The UK's Proposed Spy Law Would Force Apple to Secretly Hack its Phones
infojustice 2016-02-25
Summary:
The FBI's demand that Apple craft new software to bypass iOS's security protections has ignited a worldwide debate about a government's ability to force tech companies to sabotage their own security. One repeated question has been: will other countries, like China, demand the same powers?
You don't need to look to Beijing—or even the future—to find the answer to that question. The newly proposed British spying law, the Investigatory Powers Bill (IPB), already includes methods that would permit the British government to order companies like Apple to re-engineer their own technology, just as the FBI is demanding. Worse, if the law passes, each of these methods would be accompanied by a gag order. Not only would Apple be expected to comply, but the IPB would insist that Tim Cook could not tell the public what was going on without breaking UK law. At least in the current fight between Apple and the US government, we're having the debate out loud and in public.
IPB, One, Two, Three: Multiple Unchecked Hacking Powers
There are at least three parts of the IPB that could theoretically be used against Apple to compel it to undermine the company's own security technology.
First, the IPB would grant the UK the power to issue a "Technical Capability Notice" (S.189), a secret order that the UK would be able to serve on a telecommunications operator (which the bill currently defines so broadly it would include companies like Apple) to force it to "remov[e] electronic protection applied ... to any communications or data" and to "provide facilities or services of a specified description."
Second, the law would also grant the UK the power to issue a "National Security Notice" (S.188)—another secret instrument, even more vaguely drawn, that would require operators to "carry out any conduct, including the provision of services or facilities," which the British government "considers necessary in the interests of national security."
As Privacy International have noted, both of these instruments include gag orders that would prohibit Tim Cook from telling his customers what was happening.
Third, the new bill provides for "equipment interference"—the UK’s name for tailored access, or hacking in the popular sense of that term. It would allow the UK to break into private devices and insert new code for the purposes of surveillance or extracting data. Equipment interference orders include a requirement (S.101) that any communications provider (again, this includes Apple) take any "reasonably practicable" steps in effecting a hacking warrant. This requirement, like the other two notices above, is of course accompanied by a matching gag order (S.102), preventing providers from informing others. (We believe the gag could even preclude them from discussing the order with technical and legal advisors they might have.)
A Dangerous Template
EFF wrote at length in our submissions last year to British Parliament about the dangers of granting any state such an unchecked hacking power. One scenario in which we anticipated such power being misused was very similar to the current Apple predicament—i.e., a technology company being secretly forced to act as an agent of the UK government to undermine their own software. We highlighted how a company might be compelled to design an update that would undermine their own privacy protections:
Under the proposed law, a British company could be compelled to distribute an update in order to facilitate the execution of an equipment interference warrant, and ordered to refrain from notifying their customers... Such an update could be targeted at an individual, an organisation, or many organisations related to a single investigation... [B]ecause this software runs on end-user systems, there will always be a chance that such a targeted “back door” to private data would be revealed ... Such a revelation would effectively destroy a telecommunication prov
Link:
https://www.eff.org/deeplinks/2016/02/investigatory-powers-bill-and-apple