Encryption continues to be a hotbed of debate, with the public and private sectors at odds. Meta, formerly Facebook, reinforced its 2019 commitment to bring end-to-end encryption to all its users when it published a report on encryption protecting basic human rights. While this is recent news, it is just the latest episode in the long-standing encryption saga between Meta and the federal government, and in the wider encryption debate at large. Let’s look at the history of this debate and what it means for encryption going forward.
“Facebook” v. Government encryption fight
The fight for encryption can be summarized by the arguments of two sides: government and business. Both agree that encryption is useful - the question at hand is, what is the cost of using encryption?
Meta took a stance on encryption when it released “A Privacy Focused Vision for Social Networking” three years ago. Since that time, it has made significant pushes towards fully encrypting all its platforms, on the basis that “implementing end-to-end encryption for all private communications is the right thing to do.”
The Zuckerberg-written manifesto states, “in a world of increasing cyber security threats and heavy-handed government intervention in many countries, people want us to take the extra step to secure their most private data. That seems right to me, as long as we take the time to build the appropriate safety systems that stop bad actors as much as we possibly can within the limits of an encrypted service.”
To this end, they are doubling down on encryption as a fundamental way of protecting consumer privacy rights, and arguably free speech rights at large, while still trying to honor “a responsibility to work with law enforcement and to help prevent [truly terrible things like child exploitation] wherever we can,” as Zuckerberg states.
This cooperation with law enforcement is where government comes in. However, opinions within the US Congress are often as mixed as the public vs. private debate itself, with key players fighting on both sides. Senators who once backed encryption-leaning legislation like the Consumer Privacy Protection Act and COPRA spun around to endorse the EARN IT Act, a government attempt to orchestrate backdoors.
Arguably, allowing backdoors into encrypted data begs the question: “is it encrypted after all?” Australia adopted backdoor laws in 2018, with mixed results. In some cases, government has even tried to take advantage of encrypted platforms, Meta and otherwise, such as when the UK sanctioned WhatsApp as an official communication tool in 2020 to deal with the Covid-19 crisis, and the US had to turn to cryptographically protected video calls so that Congress could remain active during the same time. In the UK, lawmakers struggled between implementing backdoors and using technologies without them to secure their own private communications.
It’s a difficult struggle, with points for both sides. Ultimately, the question of whether public privacy is sacrificed for public safety - or if the two are one and the same - is one that is still being answered. However, Meta’s actions this month have sent an unmistakable reply.
Meta commits to encryption
With the decision to fully encrypt Facebook Messenger and Instagram Direct Messenger, the company moves decidedly to break the standing encryption deadlock. To support that decision, Meta commissioned a report by the nonprofit Business for Social Responsibility, following up with their own response. The report weighed the pros and cons of encrypting public messaging platforms and stated that while it does give criminals an undetected space, the fundamental right to privacy outweighed the costs and that Facebook would continue rolling out end-to-end encryption (E2EE) across all platforms.
Meta outlined three fundamental conclusions regarding encryption.
- Expanding E2EE protects a diverse range of human rights
- Adverse impacts should be addressed without undermining E2EE
- The Meta approach to integrity and safety should continue to be implemented
That approach includes implementing 34 out of the 45 recommendations put forth in the BSR report. Four will be partly implemented, six are being investigated and one (relating to homomorphic encryption) will be ignored (due to the technology still being largely developmental). The changes Meta is implementing include:
- Increased options for user reporting: including increasing the prominence of reporting options, reducing the number of steps in our reporting flow, and allowing users to explicitly flag the most severe violations, such as those involving children. Workshops to test user reporting features with children [to prevent unsolicited interactions with adults that lead to kidnap and grooming] and new ways to verify the authenticity of user reports.
- Investing in processes to make sure those that have violated platform policies do not return, such as those who have violated Community Standards across Messenger or Instagram
- Simplifying in-app support and education features for vulnerable groups, such as children or those with low literacy
- Adding “friction” to the process of messaging strangers to slow the spread of unsolicited interactions, hate speech, destructive coordinated behavior and other actions that would lead to an infringement on human rights.
- Placing parental controls above E2EE for kids or only implementing fully encrypted Messenger Kids and Instagram for Kids if it allows the same parental controls.
- Non-mandatory account linking to protect user anonymity, as Meta states, “Meta does not and has no plans to require users to link their existing accounts across Messenger, Instagram, and WhatsApp if they do not wish to do so.”
- Investing in harm prevention strategies that work with E2EE, such as metadata analysis and behavioral signals to catch bad actors without having to add backdoors.
What this means for encryption
While criminals can always increase their subtlety to evade detection, the recommendations implemented above attempt to address law enforcement’s concerns about hiding bad actors in end-to-end encrypted spaces, while supporting the public’s desire for fully encrypted communication platforms. It is a delicate balance. As Meta attempts to walk the line between public safety and individual privacy, they have definitively come down on the side of defending the privacy that protects basic human rights; or, of defining privacy as a basic human right.