Apple unsettled by the UK's draft surveillance bill

"A key left under the doormat would not just be there for the good guys."

Apple CEO Tim Cook's position on encryption is pretty clear: it's important and shouldn't be weakened with "backdoors" that would give governments open access to communications. Now, the company has emphasized its stance yet again in a written response to the UK's draft Investigatory Powers Bill, a new piece of legislation that seeks to collate, clarify and extend the surveillance capabilities set out in previous laws.

According to The Guardian, Apple's submission to the Joint Select Committee, which is currently evaluating the draft bill, reads:

"We believe it would be wrong to weaken security for hundreds of millions of law-abiding customers so that it will also be weaker for the very few who pose a threat. In this rapidly evolving cyber-threat environment, companies should remain free to implement strong encryption to protect customers."

But it's unclear exactly how the Investigatory Powers Bill would affect encryption. In the opening section of the draft legislation, published in November, the UK's Home Office says there will be no "additional requirements in relation to encryption" above what is already set out in RIPA, the UK's primary piece of surveillance legislation. That law requires companies, when served with a notice tied to an interception warrant, to hand over customer data in a readable, preferably decrypted format. That's reliant on the company having that capability though, which Apple doesn't -- at least not for iMessage, which uses end-to-end encryption.

In its submission, Apple is said to have highlighted a passage in the draft bill that would, it believes, give the UK government the power to forcibly alter iMessage. This, it argues, would break encryption and finally allow agencies like GCHQ to access private communications. Apple's concerns could be referencing the new "technical capability notice" that's mentioned in the draft bill. Such a request could, according to one passage, include "the removal of electronic protection applied by a relevant operator to any communications or data." The full extent of that wording remains unclear, however. Would it stop companies from offering end-to-end encryption in the first place? Or would it mean, like now, that it only applies if the company has the capabilities to remove such protections?

Apple seems concerned that it would lead to required "backdoors." Its submission reportedly reads: "The creation of backdoors and intercept capabilities would weaken the protections built into Apple products and endanger all our customers. A key left under the doormat would not just be there for the good guys. The bad guys would find it too."

These comments echo what Tim Cook has said in recent interviews with the Telegraph and the CBS TV program 60 Minutes.

The Guardian says Apple has also slammed the government's proposals, which make clear, for the first time, the powers that UK law enforcement agencies have to hack phones and computers. The draft bill includes "a new obligation" to "assist in giving effect to equipment interference warrants." Again, the full extent of this power is unclear, but it could mean that the government would be able to force a company like Apple to tinker with its hardware or software. Apple reportedly told the Committee:

"It would place businesses like Apple – whose relationship with customers is in part built on a sense of trust about how data will be handled – in a very difficult position."

The company's full, eight-page report should eventually be published by the Joint Select Committee, giving us a better understanding of its complaints and how they relate to specific passages in the bill. The BBC says Microsoft, Facebook, Google, Yahoo and Twitter have filed responses too, most likely with some similar concerns. They'll add to the chorus of companies that are questioning not just the feasibility of the bill's proposals, but the wording and how each policy would work in practice.