> Otherwise, please make sure you de-Apple, de-Google, and de-American Stack yourself when you have time, clarity, and focus to do it. Start today.
I don't understand the core of this advice. So if you're in the UK and do all the above, can you suddenly get similar E2EE cloud storage from a different provider without a UK government-mandated backdoor?
The first two are reasonable positions. The third, on the merits of the argument in the article, is absolutely bonkers. It's the UK government that is unleashing this stupidity on the world. There is no European alternative that is any safer, and it's the UK's own hands that are at fault in the first place.
Not that there aren't other reasons to be skeptical of American companies' right, but it's just so easy to fall into nationalistic prattle instead of fixing the real problem.
> but it's just so easy to fall into nationalistic prattle instead of fixing the real problem.
Right. This, right now, is 100% a UK problem. De-Americanising your tech stack isn't going to fix the political issues domestically. Hence Apple pulling ADP out, they made the choice of not complying with the UK and not offering the service instead of compromising the service for everyone else in the world.
UK citizens need to direct their attention inwards against their own government.
Scary stuff: they've just handed the EU a reason to go after ADP. Turns out no back door is needed, you just force their position into making ADP unavailable in the EU.
Last time I was in the UK, the news (BBC) was bizarrely 90% American politics. Trump this, Trump did that, etc. People there knew American politicians better than the people who actually represent them.
Trump is a chum with Farage, far right con man and Putin's buddy.
For the reasons unknown BBC is *massively* promoting and platforming far right in the last few times (airtime, framing of the events, promoting party lines as facts, etc).
So Trump in the BBC might be considered beneficial to the far right. This would explain it.
>The first two are reasonable positions. The third, on the merits of the argument in the article, is absolutely bonkers. It's the UK government that is unleashing this stupidity on the world. There is no European alternative that is any safer, and it's the UK's own hands that are at fault in the first place.
Disagree. Australia and also likely Canada have identical these laws. And once the capability is in place, its likely that the US can all writs access to the same tool. Apple is unique in that it has a semi legal canary, in choosing to withdraw the services instead of complying.
You cant trust any tech company that remains located in the 5 eyes nations.
I am not aware of good alternatives, but worst case you can run up a VPS with Owncloud or something.
> There is no European alternative that is any safer
How do you figure that? If you're worried about your privacy in the UK, keeping your data in a Five Eyes country cloud provider is a very bad idea, arguably even worse than keeping it in a UK cloud provider where it becomes a domestic legal matter where you at least get a day in court, not a foreign intelligence matter where you don't. And the US is a pretty bad place for anyone's data given a) its lack of robust privacy laws (and large commercial data-trafficking ecosystem) and b) the National Security Letter system.
While there is no perfect country, somewhere like Germany or the Netherlands seems a much better bet.
It's not a backdoor per se. UK just banned using E2EE (at least for Apple users' data). I don't think though they can ban E2EE in general - like, if I upload a binary blob to a data store, how would they know whether it's encrypted or not? Short of banning all strong encryption completely (which even UK yet is not stupid enough to do) it's not possible to prevent. But they did not build a "backdoor" into encryption - they demanded that, and Apple refused, so there's now no encryption at all for UK users. There's no door.
They are just going for service providers that make E2EE easy for users - clearly betting on the fact that people they want to surveil would be too lazy/incompetent to use a custom solution providing strong E2EE encryption. And they may be right - most iphone users would keep using the same services even with the knowledge that the data is now widely open - and eventually of course will be breached and available to every kind of criminal, as it happened many times already with other massive data warehouses.
But I believe even is the UK you still can encrypt your own backup and upload it, e.g., to rsync.net and nobody would be able to stop you. Just most people won't.
E2EE cloud storage is not some kind of magic that only tech bigcorps can provide. I de-Dropboxed a few years ago, replacing it with Syncthing running on a local NAS with e2ee backups in Backblaze and Wireguard VPN out to my mobile devices. Sure, this is not the sort of thing most people can set up for themselves, but I don't think that's particularly relevant in context.
Syncthing and e2e is great but the issue is that the law force you to give away your phone and your password if asked. Meaning, they have the encrypted data on your phone and the password to unlock it.. same for computer ofc.
If you're in England and have to keep things secured (including from government eyes), i have no idea how you can do. They soon will be allowed to put a camera in your small room and watch you take a dump.
Memorize a long passphrase for encryption, dont keep it anywhere and when forced to give it up, say "I forgot it". This is partly a joke but only partly.
it definitely is. talking to non-tech people, even a password manager or adblock extension for a browser are magic. installing a basic OS is magic. freaking debugging something which isn't working is magic.
i've had to show people that they have to plug in their HDMI cable into their GPU instead of the motherboard, that they have to manually set the Hz in windows settings. how to install basic drivers.
so many more easy examples we IT-workers or nerds just take for granted. taking this to the extreme, my grandma asked me if i could search recipes online for her, because [insert your favorite search service] seemed too complicated.
So next to these examples, setting up syncthing with a VPN is next to impossible :( and even if they manage to set it up, good luck when you run into issues after a couple of months.
On personal level, you have to choose whether your priority is privacy or convenience. If its privacy, no whining about 'I want this and that and I am too lazy to rollback' is relevant.
Never trust US services, 3-letter agencies are endlessly greedy to fill your profile with another tens of thousands of data points. As do all advertisers all around the globe. As do (with various success) all other governments and private companies who have something to gain, HDD storage has never been cheaper and all personal data are worth gold and beyond.
Or if you have to use them, use your own encryption with strength to not be broken for next few hundreds of years, to stand a chance. That is, if you actually have something to hide, but I have never met a person who really doesn't :)
My new high-privacy, high-control data management solution revolves around pen & paper. As far as I am aware, these implements have not yet been banned in the UK.
I don't know why everything must be digital. If you don't put it on a computer, it's almost as if it doesn't exist. If you do this often enough, it is almost as if you don't exist.
Party members were supposed not to go into ordinary shops ('dealing on the free market', it was called), but the rule was not strictly kept, because there were various things, such as shoelaces and razor blades, which it was impossible to get hold of in any other way. He had given a quick glance up and down the street and then had slipped inside and bought the book for two dollars fifty. At the time he was not conscious of wanting it for any particular purpose. He had carried it guiltily home in his briefcase. Even with nothing written in it, it was a compromising possession.
The thing that he was about to do was to open a diary. This was not illegal (nothing was illegal, since there were no longer any laws), but if detected it was reasonably certain that it would be punished by death, or at least by twenty-five years in a forced-labour camp. Winston fitted a nib into the penholder and sucked it to get the grease off. The pen was an archaic instrument, seldom used even for signatures, and he had procured one, furtively and with some difficulty, simply because of a feeling that the beautiful creamy paper deserved to be written on with a real nib instead of being scratched with an ink-pencil. Actually he was not used to writing by hand. Apart from very short notes, it was usual to dictate everything into the speak-write which was of course impossible for his present purpose. He dipped the pen into the ink and then faltered for just a second. A tremor had gone through his bowels. To mark the paper was the decisive act. In small clumsy letters he wrote:
In the latest Janus Cycle video he explained how he started carrying an IBM WorkPad c3 around to manage his contacts and appointments. I found that a great idea for people like me that struggle with deciphering their handwriting an hour later.
I've thought of going back to a palm pilot for the same thing. There are tons of Handspring and Palm Pilot Tungsten versions on ebay for under $40.
I believe the Palm T2 and T3 had bluetooth so would be interesting if you could connect the two to keep contacts and appointments off your smartphone. I'm seeing Handspring Treo 650's for under $100 as well.
If you're making money in the UK, they have a lot of legal authority over you.
If you're based in the UK, they have a lot of legal authority over you.
If you're neither of those things, they might complain, but the actual consequences are close to nil.
And they're not banning the tools (this is arguable, but they "can't" logically, as you point out). They're banning businesses from providing the tools.
Thats reassuring...but still frightening, just less so I guess.
Most of my homelab is self-hosted (Cloudflare and Tailscale stop me short of saying it's 100%, plus an Oracle VPS for a Minecraft server if you count the WHOLE stack I guess)...and you tell yourself its 'better to own your own data' or whatever your personal mantra is, but it's bizarre to see this play out
Because no US corp can promise you true E2EE. Even an app like Signal - are you sure the version you're getting from the App Store is always the one with "unbreakable E2EE"?
With Signal they provide a toolkit you can use to verify that the checksum for your App Store download matches that of the public build or one that you compile yourself.
edit: This is apparently currently not working for Apple and MS builds.
You may think you're being sarcastic, but you are just stating a true fact here. For about 99.9% of this planet's population, it's not just hard, it's something they'd never ever know how to do and have no intention to ever learn. Like it or hate it, but that's what it is.
And, for 99.9% of people who know how to do that, they'd still be too lazy to do it properly (hint: where do you keep secret.txt exactly? What happens if your dog eats it?) and will use some third-party solution instead.
Reminds me of using Ansible Vault and preciously encrypting every secret (so we can say that repos doesn't contain any secrets), then just putting ~/.vault_pass in plaintext on every Ansible controller to be taken by anyone with access to the servers.
The author of AGE has a great point in the below blog post [0]:
If you use something like SOPS or just check age secrets into a git repository next to source code, you need an authentication story for the whole repository. Having authentication for the secrets will do nothing if the attacker can change the source code that decrypts and uses them.
That story can simply be “we trust GitHub” like most projects. Encrypting secrets with age will keep them confidential even if the project is Open Source, and anyone wanting to replace them will have to make a PR even if they can generate a new valid age file.
Hidden. Encrypted. And the passphrase is: at 5,21 which is the 5th line on page 21 of your favorite book. Which you have more than one copy of, because you like it that much. And you need copies to lend. Or you have the PDF from Gutenberg.org?
And 5/21 might be the birthday of your first child, or your wedding day, or whatever?
It might be a favorite quote, like "Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety." Augmented by the above date if needed?
Hidden where? Are you writing it on a post-it and putting it on top of your screen? Are you keeping it in your wallet? In a safe? What if you lose it or your house is flooded?
> And 5/21 might be the birthday of your first child, or your wedding day, or whatever?
How sure are you that you'd remember all that scheme for 20 years? How about 50 years? Some documents may be relevant for a very long time. What about if you need more than one key? What about if you need to give access to one document to specific set of persons?
Once you consider all the scenarios that can happen through a lifetime, you start to understand why managing all those complexities correctly is not trivial. And that's why people pay third parties to do it for them. It's not because encrypting a bag of bytes is hard. It's because of all the things that surround it.
A post it with master password on the fridge seems much safer to me than simple repeatedly used passwords. Computer can get hacket but the post it on the fridge is harder to hack.
Some people are lucky with memory that works extremely well with numbers. My memory is average but when it comes to numbers, I remember serial numbers of certain products, enrollment numbers etc from more than a decade ago.
HP-L170 (A monitor I bought)
QW4HD-DQCRG-HM64M-6GJRK-8K83T (Windows XP key)
10396-9 (My enrollment number for board exam)
I remember a bunch of long-ago-abandoned phone numbers as well.
I could probably remember one or two things like that key, but retaining it over the years would be questionable... I used some of my favorite quotes as the passphrases for some of my crypto wallets, and once spent an annoying week when it turned out I misremembered one of them and lost access to some bitcoin. Not a huge value - it's about $1k worth now - but still unpleasant, and I had to spend quite some time figuring out how to recover it (fortunately, it worked). So since then I'm more careful about "I'll surely remember it" thing.
As of now I have to care for my (digital) backups, that is, I cannot ignore them for N years. I had to copy things from discettes to magnetic tape, from tape to hard drives, etc. I have to periodically check my backups if they are restorable. That's life.
It's the same for documents, as for secrets, which I have to transfer from one medium to another, I have to check that I remember secrets and passphrases. And places. As I already said, that's life.
There are hundreds of millions of people who have memorized megabytes of baseball statistics, pop song lyrics, celebrity relationship trivia, vehicle model data, sitcom character biographies, comic book plots, makeup shades, travel routes, mixed drink recipes, MtG card modifiers, etc.
At a certain point, one has to realize that pulling the "normie card" is not a viable excuse, given the wide array of knowledge that humans routinely pack into their brains.
The double entendre occurred to me, I don't disagree.
But the relative ease does not merely apply to users, but to the barrier of entry for alt products as well.
Consider that the current paradigm is contingent on the "blind trust" users have held in tech for a long time. It's possible that a new kind of app will thrive in a different paradigm.
For example, is there any reason we couldn't have a simple "message wrapper" which only sends encrypted payloads via SMS or Email and decrypts on the fly in a secure sandbox? Easy for the user and hard to regulate.
Threat modeling is important of course. The UK government does have tools with which to punish people who don't turn over the cleartext of targeted documents once it's directly investigating them, but that's not scalable. The method the grandparent comment proposes greatly reduces one's exposure to mass surveillance, criminals, and abusive service providers.
It seems like the real solution is de-UK'ing, a wise move for a number of reasons. Move to the continent, to Ireland, or the US (or Australia for that classic British expat experience), but leave the sinking ship. Ideally the time to leave was when the passport was still in the EU, but now is better than never.
>Not all of those companies will loudly object in the way Apple does.
This assumes that Apple has loudly objected to every government request for backdoor access and also that they have never acquiesced to any of those requests.
Of the major consumer tech companies, isn't Apple still the leader in terms of privacy? (yes, that's a low bar)
And, it's just ADP being affected by the UK mandates? What % of users bother enabling ADP? I probably should, but haven't bothered (am I being foolish?).
I guess it depends on the individual’s threat model. If government is the primary concern and they are a UK person, then maybe not. If it’s their employer or random hacker then maybe so.
Hopefully pretty soon Apple will have to provide the same functionality iCloud monopolizes so you can have an equivalent service. But right now you can do an encrypted transmission to a privately-owned NAS like Synology and then E2E cloud storage provider of your choice, with the caveat that things like background syncing are strategically monopolized and no app may backup your full phone.
It's a bit like the famous HN post where somebody said that Dropbox is not needed if you have rsync and friends.
Technically this can even be correct. You can build and operate a good, secure solution for yourself if you have time and skill to build. Could make sense for a company handling sensitive data. Would hardly make sense for most individuals who are not professional SREs / SWEs. (To check how it feels, an engineer can try to sew themself a pair of pants to wear daily, or do something similarly mundane in what they are not skilled.)
A solution that can reliably work for non-experts is very important.
Sure but in this case most of the difficulties are artificially imposed by Apple, depending on how the tribunal responds to their alleged iCloud monopoly it could become as simple as choosing a compatible provider and putting your username/password in.
And as soon as you have "a provider" as a business entity, UK government can ban them from providing E2EE solutions to Apple users the same way they did ban Apple. Or the provider would just silently bend over hand hand all the keys to the UK govt.
They can't police every online server you can possibly rent, and they can't police them "all at once" like they can with the Google/Apple duopoly, all they can do is go after them one-by-one as they need access and as we see with 4chan, rejecting their assertions on jurisdiction is certainly an option.
They can't. But they can police any service that has substantial number of users. And that's what most of the people would use. So, the hardened criminals would use their own underground darknet services which the government couldn't breach, but the regular people would have no privacy at all.
> 4chan, rejecting their assertions on jurisdiction is certainly an option.
4chan can tell UK regulators to take hike because 4chan has no business presence in the UK. Any service that does want to serve UK users and is successful in doing so, will eventually find itself in UK regulators' crosshairs. For services that are based outside UK, they'd just stop serving UK users because that's the easiest way to handle it. Which is completely fine with UK regulators, in fact, that's exactly what they want - so that nobody would be able to provide privacy to UK subjects.
I have done all this. All inhad to do was provide my passport scans, fingerprints, photos of my face, phone number so now I can use tencent cloud in china! /s
> Otherwise, please make sure you de-Apple, de-Google, and de-American Stack yourself when you have time, clarity, and focus to do it. Start today.
I don't understand the core of this advice. So if you're in the UK and do all the above, can you suddenly get similar E2EE cloud storage from a different provider without a UK government-mandated backdoor?