Notices by Matthew Green (matthew_d_green@ioc.exchange)

Update to this story: I’ve now heard reports that Wang’s students have been unable to contact him since mid-March. His website was taken down on the 19th.

Some early non-Indiana coverage of this story. https://talkingpointsmemo.com/edblog/sketchy-first-reports

I am jumping down with frustration at our academic community. People: we cannot do anything if everyone is unaware of professors getting arrested for multiple weeks.

Xiaofeng’s profile is no longer available on IU sites. So here’s his Google Scholar. https://scholar.google.com/citations?user=pONu-5EAAAAJ&hl=en

House belonged to Xiaofeng Wang.

I just heard that a cryptography professor at Indiana University had his house raided and was fired. Don’t know much more. https://www.heraldtimesonline.com/story/news/local/2025/03/28/fbi-department-of-homeland-security-agents-search-house-in-bloomington-indiana/82710451007/

Money quote(s) from the article. Note that there is no “you can’t deny” clause in the U.K. law.

Senator Wyden asked both companies to confirm or deny that they’d received TCNs. Both parties said, essentially, “if we got one we wouldn’t be allowed to tell you under U.K. law.” https://www.wyden.senate.gov/news/press-releases/bipartisan-members-of-congress-to-uk-spy-court-uk-gag-orders-for-surveillance-backdoors-threaten-americans-security-and-privacy-impede-congressional-oversight

This maybe confirms a bad feeling I was getting a few weeks back. https://ioc.exchange/@matthew_d_green/113929669316823012

So I am getting the distinct feeling that Google (in addition to Apple) got a Technical Capability Notice from the U.K.

So here’s a simple request to Apple. Apple iMessage needs to enable “disappearing messages.” And they need to do it soon. https://blog.cryptographyengineering.com/2025/03/01/dear-apple-add-disappearing-messages-to-imessage-right-now/

This move will not affect:

iMessage encryption (though backed-up messages will now be available at Apple)
iCloud Keychain
FaceTime
Health data

Other services like iCloud Backup and Photos and text message backups will not be end-to-end encrypted.

Additionally:

"Apple can no longer offer Advanced Data Protection (ADP) in the United Kingdom to new users and current UK users will eventually need to disable this security feature. ADP protects iCloud data with end-to-end encryption, which means the data can only be decrypted by the user who owns it, and only on their trusted devices. We are gravely disappointed that the protections provided by ADP will not be available to our customers in the UK given the continuing rise of data breaches and other threats to customer privacy. Enhancing the security of cloud storage with end-to-end encryption is more urgent than ever before. Apple remains committed to offering our users the highest level of security for their personal data and are hopeful that we will be able to do so in the future in the United Kingdom. As we have said many times before, we have never built a backdoor or master key to any of our products or services and we never will.”

Apple has yanked Advanced Data Protection in the U.K. https://www.bbc.com/news/articles/cgj54eq4vejo

Let’s be clear about what this article is saying. The U.K. has a law that allows it to issue “technical capability notices” to companies. These notices require the company to effectively disable, or secretly backdoor, their encryption mechanisms.

The U.K. may be preparing to issue Apple an order that forces them to (secretly) disable encryption. https://www.washingtonpost.com/technology/2025/02/07/apple-encryption-backdoor-uk/

This is a company that has cloud backup E2E encrypted as a default. And so at first I assumed that this was just a business demand — that it was costing the company a lot to keep this service running. But now I’m getting more worried about it. Maybe I’m paranoid.

So why am I tweeting about this on a Saturday? Because something funny happened recently.

I heard (thirdhand) from a person at Big Company X that they were under pressure to disable end-to-end encryption for cloud backup.

So maybe it would be good to give a lay of the land on this issue. Here is what I know about fully-E2E backup in major services:

Apple iCloud: available as an opt-in (called ADP)

Google: on for Android backups, if you use Google/Android backup (caveats)

Meta/WhatsApp: available opt-in, sometimes by default (for texts)

Things have been relatively quiet on the “crypto wars” front, which makes me think we’re going to see something dramatic soon. Maybe not here in the US, but probably from another US-allied country.