Security Updates

Apple will update iPhones for at least 5 years in rare public commitment

finally, something in writing —

UK regulation requires companies to say how long they plan to provide support.

Apple has taken a rare step and publicly committed to a software support timeline for one of its products, as pointed out by MacRumors. A public regulatory filing for the iPhone 15 Pro (PDF) confirms that Apple will support the device with new software updates for at least five years from its “first supply date” of September 22, 2023, which would guarantee support until at least 2028.

Apple published the filing to comply with new Product Security and Telecommunications Infrastructure (PSTI) regulations from the UK that went into effect in late April. As this plain-language explainer from the Center for Cybersecurity Policy and Law summarizes, the PSTI regulations (among other things) don’t mandate a specific support window for manufacturers of Internet-connected devices, but they do require companies to publish a concrete support window and contact information for someone at the company who can be contacted with bug reports.

As publications like Android Authority have pointed out, five years is less than some Android phone makers like Google and Samsung have publicly committed to; both companies have said they’ll support their latest devices for seven years. But in reality, Apple usually hits or exceeds this seven-year timeline for updates—and does so for iPhones released nearly a decade ago and not just its newest products.

2017’s iPhone 8 and iPhone X, for example, are still receiving iOS 16 security updates. 2015’s iPhone 6S and 2016’s iPhone 7 were receiving iOS 15 updates as recently as March 2024, though these appear to have dried up in recent months. Each of these iPhones also received six or seven years’ worth of new major iOS releases, though not every phone that gets an iOS update supports every feature that newer devices get.

So Apple’s five-year pledge is notable less because it’s an improvement on or departure from the norm but more because Apple virtually never commits to software support timelines in writing.

Take those iOS 15 updates—Apple provided them for nearly a year and a half for iPhones and iPads that didn’t meet the requirements for iOS 16 or 17 but then abruptly (apparently) stopped releasing them. There was never a public commitment to continue releasing iOS 15 updates after iOS 16 came out, nor has there been any statement about iOS 15 updates being discontinued; we can only assume based on the fact that multiple iOS 16 and 17 updates have been released since March with no corresponding update for iOS 15.

The situation with the Mac is the same. Apple’s longstanding practice for decades has been to support the current version of macOS plus the two preceding versions, but that policy is not written down anywhere.

Contrast this with Microsoft, which generally commits to 10-year support timelines for new versions of Windows and publishes specific end-of-support dates years in advance; when Microsoft makes changes, it’s usually to extend the availability of updates in some way. Google has been making similar commitments for Chromebooks and officially certified ChromeOS Flex devices. These public timelines may tie a company’s hands, but they also make it easier for individuals, businesses, and schools to plan technology purchases and upgrades, and make it easier to know exactly how much support you can expect for a hand-me-down used or refurbished system.

Though the PSTI regulations only technically apply in the UK, it’s unlikely that Apple would go to the trouble of releasing iOS security updates in some countries without releasing those updates in all of them. But because a five-year support timeline is so much shorter than what Apple normally provides, it probably won’t matter that much. If Apple exceeds its stated support timeline, the PSTI law requires it to publish a new timeline “as soon as is practicable,” but for now, that date is far off.

Apple warns proposed UK law will affect software updates around the world

Heads up —

Apple may leave the UK if required to provide advance notice of product updates.

Apple is “deeply concerned” that proposed changes to a United Kingdom law could give the UK government unprecedented power to “secretly veto” privacy and security updates to its products and services, the tech giant said in a statement provided to Ars.

If passed, potentially this spring, the amendments to the UK’s Investigatory Powers Act (IPA) could deprive not just UK users, but all users globally of important new privacy and security features, Apple warned.

“Protecting our users’ privacy and the security of their data is at the very heart of everything we do at Apple,” Apple said. “We’re deeply concerned the proposed amendments” to the IPA “now before Parliament place users’ privacy and security at risk.”

The IPA was initially passed in 2016 to ensure that UK officials had lawful access to user data to investigate crimes like child sexual exploitation or terrorism. Proposed amendments were announced last November, after a review showed that the “Act has not been immune to changes in technology over the last six years” and “there is a risk that some of these technological changes have had a negative effect on law enforcement and intelligence services’ capabilities.”

The proposed amendments require that any company that fields government data requests must notify UK officials of any updates it plans to make that could restrict the UK government’s access to this data, including any updates impacting users outside the UK.

UK officials said that this would “help the UK anticipate the risk to public safety posed by the rolling out of technology by multinational companies that precludes lawful access to data. This will reduce the risk of the most serious offenses such as child sexual exploitation and abuse or terrorism going undetected.”

According to the BBC, the House of Lords will begin debating the proposed changes on Tuesday.

Ahead of that debate, Apple described the amendments on Monday as “an unprecedented overreach by the government” that “if enacted” could allow the UK to “attempt to secretly veto new user protections globally, preventing us from ever offering them to customers.”

In a letter last year, Apple argued that “it would be improper for the Home Office to act as the world’s regulator of security technology.”

Apple told the UK Home Office that imposing “secret requirements on providers located in other countries” that apply to users globally “could be used to force a company like Apple, that would never build a backdoor, to publicly withdraw critical security features from the UK market, depriving UK users of these protections.” It could also “dramatically disrupt the global market for security technologies, putting users in the UK and around the world at greater risk,” Apple claimed.

The proposed changes, Apple said, “would suppress innovation, stifle commerce, and—when combined with purported extraterritorial application—make the Home Office the de facto global arbiter of what level of data security and encryption are permissible.”

UK defends proposed changes

The UK Home Office has repeatedly stressed that these changes do not “provide powers for the Secretary of State to approve or refuse technical changes,” but “simply” require companies “to inform the Secretary of State of relevant changes before those changes are implemented.”

“The intention is not to introduce a consent or veto mechanism or any other kind of barrier to market,” a UK Home Office fact sheet said. “A key driver for this amendment is to give operational partners time to understand the change and adapt their investigative techniques where necessary, which may in some circumstances be all that is required to maintain lawful access.”

The Home Office has also claimed that “these changes do not directly relate to end-to-end encryption,” while admitting that they “are designed to ensure that companies are not able to unilaterally make design changes which compromise exceptional lawful access where the stringent safeguards of the IPA regime are met.”

This seems to suggest that companies will not be allowed to cut off the UK government from accessing encrypted data under certain circumstances, which concerns privacy advocates who consider end-to-end encryption a vital user privacy and security protection. Earlier this month, civil liberties groups including Big Brother Watch, Liberty, Open Rights Group and Privacy International filed a joint brief opposing the proposed changes, the BBC reported, warning that passing the amendments would be “effectively transforming private companies into arms of the surveillance state and eroding the security of devices and the Internet.”

“We have always been clear that we support technological innovation and private and secure communications technologies, including end-to-end encryption, but this cannot come at a cost to public safety,” a UK government official told the BBC.

The UK government may face opposition to the amendments from more than just tech companies and privacy advocates, though. In Apple’s letter last year, the tech giant noted that the proposed changes to the IPA could conflict with EU and US laws, including the EU’s General Data Protection Regulation—considered the world’s strongest privacy law.

Under the GDPR, companies must implement measures to safeguard users’ personal data, Apple said, noting that “encryption is one means by which a company can meet” that obligation.

“Secretly installing backdoors in end-to-end encrypted technologies in order to comply with UK law for persons not subject to any lawful process would violate that obligation,” Apple argued.
