Cyber Security Insights Data Protection Special (Part 2)

Last week we wrote about the UK government's unprecedented attack on UK citizens data protection rights remains unresolved a week later, however, the cyber security and data protection industry, UK Intelligence community and international governments response is gathering strength.

I have written to my MP protesting about the Apple case. Unsurprisingly, I have not received a reply. The UK government action causing Apple to withdraw end to end encryption is the behaviour of digitally illiterate people.

Recap of What has Happened?

The UK government has, for a number of months, been trying to force Apple to grant them access to users data on iCloud for every user around the world. Apple has refused to build a back door into their operating systems and "compromised" by withdrawing their Advanced Data Protection service from the UK. This means that in the UK we will not have end to end encryption of documents, photographs, videos and other data stored in Apple's iCloud data storage.

The Response

The government has refused to confirm or deny the existence of a Technical Capability Notice (TCN) served on Apple saying it does “not comment on operational matters, including for example confirming or denying the existence of any such notices”. This lack of transparency is unsustainable and is damaging the reputation of the UK for cyber security, data protection and free speech.

In Parliament last week Security Minister, Dan Jarvis, declined to respond to to a question raised by an MP and said that not doing so was “a long-standing position held by successive Governments for obvious reasons of national security.”

Although the UK government has consistently refused to confirm the existence of the TCN, in the US Tulsi Gabbard, Director of National Intelligence, has ordered a legal review of the secret notice and said she had grave concerns over its implications for data privacy for US citizens.

Those national security reasons are being challenged by the intelligence community. Sir Jeremy Fleming, former head of GCHQ, said for the intelligence services license to operate the government must have more transparency because the way in which the intelligence agencies operate is changing.

Two of the UK's leading cyber security academics are to deliver evidence before Parliament’s Joint Committee on the National Security Strategy argued the government’s approach was? “unjustifiable” and “unsustainable” and “needs urgent address.”

Tim Stevens, head of Kings College London Cyber Security Research Group, said the default position of no comment does not allow the government to control the narrative about its operations that maybe disclosed in the future. This is an opportunity for the government to get ahead of the narrative, to explain what it is doing and what it wants to do.

Andrew Dwyer, a lecturer in information security at Royal Holloway, University of London, said if the UK wishes to be perceived internationally as a responsible cyber power, there needs to be greater transparency and accountability for the UK’s operational activity. There is a risk that the UK’s actions in cyberspace are considered to be using ‘responsibility-washing’ to obscure underhand practices. Potentially banning a service where there is an unclear process of balancing competing interests should not have the same protection as securing ongoing intelligence service operations. There is intense public interest into why Apple has been forced to withdraw their ADP service.

More widely data privacy experts have roundly attacked the action of the UK government pointing out that not only will the UK government be able to request access to the data but Apple will also have access to the data. This increases the risk of Apple employees abusing their access to the data. Threat actors will also target the data because it is now low hanging fruit.

Conclusion

It is clear that industry and international pressure to allow Apple to continue to offer ADP in the UK is building. Until the government are transparent about why they need this access they will continue to lose trust with their electorate.

In parallel to this happening in the UK a global operation led by Danish law enforcement led to 25 arrests and the identification of 273 suspects for the generation of AI powered child sexual abuse material. This shows what can be achieved without diminishing data protection capability.