Threat to iPhone security is unprecedented
Apple’s tricky dance with Putin’s henchmen continues. Less than a month after reports it had “silently removed VPN Apps from Russia’s App Store,” the iPhone maker “informed RFE/RL that it has removed Current Time’s app from the Russian version of its App Store at the request of Roskomnadzor,” Russia’s toothy regulator.
Current Time is the Russian language network of Radio Free Europe / Radio Liberty, which is independent albeit funded by a US Congress grant. In February, Russia’s Ministry of Justice declared the network “undesirable.” There is no new statement from RFE/RL on its App Store ban, but its president Stephen Capus had dismissed the “undesirable” tag as an “attempt to stifle us [that] will only make RFE/RL work harder to bring free and independent journalism to the Russian people.”
No surprises on either front, of course. VPNs are the only way the tech savvy populace of Russia—and Iran, China, etc—can tap into non-censored information. And media outlets broadcasting directly into the territories represent a clear risk to the disinformation and misinformation dictating what people know or don’t.
Following the latest purge of VPNs available to Russia’s iPhone users, Fight for the Future’s Evan Greer warned that “the fact that nearly 100 VPN apps are now unavailable in Russia’s App Store highlights a disturbing trend of corporate complicity in state-sponsored censorship… Apple’s actions not only undermine the privacy and security of millions but also set a dangerous precedent for how tech companies may collaborate with authoritarian regimes. It’s imperative that Apple reverses this course and stands up for the rights of its users.”
I have approached Apple for any comment on its removal of apps in Russia.
Putting Russia and other such totalitarian regimes aside, the underlying issue is actually broader and impacts users in the US and Europe. As I have pointed out many times before, Apple’s (and Google’s and Meta’s) core security is based on the principle of can’t rather than won’t. What that means is that with the expanding application of end-to-end encryption, the platforms can’t remotely access your data or your cloud backups whether they want to or not—even if compelled by law enforcement.
This is why the arrest of Telegram’s Pavel Durov was such a watershed. It resulted in the platform appearing to change its approach to the monitoring and supply of user data to the authorities, after years of seemingly refusing to do so. In an instance, the repeated warnings from cyber experts that Telegram’s security marketing is just a veneer was suddenly a nightmare coming true for millions.
And it’s why the current push for end-to-end encryption to be opened up must be resisted. Whether it’s the proposed “chat control” legislation in the EU, Australia’s push to “enable law enforcement access to [E2EE] content in a readable and usable format where an authorization is lawfully issued,” or legislative pressure on big tech to open up platforms in the US over “failure to protect children online.”
Put simply, government agencies want back doors of some sort into secure platforms, or they want screening either side of the encrypted transmission to flag unlawful content. But doing either of those undermines the very principle of E2EE, yet the threat has never been more real than it is now with proposed law changes.
The most acute risk is actually not to those of us in the US or Western Europe, it’s the principle that major technology platforms need to adhere to local regulations. If Apple opens up its encryption to US or UK or Australian or EU agencies based on prevention of CSAM according to their local laws, how does it refuse to adhere to different laws in Russia or China to maintain operations in those countries? We all now use iMessage, WhatsApp, Signal, even Facebook Messenger and Google Messages, taking for granted the lock on our content. Once that goes, it goes.
This was one of the primary arguments against Apple’s device-side content screening back in 2021, which awkwardly coincided with “Apple and Google removing an app meant to coordinate protest voting in Russia’s elections from the country… The decisions came after Russian authorities, who claim the app is illegal, threatened to prosecute local employees of Apple and Google.” Clearly we can see echoes of that with the latest Apple news coming out of Russia.
“Any system that allows surveillance fundamentally weakens the promises of encryption,” EFF warned at the time. “No amount of third-party auditability will prevent an authoritarian government from requiring their own database to be added to the system.” And those risks have not changed. What’s to stop CSAM giving way to breaching local laws on sexual orientation or political dissent.
And so, as Russia (and China and others) clamp down on the apps available in their countries—with big tech mainly complying, Western democracies threaten the very security and privacy protections that still enable those populaces to use technology safely. We are facing down a game-changing problem. Once the can’t becomes won’t, it becomes almost impossible to resist local changes. The won’t becomes caveated and qualified rather than an absolute. And that will quickly become an ugly one-way street to somewhere we should fear, somewhere we really don’t want to be.
