by dxf 1289 days ago
>Why would governments push back, when this hole which has already been used will _always_ be available?

I'm not aware of a time when Apple pushed a software update (silently or otherwise) to defeat security for a user (or users). Can you provide a reference?


The entire precondition for being able to do that is that you're not aware of it. Ever.
The parent comment said “hole which has already been used”, that’s a claim that Apple has actually done it, not only a speculation that they could. They are being asked to back up that claim.
With Apple's current lack of encryption on iCloud backups, we are very aware of government access because those files end up as evidence in court cases after being obtained by police and prosecutors.

If government were to compromise end to end encryption in the manner described above, it would either be visible when used to prosecute people, or invisible because it would never be used to prosecute people (but presumably for intelligence purposes). Even if it were used for intelligence purposes through the method above, which I don't think is at all established, it would still be a significant improvement over having data in a form that is actively used to prosecute people.

> Even if it were used for intelligence purposes through the method above, which I don't think is at all established,

The Snowden revelations were precisely about information gathering for intelligence purposes. The vast majority of intel gathering is not for prosecutionary purposes.

I didn’t say it’s good that intelligence agencies hypothetically could spy on this data by having Apple push malicious software.

What is absolutely good is that they have e2ee now, and the only way they could even hypothetically open a back door would be one that was completely secret, for the government, which definitionally closes off a whole class of government use of the data, for example in domestic prosecutions of citizens.

This may not be perfect (it’s not open source etc.) but it’s a vast improvement over non-encrypted data that was openly, routinely given to the government.

I think we are talking at cross purposes. I agree with your evaluation that this is an improvement over current state. I did not cite whether you think it is good or bad that intelligence agents could spy on this data. I was referring to the fact that most secret surveillance is expressly for the purposes of intelligence rather than prosecution. Surveillance methods that are secretive are, by their very nature of being secretive, typically not used for prosecutionary evidence gathering due to the fact that such use would reduce the method's secrecy. Until Apple can provide some verifiable proof that my keys cannot be handed off to governmental parties wishing to decrypt my data, I will not feel comfortable using their cloud service for my personal data (not that my family vacation photos and pictures of our dog will be that interesting to anyone).
"You can't prove that they don't already do X, because X is by definition a secret action" is a pretty useless epistemology though. Every electronic device you've ever used could secretly have a cellular modem that can secretly download over-the-air firmware updates that alter its behavior to be maximally evil. You by definition can't prove that your coffee machine doesn't secretly have the ability to change its behavior to start connecting to the internet and DDOSing charities or something.
The thing that people always miss is that the damn SIM card is running its own little processor already. If the government really wants to read your shit they can probably just do some behind-the-scenes work with your mobile ISP and find a way to access your phone's screen output or microphone data or something.
The baseband module has a processor too, and you don't have access to it per FCC regulation.
iPhone 14 doesn't even have a SIM card anymore, it's strictly eSIM (and previous models could optionally use eSIM).
If I really wanted a physical SIM and imported a European SKU which does have it (only North American variant is eSIM-only), would I expect seamless support in the US? E.g. would AppleCare just work?
eSIM isn't any different here, it still runs the same applets. What makes it secure is the IOMMU preventing it from accessing main memory.
So there's no level of security that will ever be enough for anyone. The number of people who know the source for the current version of every piece of software, firmware, and hardware they use almost certainly approaches 0.

I don't know what people expect. These moves are good things and everyone is whatabouting situations that there is 0 evidence has ever happened or would ever happen. It's unfalsifiable, impractical, and honestly just annoying.

When they migrated Chinese iCloud data to domestic servers.
Why is data residency law cool and progressive when the EU does it and Big Tech complies, but Bad and Dystopian when China does the same? Tim Cook has said on the record that iCloud is the same regardless of data center.
Because the reasons for data sovereignty as legislated by the EU and countries within it, and China, are drastically different. Which one is the authoritarian regime which jails dissidents and which one has regulations giving consumers rights over their data? I'm fairly certain the motives for data sovereignty are wildly different.
I’m not sure if you’re aware, but there are anti-encryption legislative proposals in the EU which are as ill-informed and scary as anything I’ve heard of in Mainland China. It’s very unclear to me if motives matter in this case.
China has a reputation for hunting down religious minorities and political dissidents, Europe is known for a more moderate take on those matters. I think there's cause for concern when China demands domestic ownership of iCloud info.
You mean like the French banning burkinis worn by religious minorities?

https://www.cnn.com/2022/06/21/europe/grenoble-france-burkin...

> Europe is known for a more moderate take on those matters.

Very recently in history. China is bad now, European nations have been bad in the past… but who knows what the future holds.

Once data is released (keys, databases, plaintext messages, it doesn’t matter) it can’t be made private later.

The technical proposals are equally odious, and Europe is, what, 30 years removed from all sorts of authoritarian hijinks?

In any case, selective support for technical proposals based on broader political vibes is not a particularly inspiring stance.

You mean the same one that wants to lessen encryption so they can spy on you?

https://www.secureworld.io/industry-news/new-eu-push-for-enc...

You're saying there was a silent update pushed to Chinese iPhones? Can you provide more details or a source on that?
It certainly wasn't silent, but that wasn't a condition for the parent's question. It was a well-documented (and much derided) decision though: https://mashable.com/article/china-government-apple-icloud-d...
Seeing as context is conspicuously missing, all cloud services offered by foreign businesses in China are required to be hosted and controlled by state-owned providers. For instance, China has a separate Microsoft 365/Azure region hosted and controlled by 21Vianet. Apple still controls the encryption keys and there is no evidence that they have handed them over to the CCP, but it is largely assumed. Federighi has said that Apple will offer E2EE in China.
You want them to break Chinese laws? Don't think they have popular support for that.
US can always pass a bill or have one that enables them to covertly force Apple to comply, otherwise Tim goes to jail. Easy.
You make this sound easy but look at how that worked for NSLs. They got a ton of pushback for that and there’s no way to keep that a secret for very long – especially since things either end up in court or involve foreign governments who won’t share the desire to keep things secret.
What do you mean, “can pass a bill?”

On some level the US could also pass a law that says every iPhone user will be summarily executed. That’s how sovereignty works. Is it a realistic concern? Probably not.

Last time they tried that Apple caused a lot of hoopla and made the case go away. Not easy.
Are you referring to the Pensacola encryption bypass demand or PRISM?
In the US, this is not easy.
It doesn't matter. You are missing the entire point about E2EE.
That's not the point. The point is that Apple hasn't closed the government out of Apple users' phones. The point of E2EE is to remove the power of the middleman to read the data but that middleman also has complete control over the device and the software running on it with remote root access.

Apple's ecosystem is, by default, design and necessity, insecure to Apple. Keys stored on an Apple device are insecure.

One can easily make a similar argument for Android/Google; however, a security-conscious user could still take control over their device and install a more secure OS.