GettyEnd-to-end encrypted messaging is a major issue for law enforcement—as the world shifts from easy to crack (for governments) cellular SMS messaging to various flavors of IP messaging, such as WhatsApp, iMessage, Signal and Wickr, governments are exploring their options. The challenge is that such services are provided by technology companies, mostly based in the U.S., making them to a large extent out of reach from lawmakers elsewhere. The messaging services run "over the top," meaning they are not tied directly to the provider of the network or the phone.
All of which means that the powerbroker here, as in most things tech, is the U.S. government. Which is why when Politico reported that "senior Trump administration officials met on Wednesday [June 26] to discuss whether to seek legislation prohibiting tech companies from using forms of encryption that law enforcement can’t break," it was of real significance, "a provocative step that would reopen a long-running feud between federal authorities and Silicon Valley." "Technology is moving fast, and privacy needs to move with it," Joel Wallenstrom—the CEO of uber-secure messaging platform Wickr—told me. "These are all completely legitimate, understandable even predictable concerns coming from law enforcement and elsewhere." Politico cited several unnamed sources in reporting that "the encryption challenge, which the government calls 'going dark,' was the focus of a National Security Council meeting Wednesday morning that included the No. 2 officials from several key agencies." The discussion focused on the lockdown of messaging apps, billed as "a privacy and security feature," which "frustrates authorities investigating terrorism, drug trafficking and child pornography."
The challenge for governments, the U.S. included, is that the privacy of messaging has become a central theme in the ongoing debate around privacy, data security and information integrity. People around the world are shifting from public social media posting to closed groups, and messaging platforms have been a major driver of that. Even Facebook has put messaging security and privacy at the center of its new strategy. "We hope there is really productive dialog and problem-solving," Wallenstrom told me, speaking before the NSC news broke. In his view, "lines in the sand" and "folded arms" on the part of governments need to be avoided, with China, North Korea and Iran "not the countries we want to emulate as far as technology is concerned."
The example of WeChat in China is especially relevant, where the authorities monitor message traffic on a fairly open basis, with immediate sanctions for misbehavior. As the 30th anniversary of Tiananmen Square approached, it was reported that WeChat users found "keywords or pictures related to the event have been almost instantaneously deleted, with their posters sometimes summarily blocked. On the days of the anniversary itself, users were not even able to change their avatars." And there were many similar stories from the recent public protests in Hong Kong.
"We hope this [end-to-end encrypted] technology will exist," Wallenstrom said, "that it's not blockable... That there are providers of this technology that want to work through these issues and tackle the smart path forward and don't become binary and say we won't work with [governments] to work through these debates."
There is no single point of view within the U.S. government on this issue, and even "a well-known fault line on encryption within the executive branch," as reported by Politico. "The DOJ and the FBI argue that catching criminals and terrorists should be the top priority, even if watered-down encryption creates hacking risks. The Commerce and State Departments disagree, pointing to the economic, security and diplomatic consequences of mandating encryption 'backdoors'." And DHS can see both sides of the debate even within itself. "The Cybersecurity and Infrastructure Security Agency know the importance of encrypting sensitive data, especially in critical infrastructure operations, but ICE and the Secret Service regularly run into encryption roadblocks during their investigations."
A collective of companies and civil liberty groups including Apple, Amazon, Google, Microsoft, Facebook, Privacy International, Linux Australia, and the Electronics Frontier Foundation have issued a warning that requirements to silently add law enforcement into encryption chats could introduce vulnerabilities and create new risks to systems.
Wallenstrom referenced the San Bernardino terrorist attack in 2015, which pitched DOJ against Apple to gain access to the iPhone of one of the attackers. And Politico did the same. For governments, terrorism, child trafficking and elements of serious organized crime become something of a trump card when tackling the public debate on privacy, the ultimate "yes, but." Earlier this month, a coalition of technology companies, privacy experts and human rights groups published an open response to a discussion document from U.K. spy agency GCHQ that suggested the idea of a ghost protocol to enable "an extra end" in end-to-end encrypted messaging, allowing governments (when required) to listen in.
The response from the likes of Apple, Microsoft, Google and WhatsApp was blunt: "It would undermine the authentication process... introduce potential unintentional vulnerabilities, increase risks that communications systems could be abused or misused... It will not matter that conversations are protected by encryption. Communications will not be secure." And if the U.S. starts to genuinely debate such legislation, the backlash will escalate quickly. It is one thing to moderate the content shared on social media, quite another to bring total user privacy to an end. But for law enforcement and national security, there are genuine concerns. Where there are terrorists hiding from the authorities on platforms like Telegram there is a serious public interest issue. On this one, cliche or not, there really are no easy answers.
"I believe the future of communication," Facebook CEO Mark Zuckerberg wrote in March, "will shift to private, encrypted services where people can be confident what they say to each other stays secure and messages and content won't stick around forever."