As Germany Floats The Idea Of Encryption Backdoors, Facebook May Already Be Planning To Undermine Its Own Encryption
from the really?-backdoors-for-content-moderation? dept
The German government's desire to mandate backdoors in encrypted communications had barely been expressed when it was discovered Facebook might be willing to let them do exactly such a thing.
The German proposal is nowhere near ready to become law but the gist of it is this: it's too difficult to break into encrypted devices so maybe tech companies could just start storing encrypted communications in plain text... just in case these agencies ever need to access them. Sure, encryption makes things more secure but it's just creating some sort of criminal/terrorist Wild West and we can't have that -- even when that doesn't actually appear to be happening.
Facebook may already be making backdoored communications a reality. This isn't happening because it wants to be the inflection point for undermining encryption but because it really, really wants to keep accessing users' communications for its own purposes. Kalev Leetaru of Forbes points out Facebook put its encryption-undermining plans on display earlier this year, while discussing its plans to address another request being made by multiple governments: content moderation.
Touting the importance of edge content moderation, Facebook specifically cited the need to be able to scan the unencrypted contents of users’ messages in an end-to-end encrypted environment to prevent them from being able to share content that deviated from Facebook’s acceptable speech guidelines.
[...]
Even more worryingly, Facebook’s presentation alluded to the company’s need to covertly harvest unencrypted illicit messages from users’ devices without their knowledge and before the content has been encrypted or after it has been decrypted, using the client application itself to access the encrypted-in-transit content.
If so, Facebook's proposed moderation efforts are encryption backdoors. If Facebook can access the content of encrypted communications, so can governments. And so can anyone else who can access the "encryption removed here :)" point where Facebook grabs communications to monitor content and train its moderation AI.
At this point, this effort is still in the research phase. It has not been implemented yet, but once more governments realize the implications of this content moderation effort, pressure will be applied. And this pressure will be applied to all companies offering encrypted communications under the not-unreasonable theory that if Facebook can do it, anyone can do it. Those refusing to comply with backdoor demands will have Facebook's efforts used against them during legislative sessions and criminal prosecutions.
The argument against backdoors isn't that they aren't technically possible. They are and always have been. The argument is that they make the encryption useless by converting the protection to an attack vector. Facebook's move may solve some of its own problems, but it will be sacrificing its users' security to appease ridiculous moderation demands being made by a handful of governments. And while these governments wring their hands about terrorist content, other governments unconcerned about terrorists or their content will be leaning on the company to grant them access to the communications of critics, dissidents, and activists.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: backdoors, content moderation, encryption, end to end encryption, monitoring
Companies: facebook, instagram, whatsapp
Reader Comments
Subscribe: RSS
View by: Time | Thread
Unecrypted
So not only would those messages be available to every government for the asking. (And to everyone else once that leaks), it would be super easy for FB to use the contents for their own purposes.
Sounds legit to me.
[ link to this | view in thread ]
Facebook specifically cited the need to be able to scan the unencrypted contents of users’ messages in an end-to-end encrypted environment
In which case it is not end to end encryption, and no more useful than https. In fact why bother when https is available, other than as advertising a feel good factor to users.
[ link to this | view in thread ]
When can we expect Masnick's "this isn't Facebook's fault, blame GDPR" post?
[ link to this | view in thread ]
Re:
Why don't you go ahead and ghost-write that post and leave it here for Mike. That will get it to the readers sooner and make sure that it covers all the points you are expecting.
[ link to this | view in thread ]
facebook? I rest my case.
[ link to this | view in thread ]
After all the Facebook scandals. State floats idea of surveiling their population. Facebooks marketing team rushes in, "HEY! WE DO THAT ALREADY!" Hahahaha. Queue up the next investigation.
[ link to this | view in thread ]
https *IS* end-to-end encryption
The security issue with HTTPS is that if a certificate authority has their key stolen (or secretly cooperates with a third party) you can be tricked into establishing a connection with an impersonator, since the impersonator will have what appears to be a valid certificate. However, this is an issue with any end-to-end system which uses a certificate authority type scheme. The only way to avoid this is to personally validate the private key of the other party, like with key signing parties.
[ link to this | view in thread ]
So.. Facebook are asking for the return of this sort of thing?
https://en.wikipedia.org/wiki/Firesheep
[ link to this | view in thread ]
Re: https *IS* end-to-end encryption
Well, yes, when the ends are the user and Facebook. By being the man in the middle in encryption that is meant to be end to end encrypted by users Facebook is reducing it to a second level https between the users and themselves, which offers no additional security to the user, especially when the do not want Facebook to read analyse and give messages to the authorities, so why is Facebook bothering with this.
[ link to this | view in thread ]
The question that should be asked to Germans: what would stop a new Hitler from abusing such backdoors with a new Stasi?
[ link to this | view in thread ]
"It has not been implemented yet,"
And we know that how?
[ link to this | view in thread ]
Re:
Nothing. That's what so great about it!
[ link to this | view in thread ]
Re: https *IS* end-to-end encryption
This kind of attack has a danger for the attacker and especially the certificate authority. Forging the certificate provides proof that the attacker did this and that the certificate authority is compromised unless they somehow get the private key associated with the public key that the certificate authority certified.
This is why governments do not routinely use this method of attack. It irrefutably destroys the certificate authority's credibility as a couple have discovered much to their woe.
Facebook of course could hand over their private key as well allowing the government to impersonate them undetected which is just another reason not to trust them.
[ link to this | view in thread ]