Man, this is really the worst case we've been fearing in Germany as well, i.e. an overzealous government that wants access to the master decryption keys of any app using end-to-end encryption so they can backdoor them anytime they like. I really hope they have enough common sense left to reverse their course, and I have to say kudos to Apple for taking this fight.
Perhaps there is an app that makes using one-time pads simple. It is really the only way to be reasonably certain that your communication is protected. With storage so abundant it is feasible to share a 100MiB pad for each contact which should be enough for a lifetime of messages.
Except, in this case you have a US company that I honestly believe takes privacy seriously, fighting to prevent that stance being undermined by the UK government
The problem is if you want to back up the content of your device securely. Without ADP, you’re stuck sending it into iCloud in a way that allows a government to access the data.
If you wanted to avoid potential prying eyes, you can’t backup the device over the internet to a storage location you own. You can sort of do this with photos, but it’s absolutely a kludge.
Apple is only one US law away from completely shutting down Advanced Data Protection for everyone.
Encrypted backups are an intractable technical problem. The key is on the device you’ve lost, so another copy of the key must be saved somewhere.
There has to be an element of trust, or else the actual use case that 99.9% of users have — I lost my device and want to restore my <whatever> - can’t be met.
It’s not like there’s some great alternative solution they’re intentionally neglecting.
Both will inevitably get lost/forgotten, especially if it's a password that isn't used on a regular basis. Even for regular backups users rarely test recovery protocols. They just turn it on and call it a day. Heck, sometimes even companies don't even bother doing it, and find out that their disaster recovery protocols aren't up to snuff after they've been ransomwared.
There's nothing inevitable about it. If a user would rather risk forgetting/losing a password, than governments covertly and cheaply spying on them, they can do that, and the problem is perfectly tractable. It's only intractable under the demented requirements of delegating all security to someone else, and at the same time expecting to be secure against the entity you have delegated all security to.
>If you wanted to avoid potential prying eyes, you can’t backup the device over the internet to a storage location you own. You can sort of do this with photos, but it’s absolutely a kludge.
Use iTunes backup and then upload the files from your PC to an online storage provider of your choice?
> Apple is only one US law away from completely shutting down Advanced Data Protection for everyone.
The problem with this is that it's universally applicable.
Any cloud service that has end-to-end encryption today can be forced to break it if the jurisdiction in which they're based passes a law requiring it.
"So use a self-hosted open-source cloud backup system with a VPS?" Not a scalable solution. I genuinely do not believe there is a scalable solution to this problem.
All we can do is either pick the service we trust will remain safe the longest, or DIY it for ourselves and maybe those closest to us. And fight at the ballot box to end the era of ever-expanding government surveillance of everyone's digital data.
> So use a self-hosted open-source cloud backup system with a VPS?
then why not? It just needs to be set up to encrypt before upload, and decrypt after download, and have some means of sharing keys to other clients. Unless I'm being dumb and missing something?
> Any cloud service that has end-to-end encryption today can be forced to break it if the jurisdiction in which they're based passes a law requiring it.
If a 3rd party can be compelled to decrypt it, it’s not e2e encrypted.
What else are they supposed to do? Defy court orders? That's why they introduced ADP, which avoids this problem by making it impossible for them to comply.
There is no silicon for useful laptops that isn't US-controlled or China-controlled. On top of that, there is no ISA or reference CPU that isn't US-based.
In the future, we might have RISC-V, but right now, we don't. You can get laptops with Intel, AMD, ARM or IBM, and that's about it. All of the chips that are fast enough to be useful are US-based (in design and manufacturing instructions, but Asia-based in physical construction).
Say you'd be more interested in something that looks/feels like it's not from the US, you are pretty much restricted to stuff that's from ODMs in Asia. But it's the same hardware from the same production facilities, running the same firmware and operating systems.
I suppose that's true. My mind was already on the likes of Qualcomm, Apple, Ampere and Broadcom but the base ISA and some of the reference designs used in public are indeed pure ARM (the company).
Ideally there'd be a player like Fujitsu (also an ARM licensee), they can do an entire laptop where only the manufacturing and software is not in-house (they don't have the capacity to do that AFAIK). If you then slap some coreboot (or U-Boot) and linux on it, you'd be pretty close to a much less US-attached laptop.
You can get pure(ish)-China laptops if you’re willing to go that far to get away from the US. Hauwei have a range of laptops using HiSense ARM cores: https://qingyun.huawei.com/
Your own government is usually the biggest threat to your privacy. And namedropping the UK as some gov you would prefer from a privacy point of view is silly.
I don't have any gov app installed on my phone, though it came with the whole Google suite, Facebook and Instagram installed.
And I can't remove it unless I root it.
If you're in a country where the gov is a threat to your privacy, you're in a dictatorship.
A democratic gov does not really care a lot about personal data, it only wants tax money.
A private company cares a lot about personal data because each bit of personal information is sellable to anyone interested.
Didn't the UK have an issue with Apple the other day, trying to get some "backdoor" to icloud? Which prompted Apple to say they'd remove E2E encryption for those users?
How's that tax related and not caring about personal data? Does that make the UK a dictatorship?
The government or other parties will come and take your data wherever you are without a moment's notice. There is no defence against that.
The objective should be to make that as hard as possible by not putting it somewhere you make it easy for them to do so without your knowledge or without legal due process.
Man, this is really the worst case we've been fearing in Germany as well, i.e. an overzealous government that wants access to the master decryption keys of any app using end-to-end encryption so they can backdoor them anytime they like. I really hope they have enough common sense left to reverse their course, and I have to say kudos to Apple for taking this fight.
Perhaps there is an app that makes using one-time pads simple. It is really the only way to be reasonably certain that your communication is protected. With storage so abundant it is feasible to share a 100MiB pad for each contact which should be enough for a lifetime of messages.
[dead]
[flagged]
Except, in this case you have a US company that I honestly believe takes privacy seriously, fighting to prevent that stance being undermined by the UK government
The problem is if you want to back up the content of your device securely. Without ADP, you’re stuck sending it into iCloud in a way that allows a government to access the data.
If you wanted to avoid potential prying eyes, you can’t backup the device over the internet to a storage location you own. You can sort of do this with photos, but it’s absolutely a kludge.
Apple is only one US law away from completely shutting down Advanced Data Protection for everyone.
Encrypted backups are an intractable technical problem. The key is on the device you’ve lost, so another copy of the key must be saved somewhere.
There has to be an element of trust, or else the actual use case that 99.9% of users have — I lost my device and want to restore my <whatever> - can’t be met.
It’s not like there’s some great alternative solution they’re intentionally neglecting.
> another copy of the key must be saved somewhere
Like a password you memorize? Or write down on a piece of paper and store it somewhere safe?
Both will inevitably get lost/forgotten, especially if it's a password that isn't used on a regular basis. Even for regular backups users rarely test recovery protocols. They just turn it on and call it a day. Heck, sometimes even companies don't even bother doing it, and find out that their disaster recovery protocols aren't up to snuff after they've been ransomwared.
There's nothing inevitable about it. If a user would rather risk forgetting/losing a password, than governments covertly and cheaply spying on them, they can do that, and the problem is perfectly tractable. It's only intractable under the demented requirements of delegating all security to someone else, and at the same time expecting to be secure against the entity you have delegated all security to.
>If you wanted to avoid potential prying eyes, you can’t backup the device over the internet to a storage location you own. You can sort of do this with photos, but it’s absolutely a kludge.
Use iTunes backup and then upload the files from your PC to an online storage provider of your choice?
> Apple is only one US law away from completely shutting down Advanced Data Protection for everyone.
The problem with this is that it's universally applicable.
Any cloud service that has end-to-end encryption today can be forced to break it if the jurisdiction in which they're based passes a law requiring it.
"So use a self-hosted open-source cloud backup system with a VPS?" Not a scalable solution. I genuinely do not believe there is a scalable solution to this problem.
All we can do is either pick the service we trust will remain safe the longest, or DIY it for ourselves and maybe those closest to us. And fight at the ballot box to end the era of ever-expanding government surveillance of everyone's digital data.
That is, by definition, not e2e encrypted.
Sorry, which "that" are you referring to?
If you mean this:
> So use a self-hosted open-source cloud backup system with a VPS?
then why not? It just needs to be set up to encrypt before upload, and decrypt after download, and have some means of sharing keys to other clients. Unless I'm being dumb and missing something?
> Any cloud service that has end-to-end encryption today can be forced to break it if the jurisdiction in which they're based passes a law requiring it.
If a 3rd party can be compelled to decrypt it, it’s not e2e encrypted.
Apple regularly comply with Law Enforcement requests for customer data though...
What else are they supposed to do? Defy court orders? That's why they introduced ADP, which avoids this problem by making it impossible for them to comply.
There is no silicon for useful laptops that isn't US-controlled or China-controlled. On top of that, there is no ISA or reference CPU that isn't US-based.
In the future, we might have RISC-V, but right now, we don't. You can get laptops with Intel, AMD, ARM or IBM, and that's about it. All of the chips that are fast enough to be useful are US-based (in design and manufacturing instructions, but Asia-based in physical construction).
Say you'd be more interested in something that looks/feels like it's not from the US, you are pretty much restricted to stuff that's from ODMs in Asia. But it's the same hardware from the same production facilities, running the same firmware and operating systems.
>On top of that, there is no ISA or reference CPU that isn't US-based.
ARM HQ is in Cambridge & owned by Japan (Softbank group)
I suppose that's true. My mind was already on the likes of Qualcomm, Apple, Ampere and Broadcom but the base ISA and some of the reference designs used in public are indeed pure ARM (the company).
Ideally there'd be a player like Fujitsu (also an ARM licensee), they can do an entire laptop where only the manufacturing and software is not in-house (they don't have the capacity to do that AFAIK). If you then slap some coreboot (or U-Boot) and linux on it, you'd be pretty close to a much less US-attached laptop.
You can get pure(ish)-China laptops if you’re willing to go that far to get away from the US. Hauwei have a range of laptops using HiSense ARM cores: https://qingyun.huawei.com/
Didn't Samsung try to do the same? That'd be a Korean option if amelius has that in scope. Unless they are using Snapdragon for those of course.
> laptop of a non-US origin soon
Maybe NitroPad[1] from Nitrokey (Germany) ?
I don't think Fujitsu Siemens make PCs/Laptops any more, only servers. But that would have been an option as their factory is in Germany.
[1] https://shop.nitrokey.com/shop?&search=nitropad
Thanks, and glad to see a comment that actually answers my question :) rather than telling me things like who Europeans should or should not trust.
Bringing up UK in the context made me worried about you.
Snowden made me worry a lot more about a lot of people.
Yes.
Certainly not the UK, they're spearheading much of the privacy problem.
Your own government is usually the biggest threat to your privacy. And namedropping the UK as some gov you would prefer from a privacy point of view is silly.
I don't have any gov app installed on my phone, though it came with the whole Google suite, Facebook and Instagram installed. And I can't remove it unless I root it.
If you're in a country where the gov is a threat to your privacy, you're in a dictatorship.
A democratic gov does not really care a lot about personal data, it only wants tax money.
A private company cares a lot about personal data because each bit of personal information is sellable to anyone interested.
Didn't the UK have an issue with Apple the other day, trying to get some "backdoor" to icloud? Which prompted Apple to say they'd remove E2E encryption for those users?
How's that tax related and not caring about personal data? Does that make the UK a dictatorship?
> If you're in a country where the gov is a threat to your privacy, you're in a dictatorship.
Really? Nothing to hide?
Any practical democracy does strange stuff.
[dead]
> Your own government is usually the biggest threat to your privacy.
Few people think of this. More should.
[dead]
The government or other parties will come and take your data wherever you are without a moment's notice. There is no defence against that.
The objective should be to make that as hard as possible by not putting it somewhere you make it easy for them to do so without your knowledge or without legal due process.
And that is NOT in some cloud.