The encryption debate was back in the news this week as Attorney General William Barr railed against “warrant-proof” encryption that he argued protects criminals and terrorists, continuing the same arguments that have been made for almost 30 years. As the cybersecurity community dismissed Barr’s demands and outlined the myriad ways in which such backdoors could be exploited by criminals, the sad reality that most of the cybersecurity community has missed is that the encryption debate is already over – Facebook ended it earlier this year.
The encryption debate is typically framed around the concept of an impenetrable link connecting two services whose communications the government wishes to monitor. The reality, of course, is that the security of that encryption link is entirely separate from the security of the devices it connects. The ability of encryption to shield a user’s communications rests upon the assumption that the sender and recipient’s devices are themselves secure, with the encrypted channel the only weak point.
After all, if either user’s device is compromised, unbreakable encryption is of little relevance.
This is why surveillance operations typically focus on compromising end devices, bypassing the encryption debate entirely. If a user’s cleartext keystrokes and screen captures can be streamed off their device in real-time, it matters little that they are eventually encrypted for transmission elsewhere.
Historically, compromising end devices was an expensive and complex process, powered by a cat-and-mouse game with hardware manufacturers and software vendors to find vulnerabilities that could be used to remotely install surveillance tools and acquire the necessary device privileges.
Such efforts are hard to scale, and the more devices that are compromised, the more likely the vulnerability is to be discovered and patched.
To solve this problem, Facebook announced earlier this year preliminary results from its efforts to move a global mass surveillance infrastructure directly onto users’ devices where it can bypass the protections of end-to-end encryption.
In Facebook’s vision, the actual end-to-end encryption client itself such as WhatsApp will include embedded content moderation and blacklist filtering algorithms. These algorithms will be continually updated from a central cloud service, but will run locally on the user’s device, scanning each cleartext message before it is sent and each encrypted message after it is decrypted.
The company even noted that when it detects violations it will need to quietly stream a copy of the formerly encrypted content back to its central servers to analyze further, even if the user objects, acting as a true wiretapping service.
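The trust boundary described above, as an added sketch that is not Facebook's or WhatsApp's code: a toy client whose scanning hook runs on cleartext before encryption and after decryption, so the wire carries only ciphertext while the endpoint still produces cleartext copies. The `Client` class, the blocklist term and the HMAC-based stand-in cipher are assumptions made for illustration.

```python
import hashlib, hmac, os

def _stream(key, nonce, n):
    """HMAC-SHA256 counter keystream: a demo stand-in, not a vetted cipher."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def _subkeys(key):
    return [hmac.new(key, label, hashlib.sha256).digest() for label in (b"enc", b"mac")]

def seal(key, plaintext):
    """Encrypt-then-MAC with derived subkeys (constructed for this example)."""
    ek, mk = _subkeys(key)
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(ek, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    ek, mk = _subkeys(key)
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _stream(ek, nonce, len(ct))))

class Client:
    """Hypothetical messaging client with an embedded content filter."""
    def __init__(self, key, blocklist):
        self.key = key
        self.blocklist = blocklist  # in the article's model, updated from a central service
        self.reports = []           # cleartext copies that would leave the device

    def _scan(self, text, direction):
        if any(term in text.lower() for term in self.blocklist):
            self.reports.append((direction, text))

    def send(self, text):
        self._scan(text, "outbound")            # sees cleartext before encryption
        return seal(self.key, text.encode())

    def receive(self, blob):
        text = unseal(self.key, blob).decode()
        self._scan(text, "inbound")             # sees cleartext after decryption
        return text

def demo(msg="note containing constructed-term"):
    key, terms = os.urandom(32), {"constructed-term"}  # constructed sample values
    alice, bob = Client(key, terms), Client(key, terms)
    wire = alice.send(msg)
    return wire, bob.receive(wire), alice.reports, bob.reports
```

An observer of `wire` learns nothing about the message, yet both `reports` lists hold it in full: the channel's strength says nothing about what the endpoint software does with the plaintext.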
Facebook’s model entirely bypasses the encryption debate by globalizing the current practice of compromising devices: it builds those encryption bypasses directly into the communications clients themselves and deploys what amounts to machine-based wiretaps to billions of users at once.
Asked about the current status of this work and when it might be deployed in the production version of WhatsApp, a company spokesperson declined to comment.
Of course, Facebook’s efforts apply only to its own encryption clients, leaving criminals and terrorists to turn to other clients like Signal or to bespoke clients whose source code they control.
The problem is that if Facebook’s model succeeds, it will only be a matter of time before device manufacturers and mobile operating system developers embed similar tools directly into devices themselves, making them impossible to escape. Embedding content scanning tools directly into phones would make it possible to scan all apps, including ones like Signal, effectively ending the era of encrypted communications.
Governments would soon use lawful court orders to require companies to build in custom filters of content they are concerned about and automatically notify them of violations, including sending a copy of the offending content.
Rather than grappling with how to defeat encryption, governments will simply be able to harness social media companies to perform their mass surveillance for them, sending them real-time alerts and copies of the decrypted content.
While some phone manufacturers could distinguish themselves by offering bespoke phones with custom operating systems that do not include such scanning, such devices are likely to be rare, used only by those who are willing to go to great lengths to escape government scrutiny and who thus automatically draw substantial attention to themselves. Over time, it is likely that many governments will simply pass laws banning the possession and use of such devices, much as many jurisdictions ban devices that help speeders escape traffic tickets.
Putting this all together, the sad reality of the encryption debate is that after 30 years it is finally over: dead at the hands of Facebook. If the company’s new on-device content moderation succeeds, it will usher in the end of consumer end-to-end encryption and create a framework for governments to outsource their mass surveillance directly to social media companies, completely bypassing encryption.
In the end, encryption’s days are numbered and the world has Facebook to thank.