Fancy New Terms, Same Old Backdoors: The Encryption Debate in 2019


Almost every week, we hear about another corporate data breach or government attack on privacy. For anyone who wants real privacy online, encryption is the essential component.

Governments around the world keep trying to break encryption, seeking to enhance the power of their law enforcement agencies. They’ve tried for years to require companies to build backdoors into encrypted software and devices, which would enable them to listen in on potentially any digital conversation. The FBI has coined a phrase, “going dark,” that it has used since the late ’90s to describe their “problem”—the lack of an omnipresent, all-powerful surveillance tool.

But encryption with special access for a select group isn’t some kind of superpower—it’s just broken encryption. The same security flaws used by U.S. police will be used by oppressive regimes and criminal syndicates.

The only innovation in 2019 has been rhetorical—anti-encryption authorities are determined not to call a backdoor a backdoor. Instead, we saw a proposal from UK intelligence agency GCHQ to add “ghost” listeners to encrypted messaging applications. Later in the year, we saw a revival of the idea of “key escrow,” a discredited idea about how to square the circle on encryption.

Other approaches included ideas like “client-side scanning,” which is also sometimes called “endpoint filtering” or “local processing.” This array of terms describes a system where a messaging application maintains end-to-end encryption, but when users upload images or other content, it can be first checked locally against a set of “hashes” or fingerprints for contraband. These strategies have been proposed as solutions to the problem of child exploitation images, a problem that the DOJ highlighted frequently in the latter half of 2019, trying to reframe the use of encryption as enabling criminal behavior.

The promise of end-to-end encryption is, ultimately, a simple value proposition: it’s the idea that no one but you and your intended recipients can read your messages. There’s no amount of wordsmithing that can get around that. It’s high time to start convening conferences and panels of experts to research and publish ideas about how effective law enforcement can co-exist with tools for privacy and strong encryption, rather than trying to break them.

Keeping Promises on Encryption

Government pressure hasn’t caused tech companies to abandon encryption, at least not yet. In March, Facebook CEO Mark Zuckerberg publicly embraced end-to-end encryption for all of Facebook’s messaging products. That sounds great, in theory, but the proof is in the pudding—we still don’t know how Facebook might seek to monetize an end-to-end encrypted service. There are also policy and competition concerns about the company’s intention to merge WhatsApp, Instagram, and Facebook Messenger.

But those policy concerns might be rendered moot if the company backpedals under the glare of increasing government demands. In October, top law enforcement officials in the U.S., U.K., and Australia called on Zuckerberg to simply stop his plan to encrypt the merged messenger products. Again waving the flag of child safety, law enforcement agencies in these three countries made clear their ultimate goal: access to every conversation, on every digital device. Civil society hasn’t been silent. We joined together with more than 100 other NGOs to write our own letter urging Facebook to proceed with its plans. In December, Facebook itself signaled it won’t bow to that pressure.

The stakes couldn’t be higher. Whichever way the social media giant moves on encryption, other companies are sure to follow.

Source: Fancy New Terms, Same Old Backdoors: The Encryption Debate in 2019 | Electronic Frontier Foundation



Comments

comments