UK silence over Apple ‘back door’ is unsustainable and unjustifiable, say experts
The British government’s refusal to either confirm or deny any details about a legal notice targeting Apple’s cryptographic protections for iCloud accounts risks undermining domestic and international confidence in Westminster, experts have warned.
While the existence of the notice has not been avowed by either British officials or Apple, U.S. Director of National Intelligence Tulsi Gabbard has ordered a legal review of the secret directive and said she had a “grave concern” about its implications.
Since the initial report about the notice, Westminster has repeatedly stated that it does “not comment on operational matters, including for example confirming or denying the existence of any such notices.”
Addressing Parliament earlier this week, Security Minister Dan Jarvis again declined to respond after the issue was raised by an MP, and said that not doing so was “a long-standing position held by successive Governments for obvious reasons of national security.”
But those “obvious reasons” have been challenged by comments from both within the U.K. intelligence community and from academic experts.
At the Munich Cyber Security Conference earlier this month, Sir Jeremy Fleming, the former director of GCHQ, argued in favor of more transparency from the government for the sake of what he called the security and intelligence agencies’ “license to operate.”
“It’s not good enough to have a debate every decade about this sort of stuff, because the way in which the agencies operate is changing. So I firmly believe that this conversation ought to be one that we have in much more depth, much more frequently,” he said.
The comments echo an essay on the topic published by GCHQ officials in Lawfare back in 2018, when they argued that "transparency is essential" and criticized some of the assumptions about the importance of secrecy.
They argued that despite governments generally attempting to “protect the sensitive details of their investigative capabilities so that criminals can’t easily use that information to try to evade detection,” the reasoning for that didn’t hold up in the modern age of commodity platforms.
“End-to-end encrypted services and modern devices are subject to intense research by the security community in a way that traditional communication systems aren’t,” they wrote.
“So the details of any exceptional access solution may well become public and subject to expert scrutiny, which it should not fail. Given the unique and ubiquitous nature of these services and devices, we would not expect criminals to simply move if it becomes known that an exceptional access solution exists.”
Speaking to Recorded Future News, two of Britain’s leading cybersecurity academics — who are set to deliver evidence on Monday before Parliament’s Joint Committee on the National Security Strategy — argued the government’s approach was “unjustifiable” and “unsustainable” and “needs urgent address.”
Tim Stevens, a reader in International Security at King’s College London and head of the King’s Cyber Security Research Group, said he thought Fleming was “entirely correct” about the need for an effective debate and called for an approach of transparency “not necessarily by default, but by preference as and when it doesn’t impact on operational issues.”
“The default position of no comment does not allow the government to control the narrative about its operations that may be disclosed in the future. This is an opportunity for the government to get ahead of the narrative, to explain what it is doing and what it wants to do.”
Stevens said he thought Fleming was correct and “channeling a current of thought within the intelligence agencies themselves,” but that it was “up to the government to change the assumptions around what can be said. And absolutely none of it needs damage sources and methods.”
What’s a back door?
While the original story in The Washington Post described the British government’s demand as creating a “back door allowing [British authorities] to retrieve all the content any Apple user worldwide has uploaded to the cloud,” the British government has historically contested this description.
Westminster has instead historically characterized the legal demand — officially known as a Technical Capability Notice (TCN) — as requiring a company to be able to retrieve content in response to a legal warrant, rather than providing the British government with a surreptitious way to access Apple’s systems without the company’s knowledge. However, no spokesperson has publicly advanced this view in the wake of the media revelations.
“The traditional response just isn’t sustainable, and it’s not justifiable,” added Stevens. “The default position of no comment does not allow the government to control the narrative about its operations that may be disclosed in the future. This is an opportunity for the government to get ahead of the narrative, to explain what it is doing and what it wants to do.”
Andrew Dwyer, a lecturer in information security at Royal Holloway, University of London, said: “If the UK wishes to be perceived internationally as a responsible cyber power, there needs to be greater transparency and accountability for the UK’s operational activity. There is a risk that the UK’s actions in cyberspace are considered to be using ‘responsibility-washing’ to obscure underhand practices.
“As Fleming has stated publicly, operational details cannot and should not always be in the public domain. However, this is distinct to TCNs where there is significant public interest in a wide range of services being impacted in the case of removing an encryption service.
“Unlike, for example, an ongoing cyber operation where there would be an impact on operational outcome or wider aims, potentially banning a service where there is an unclear process of balancing competing interests should not have the same protection,” said Dwyer.
“There is no reason why the UK cannot note how they would use TCNs and other capabilities, even if details are omitted. The concern is that the UK is seeking to shape political objectives through technocratic, and secretive, means. This needs urgent address.”
A spokesperson for the Home Office repeated that they declined to comment on operational matters.
“But more broadly, the UK has a longstanding position of protecting our citizens from the very worst crimes, such as child sex abuse and terrorism, at the same time as protecting people’s privacy,” the spokesperson said.
“As the Security Minister said in the House of Commons, the suggestion that privacy and security are at odds is not correct - we can and must have both. The UK has robust safeguards and independent oversight to protect privacy and privacy is only impacted on an exceptional basis, in relation to the most serious crimes and only when it is necessary and proportionate to do so.”
Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.