Comment by sedatk a day ago

21 replies

> You need to start that because, as we recently learned, at some point in the very near future Apple is withdrawing its Advanced Data Protection (ADP) feature from the UK altogether as a result of the Home Office TCN through the Investigatory Powers Act.

So, a UK-only advice, and it strangely assumes that any other service in UK wouldn’t be bound by the same laws.

omnicognate a day ago

I can encrypt anything and store it in anything that provides storage. Why are people acting like "end to end encryption" is a feature you need a cloud service to provide to you? Rather the opposite - it's really something you can only do yourself.

  • culi a day ago

    Sure, but almost no one is managing their own keys and knows enough about the various e2ee algorithms to make these decisions on their own.

    Do you know of a good piece of software or tool that lets a layperson interface with any cloud storage provider?

    • Kerrick 21 hours ago

      The closest I've found is VeraCrypt, which is near the edge of what I'd call layperson-friendly. But if you store a VeraCrypt drive on the cloud, you'll need to re-upload the entire encrypted file--usually quite large--every time you change anything at all. That's a _lot_ of bandwidth, and likely to be quite slow to sync.

  • ajsnigrutin a day ago
    • omnicognate 21 hours ago

      In the extremely unlikely event that I'm compelled to by a judge, yes. Or if someone chooses to beat me with a five dollar wrench, of course. And even then A) it can't happen without my knowledge and B) I have the option of refusing and bearing the consequences.

      I didn't say it solves every problem, just that it's the only way to have proper end-to-end encryption.

    • hex4def6 21 hours ago

      This seems like a job for a TrueCrypt-style system. Either you do it at a file-level, or you have it split into (say) 10MB file chunks, and if you want to access a certain file you have an encrypted local db that acts as a magic decoder ring ("file test.csv is spread across CLOUD1.DB CLOUD3443.DB CLOUD132.DB").

      Combine that with steganography (Enter real_password, and test.csv is a list of bank accounts, enter fake_password, and test.csv is a list of apple store locations, enter random_password, and it decodes junk). Maybe combine that with multiple layers of passwords (one ring to rule them all, except certain files).

      Obviously, you'd want to steganographize the decoder ring as well.
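
An added sketch, not part of any comment in this thread and not the code of any tool named in it, of the chunk-plus-local-index layout hex4def6 describes, which also addresses the whole-container re-upload cost Kerrick raises: each chunk is its own AES-256-GCM blob, so a one-byte edit changes one blob. The function names, the 4-byte chunk size and the sample data are assumptions made for the demo, and the deniable multi-password layer is not modelled.

```ruby
require "openssl"

# Encrypt data in fixed-size chunks with AES-256-GCM (32-byte enc_key).
# Returns [blobs, index]: blobs maps an opaque name to nonce||tag||ciphertext
# (what the provider stores); index is the ordered list of names, i.e. the
# local "decoder ring", which must itself be stored encrypted.
def seal(enc_key, name_key, data, size)
  blobs = {}
  index = []
  (0...data.bytesize).step(size) do |off|
    chunk = data.byteslice(off, size)
    # Keyed hash names the blob: stable while the chunk is unchanged, and
    # not checkable by the provider. Identical chunks share one blob.
    name = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA256"), name_key, chunk)[0, 32]
    c = OpenSSL::Cipher.new("aes-256-gcm").encrypt
    c.key = enc_key
    nonce = c.random_iv        # fresh 12-byte nonce per blob
    c.auth_data = name         # binds the blob to its name
    ct = c.update(chunk) + c.final
    blobs[name] = nonce + c.auth_tag + ct
    index << name
  end
  [blobs, index]
end

# Reassemble the plaintext. Raises KeyError for a missing blob and
# OpenSSL::Cipher::CipherError for a modified or swapped one.
def open_file(enc_key, blobs, index)
  index.map do |name|
    blob = blobs.fetch(name)
    d = OpenSSL::Cipher.new("aes-256-gcm").decrypt
    d.key = enc_key
    d.iv = blob[0, 12]
    d.auth_tag = blob[12, 16]
    d.auth_data = name
    d.update(blob[28..-1]) + d.final
  end.join
end

# Names the remote store lacks: the only blobs an edit forces you to upload.
def to_upload(remote_names, index)
  index.uniq - remote_names
end

# Constructed demo: 16 bytes in 4-byte chunks, then a one-byte edit.
enc_key, name_key = OpenSSL::Random.random_bytes(32), OpenSSL::Random.random_bytes(32)
blobs, = seal(enc_key, name_key, "AAAABBBBCCCCDDDD", 4)
_, index2 = seal(enc_key, name_key, "AAAABBBBCxCCDDDD", 4)
puts "blobs to re-upload after the edit: #{to_upload(blobs.keys, index2).size} of #{index2.size}"
```

The stable names are what make the delta upload possible, and they also let the provider see which chunks changed between versions, though not their contents.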

kcartlidge 20 hours ago

> So, a UK-only advice, and it strangely assumes that any other service in UK wouldn’t be bound by the same laws.

I suspect it's because whilst other services would be affected we only know about Apple currently and, thanks to iOS and Mac, a large percentage of the population will be using Apple by default for the services impacted. Only Google (Android) and Microsoft (Windows) really overlap in that regard.

endgame 17 hours ago

Other countries have very similar regimes these days.

caconym_ a day ago

> So, a UK-only advice

So what?

> it strangely assumes that any other service in UK wouldn’t be bound by the same laws.

From the linked article:

> I’m not going to tell you where to move your stuff other than to say that if you’re moving it from one big tech company to another, you’re just being daft. Likewise, if you’re moving your stuff to a non-e2ee service, don’t bother. If you need an e2ee service try Proton. They have a Black Friday sale on.

  • sedatk a day ago

    > So what?

    The title felt like there was a greater issue with Apple specifically. There wasn't. There was a greater issue with the new UK laws and cloud storage systems. I think people deserved a clarification before getting wound up about it before reading the article.

    • smsm42 20 hours ago

      Yes, it's nothing to do with Apple per se - any major E2E provider would be under the same attack. The problem here is UK government is drunk with power and doesn't want their citizens to have any privacy rights, and UK citizens are largely ok with that, as evidenced by them keeping to elect such governments. Apple is just the most prominent target of the attack - eventually, they will try to attack smaller targets still, and make usage of the strong encryption as hard as possible, maybe outlaw it completely and mandate government key escrow. They already tried it in many countries, and UK seems to be very ripe to try again.

      • jlokier 18 hours ago

        > UK citizens are largely ok with that, as evidenced by them keeping to elect such governments

        I don't think that's true. I think plenty of UK citizens do want better privacy rights and data protection, as evidenced by the very large petition against national ID cards for example.

        It doesn't win the vote because it's not the most important factor when it comes to voting, because there are bigger issues people care about more.

        Many people are somewhat despondent, due to economic decline, ever-increasing pressures and poor prospects for so many people. There's no choice of party which simultaneously supports privacy rights at the same time as other things most UK citizens appear to care about more, which can also survive the intense tactical voting pressure under the FPTP voting system. Consider that most people who voted Labour in the "landslide" last election appear to have done it tactically to "get the Tories out".

        So issues like privacy which aren't at the top of people's concerns, end up not having much influence over voting decisions.

        The Lib Dems and Greens are the nearest to that, imho. Of the major parties, they seem the most aligned with privacy rights in their DNA, as far as I can tell.

        Reform are getting some political benefit from talking up privacy at the moment, and they stand a real chance of winning next time. But I doubt very much if Reform would ever implement real privacy rights. I think it's just opportunistic dodgy politician talk in their case, and that real privacy isn't in their DNA at all, because they don't believe in universality of human rights. They are openly eager to remove the Human Rights Act and strip many people of those rights, after all. Strong online privacy also clashes with one of their core missions, to find and deport vastly more people than before; privacy clashes with that both on grounds of investigative capabilities, and on grounds of principles and rights. I could imagine Reform trying to offer strong privacy only for approved citizens, alongside mandatory reporting on other users, but the contradictions in that are too much.

        • smsm42 11 hours ago

          > It doesn't win the vote because it's not the most important factor when it comes to voting,

          This implies there's a vote for and against it, but is there? I didn't see any party or serious political movement raise this as an important issue. Why? Because they assume it won't bring them any additional votes, because their potential voters don't care. If they don't care, they get what they get.

          > So issues like privacy which aren't at the top of people's concerns

          So, you are agreeing with me. If you say "sure, I'd like some privacy, maybe, but I don't care enough about this to bother to tell my rep that I'm even interested in this" - then you are "ok with that" as I said.

    • caconym_ a day ago

      The issue is with Apple specifically in the sense that they have been offering a superior E2EE cloud storage service that will soon be denied to UK residents (IIUC, E2EE isn't offered by their competition e.g. Google, Microsoft). But the article goes out of its way in its first section to note that Apple isn't in the wrong at all here:

      > But I will say that the shutdown of ADP is Apple being on the right side of the geopolitical fight, as inconvenient as that may be to you and me.

      It is, if you care about the issues the author evidently cares about, "time to start de-Appling". I am a satisfied ongoing customer of Apple and I didn't find this headline to be the least bit inflammatory. It is, at worst, minor clickbait—but it's not really bait at all, since the contents of the article match the headline.

    • cmsj a day ago

      FYI, this is not about a law, this is about a Technical Capability Notice. This is a thing the UK government is able to issue to a specific company or companies, that require them to implement technical measures to enable data collection. This applies only to the company/ies that the notice is issued to.

      That could be one of them, some of them or all of them, but it's not really a law that automatically applies to all of them.

      • sedatk 20 hours ago

        Everything a government does is about a law, but, even if only Apple had received this notice, why would it change the unfairness of singling out Apple? Did UK government issue this request as their final request of this kind? Did they forbid any further requests to be made? Did they single out Apple out of something specific to Apple Inc (or, say, United States) or did Apple happen to be just too visible?

        Singling out Apple in the article's title sends the wrong message here. The author should have gone with something along the lines of "UK residents should stop using E2EE cloud services". Current title implies there might be a safe E2EE service in the UK. Heck, they even claim that in the article: "If you need an e2ee service try Proton" as if Proton is exempt from getting a notice from the UK. It's not.