private key is a huge freaking deal but still plausible they'd want that and get it upon request, more plausible than Apple, Google, whoever, saying no to China. The company's private key? I'd say no way they'd do that, they'd sooner use a cert issued by China for this purpose.
Google has been known to say no to China before. Going so far as to pull most of their operations out. Whether they will say no now remains to be seen. I'd wait to see what happens before assuming what is plausible here.
Well if I wait to see what happens, it's no longer necessary to assume, is it? These are for profit companies, and in theory they're amoral. So any sense of morality of giving up user keys on demand is very plausibly demoted in comparison to profits.

If profits from the rest of the world would increase for any company saying no to China, then companies might do so. But if it'll obviously cost them more, then they'll roll over.

Credit Suisse this year determined China has a bigger middle class than America, and it's growing faster. So I think Apple, Google, etc will roll over. If China actually thought these tech companies would say no, they wouldn't have actually enacted this law, they'd have continued to have conversations. The conversation is basically over.

It's silly to disregard a company's previous actions when determining what they might do. In theory Google may be amoral but in reality they have shown themselves to act morally in certain situations. Disregarding that historical data means your assumptions are poor.