Encryption is a vital piece of technology that everyone uses in their lives. Most websites use HTTPS to serve their website over a secure connection. This secure protocol encrypts the webpage before sending it over the internet to prevent others from reading the contents of the website and any responses. HTTPS is an example of what we call end-to-end encryption, where data is encrypted by the sender and can only be decrypted by the receiver. A number of messaging apps utilize this technology, so individuals can message each other privately. While this technology is great for privacy, it makes law enforcement’s ability to use messages to help solve a case practically impossible without physical access to the device, which isn’t always possible.
Your iPhone is Scanning Your Photos
When it comes to mobile computing, iPhones mostly dominate the market. Many individuals choose an iPhone because of its easy-to-understand, locked down operating system. Apple also touts itself as being a leader in privacy and security when it comes to mobile computing. One example of this is their stance on full disk encryption and setting a precedence when it comes to legal access to decryption keys.
Apple has recently introduced new technology which performs on-device scanning of photos on a user’s iPhone for potential matches to CSAM (Child Sexual Abuse Material). Apple’s summary of this new feature highlights their attempt to protect user privacy, but fails to address the major issue of scanning personal photos. Developing a feature that scans and decrypts user content completely bypasses the encryption that is in place to protect user data from prying eyes at Apple or other parties. Now that this technology is in place, what would prevent a government from requiring Apple to scan for additional content?
WhatsApp Messages Aren’t Always Private
In 2014, WhatsApp partnered with Open Whisper Systems (now the Signal Foundation) to implement end-to-end encryption for all communication in WhatsApp. This means that only you and the recipient are able to decrypt and read the message. No one else is able to read the message because they do not have the key to decrypt it, not even WhatsApp. This allows individuals to communicate with each other without having to worry about another party reading their messages.
Because WhatsApp is owned by Meta Platforms, a number of individuals have expressed their concerns about Meta potentially accessing WhatsApp content. Despite Meta’s claim in 2018 that “We don’t see any of the content in WhatsApp,” a recent report from ProPublica states otherwise. ProPublica reported that WhatsApp employs around 1,000 contract workers to examine and moderate WhatsApp content. While messages are end-to-end encrypted, WhatsApp provides users with a “Report” button which decrypts the current message along with the previous 4 for context and sends them to WhatsApp for review. Decrypting messages and sending them back to WhatsApp defeats the entire purpose of end-to-end encrypting and can create a false sense of anonymity among its users.
The Government’s Stance on Encryption
In 2019, Bill Barr, Donald Trump’s Attorney General, asked Facebook to delay its deployment of end-to-end encryption across its platforms until a solution for lawful access was implemented. Unfortunately for Barr, Facebook had already implement end-to-end encryption technology in the majority of its communication products. WhatsApp has had end-to-end encryption and Facebook Messenger has had “private messages” since 2016. Barr wants Facebook and other companies to implement a backdoor into their messaging.
The FBI held a press conference in 2019 and encouraged companies to implement “lawful access” into their encryption suite. They cite the need for law enforcement to get this access in order to fight various crimes. However, the FBI failed to present any methods for allowing such access while preserving user privacy. Instead, they called for company and software developers to create such solutions.
Conclusion
Encryption is vital for protecting a user’s credentials and personal information, whether it is in transit or stored securely. Introducing a backdoor that can bypass encryption defeats the whole purpose of using encryption in the first place. While a backdoor may only be used in certain scenarios, a backdoor can be exploited by bad actors. Given the possibility of exfiltrating massive amounts of sensitive data, exploitation would be a very serious problem. Because of this, implementing a backdoor is practically the equivalent of storing or transmitting the data in plain text. Instead of undermining the security of basically the entire internet, we should come up with other solutions to solve the legal access issue.
— Jacob Highfield
All opinions expressed are my own.
Sources
- https://www.eff.org/deeplinks/2021/08/if-you-build-it-they-will-come-apple-has-opened-backdoor-increased-surveillance
- https://nypost.com/2021/09/07/facebook-reads-and-shares-whatsapp-private-messages-report/
- https://www.propublica.org/article/how-facebook-undermines-privacy-protections-for-its-2-billion-whatsapp-users
- https://www.fbi.gov/news/speeches/the-way-forward-working-together-to-tackle-cybercrime
- https://www.vice.com/en/article/wjwpmn/ahhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh
RIT Cyber Security Policy and Law Class Blog 