Last year, Facebook announced that it would stitch the technical infrastructure of all of its chat apps – Messenger, WhatsApp and Instagram – together so that users of each app can talk to each other more easily.
The plan includes slathering the end-to-end encryption of WhatsApp – which keeps anyone, including law enforcement and even Facebook itself, from reading the content of messages – onto Messenger and Instagram. At this point, Facebook Messenger supports end-to-end encryption in “secure connections” mode: a mode that’s off by default and has to be enabled for every chat. Instagram has no end-to-end encryption on its chats at all.
“As you would expect, there is a lot of discussion and debate as we begin the long process of figuring out all the details of how this will work,” Facebook has said – including, of course, the fact that law enforcement would be shut out of viewing messages on yet more chat apps.
That discussion now includes an open letter, signed by 129 child protection organizations around the world and sent to CEO Mark Zuckerberg on Thursday. The groups, led by the UK’s National Society for the Prevention of Cruelty to Children (NSPCC), are urging the company to stop its plans until “sufficient safeguards” are in place.
According to news outlets that have seen the letter, it says that Facebook could be building on “years of sophisticated efforts” to protect children online, but is instead “inclined to blindfold itself.”
More from the letter:
We urge you to recognize and accept that an increased risk of child abuse being facilitated on or by Facebook is not a reasonable trade-off to make. Children should not be put in harm’s way either as a result of commercial decisions or design choices.
The NSPCC said in December 2019 that police in the UK recorded over 4,000 instances – an average of 11 per day – where Facebook apps were used in child abuse image and online child sexual offenses during the prior year.
The group warned that end-to-end encryption on all of its messaging apps will allow child abuse to go undetected, unless Facebook first puts clear safeguards in place, saying that encrypted messaging creates “hiding places” for child abuse.
The platform will no longer be able to see and report illegal content to law enforcement, so police will be left working in the dark.
More serious child abuse will likely take place on Facebook-owned apps as abusers won’t have to move their victims off the platform to other encrypted ones to groom them.
Government pushback against encryption
While some digital rights groups have applauded Facebook’s move to stronger encryption, some governments – those of the US, Britain and Australia – have not. In December 2019, a Select Committee of members of the US Congress told Facebook and Apple that they had better put backdoors into their end-to-end encryption, or laws will be passed that force tech companies to do so.
In their open letter, the child protection groups told Facebook that they recognize users’ legitimate interest in ensuring that their data is protected, but that doesn’t negate the platform’s responsibility to help in investigations:
However, as you yourself have stated, Facebook has a responsibility to work with law enforcement and to prevent the use of your sites and services for sexual abuse.
In January, the UK’s Information Commissioner’s Office (ICO) published a code to ensure that online companies protect kids from harm, be it showing kids suicidal content, grooming by predators, illegal collection and profiteering off of children’s data, or all the “smart” toys and gadgets that enable children’s locations to be tracked and for creeps to eavesdrop on them.
In Thursday’s open letter to Facebook, child protection groups urged Facebook to back off of its encryption plans until safeguards for children’s safety are in place.
Facebook’s response
David Miles, Facebook’s head of safety for Europe, the Middle East and Africa, said in a statement that encryption does, in fact, protect people:
Strong encryption is critically important to keep everyone safe from hackers and criminals.
…and that Facebook will work on protecting children online as part of the long slog to getting end-to-end encryption everywhere:
The rollout of end-to-end encryption is a long-term project; protecting children online is critically important to this effort and we are committed to building strong safety measures into our plans.
Miles said that Facebook is already working with law enforcement, government and tech companies to keep children safe online.
Not the first letter Facebook’s received
In October 2019, three governments warned Facebook that it had better end – or at least pause – its “encryption on everything” plan.
US Attorney General William Barr and law enforcement chiefs of the UK and Australia signed an open letter calling on Facebook to pause until it figures out a way to give law enforcement officials backdoor access so they can read messages.
“No,” Facebook said – with all due respect to law enforcement and its need to keep people safe.
Facebook responded by releasing its own open letter, penned in response to Barr.
In the letter, WhatsApp and Messenger heads Will Cathcart and Stan Chudnovsky said that any backdoor access into Facebook’s products created for law enforcement would weaken security and let in bad actors who would exploit the access. That’s why Facebook has no intention of complying with Barr’s request that the company make its products more accessible, they said:
The ‘backdoor’ access you are demanding for law enforcement would be a gift to criminals, hackers and repressive regimes, creating a way for them to enter our systems and leaving every person on our platforms more vulnerable to real-life harm.
Latest Naked Security podcast
LISTEN NOW
Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.
Gavin
Perhaps Facebook could roll out a companion service for testing purposes, “Facebook B” (Facebook Backdoored) and invite Barr and other government and law enforcement representatives to conduct all their personal social media and messaging activities there. For transparency, Facebook B should publicly report all attacks against the service that result in social media content being breached, along with a summary of what data was stolen.
If these officials are happy with the protection (or lack thereof) of their own personal communications they can continue with their arguments against end-to-end encryption.
Obviously this will never happen for a multitude of good reasons.
Bryan
Careful Gavin…
> Obviously this will never happen for a multitude of good reasons
I agree emphatically with the second half of your sentence. However I hesitate to enjoy confidence that “good reasons” will be enough that something won’t happen–this specific situation or many others. We’ve lots of examples lately indicating infallibility’s short supply…
PS: I like the idea of Facebook B. Too bad Zuck never calls me anymore.
:,)
Larry Marks
Lisa wrote: “…the US Congress told Facebook and Apple that they had better put backdoors into their end-to-end encryption, or laws will be passed that force tech companies to do so.”
No, Lisa, no. The US Congress did not say that. One ignorant congressman did. It didn’t get anywhere.
Paul Ducklin
Lisa’s words are correct inasmuch as it was a statement to Facebook from an official part of the legislature, namely a bipartisan Select Committee of Congress. So although it wasn’t a resolution passed by the entire legislature, IIRC it wasn’t just one person’s opinion either. I think it’s OK to use the words “Congress said” here, in the same way we talk about “the government issuing a weather warning” when we are using the word “government” as a metaphor for the public service, and where we actually mean just one small part of the public service, namely the Meteorological Office.
Anyway, we have edited the wording to clarify that this was a case of “Congressional committee said that…”, rather than “Congress has decreed that…” HtH.
Lisa Vaas
Getting anywhere takes a while. At this point, the EARN-IT Act is worming its way through Congress. The proposed bill is seen as a sneaky way to inflict backdoors by undercutting the CDA’s Section 230 protection for publishing online content, likely making it financially necessary for the platforms to adopt whatever “best practices” get approved by GA Barr and the DHS secretary if those platforms want to retain Section 230 protection against a flood of lawsuits.
Hat tip to The Verge for such apt use of the verb worming, BTW.
See:
https://nakedsecurity.sophos.com/2020/03/13/earn-it-act-threatens-end-to-end-encryption/
Anonymous
The problem I have with granting governments a backdoor is that an assumption is being made (by some) that the government is trustworthy. The FBI for example hasn’t had a great track record lately for being trustworthy. One would think the Government would be investigating criminals, but what is stopping them from investigating people that simply share a different political point of view?