Apple is hitting back against against a bill in the UK that could require tech firms to give British authorities a back door into encrypted communications services — a fight lawmakers in Congress hint could be coming to the United States.
The iPhone maker submitted an eight-page letter to the British Parliamentary Scrutiny Committee Monday highlighting what it believes are flaws in the Investigatory Powers Bill — legislation aimed at increasing the scope of online surveillance in the UK.
Revised and proposed by Home Secretary Theresa May in early November, the bill would mandate Internet service providers keep the web browsing histories of their users for one year and give British authorities access to their connection records without having to obtain prior judicial authorization — allowing them to see the websites users have visited, but not the particular pages or content viewed.
The bill has gained traction across the Atlantic since the Islamic State-inspired attacks in Paris last month.
Investigators revealed last week at least some of the suspects in the attack used encrypted messaging apps Telegram and WhatsApp to plan their assaults, reigniting the debate surrounding governments’ inability to surveil end-to-end encrypted communications, accessible to the sender and receiver exclusively.
Apple has offered such encryption on all iPhone software since last fall, and warned British lawmakers Monday the new surveillance powers being weighed by Parliament, which could compel Apple and others to build encryption back doors into their products, threaten the cybersecurity of all its users.
“The bill threatens to hurt law-abiding citizens in its effort to combat the few bad actors who have a variety of ways to carry out their attacks,” Apple told lawmakers.
While the law doesn’t specifically mandate back doors or state companies must alter the code of any products, it would compel tech firms to comply with warrants for data, which in Apple’s case would mean having to build a back door into encrypted devices that the company currently can’t access without a users’ password.
“The creation of back doors and intercept capabilities would weaken the protections built into Apple products and endanger all our customers,” Apple wrote. “A key left under the doormat would not just be there for the good guys. The bad guys would find it too.”
The Cupertino-based company went on to warn the bill threatens to open a Pandora’s Box that would “likely be the catalyst for other countries to enact similar laws, paralyzing multinational corporations under the weight of what could be dozens or hundreds of contradictory country-specific laws,” and puts companies like Apple in legal purgatory by having to choose between breaking the privacy law of one country to comply with the surveillance law of another.
“What the British are attempting to do, and what the French have already done post-Charlie Hebdo, would never have seen the light of day in the American political system,” former CIA and National Security Agency Director Michael Hayden told Reuters last month.
While it’s true the debate over criminals and terrorists “going dark” online via encrypted communications services was largely shelved earlier this year after the administration stepped back from a policy of compelling Silicon Valley to cooperate, the Paris attacks and the ISIS-inspired shooting in San Bernardino earlier this month have re-energized the issue.
The resurgence is nowhere more apparent than on Capitol Hill, where lawmakers including Senate Intelligence Committee Chairman Richard Burr, ranking Democrat Sen. Dianne Feinstein, Republican Sen. Tom Cotton and House Homeland Security Committee Chairman Michael McCaul spent the last weeks of the legislative calendar slamming companies’ lack of cooperation and advocating the need for legislation to address the issue.
“If they communicate in darkness and you can’t shine a light on it, quite honestly you just can’t stop it,” McCaul, who helped usher the first cyber bill aimed at expanding surveillance in years through Congress’ year-end budget deal, said earlier this month. “People say why didn’t you see Paris? It was under the radar because they were using an app called Telegram and they were communicating through an encrypted application.”
While hearing testimony from FBI Director James Comey on the issue two weeks ago, Feinstein revealed she’s working on legislation with Burr that would compel companies to cut through encryption for authorities.
“Well, I’m going to seek legislation if nobody else is, and I know Senator Burr thinks somewhat similarly,” Feinstein said. “If there is conspiracy going on over the Internet, that encryption ought to be able to be pierced.”
On Monday, Cotton called out Apple CEO Tim Cook directly, saying he “omitted critical facts about data encryption” during a recent interview.
“He claimed that Apple does not comply with lawful subpoenas because it cannot,” Cotton wrote. “While it may be true that Apple doesn’t have access to encrypted data, that’s only because it designed its messaging service that way.”
“As a society, we don’t allow phone companies to design their systems to avoid lawful, court-ordered searches.”
Senate Majority Leader Mitch McConnell has already indicated the upper chamber will look to re-examine the surveillance debate during the next Congress via legislation from Cotton, endorsed by Florida Republican Sen. Marco Rubio, to roll back recent restrictions and expand NSA surveillance powers.
“Based on what’s going on in the world, I think we can’t put blinders on here,” McConnell said last week. “This is a growing and serious problem, and to the extent that our intelligence capabilities — which in my view have never been inconsistent with American privacy concerns — are weakened, you have to ask the question: Is that a smart thing to do? I don’t think it is.”