UK government demanding access to encrypted iCloud

milicent_bystandr@lemm.ee

Thanks for the well-meaning advice.

The recovery password in iCloud to stop even Apple accessing it is exactly what the UK is trying to undermine. It protects you - for now.

I tried to start using pgp for email years ago, the problem is of course adoption by everyone you're communicating with, be that personal, corporate or official. I got one friend to make a gpg key! And most email servers, as I understand, pass to each other with TLS, and the connection from your computer to your email service is encrypted. The problem is the emails at rest on both ends, including hosted by the email provider. Moving my email off Fastmail, whether to something like Protonmail or stored only on my computer, would remove one particular attack surface.

milicent_bystandr@lemm.ee

And yet the other day I read an account of researching tracking for ads, and the iPhone used sent a request to Facebook even before anything was installed

A bit of a different thing, but still.

I'm thinking CalyxOS for my next phone.

milicent_bystandr@lemm.ee

Smaller attack surface and fewer leaks. If you specifically are targeted, the government will look for a warrant for the data in your account, rather than the one you sent to. Gmail also I think there's a concern that text will leak via AI - I remember hearing this concern even when it was just that associations in search terms might build from private email content.

I don't think gayhitler is entirely correct about reading all the plaintext emails. If I understand right, major (most?) email providers use TLS (encryption) between each other and and to your laptop. The difference is the email is available on their servers somewhere, if someone were to get access.

nursery2787@lemmy.ml

Last I heard it’s the only phone with a dedicated encryption chip, so encryption of everything doesn’t burn your battery. Is this still true?

gayhitler@lemmy.ml

Here’s hoping Apple sticks to their guns and pulls adp instead of caving.

In case you didn’t see it a few weeks ago, 3.3 million servers are doing unencrypted transport.

The way email delivery is handled also means you’re not safe just because you aren’t talking to those servers.

telorand@reddthat.com

They're not anonymous, contrary to common perception. They're encrypted, but they know things like your IP address and which IP addresses you're communicating with, even if they don't know the content of your messages. Some of them explicitly state as much.

Depending on the local laws of the company or servers, they might be compelled to share whatever data they do have, which could be enough info to assist law enforcement in making an arrest, even if they can't see the message itself.

If you want anonymous email use, you have to use a logless VPN at a minimum every time you access a third party encrypted email service. That way neither side of the email exchange can tie your IP address to you.

catloaf@lemm.ee

Crypto instructions have been standard in CPUs for decades now. I don't know about mobile CPUs specifically, but the AES instructions have been around since 2008.

gayhitler@lemmy.ml

Of course, I only meant that unlike Gmail and such services like proton don’t actively impede your anonymity and build a profile on you as far as we know.

pika@sh.itjust.works

Proton does require you to have a dedicated phone number to sign up though, like that was my main thing that swayed me away from making a protonmail account was when I went to sign up I was met with a phone number requirement and I'm like "oh well this isn't going to be helpful"

gayhitler@lemmy.ml

I think I got in before they started doing that.

Actually I don’t think they require that. I just set up a new proton account on a device with a fresh wipe from a vpn endpoint I never used before and they offered to record a phone number or recovery email but didn’t require it.

pika@sh.itjust.works

Can you tell me which endpoint that you used? Cuz I just tried using a VPN endpoint from Switzerland Sweden and Ukraine and all three of them brought up a requirement to have a verification email

engineergaming@feddit.nl

Secure? Idk, maybe. But definitely not private.

gayhitler@lemmy.ml

Mullvad us Denver 205.

I’m also using their encrypted dns though that shouldn’t matter. Recording an email might be a regulatory requirement of the intelligence sharing treaties of the eu and broader eurozone.

Try an endpoint outside of the western world and see what happens!

milicent_bystandr@lemm.ee

Wow, thank you for this! But it looks like IMAP and POP, not server-to-server. And how would one of these severs compromise security if not one of the end points?

pika@sh.itjust.works

Yeah weirdly enough it ended up being a browser issue, Firefox wasn't able to use anything but email verification but Chrome was able to offer a captcha in place of it

nursery2787@lemmy.ml

Yeah but phones have had a problem where using the main chip for encryption would basically use all the battery. For a while Apple was the only one who didn’t have this issue because they included dedicated chips to handle the encryption. So they were even able to jump in to the “whole phone encryption” by default. While android phones had to leave it as a checkbox in settings that would eat your battery.

I just don’t remember if google ever got around to addressing the issue.

zerush@lemmy.ml

In 2026 good old steganographic messages, like in North Corea

catloaf@lemm.ee

I've always Android phones with encryption enabled, since about 2014, and I've never noticed any issue, nor had I heard about this before.

reversalhatchery@beehaw.org

Op: read about pgp/gpg. Do it now. When you don’t understand something ask questions about it instead of giving up.

While that's usable for files, they cannot use it for the app backups and conta ts and such that the system creates on iCloud