← Back to context

Comment by zahllos

18 hours ago

I don't really understand your comment to be honest. Section 3 of the Regulation of Regulatory Powers Act 2000 allows for compelled key disclosure (disclosure of the information sought instead of the key is also possible). Schedule 7 of the Counter-Terrorism Act allows 9 hour detention, questioning and device search at the border. With these powers it isn't necessary to get access to iCloud backups, as you can get the device and/or the data.

I don't think the e2e icloud backup is problematic under existing legislation / before the TCN. While you can't disclose the key because it lives in the secure enclave, you can disclose the information that is requested because you can log into your apple account and retrieve it. IANAL, but I believe this to be sufficient (and refusing would mean jail).

The Investigatory Powers Act allows for technical capability notices, and the TCN in this case says (as far as we know) "allow us a method to be able to get the contents of any iCloud backup that is protected by E2EE for any user worldwide". This means that there is no need to ask the target to disclose information and if implemented as asked, also means that any user worldwide could be a target of the order, even if they'd never been to the UK.

Relevant info:

- https://wiki.openrightsgroup.org/wiki/Regulation_of_Investig...

2 comments

zahllos

Reply
Aloisius  15 hours ago

I imagine they want the ability to look at someone's iCloud backups without notifying the owner that they are doing so or they want to do it when the owner is unwilling or unable to provide keys.

For the latter, there are a lot of cases where jail isn't much a threat (e.g. the person is dead or not in the country).

  • zahllos  7 hours ago

    Also given automatic iPhone backup it might contain information they want as part of an investigation that they'd otherwise have to demand key disclosure for (if cloud backup didn't exist)... Absolutely.

    The jail time for failure to comply with key disclosure is 2 years unless it is national security, then it is 5. But if you're organised crime and facing who knows what for being a snitch it might be better simply to do the time.

    I can see why they want it. I just don't understand why the person I'm replying to said the feature (I think) was problematic. Not really a criticism, I'm just struggling to identify the tone and why 'too right' and 'more problematic than they let on'.