After the horrifying terror attack in London last week, the familiar debate over government access to encrypted communications has reared its head again.
This time, Britain’s home secretary Amber Rudd—who deals with security, terrorism, and policing, among other things—pointed the finger of blame at companies that make encrypted communications possible. “We need to make sure that organizations like WhatsApp, and there are plenty of others like that, don’t provide a secret place for terrorists to communicate with each other,” Rudd said on the BBC’s Andrew Marr Show yesterday.
She added, clearly nostalgic for the days before encryption, that investigators who obtained search warrants used to be able to “steam open envelopes or just listen in on phones when they wanted to find out what people are doing.”
But that simply doesn’t work with end-to-end encryption, which makes messages unintelligible to anyone other than the intended recipient, including the platform provider. WhatsApp can’t access the attacker’s messages any more than the government can. Her attitude also ignores the vast amount of data that new technology makes available for government surveillance. Those WhatsApp messages may be irretrievable thanks to end-to-end encryption, but smartphones produce all kinds of other data, like location, that law enforcement can still issue warrants for. What Rudd is really after, it seems, is a backdoor to encrypted messages created for the benefit of the government and increased “security.”
The prospect of government officials forcing a tech company to bypass security measures should be familiar to anyone who followed the fight between Apple and the FBI over the San Bernardino shooter’s locked iPhone. While that battle centered on whether Apple had to provide the attacker’s iPhone PIN code to unlock the phone—which was eventually done without Apple’s help—the principle is the same. Basically, the government wants to force companies to provide access to secure data. As in the San Bernardino situation, the response from Facebook, which owns WhatsApp, could set a precedent for future cases.
Rudd argued that this situation is “completely different” to the San Bernardino case. “We don’t want to go into the cloud, we don’t want to do all sorts of things like that, but we do want them to recognize they have a responsibility to engage with government,” she said. And asked directly about the possibility of legislating on end-to-end encryption, she said, “What we have to have [is] a situation where we can have our security services get into the terrorist communications, that’s absolutely the case.”
In reality, creating a backdoor into end-to-end encryption solely for the government isn’t that easy. As security expert and Harvard professor Bruce Schneier wrote on his blog in 2014, “You can’t build a backdoor that only the good guys can walk through.” Any security exploit, even one introduced to allow the government to combat terrorism, is one that can potentially be exploited by hackers. Even if Rudd doesn’t want to “go into the cloud” or “all sorts of things like that,” once that door is opened, it’s hard to close it again.
Conservative MP Nadine Dorries also criticized WhatsApp, though she spelled it #whatsap.
Last year, the UK government passed the Investigatory Powers Bill, known as the Snoopers’ Charter. The law allows the government to remove encryption applied by a provider like WhatsApp, and could allow the government to require a company not to provide end-to-end encryption in the future for services it’s currently developing.
Zachary Goldman, executive director of NYU’s Center on Law and Security, told Gizmodo that while there is “an undeniable governmental need for these messages,” the question is really whether companies should be forced to build a product that allows the government to access data, as phone companies have been since 1994. Any action on this issue “has a trade-off associated with it,” Goldman said—if we want the government to be able to read these messages, it means dramatically undermining end-to-end encryption for everyone.
Facebook is a global company, and any potential changes it makes to WhatsApp may well affect its US users, too. In turn, any success the UK government has in browbeating tech companies into compromising user security might embolden policymakers in the US to try the same thing here. Rudd says she’s summoned a number of tech companies, including Facebook and Google, to meet with her this week to discuss the issue. Anyone concerned about the future of secure messaging should pay close attention to what comes of it.