Maybe it’s because nothing happened last time.
In 2016, a precedent was set. We’ll withhold value judgements, but it’s clear that a landmark opportunity may have been teed-up and missed. Following the 2015 San Bernardino shootings, the Justice Department obtained a warrant to search the suspect’s iPhone. Having denied the DOJ’s initial request, Apple this time stood up a court order. The Department found another way. The case was dropped.
Fast forward to (almost) 2020 and the Department of Justice is finding more occasion to search the encrypted contents of phones, email, and social media accounts. And, not without good reason. Just as the San Bernardino shooting revealed links to terrorism, so Facebook reporting has led to the prosecution of sex traffickers, organized criminals and pedophiles by the thousands. Really. “More than 99% of the content Facebook takes action against—both for child sexual exploitation and terrorism—is identified by [its] safety systems, rather than by reports from users.” Undeniably, the ability to track offenders down their own cyber rabbit holes has proven powerful.
However, the unfinished legalities of 2016 left us with questions to answer.
The Department of Justice aims to put into practice what circumstance failed to cement four years ago. Having dropped the case against Apple, no situational “Apple v. Department of Justice” remains to decide the future of encrypted privacy law. Now the DOJ is left to create their own headwind, and in this climate, they'll row against the tide.
Faced with the relentless assailment of legislators, well-meaning public servants and a blighting accusation of providing a “gift to sex traffickers,” Apple and others are mounting a counter-offensive.
Pending an approaching Senate Judiciary Committee interrogation, Facebook released an open letter explaining the facts of encrypted life: “No one can intercept and read these messages—not us, not governments, not hackers or criminals.” Since catching some bad press over its management of user data with Cambridge Analytica, the company has sought to rebrand as a privacy focused provider. So far, they are sticking to plan.
This proactive letter was in response to the October call to provide encrypted backdoor access, signed by Attorney General Barr, the UK’s Home Secretary Priti Patel, and Australia’s Minister for Home Affairs Peter Dutton.
To date, Facebook has rejected requests from lawmakers to keep Messenger unencrypted (plans roll forward) and continue to push the front by maintaining fully encrypted WhatsApp and setting their sights on encrypting Messenger calls and video.
Jay Sullivan, guardian of Messenger privacy, emphasized “We think it is critical that American companies lead in the area of secure, encrypted messaging.”
It looks like the Department of Defense takes a sympathetic stance when it comes to E2EE encryption, using it (we’d hope) in their day to day operations.
Dana Deasy, the Department’s CIO, recently sent off a letter to Representative Ro Khanna outlining the “imperative” nature of E2EE encryption for the department’s work.
Notably, also this sentence:
“The Department believes maintaining a domestic climate for state of the art security and encryption is critical to the protection of our national security.”
Calling out the importance of encryption in a “domestic climate” fundamentally undermines the premise that encryption represents a threat to national defense, as postured by the DOJ.
Representative Khanna forwarded the letter to Sen. Linsey Graham (R-SC), chairman of the Judiciary Committee and an outspoken proponent of encryption backdoors.
It’s not that they don’t mean well. Just over a week ago, the Senate Judiciary Committee held a hearing on “lawful access,” a term which they hope would exclude just the bad guys, and which the EFF refers to quaintly as “fanciful.”
It’s just the incorrect notion that somehow, anyone is above the law. Natural laws. Laws of mathematics. Laws upon which encryption (RSA, AES and otherwise) are based. Laws that can’t break for one without breaking for all.
Their laid-out justifications are admirable, correct even. And very difficult to disagree with. The main claim that encrypted tunnels are used for child exploitation isn’t wrong, and we’ve seen the Sinaloan cartel leverage WhatsApp in horrific ways.
Interestingly, in the hearing though, a few points came to light that could have given pause to pro-backdoor supporters.
Apple’s manager of user privacy Erik Neuenschwander explained that the only two options to give the Committee what they want are to roll back encryption or create a master key. As he explained, Apple implemented encryption on the heels of threats by bad actors and has never held a key—the implications of which would pose a troubling security quandary. It would be undoing the work of the past few years only to leave us exposed to even more sophisticated threats today.
What’s a social media company to do? Essentially, it may be “run the same play as last time.” If Senator Graham gets his way should this come to legal blows (“You’re going to find a way to do this, or we’re going to do this for you”), it would be fair to assume that Apple, Facebook or whoever else could always parlay the court mandate like last time. However, chances are slim that it would receive a similarly innocuous dismissal.
A complicated conclusion
It’s murky task to separate narratives or parse out motives completely. The Department of Justice means well and wants to catch bad guys. Opponents suspect government data collection and statewide surveillance. Facebook wants to rebrand as a trusted encrypted haven and provide open and safe communication. Others point out Facebook’s utility as an unwilling accomplice to some underground crimes. The fact that these questions weren’t answered in-play, when a suitable use case came up five years ago, has only delayed an inevitable decision.
And, this is the decision that could determine the future of our information, economies and policy for the foreseeable future. While there are undeniable tradeoffs to both sides, the tech industry, security analysts and privacy activists all tend to coalesce behind the Bruce Schneir axiom that, in general, “weakening encryption does more harm than good.”
- Battle of the Backdoors in Networking Infrastructure: Intentional vs. Incidental
- Going Undetected: How Cybercriminals, Hacktivists, and Nation States Misuse Digital Certificates
- 86% of IT Security Professionals Say the World Is in a Cyber War
- Venafi Survey: The Negative Impact of Government Mandated Encryption Backdoors