UK and US call on Facebook to walk back encryption plans

Four steps for Facebook

It called on Facebook to take four steps: to embed public safety in system designs to enable itself to continue to act against illegal content with no reduction to safety, and facilitating prosecution of offenders and safeguarding of victims; to enable law enforcement to access content in a readable and usable format; to consult with governments to do this in a substantive way that genuinely influences design decisions; and to not implement the proposed encryption until it can ensure the public safety systems are tested and operational.

TechUK’s head of national and cyber security, Talal Rajab, agreed that a balance needed to be struck between effective encryption and public safety.

“We welcome the government’s recognition of the importance of strong encryption and its support for the tech sector’s commitment to protecting user data,” he said. “Strong encryption is vital for ensuring the security of digital services and any limiting of its use will harm efforts to keep people secure online.

“In a world of increasing cyber threats, government and industry must continue to work together to find good and effective solutions to law enforcement challenges that do not put millions of innocent users at risk by restricting the use of encryption or implementing so-called backdoors.”

But in the wake of the letter’s publication, others were less complimentary. Hannah Quay-de la Vallee, a senior technologist at the Center for Democracy and Technology, said: “Strong encryption and end-to-end security are bedrock technologies that keep information safe online. These technologies protect billions of communications every day, from the sensitive correspondence of victims of domestic violence to businesses’ financial records to our private medical information.

“Creating a law that would mandate weaker and less secure technology is like mandating crumbling sidewalks to prevent criminals from escaping. It’s ridiculous, it won’t work, and it puts us all at far greater risk of serious injury.”

In a blog post, Peter Micek, general counsel at global digital rights organisation Access Now, said: “Strong encryption remains the last line of defence against unlawful access to our data, and protects all users from identity theft, scams and fraud.

“Both Facebook and law enforcement already enjoy robust tools to uncover and pursue perpetrators of illegal activities. Weakening encryption only puts innocent lives at risk. Survivors of sexual abuse and exploitation need more protection for the privacy and security of their personal data and accounts – not less.”

Speaking on Twitter, NSA whistleblower Edward Snowden added simply: “If Facebook agrees, it may be the largest overnight violation of privacy in history.”

In a statement emailed to Computer Weekly, a Facebook spokesperson said the organisation believed people had the right to hold private conversations online, and as both the UK and US had acknowleged, the US Cloud Act allows for companies such as Facebook to provide available information when they receive valid legal requests, without requiring them to build backdoors.

“We respect and support the role that law enforcement has in keeping people safe,” said the spokesperson. “Ahead of our plans to bring more security and privacy to our messaging apps, we are consulting closely with child safety experts, governments and technology companies and devoting new teams and sophisticated technology so we can use all the information available to us to help keep people safe.

“End-to-end encryption already protects the messages of over a billion people every day. It is increasingly used across the communications industry and in many other important sectors of the economy. We strongly oppose government attempts to build backdoors because they would undermine the privacy and security of people everywhere.”

More access for police

The letter’s publication comes the day after Barr and Patel signed a bilateral data access agreement between the UK and the US – with the intention of speeding up law enforcement investigations by enabling the authorities in both countries to go straight to tech companies to access user data.

This means that they will no longer have to rely on the Mutual Legal Assistance (MLA) process to obtain data through the other’s government, which can take between six months and two years.

“Terrorists and paedophiles continue to exploit the internet to spread their messages of hate, plan attacks on our citizens and target the most vulnerable,” said Patel.

“This historic agreement will dramatically speed up investigations, allowing our law enforcement agencies to protect the public.”

The Home Office said the agreement would accelerate complex investigations into serious crimes, such as those of sex offender Matthew Falder, described by the National Crime Agency as “one of the most prolific and depraved offenders” it had ever encountered.

The investigation into his crimes lasted four years and the NCA has maintained that this process could have been shortened if it had received more co-operation from tech companies.

The agreement will see the US have reciprocal access to any needed data from UK communication service providers (CSPs) in accordance with its own legislation.

The Home Office said the agreement changed nothing about the way companies such as Facebook use encryption, or stop them from encrypting data, and that the UK had received assurances in line with its use in regard to offences that carry the death penalty in the US, although it did not detail these assurances.

Backdoors are a terrible idea, say CISOs

Back in August, a survey produced on behalf of security services supplier Venafi found that 74% of security professionals believed encryption backdoors such as those being requested by Australia, the UK and the US made countries more vulnerable to cyber attack, and 72% believed that letting law enforcement access encrypted personal data would not make people safer.

The firm polled attendees of Black Hat USA 2019 in Las Vegas, and its findings echoed a similar study conducted in March 2019 by RSA.

“We know that encryption backdoors dramatically increase security risks for every kind of sensitive data, and that includes all types of data that affects our national security,” said Kevin Bocek, Venafi vice-president of security strategy and threat intelligence at the time.

“The IT security community overwhelmingly agrees that encryption backdoors would have a disastrous impact on the integrity of our elections and on our digital economy as a whole.”

Alex Balan, chief security researcher at BitDefender, said: “Those that remember the clipper chip will know that it was a bad idea then and it will always be a bad idea to punch holes into security systems. While privacy is a key factor in this debate, it goes far beyond this. Big brother spying on you is, quite frankly, the least concern here. It’s about weakening security systems, facilitating easier access to cyber criminals and the impact that can have. Not to mention that it’s outright futile.

“Firstly, governments want to be able to decrypt the traffic of end-users. While much will be done to keep the technology used secret, history has taught us that it won’t be long before hackers will exploit it massively. This means that everyone will have what’s left of their intimate online activities exposed publicly.

“Secondly, it’s impossible to put a break or gag on technology. Not even North Korea, China or, to their eternal shame, the US can do it. It wasn’t possible back in the day when they tried to outlaw RSA encryption and put crypto researchers in jail, and they sure can’t do it now with the number of options to anonymously create and disseminate both information or technology.”

Balan said that, taken together, this would weaken everyone’s security, while malicious actors move on to a different means of communication, or even create something new themselves. “It’s not just damaging, it’s stupid,” he said.