The US, UK, and Australia want Facebook to hold off on end-to-end encrypting Messenger until they have a way to inject themselves into the conversation. picture alliance / Getty Images

Here we go again.

US Attorney General William Barr is leading a charge to press Facebook and other Internet services to terminate end-to-end encryption efforts—this time in the name of fighting child pornography. Barr, acting Secretary of Homeland Security Kevin McAleenan, Australian Home Affairs Minister Peter Dutton, and United Kingdom Secretary of State Priti Patel yesterday asked Facebook CEO Mark Zuckerberg to hold off on plans to implement end-to-end encryption across all Facebook Messenger services "without including a means for lawful access to the content of communications to protect our citizens."

The open letter comes months after Barr said in a speech that "warrant-proof" cryptography is "extinguishing the ability of law enforcement to obtain evidence essential to detecting and investigating crimes" and allowing "criminals to operate with impunity, hiding their activities under an impenetrable cloak of secrecy." The new message echoes a joint communiqué issued by the US, UK, Australia, Canada and New Zealand (the "Five Eyes") from July, which stated:

…it is imperative that all sectors of the digital industry including Internet Service Providers, device manufacturers and others to continue to consider the impacts to the safety of children, including those who are at risk of exploitation, when developing their systems and services. In particular, encryption must not be allowed to conceal or facilitate the exploitation of children.

Facebook has played a significant policing role on social media, providing reports of child abuse imagery and attempts by offenders to groom children online to the National Center for Missing and Exploited Children (NCMEC) in 2018, for instance. And there is no doubt the child pornography problem has exploded in recent years. A recent New York Times report revealed that the number of images of sexual abuse of children has been growing exponentially over the past two decades, with investigators flagging over 45 million images and videos last year. Facebook's reports were 90 percent of the 18.4 million cases reported to NCMEC in 2018—a number double that of 2017 and 18 times greater than the number reported in 2014.

Barr and his cohorts noted that NCMEC "estimates that 70% of Facebook's reporting—12 million reports globally" for content related to child sexual exploitation and terrorism "would be lost" if all Messenger traffic is protected by end-to-end encryption and Facebook cannot screen the content through its safety systems. "This would significantly increase the risk of child sexual exploitation or other serious harms," Barr and the others claimed.

The letter also broadened its message beyond Facebook to the entire tech industry, stating:

We therefore call on Facebook and other companies to take the following steps:

  • Embed the safety of the public in system designs, thereby enabling you to continue to act against illegal content effectively with no reduction to safety, and facilitating the prosecution of offenders and safeguarding of victims;
  • Enable law enforcement to obtain lawful access to content in a readable and usable format;
  • Engage in consultation with governments to facilitate this in a way that is substantive and genuinely influences your design decisions; and
  • Not implement the proposed changes until you can ensure that the systems you would apply to maintain the safety of your users are fully tested and operational.

There are some major problems with this plan. First, backdoored encryption is fragile at best and likely to be quickly broken. Second, encryption is available in enough forms already that blocking its use by major service providers won't stop criminals from encrypting their messages. If secure encryption is a crime, only criminals will have secure encryption—and it will be really easy to be a criminal, since all it takes is a download or some simple mathematics.

The stupid criminal argument

Much of the reasoning behind the need to prevent end-to-end encryption by default—an argument used when Apple introduced it as part of iMessenger and repeated multiple times since—is that criminals are inherently stupid, and giving them protection by default protects them from being stupid and not using encryption.

Facebook has offered end-to-end encryption as an option for Messenger conversations for years now, and it offers the service as part of WhatsApp as well. But because encryption requires an extra (and non-intuitive) step to turn it on for Messenger, most people don't use it—apparently even criminals sending messages they think aren't under surveillance. It's like the Dunning-Kruger effect in that case—the belief is that criminals think they're "using the juice" and it's concealing them from being observed.

The problem is not all criminals are idiots. And while Facebook may have contributed massively to the reporting of child pornography in recent years, there are other services that even the idiots could move to if it becomes apparent that they're not out of sight. Take Telegram, for instance—where much of 8chan moved to after the site lost its hosting—or WhatsApp or Signal, which provide end-to-end voice and messaging encryption. On top of those, there are a host of "dark Web" and "deep Web" places where criminals, including those exploiting children, operate.

Based on conversations I've had with researchers and people in law enforcement, there is a significant amount of tradecraft related to these types of crimes floating around in forums. Not all of it is very good, and people get caught—not because they didn't have end-to-end encryption but because they used it with the wrong person.

Laws don't change mathematics

Four years ago, when the focus was on catching terrorists instead of child pornographers, then-FBI Director James Comey decried the "cynicism" toward government spying and insisted that mathematicians and computer scientists just hadn't tried hard enough to create encryption with a "golden key" for law enforcement and intelligence organizations. But as I pointed out then, all you have to do is look at what happened when the US government tried to push backdoored encryption onto phone communications in the 1990s to understand why a government-mandated backdoor would be risky at best. As Whitfield Diffie (half of the pair who brought us the Diffie-Hellman Protocol for encryption key exchange) put it in 1993 when warning against implementing key escrow and the "Clipper Chip":

  • The backdoor would put providers in an awkward position with other governments and international customers, weakening its value
  • Those who want to hide their conversations from the government for nefarious reasons can get around the backdoor easily
  • The only people who would be easy to surveil would be people who didn't care about government surveillance in the first place
  • There was no guarantee someone else might not exploit the backdoor for their own purposes

To reinforce these points, a group of leading computer science and cryptography researchers—including some who actually broke the Clipper Chip's ke