What is your proof they don't have a duplicate key that also unlocks it? A firm handshake from Tim?
You should watch the whole BlackHat talk (from 2016!) from Apple's Head of Security Engineering and Architecture, but especially this part:
https://www.youtube.com/watch?v=BLGFriOKz6U&t=1993s
A lot of trust in words that cannot be verified.
If they say they don't, and they do, then that's fraud, and they could be held liable for any damages that result. And, if word got out that they were defrauding customers, that would result in serious reputational damage to Apple (who uses their security practices as an industry differentiator) and possibly a significant customer shift away from them. They don't want that.
The government would never prosecute a company for fraud where that fraud consists of cooperating with the government after promising to a suspected criminal that they wouldn't.
Cooperating with law enforcement cannot be a fraud. Fraud is lying to get illegal gains. I think it's legally OK to lie if the goal is to catch a criminal and help the government.
For example, in the 20th century, a European manufacturer of encryption machines (Crypto AG [1]) made a backdoor at the request of governments and never got punished - instead it got generous payments.
[1] https://en.wikipedia.org/wiki/Crypto_AG
Absent the source code, it's incredibly difficult to disprove when the only proof you have is good vibes.
Apple has the number 1 marketing team in the world. They got away with PRISM and terrible security.
They are immune to reputation damage. Teens and moms don't care.
> Apple's solution is iCloud Keychain which is E2E encrypted, so would not be revealed with a court order.
Nope. For this threat model, E2E is a complete joke when both E's are controlled by the third party. Apple could be compelled by the government to insert code in the client to upload your decrypted data to another endpoint they control, and you'd never know.
That was tested in the San Bernardino shooter case. Apple stood up and the FBI backed down.
It's incredibly naive to believe Apple will continue to be able to do that.
Yeah, and Microsoft could insert code to upload the BitLocker keys. What's your point? Even Linux could do that if they were compelled to.
> Even Linux could do that if they were compelled to.
An open source project absolutely cannot do that without your consent if you build your client from the source. That's my point.