this post was submitted on 07 Feb 2025
208 points (98.1% liked)

UK government is trying to get into iCloud end-to-end encryption. (Again?)

Makes me think about email servers too. Most of my private information is in emails, and not only do I use a service where the host machines access the email, so does almost everyone I email to/from.

[–] [email protected] 39 points 3 days ago (3 children)

Set an iCloud recovery passcode. It removes the ability to recover your iCloud account by verifying that you’re the owner but it also removes the ability of Apple to be compelled to access it.

Op: read about pgp/gpg. Do it now. When you don’t understand something ask questions about it instead of giving up.

Email was never intended to be private. It was never designed with privacy in mind and your use of a client employing an encrypted connection to your mail server does not solve the problem because tens of thousands of mail servers use unencrypted connections.

No one needs your iCloud to read your email, they can just look at the plaintext mail coming to and from the server.

[–] [email protected] 3 points 3 days ago (1 children)
[–] [email protected] 2 points 3 days ago

If the op has their information in emails and doesn’t want to move it somewhere else then pgp is a good way to at least secure those emails a little.

I don’t think it’s a panacea, but as methods of encrypting email go it’s widely supported enough that a person whose private information is stored in email will be able to figure something out.

[–] [email protected] 5 points 3 days ago (2 children)

Then what’s the point of services like Proton and Tuta over Gmail?

[–] [email protected] 12 points 3 days ago (1 children)

Anonymity and not being google or one of the other big mail providers.

Email is not an easily selfhostable service either. Modern spam filtering systems require the maintainer to jump through a bunch of hoops intended to defeat their anonymity and establish a recourse in case of problems.

[–] [email protected] 2 points 3 days ago (1 children)

They're not anonymous, contrary to common perception. They're encrypted, but they know things like your IP address and which IP addresses you're communicating with, even if they don't know the content of your messages. Some of them explicitly state as much.

Depending on the local laws of the company or servers, they might be compelled to share whatever data they do have, which could be enough info to assist law enforcement in making an arrest, even if they can't see the message itself.

If you want anonymous email use, you have to use a logless VPN at a minimum every time you access a third party encrypted email service. That way neither side of the email exchange can tie your IP address to you.

[–] [email protected] 3 points 3 days ago (1 children)

Of course, I only meant that, unlike Gmail and such, services like Proton don’t actively impede your anonymity and build a profile on you as far as we know.

[–] Pika 5 points 3 days ago* (last edited 3 days ago) (2 children)

Proton does require you to have a dedicated phone number or email to sign up though, like that was my main thing that swayed me away from making a protonmail account was when I went to sign up I was met with a phone number requirement and I'm like "oh well this isn't going to be helpful"

They claim it's to prevent abuse of the service, and that it's only the cryptographic hash which can be used to find out if the email has been used on an account before. But I dislike that it requires even giving that info.

Addendum: apparently this restriction may be based off of your region used and browser. I was able to finally successfully create an account using Chrome, but Firefox exclusively gave me email or phone number requirements.

[–] [email protected] 4 points 3 days ago (1 children)

I think I got in before they started doing that.

Actually I don’t think they require that. I just set up a new proton account on a device with a fresh wipe from a vpn endpoint I never used before and they offered to record a phone number or recovery email but didn’t require it.

[–] Pika 3 points 3 days ago* (last edited 3 days ago) (1 children)

Can you tell me which endpoint/region that you used? Cuz I just tried using a VPN endpoint from Switzerland, Sweden and Ukraine, and all three of them brought up a requirement to have a verification email.

edit: disregard apparently it was a browser issue, switched from Firefox to Chrome and reconnected to a Switzerland endpoint and it let me solve a captcha instead of using email verification system

[–] [email protected] 3 points 3 days ago (1 children)

Mullvad us Denver 205.

I’m also using their encrypted dns though that shouldn’t matter. Recording an email might be a regulatory requirement of the intelligence sharing treaties of the eu and broader eurozone.

Try an endpoint outside of the western world and see what happens!

[–] Pika 1 points 3 days ago* (last edited 3 days ago)

Yeah weirdly enough it ended up being a browser issue, Firefox wasn't able to use anything but email verification/phone number verification but Chrome was able to offer a captcha in place of it

[–] [email protected] 2 points 3 days ago (1 children)

But I dislike that it requires even giving that info

I never understood this stance... do people really think a corporation is going to risk their entire company over your anonymity when their country's government does not allow this? Nobody is going to jail for you.

Plus, if everyone could easily sign up anonymously, then like they said, it would be overrun with bots and the reputation of their IPs would quickly deteriorate to where most other email providers would just block them, making the service almost worthless.

[–] Pika 1 points 3 days ago* (last edited 3 days ago)

It's a privacy activist stance, privacy and security are always at a constant battle. There was a post about it a few weeks back, every attempt at security compromises privacy, because private info is the easiest way to lock security down, so it's always the route that companies take. Personally I don't think a corporation should have to risk their company over it, but I don't think a company that isn't privacy oriented should pretend to be. It's misleading. I give them credit that they might be good for privacy, but the entire operation gets undermined when, in order to sign up, it tries to force you into giving information that could identify you. The less information needed the better, and the less you can tell overreachers. If you don't have the information you don't have the information. That's Signal's motto, it's also Mullvad's motto, and it's the direction that Proton runs in if you can find your way through its hoops.

[–] [email protected] 3 points 3 days ago

Smaller attack surface and fewer leaks. If you specifically are targeted, the government will look for a warrant for the data in your account, rather than the one you sent to. Gmail also I think there's a concern that text will leak via AI - I remember hearing this concern even when it was just that associations in search terms might build from private email content.

I don't think gayhitler is entirely correct about reading all the plaintext emails. If I understand right, major (most?) email providers use TLS (encryption) between each other and to your laptop. The difference is the email is available on their servers somewhere, if someone were to get access.

[–] [email protected] 1 points 3 days ago (1 children)

Thanks for the well-meaning advice.

The recovery password in iCloud to stop even Apple accessing it is exactly what the UK is trying to undermine. It protects you - for now.

I tried to start using pgp for email years ago, the problem is of course adoption by everyone you're communicating with, be that personal, corporate or official. I got one friend to make a gpg key! And most email servers, as I understand, pass to each other with TLS, and the connection from your computer to your email service is encrypted. The problem is the emails at rest on both ends, including hosted by the email provider. Moving my email off Fastmail, whether to something like Protonmail or stored only on my computer, would remove one particular attack surface.

[–] [email protected] 3 points 3 days ago (1 children)

Here’s hoping Apple sticks to their guns and pulls adp instead of caving.

In case you didn’t see it a few weeks ago, 3.3 million servers are doing unencrypted transport.

The way email delivery is handled also means you’re not safe just because you aren’t talking to those servers.

[–] [email protected] 1 points 3 days ago (1 children)

Wow, thank you for this! But it looks like IMAP and POP, not server-to-server. And how would one of these servers compromise security if not one of the end points?

[–] [email protected] 2 points 3 days ago (1 children)

SMTP is only encrypted if the second server responds correctly to the first server's STARTTLS.

The striptls type of attack, which prevents the servers from getting a valid STARTTLS exchange, was in use over a decade ago by some telecom against its own customers.

Even if you know the person you’re emailing has a correctly configured client you can’t control a man in the middle attack between servers which has been in widespread use for years.
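The fallback behaviour described in this comment, seen from the sending server's side, as an added example that is not part of the original thread. The hostname, the EHLO replies and the `decide` helper are constructed for illustration; the "enforce" policy stands in for a sender that refuses cleartext delivery (the behaviour MTA-STS or DANE are meant to provide).

```python
# Added example: how a sending MTA's policy reacts when STARTTLS is
# missing from the receiving server's EHLO reply. All data is constructed.

NORMAL = ("250-mx.example.net Hello\r\n250-SIZE 52428800\r\n"
          "250-STARTTLS\r\n250 8BITMIME")
# Same reply as seen when something on the path removed the STARTTLS line.
STRIPPED = "250-mx.example.net Hello\r\n250-SIZE 52428800\r\n250 8BITMIME"

def parse_ehlo(reply):
    """Return the set of ESMTP extension keywords in a 250 EHLO reply."""
    lines = reply.strip().splitlines()
    if not lines or not all(line[:3] == "250" for line in lines):
        raise ValueError("not a 250 EHLO reply")
    extensions = set()
    for line in lines[1:]:            # first line is only the greeting
        body = line[4:].strip()       # skip '250-' or '250 '
        if body:
            extensions.add(body.split()[0].upper())
    return extensions

def decide(host, reply, policy, history):
    """Return (action, downgrade_suspected).

    policy  -- 'opportunistic' (fall back to cleartext) or 'enforce'
    history -- set of hosts that advertised STARTTLS on an earlier session
    """
    if "STARTTLS" in parse_ehlo(reply):
        history.add(host)
        return ("encrypt", False)
    # No STARTTLS offered: suspicious if this host offered it before.
    suspected = host in history
    if policy == "enforce":
        return ("defer", suspected)   # queue the mail, never send cleartext
    return ("plaintext", suspected)   # opportunistic TLS silently downgrades
```

With the opportunistic policy the message still goes out after the downgrade, and the remembered history is the only signal that anything changed.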

[–] [email protected] 2 points 3 days ago

And SMTP/IMAP do not support end-to-end encryption, so a malicious server can still spy on you even if it uses TLS.

[–] [email protected] 14 points 3 days ago (3 children)
[–] [email protected] 11 points 3 days ago
[–] [email protected] 4 points 3 days ago

it's a never ending cat-and-mouse game

[–] [email protected] 3 points 3 days ago (1 children)

I couldn't remember if UK gov have been trying to get access into iCloud e2e before; I'm sure they've been getting to mandate access to other encryption previously.

[–] [email protected] 2 points 3 days ago (1 children)

Did they try to ban Signal too?

[–] [email protected] 3 points 3 days ago (1 children)

Not Signal specifically, but they said they would shutter operations in the UK if the online "safety" bill passed. @[email protected] has posted a lot about it.

[–] [email protected] 3 points 3 days ago

Ha, thanks! That is what I was thinking

[–] [email protected] 6 points 3 days ago

Only possible as iOS fails to include a libre software license text file. We do not control it, anti-libre software.

[–] [email protected] 4 points 3 days ago (1 children)

In 2026 good old steganographic messages, like in North Korea

[–] [email protected] 2 points 3 days ago (1 children)

Whitespace steganography in markdown ;-)

[–] [email protected] 3 points 2 days ago (1 children)

Also innocent cat photos, a piece of music or in a voice message, in all of these you can encrypt hidden messages.

[–] [email protected] 3 points 2 days ago (1 children)

"Jones, take a look at these cat photos."

"Oh, they're lovely, sir!"

"No, Jones, look at them. What do they mean?"

"Well, sir, this one is hungry, so it's asking for food, but in its native American style. This one is looking at the camera funny, probably because it's been startled by something off camera. This one is looking smug, and the angry people there have been added by the artist, they're not from the same photo. This one--"

"Sit down, Jones. Look at their meaning. The terrorist attack will be at 2pm on the 23rd at South Kensington station, used as a distraction for the simultaneous heist in the Natural History Museum!"

[–] [email protected] 1 points 2 days ago (1 children)

LOL, but this isn't how steganography works. In a photo any pixel has a hex value; a minimal change to another value of one or some bits can't be seen by a human, and so the change of several pixels to a predefined value can hide a message, being invisible by sight, but readable by a corresponding app.

[–] [email protected] 2 points 2 days ago (1 children)

I know, but I liked the idea of sending messages by interpreting meaning in a series of cat memes :-)

By the way, do you know if steganography in an image is truly undetectable? Or if an attacker could, by statistical analysis or pattern analysis, determine that steganography has been used?

[–] [email protected] 2 points 2 days ago

It's not so easy to detect a steganographic message in a photo, sound file or video; it's only detectable with specific apps. But the main reason is that governments and security services first need a suspicion that this cute cat photo or a selfie of this guy on a beach is a secret message to make this analysis, much more likely to be suspicious of an encrypted message not feddable. This is surely more interesting to perform an in-depth analysis, instead of wasting time with thousands of vacations, selfies and kitten photos or analyzing the sound archive of your son playing Happy Birthday on his flute.
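The statistical analysis asked about in this exchange, as an added example that is not part of the original thread: least-significant-bit replacement changes no pixel by more than 1, yet it evens out the counts of each value pair (2k, 2k+1), which the classic chi-square test on pairs of values measures. The cover data is constructed with an exaggerated skew so the effect is easy to see, and a SHA-256 keystream stands in for an encrypted payload.

```python
# Added example: pairs-of-values chi-square statistic before and after
# LSB replacement. Cover pixels and payload are constructed.
import hashlib

def keystream_bits(n, seed=b"constructed-demo"):
    """n pseudo-random bits standing in for an encrypted payload."""
    bits, counter = [], 0
    while len(bits) < n:
        block = hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        for byte in block:
            bits.extend((byte >> i) & 1 for i in range(8))
        counter += 1
    return bits[:n]

def lsb_embed(pixels, bits):
    """Overwrite the least significant bit of each pixel with a payload bit."""
    out = list(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & ~1) | bit
    return out

def pair_chi_square(pixels):
    """Chi-square distance between each (2k, 2k+1) pair and its mean.

    A value near the number of occupied pairs or lower means the pair
    counts are almost equal, which is what full LSB replacement produces.
    """
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    stat = 0.0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2
        if expected > 0:
            stat += (even - expected) ** 2 / expected
    return stat

# Constructed cover: every even value 30 times, every odd value 10 times.
COVER = [v for v in range(256) for _ in range(30 if v % 2 == 0 else 10)]
STEGO = lsb_embed(COVER, keystream_bits(len(COVER)))

if __name__ == "__main__":
    print("cover:", pair_chi_square(COVER))
    print("stego:", pair_chi_square(STEGO))
```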

[–] [email protected] 3 points 3 days ago

For people recommending Tuta or Proton.

If only one party uses those services one would have to trust Tuta/Proton to not save a copy of an incoming unencrypted mail. If a government wants access, they have to obey or shut down. Asking the unencrypted email provider from the other party is the obvious other way to access your data.

Only open source E2E for both parties is trustworthy.