Facebook urged by governments to halt end-to-end encryption plans

Tensions between Facebook and three governments escalated last week after the US, the UK, and Australia officially urged Facebook to halt its plans for end-to-end encryption.

The row concerned Facebook CEO Mark Zuckerberg’s publication of a privacy manifesto in March this year, in which he promised to extend the company’s end-to-end encryption work and introduce the technology into its core Facebook Messenger product.

A thorn in their sides

An online messaging service can encrypt your data in two ways. It can store the encryption key on the provider’s own servers, enabling law enforcement to subpoena it and unlock your messages. Alternatively, end-to-end encryption stores the key to a messaging session exclusively on the participating computers, meaning that the tech company has nothing to give the authorities. This means that even if law enforcement accesses a person’s messages, they wouldn’t be able to read the contents.

End-to-end encryption is a thorn in the side of governments who want to track criminals. On Friday, US Attorney General William Barr published an open letter to Zuckerberg, cosigned by UK Home Secretary Priti Patel, acting United States Secretary of Homeland Security Kevin McAleenan, and Australian Home Affairs Minister Peter Dutton. It laid out its demands clearly in the first paragraph:

We are writing to request that Facebook does not proceed with its plan to implement end-to-end encryption across its messaging services without ensuring that there is no reduction to user safety and without including a means for lawful access to the content of communications to protect our citizens.

Lawful access

The letter called upon Facebook to embed the ability to see message content in the design of its systems, and to give law enforcement lawful access (meaning access to message content on production of a warrant). The company should consult with governments when taking these measures, and avoid going forward with its proposed changes until it can be sure that it is following these principles, the letter warned.

The signatories also warned that Facebook’s proposed encrypted messaging system would be especially vulnerable to abuse:

Risks to public safety from Facebook’s proposals are exacerbated in the context of a single platform that would combine inaccessible messaging services with open profiles, providing unique routes for prospective offenders to identify and groom our children.

The Department of Justice published the letter just as it signed a landmark agreement with the UK government under the US Clarifying Lawful Overseas Use of Data (CLOUD) Act. The legislation, enabled in March 2018, lets the US demand data from technology companies harbouring that data on foreign soil. It’s a response to the 2013 United States vs Microsoft case in which Microsoft refused to give the Feds access to data stored on an Irish server.

The agreement signed between the US and the UK this week is the first under a provision in the CLOUD Act enabling other countries to demand US-based data from tech companies, leapfrogging time-consuming US legal processes. However, this agreement still doesn’t let countries get at end-to-end encrypted messages, hence the open letter.

Tradeoff between privacy and preventing harm

Tech companies such as Telegram and Facebook-owned WhatsApp support end-to-end encryption and include it as a feature in their products. In his March privacy post, Zuckerberg defended the technology, arguing that it protected dissidents in oppressive regimes. Instead of reading message content, he said Facebook looked for patterns of activity that might point to bad actors.

However, he admitted a tradeoff between privacy and preventing online harm, adding:

… we will never find all of the potential harm we do today when our security systems can see the messages themselves.

This tradeoff – and how much each side is willing to give – is the basis for a long-standing crypto-war between government and tech advocates stemming back to the formation of the cypherpunk movement in the mid-eighties. On one side, many tech privacy advocates don’t want to give up their basic privacy rights. On the other, law enforcement officials point to terrorists and child abusers using encryption to “go dark” as examples of the need for lawful access.

Barr has followed governments in the UK and Australia in backing technical measures to try and find a compromise. At the FBI’s International Conference on Cybersecurity in July, he said:

It is well past time for some in the tech community to abandon the indefensible posture that a technical solution is not worth exploring and instead turn their considerable talent and ingenuity to developing products that will reconcile good cybersecurity to the imperative of public safety and national security.

The standoff is likely to continue. Facebook reportedly responded to Barr’s open letter on Friday with its own statement.

We believe people have the right to have a private conversation online, wherever they are in the world. As the US and UK governments acknowledge, the CLOUD Act allows for companies to provide available information when they receive valid legal requests and does not require companies to build back doors.

We respect and support the role law enforcement has in keeping people safe. Ahead of our plans to bring more security and privacy to our messaging apps, we are consulting closely with child safety experts, governments and technology companies and devoting new teams and sophisticated technology so we can use all the information available to us to help keep people safe.

End-to-end encryption already protects the messages of over a billion people every day. It is increasingly used across the communications industry and in many other important sectors of the economy. We strongly oppose government attempts to build backdoors because they would undermine the privacy and security of people everywhere.