Google won’t say whether the UK gov’t is breaking its encryption

The surveillance-loving UK is in the news again, as Google refuses to deny it received a demand from the UK government to install backdoor access into its services (the same demand it’s made of Apple).

It’s yet another illustration of the extent to which the UK, which makes more subject-access requests per head than any other Western nation, has become a leader in state surveillance. The inference is that by refusing to deny that it received the same instruction as Apple, Google is effectively confirming it did.

What makes this so much worse is that under UK law, neither Apple nor Google can say whether the UK has made such a demand of them.  

We don’t know and they can’t say

Apple is known to have appealed the demand, but the final result of that appeal (which was heard behind closed doors) remains unknown. One thing we do know is that Apple ceased to offer Advanced Data Protection services once it got the UK demand, and as of now has not made that service available again.

The appeal is expected to be heard at the Investigatory Powers Tribunal later this year.

No comment has been made however, because the UK government doesn’t seem to want to tell its subjects that it has forced the tech companies to install backdoors into their encrypted data.

It’s reasonable to imagine that every foreign intelligence service worth its salt will now be digging deep into Apple and Google code to locate those back doors, of course. It’s only a matter of time before those designed-in vulnerabilities will be exploited. And as neither Apple nor Google will be permitted to secure those backdoors without explicit permission from the UK state, it is highly probable that protecting against those future exploits will leave most users at risk.

That’s because, far from protecting people, weak data protection threatens everyone — and does so on a global scale.

Insecurity UK

The global nature of the UK government’s authoritarian overreach is ruffling feathers all over the place, with the Trump Administration particularly concerned. Sen. Ron Wyden (D-OR) recently wrote to US Director of National Intelligence Tulsi Gabbard asking that she put pressure on the UK to step back from its stance.

“When my office asked Google about backdoor demands from the UK, the company did not answer the question, only stating that if it had received technical capabilities notice, it would be prohibited from disclosing that fact,” Wyden wrote.

His concerns are being echoed by everyone who understands the need to protect people’s lives online. Jim Killock, executive director of Open Rights Group, said: “Senator Wyden’s letter highlights that the government’s attacks on encryption affect people around the world, not just in the UK. Google’s refusal to answer Senator Wyden is extremely worrying for Android users who rely on encryption for their privacy and security.”

Real nosey-parkers

This is just one of a range of deeply intrusive surveillance measures to emerge from the deeply unpopular UK administration, despite reportedly determined opposition from the US administration. Most recently, the UK introduced the Online Safety Bill, a new set of laws to demand age verification from users of many popular services. 

Ostensibly, it’s a child protection measure. But the government appears deaf to the many arguments against the way it is implementing these new laws, which are already being used in ways that appear to exceed their stated objective, stifling open discussion. 

It is also concerning that the implementation of these laws sees sensitive identification data being shared with unaccountable private age verification services, which have already been seen to place personal data at risk.

Meanwhile, the link between sharing such personal data and the introduction of vulnerabilities in the data encryption used to protect it in transit to those verification services adds yet another layer of uncertainty about UK digital data security.

This seems particularly counter-intuitive in conjunction with the nation’s big investments in artificial intelligence and digital services. Given we know the UK’s National Health Service (NHS) to be among the most frequently attacked government entities in the world, the opportunity to exfiltrate valuable personal data is growing, not being mitigated against.

No one is safer

No matter how much the UK denies reality, by undermining anonymity online at the same time it’s weakening protection around personal data, the government has placed its citizens under intense digital threat and failed to equip them with the tools or any early warning about the impact of these moves. It’s an absolute triumph of stupidity that will leave the UK a far less safe place to be.

Meanwhile the criminals and perverts these laws claim to target are sufficiently well-resourced they will be able to deploy their own alternative technologies (such as proxy servers, fake identities, SD-WAN) to protect themselves. That means those most at risk to the negative impacts of these inept changes in law will be the innocent, rather than the perpetrators.

Effectively, it’s a sacrifice of digital security and liberties that poses serious risks, will likely put UK citizens at risk, and undermine digital commerce.

You can follow me on social media! Join me on BlueSky,  LinkedIn, and Mastodon.