naito8 - stock.adobe.com

UK and US call on Facebook to walk back encryption plans

The US, Australian and UK governments have asked Facebook to ditch plans to deploy end-to-end encryption across Facebook Messenger, Instagram and WhatsApp

UK home secretary Priti Patel, US attorney general William Barr and homeland security secretary Kevin McAleenan, and Australian home affairs minister Peter Dutton have written to Facebook’s Mark Zuckerberg urging him to reconsider the social media giant’s planned use of end-to-end encryption on messaging services.  

The letter, an advance copy of which was obtained by Buzzfeed News, asks that Facebook ensures that user safety is protected by incorporating a backdoor for law enforcement to access users’ communication data if needed.

It referred to a blog post made on 6 March 2019, entitled “A privacy focused vision for social networking”, in which Zuckerberg revealed plans to amalgamate the Facebook Messenger and Instagram services with its WhatsApp service, incorporating end-to-end encryption across all three.

At the same time, Zuckerberg said there were real safety concerns inherent in implementing end-to-end encryption and acknowledged that the organisation had a responsibility to work with law enforcement where necessary.

But the letter’s authors wrote: “Unfortunately, Facebook has not committed to address our serious concerns about the impact its proposals could have on protecting our most vulnerable citizens.

“We support strong encryption, which is used by billions of people every day for services such as banking, commerce and communications. We also respect promises made by technology companies to protect users’ data.

“However, as your March blog post recognised, we must ensure that technology companies protect their users and others affected by their users’ online activities. Security enhancements in the virtual world should not make us more vulnerable in the physical.”

The letter added: “We must find a way to balance the need to secure data with public safety and the need for law enforcement to access the information they need to safeguard the public, investigate crimes, and prevent future criminal activity. Not doing so hinders our law enforcement agencies’ ability to stop criminals and abusers in their tracks.”

The letter went on to say that tech companies should not deliberately design their systems to preclude any form of access to content for criminal investigations and argued that this put citizens and societies at risk.

Four steps for Facebook

It called on Facebook to take four steps: to embed public safety in system designs to enable itself to continue to act against illegal content with no reduction to safety, and facilitating prosecution of offenders and safeguarding of victims; to enable law enforcement to access content in a readable and usable format; to consult with governments to do this in a substantive way that genuinely influences design decisions; and to not implement the proposed encryption until it can ensure the public safety systems are tested and operational.

TechUK’s head of national and cyber security, Talal Rajab, agreed that a balance needed to be struck between effective encryption and public safety.

“We welcome the government’s recognition of the importance of strong encryption and its support for the tech sector’s commitment to protecting user data,” he said. “Strong encryption is vital for ensuring the security of digital services and any limiting of its use will harm efforts to keep people secure online.

“In a world of increasing cyber threats, government and industry must continue to work together to find good and effective solutions to law enforcement challenges that do not put millions of innocent users at risk by restricting the use of encryption or implementing so-called backdoors.”

But in the wake of the letter’s publication, others were less complimentary. Hannah Quay-de la Vallee, a senior technologist at the Center for Democracy and Technology, said: “Strong encryption and end-to-end security are bedrock technologies that keep information safe online. These technologies protect billions of communications every day, from the sensitive correspondence of victims of domestic violence to businesses’ financial records to our private medical information.

“Creating a law that would mandate weaker and less secure technology is like mandating crumbling sidewalks to prevent criminals from escaping. It’s ridiculous, it won’t work, and it puts us all at far greater risk of serious injury.”

Read more about encryption

  • The web is moving to HTTPS. Find out how to encrypt websites using HTTPS to stop eavesdroppers from snooping around sensitive and restricted web data.
  • Explore the differences between symmetric vs asymmetric encryption algorithms, including common uses and examples of both, as well as their pros and cons.
  • Android encryption has evolved over the years, and full-disk encryption isn’t an option in Android 10. IT must learn the best native encryption options for managed Android devices.

In a blog post, Peter Micek, general counsel at global digital rights organisation Access Now, said: “Strong encryption remains the last line of defence against unlawful access to our data, and protects all users from identity theft, scams and fraud.

“Both Facebook and law enforcement already enjoy robust tools to uncover and pursue perpetrators of illegal activities. Weakening encryption only puts innocent lives at risk. Survivors of sexual abuse and exploitation need more protection for the privacy and security of their personal data and accounts – not less.”

Speaking on Twitter, NSA whistleblower Edward Snowden added simply: “If Facebook agrees, it may be the largest overnight violation of privacy in history.”

In a statement emailed to Computer Weekly, a Facebook spokesperson said the organisation believed people had the right to hold private conversations online, and as both the UK and US had acknowleged, the US Cloud Act allows for companies such as Facebook to provide available information when they receive valid legal requests, without requiring them to build backdoors.

“We respect and support the role that law enforcement has in keeping people safe,” said the spokesperson. “Ahead of our plans to bring more security and privacy to our messaging apps, we are consulting closely with child safety experts, governments and technology companies and devoting new teams and sophisticated technology so we can use all the information available to us to help keep people safe.

“End-to-end encryption already protects the messages of over a billion people every day. It is increasingly used across the communications industry and in many other important sectors of the economy. We strongly oppose government attempts to build backdoors because they would undermine the privacy and security of people everywhere.”

More access for police

The letter’s publication comes the day after Barr and Patel signed a bilateral data access agreement between the UK and the US – with the intention of speeding up law enforcement investigations by enabling the authorities in both countries to go straight to tech companies to access user data.

This means that they will no longer have to rely on the Mutual Legal Assistance (MLA) process to obtain data through the other’s government, which can take between six months and two years.

“Terrorists and paedophiles continue to exploit the internet to spread their messages of hate, plan attacks on our citizens and target the most vulnerable,” said Patel.

“This historic agreement will dramatically speed up investigations, allowing our law enforcement agencies to protect the public.”

The Home Office said the agreement would accelerate complex investigations into serious crimes, such as those of sex offender Matthew Falder, described by the National Crime Agency as “one of the most prolific and depraved offenders” it had ever encountered.

The investigation into his crimes lasted four years and the NCA has maintained that this process could have been shortened if it had received more co-operation from tech companies.

The agreement will see the US have reciprocal access to any needed data from UK communication service providers (CSPs) in accordance with its own legislation.

The Home Office said the agreement changed nothing about the way companies such as Facebook use encryption, or stop them from encrypting data, and that the UK had received assurances in line with its use in regard to offences that carry the death penalty in the US, although it did not detail these assurances.

Backdoors are a terrible idea, say CISOs

Back in August, a survey produced on behalf of security services supplier Venafi found that 74% of security professionals believed encryption backdoors such as those being requested by Australia, the UK and the US made countries more vulnerable to cyber attack, and 72% believed that letting law enforcement access encrypted personal data would not make people safer.

The firm polled attendees of Black Hat USA 2019 in Las Vegas, and its findings echoed a similar study conducted in March 2019 by RSA.

“We know that encryption backdoors dramatically increase security risks for every kind of sensitive data, and that includes all types of data that affects our national security,” said Kevin Bocek, Venafi vice-president of security strategy and threat intelligence at the time.

“The IT security community overwhelmingly agrees that encryption backdoors would have a disastrous impact on the integrity of our elections and on our digital economy as a whole.”

Alex Balan, chief security researcher at BitDefender, said: “Those that remember the clipper chip will know that it was a bad idea then and it will always be a bad idea to punch holes into security systems. While privacy is a key factor in this debate, it goes far beyond this. Big brother spying on you is, quite frankly, the least concern here. It’s about weakening security systems, facilitating easier access to cyber criminals and the impact that can have. Not to mention that it’s outright futile.

“Firstly, governments want to be able to decrypt the traffic of end-users. While much will be done to keep the technology used secret, history has taught us that it won’t be long before hackers will exploit it massively. This means that everyone will have what’s left of their intimate online activities exposed publicly.

“Secondly, it’s impossible to put a break or gag on technology. Not even North Korea, China or, to their eternal shame, the US can do it. It wasn’t possible back in the day when they tried to outlaw RSA encryption and put crypto researchers in jail, and they sure can’t do it now with the number of options to anonymously create and disseminate both information or technology.”

Balan said that, taken together, this would weaken everyone’s security, while malicious actors move on to a different means of communication, or even create something new themselves. “It’s not just damaging, it’s stupid,” he said.

Read more on Privacy and data protection