Encryption & Key Management , Governance & Risk Management , Privacy
Facebook Pressured Over Encrypted Messaging PlansUS, UK and Australia Push for Law Enforcement Access
Facebook is falling under renewed pressure for its plans to make its messaging platforms fully encrypted, which several countries say will make it difficult to detect child exploitation and terrorism.
See Also: LIVE Webinar | Stop, Drop (a Table) & Roll: An SQL Highlight Discussion
The U.S., U.K. and Australia were sending a joint letter to Facebook Friday asking it to ensure that law enforcement can access messages. Buzzfeed first published a draft of the letter, which says Facebook should include a technical capability for lawful access.
“Companies should not deliberately design their systems to preclude any form of access to content, even for preventing or investigating the most serious crimes,” the letter says. It is signed by U.S. Attorney General William Barr; Riti Pratel, the U.K.’s Home Secretary; Peter Dutton, Australia’s Minister for Home Affairs; and Kevin K. McAleenan, the acting chief secretary of U.S. Homeland Security.
Computer security experts say it’s impossible to build in a capability – often referred to as a backdoor - that allows for law enforcement to access encrypted content but doesn’t raise the risks of hackers or nation-states discovering or exploiting the same capability. The letter fell under immediate criticism from technology civil liberties groups, including the Electronic Frontier Foundation.
“This is a staggering attempt to undermine the security and privacy of communications tools used by billions of people,” writes Andrew Crocker, a senior staff attorney, and Joe Mullin, a policy analyst at the foundation. “Facebook should not comply.”
The Center for Democracy & Technology says the letter “should set off red flags for citizens ... who care about their governments monitoring their communications and distributing their personal information to foreign law enforcement agencies.”
The CDT notes that U.S. law enforcement access to encrypted messages could be far more reaching than expected due to the Cloud Act, which was passed last year by the U.S. Congress.
The Cloud Act makes it easier for foreign governments that have agreements with the U.S. to gain faster access to stored electronic content rather than by using the Mutual Legal Assistance Treaty process. The first agreement was signed between the U.S. and U.K. on Thursday, according to Voice of America. The Cloud Act also makes it easier for U.S. investigators to obtain content held by U.S. companies on servers located overseas.
Although technology companies such as Google, Microsoft, Apple and others supported the Cloud Act, groups such as the American Civil Liberties Union have argued it doesn’t have enough legal mechanisms to prevent abuse.
Facebook: Against Backdoors
In a statement, Facebook says it strongly opposes “government attempts to build backdoors because they would undermine the privacy and security of people everywhere.”
“End-to-end encryption already protects the messages of over a billion people every day,” Facebook says. “It is increasingly used across the communications industry and in many other important sectors of the economy.”
The U.S., U.K. and Australia are part of the so-called Five Eyes alliance, which shares electronic signals intelligence. The three countries have sought to unify their messaging about their opposition to end-to-end encryption systems, which only store decryption keys on the devices of message senders and recipients.
Australia and the U.K. have modified their national laws to give law enforcement and securities agencies more tools to pressure technology companies to access content. While the laws stop short of mandating backdoors in software products, they include mechanisms to compel companies to provide technical assistance (see: Australia Passes Encryption-Busting Law).
The U.S. has yet to create those kinds of laws, but some anticipate they may be coming (see: Attorney General Barr Argues for Access to Encrypted Content).
“Creating a law that would mandate weaker and less secure technology is like mandating crumbling sidewalks to prevent criminals from escaping,” says Hannah Quay-de la Vallee, the CDT’s senior technologist. “It’s ridiculous, it won’t work and it puts us all at far greater risk of serious injury.”
Crucial Crime Tips
Facebook implemented end-to-end encryption in WhatsApp three years ago. The application employs the Signal protocol developed by Open Whisper Systems. Facebook only has access to encrypted messages and does not centrally store the keys.
To access unencrypted messages, law enforcement would need to seize the devices of either the recipient or the sender and then unlock the device, which likely would be passcode protected.
"Our understanding is that much of this activity, which is critical to protecting children and fighting terrorism, will no longer be possible if Facebook implements its proposals as planned."
—letter from U.S., U.K. and Australian officials
In light of growing concerns about Facebook’s privacy practices, CEO Mark Zuckerberg wrote in March that the company would increasingly focus on private messaging. That entails adding end-to-end encryption into Messenger.
Facebook’s enormous worldwide user base means it is a fountain of tips for law enforcement. The letter from government officials in three nations emphasizes the key role the company plays in reporting child sexual abuse. Last year, more than 90 percent of the 18.4 million reports filed with the U.S. National Center for Missing & Exploited Children came from Facebook, the letter says.
U.K. law enforcement made 2,500 arrests last year based on Facebook’s reports to the NCMEC, resulting in 3,000 children safeguarded. The NCMEC estimates it would lose 70 percent of the reports if the encryption plans proceeded, the letter states.
“Our understanding is that much of this activity, which is critical to protecting children and fighting terrorism, will no longer be possible if Facebook implements its proposals as planned,” the letter says.