The amendments to the Investigatory Powers Bill, allegedly intended to make people safer, will undoubtedly make UK digital infrastructure a tempting target as the regulations will be weaken security there. The biggest problem for Apple, other than the steady erosion of encryption, is that essential security and privacy updates might be delayed or never appear — and without any transparency or scrutiny at all.
If passed, the law would mean that every tech security update must be reviewed by UK authorities before release, which will immediately delay distribution of vital security patches.
Hackers will immediately see this means any patched vulnerabilities will be secured in the UK last, making the nation an incredibly attractive target to attack. Hackers are organized enough to spot and exploit weakness. It’s what they do.
And if the UK rejects an update, that update cannot be released in any other nation and the public would not be informed of the decision.
So,… say, I find a major bug in a widely used software and inform the vendor. Said vendor informs the UK bodies and they reject the update and it is bound by the decision to stay silent and don’t patch it. What stops me now to go full public disclosure of the matter? From my perspective I told them the big, I might even have confirmation, that it’s worked on and then… silence. The only way to get this patched in a timely manner would be massive public pressure.
Police knocking on your door stop you. This is clearly an attempt to protect their own backdoors from being patched so they can continue eavesdropping
First - if I’m not from the UK, thats very unlikely. At least because the UK wants it to happen and not for other reasons.
Second - the moment the information is out, it’s too late. Their zero day is burned.
Third - the police needs to know where to knock. If I publish the information in a way that can be associated with my identity and I’m the one that alerted the vendor, sure. But even if I’m a completely random person that immediately goes full disclosure - doing so may in a way that identifies me might hurt me anyways, depending on my jurisdiction. So for individuals it might be the smarter play to make it less traceable.
Fourth - imagine Google’s Project Zero or another “huge player” finds the Bug and alerts the vendor. Google e.g. has a policy to fully disclose the bug, if there’s no fix within a specified time-frame. This might be extended for reasons, but only of there’s a good reason. If the vendor cannot say why they don’t patch, well that’s none of these reasons.
You’re missing the point. They are blocking the security patches themselves. “Google has a policy to…” is invalid when a nation state, especially not one with one of the strongest intelligence gathering apparatus in the world, has a law telling them what to do.
Google already works with the intelligence agencies. It would be naive to assume otherwise
A completely random person anonymously putting the information out online is not the person releasing the security patch. That’s probably why they are focusing of the updates themselves. Easier to hold someone responsible