While not officially known, Google might have been served a notice from the British government similar to what Apple received last month.
Google has refused to deny receiving a secret legal order from the British government, according to a bipartisan group of members of Congress who are concerned Westminster may have demanded that several U.S. technology companies provide its security services with a mechanism to access encrypted messages.
It follows the British government reportedly issuing such a secret legal demand, officially known as a Technical Capability Notice (TCN), to Apple. Apple is believed to be contesting the demand at a closed court hearing on Friday.
Google is not legally allowed to disclose whether they received this order under the Investigatory Powers Act. If this is true, almost every tech company has been forced to comply without the broader public being aware.
“Google also recently told Senator [Ron] Wyden’s office that, if it had received a technical capabilities notice, it would be prohibited from disclosing that fact,” wrote the group.
If I recall correctly, the only reason we heard about Apple was through a leak.
Right now, the U.S. government is more willing to challenge these orders since it impacts American tech companies. We don’t really know the behind the scenes, but like you said, I would not be surprised if Google did not fight back.
Unfortunately it seems only reasonable to assume that most well known encryption software available in the UK will also have received such orders. I think it’s crucial we have a discussion about if/how this should influence our recommendations.
Not inconceivable but Google does have lawyers too and would be in big legal trouble if they gave info from places other than US.
Now comes the speculation: I think Google would definitely give data from UK users only and probably would avoid giving data from countries with strong enough privacy laws such as the EU via GDPR and US by extension from whatever strict California law it has. The rest of the world is probably fair game, except maybe China because of their Great Firewall.
What E2EE data does Google hold where it’s their clients that have encrypted the data? AFAIK RCS it’s the carriers who hold the encrypted data, and there’s not just Google Messages which can send/receive encrypted RCS. Then there’s encrypted data that Google holds like WhatsApp’s encrypted backups, but that’s WhatsApp who encrypts and decrypts the backup, so not much that Google could disclose there.
Swedish 2020:62 allows for both hardware and software backdoors for breaking encryption, no?
Yeah, seems like some govts have boldly ventured there, but the specifics & safeguards vary from one to another.
offtopic
[quote="phnx, post:4, topic:25803"]
. I think it’s crucial we have a discussion about if/how this should influence our recommendations
[/quote]
Recent enough to remember you censored me and another user over this, including reacting with a “🤡” emoji. Oh well…
Never in my life have I used the clown emoji lol. If you have an issue with me or my actions you can take it up privately with Jonah or another team member.
It does not require companies to collude with the government to secretly backdoor encryption, no.
“Those providing electronic communication services are obliged by law to cooperate with the police/security police (section 24).”
OK, but:
“Under section 12 of the Act, an authorization can provide for secret entry to premises to plant spyware physically on an information system (e.g. a stationary computer).”
Compromising websites seems to be fair game, too?
“Where the identity of the suspect is not known, but his contacts are known, or a third party (such as a website which the suspects visits) is known, one can permit secret data reading of these contacts, or the third party, but only in order to identify the suspect.”
Breaking encryption is where their focus seems to be at:
“The figures, published since 2020, when the Act was introduced, show that the overwhelming purpose for which secret data reading is granted in Sweden is to break a device’s encryption.”
This has been so glossed over in all the discussions I’ve seen on the topic.
Another point that seemingly hasn’t come up at all is are we even sure that the UK isn’t just asking for the same access the US might already have? It seems very much a sort of British approach to “fair” intelligence sharing because otherwise, the request just doesn’t seem at all reasonable by itself.
Imagine in the pre-Snowden era, this kind of data wasn’t even encrypted at rest and was basically a legal warrant away to all governments of countries where Apple did business. With secret courts and untrustworthy institutions, why should we believe that ADP or other tools created since then aren’t already back-doored for the US authorities? Do you believe that the US would allow exports of commercial user-friendly e2e tools without any meddling? I think some healthy doubt is reasonable here.
It would be trivial to force Apple to copy all encryption keys to US authorities when ADP is activated, allowing full access without any warning to the users. The features may have even been designed with legal interception in mind and could even be a paid service that Apple offers. The Apple TOS even states not even Apple can read your info… but legal orders can force the sharing of the encryption keys before anything is even made E2E anyway and this would not contradict their TOS.
And what about the new US administration? The violent change and new pay-to-play approach of the current government could easily have shaken up some international intelligence sharing agreements, causing the UK to demand this overreach.
The fact that it was leaked is super interesting because you have to wonder who is leaking this and what is the motivation behind it.
Having never not been privacy conscious… my senses are tingling. There is too much that doesn’t add up here. If you are a criminal or a pedo or whatever, you can just use fully private and independent tools like gpg - no need for Signal messenger or Apple’s ADP. Technically ADP still shows hash info on files to Apple I believe, so especially if you’re a pedo it seems like a terrible plan to hide your crimes anyway. The people that a functional ADP would protect more likely include engineers, business people, scientists and business owners with access to material that is valuable for economic espionage or for kompromat purposes.