Five Eyes Countries Band Together To Complain About Facebook And End-To-End Encryption
from the breaking-Messenger-will-leave-criminals-with-only-dozens-of-secure-options dept
The world's law enforcement agencies are back at it, advocating for the demise of end-to-end encryption. The last time they all got together like this, they were complaining to Facebook for thinking about adding encryption to its Messenger service.
Because Facebook does so well reporting child porn to the proper authorities, the proper authorities have gathered to decry its decision to encrypt this service, claiming it would result in a lot of unobserved child porn being passed between users. With Facebook unable to eavesdrop on messages, the images and videos can be shared unnoticed.
And, again, the international law enforcement community is asking for weaker encryption… and namechecking Facebook as the cause of and potential solution to all the world's child porn problems. The new "international statement" opens up with a united declaration that everyone loves encryption, before getting to the long list of "buts."
We, the undersigned, support strong encryption, which plays a crucial role in protecting personal data, privacy, intellectual property, trade secrets and cyber security. It also serves a vital purpose in repressive states to protect journalists, human rights defenders and other vulnerable people, as stated in the 2017 resolution of the UN Human Rights Council. Encryption is an existential anchor of trust in the digital world and we do not support counter-productive and dangerous approaches that would materially weaken or limit security systems.
Of course, that last sentence is a lie. At best, it's completely disingenuous. Almost immediately following this assertion that the undersigned have no intention or pursuing counterproductive/dangerous approaches, the Five Eyes crew (along with India and Japan) lists the counterproductive/dangerous ways they'd like encryption to be broken.
Particular implementations of encryption technology, however, pose significant challenges to public safety, including to highly vulnerable members of our societies like sexually exploited children. We urge industry to address our serious concerns where encryption is applied in a way that wholly precludes any legal access to content. We call on technology companies to work with governments to take the following steps, focused on reasonable, technically feasible solutions:
Embed the safety of the public in system designs, thereby enabling companies to act against illegal content and activity effectively with no reduction to safety, and facilitating the investigation and prosecution of offences and safeguarding the vulnerable;
Enable law enforcement access to content in a readable and usable format where an authorisation is lawfully issued, is necessary and proportionate, and is subject to strong safeguards and oversight; and
Engage in consultation with governments and other stakeholders to facilitate legal access in a way that is substantive and genuinely influences design decisions.
I'm not sure what sort of "strong encryption" can handle all of these weak spots being introduced without turning into something easily misused, but these government reps are pretty sure people at these companies will come up with something. These governments have convinced themselves they're "stakeholders" in private conversations between citizens that are facilitated by services like Facebook's Messenger.
And that's what this is about. The statement cites Facebook's success in handling child porn while trying to use that against it.
In 2018, Facebook Messenger was responsible for nearly 12 million of the 18.4 million worldwide reports of CSAM [child sexual abuse material to the US National Center for Missing and Exploited Children (NCMEC)]. These reports risk disappearing if end-to-end encryption is implemented by default, since current tools used to detect CSAM [child sexual abuse material] do not work in end-to-end encrypted environments.”
If this is true, then there's nothing else that can be done. Weakened encryption that allows Facebook to intercept users' messages does nothing for the millions of Facebook users who've never trafficked in illegal content. The company can either give users security and privacy, or it can give these governments what they want. There's no middle ground that's going to accommodate both groups.
And this push against Facebook is working. These statements were converted into news articles claiming Facebook is "responsible" for 94% of all reported child porn. But that wording suggests Facebook is the problem, rather than its users. Facebook made 94% of the reports, showing once again it's been doing what it can to combat the problem.
Its decision to offer encryption to Messenger users isn't being made lightly. It's aware of the downside. But it's also aware of the threat posed to its users by a number of malicious entities, which include authoritarian governments and state-sponsored hackers. If it wants to protect its millions of innocent users, it has to offer the same shelter to criminals using the service. That's how it goes. The middle ground governments think the private sector should nerd towards simply doesn't exist.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: australia, backdoors, canada, encryption, five eyes, india, japan, new zealand, security, uk, us
Companies: facebook
Reader Comments
Subscribe: RSS
View by: Time | Thread
Localized, hashed CSAM Check?
So, the government demands that they resolve this issue 'their way', but there are other avenues Facebook could use to combat this very specific problem. one of which would be any photo uploaded could be hashed on the local device before upload to determine if it is probable CSAM. If it is found to be suspicious, a copy of the image could be uploaded to an FB server for further evaluation. You could add a ToS notice about this feature and still not break the encrypted communications channel.
Just one of the infinite number of possibilities that doesn't require backdoors to encrypted communications.
[ link to this | view in chronology ]
Re: Localized, hashed CSAM Check?
This isn't easily done.
Anything that runs on the client-side is under complete control of the client device. I can make any client-side code behave however I want.
Relying on client-side checks is equivalent to asking users to report themselves to law enforcement if they upload child porn. You'll catch some of the dumb criminals, but that's about it.
[ link to this | view in chronology ]
Re: Re: Localized, hashed CSAM Check?
Relying on client-side checks is equivalent to asking users to report themselves to law enforcement if they break DRM. You'll catch some of the dumb criminals, but that's about it.
Same problem, different game. Relying on remote attestation is a broken security model, no matter how or for what it's implemented for. Nonetheless, we still have idiots everywhere who've convinced themselves that requiring criminals to announce their presence to their enemies is the best solution. This just in: Criminals intentionally don't follow laws. In other news: Politicians in five different countries have signed agreements mandating by law that water be dry so that they don't have to hire people to mop up the wet parts.
[ link to this | view in chronology ]
The more law enforcement uses child abuse as the go to excuse to attack encryption, the stronger QAnon will become.
[ link to this | view in chronology ]
Dear Five Eyes
As I was taught in Kindergarten: if you don't play nice with your toys, they get taken away, and you have no one to blame but yourself.
[ link to this | view in chronology ]
Backdoor backblow
I wonder if the governements wordlwide will force manufacturers to install backdoors, wouldn't that undermine the reliability of evidence collected using backdoor tech.
Given the fact that encryption usually oovides not only the confidentiality but integrity of the data too,
the accused can claim that given the fact that device is insecure 3rd party is able to tamper with the device(or communication) content.
[ link to this | view in chronology ]
Re: Backdoor backblow
Strong signature cryptography is independent of any message encryption, and can be used to verify content of plain text as well as encrypted content. So it is possible to have strong signatures to verify content, and weak encryption to hide content from prying eyes.
[ link to this | view in chronology ]
Re: Re: Backdoor backblow
How? You do realized that both transmitted and at-rest data are encrypted using exactly the same set of ciphers, right?
[ link to this | view in chronology ]
Re: Re: Re: Backdoor backblow
Encryption and signing are different things. Encryption is used to protect the contents, while signing is used to verify the source. While sometimes they use the same encryption technique, mostly they use different techniques. For instance all the certificates that your browser rely on are plain text, with signing used to verify signer, because everybody going to the same site sees the same certificate, so there is little point in encrypting the contents, but ensuring that it was verified by the signer is critically important.
[ link to this | view in chronology ]
Re: Re: Backdoor backblow
[ link to this | view in chronology ]
Re: Re: Re: Backdoor backblow
Two points, anybody can write an insecure cypher, while it takes an expert with peer review of their work to write a secure cypher, and even them mistakes happen. While the best cyphers are open source, they are also written and validated by a small community of PdD's who specialize in cyphers, and who are capable of reviewing each others work, and want other mathematicians to look at their work. They are all aware that they do not know all maths, or even who to ask for possible means of attack on a cypher.
[ link to this | view in chronology ]
Re: Re: Re: Re: Backdoor backblow
"it takes an expert with peer review of their work to write a secure cypher"
I doubt that.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Backdoor backblow
Encryption is not easy to do well. It's unlikely someone with less than expert level skills would be able to do it right, and without review by other experts, likely that even an expert would miss, forget, or misimplement something.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Backdoor backblow
Agreed, but not impossible.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Backdoor backblow
It's not impossible in roughly the same way it's not impossible for me (someone with no racing experience) to win the Pike's Peak Hill Climb. No laws of physics prohibit it, but it's not going to happen.
[ link to this | view in chronology ]
Re: Backdoor backblow
"I wonder if the governements wordlwide will force manufacturers to install backdoors, wouldn't that undermine the reliability of evidence collected using backdoor tech."
Well, yes, because once you have a skeleton key which opens that backdoor, every criminal organization and foreign power in the world will have it as well.
In other words if the FBI tries to cast a dragnet for drugs, gun running and CP they will instantly find evidence of such in the computers of every US politician the mob, russia and/or china do not like.
Meanwhile the leaked key will have been included in half a dozen ransomware trojans making the rounds so expect any device provided with said backdoor to be bricked anyway. This, in a nutshell, is why even China isn't inserting hardware backdoors in the hardware over which they have control - they know that rather than gain a weapon they'd have it held to their own throats by any joker able to wrap a trojan around a certificate key.
[ link to this | view in chronology ]
Re: Re: Backdoor backblow
... and who will try to use this thing full of holes for anything other than laughs.
[ link to this | view in chronology ]
Re: Re: Re: Backdoor backblow
"... and who will try to use this thing full of holes for anything other than laughs."
Everyone who thinks "government knows best" which, unfortunately, tends to include law enforcement, medical services and the military.
Hanlon's Razor is the only reason I don't tend to accuse village idiots in politics for working for foreign powers when they start demanding we weaken publicly available strong encryption.
[ link to this | view in chronology ]
I think you meant a "long list of butts."
[ link to this | view in chronology ]
'I don't get it, why is no-one returning our calls?'
From Apple to Backpage and now on to Facebook, various law enforcement agencies around the world seem damn determined to send one very clear message: Working with law enforcement can and will be used against you the second it's beneficial for them. Whether it's helping catch sex traffickers or providing access to data in an attempt to catch criminals, if a company decides to go above and beyond in providing more help than they have to it seems law enforcement just can't help themselves and demand everything.
If companies are hesitant to help law enforcement and/or spy agencies part of that is almost certainly because they realize just how dangerous the requested help would be both to them and the public, but at this point I can't help but suspect that part of that hesitation might stem from the knowledge that if they help once they'll be facing demands for even more help(both in frequency and what's involved) down the line.
[ link to this | view in chronology ]
Re: 'I don't get it, why is no-one returning our calls?'
What better way to kill your business than working with government in their ill fated attempts at taking over the world?
[ link to this | view in chronology ]
Have a bad policy and need to push it through? Use the "think of the children" line...Clipper Chip all over again. All is lost when law enforcement feel qualified to make decisions on tech policy. Like watching management attempt to create a ZFS pool after watching a youtube.
[ link to this | view in chronology ]
Who told Politicians they knew anything..
"Enable law enforcement access to content in a readable and usable format where an authorisation<interesting word> is lawfully issued, is necessary and proportionate, and is subject to strong safeguards and oversight; and"
Who told them that they knew/know anything about Encryption?
REALLY!!
Whats stopping the Person from encrypting Before they send it? Which the Politicians would Bitch about to FB.
ALSO,
Monkey see Monkey do.
WHY do they get the idea that Crooks/thieves/Child molesters/and all the BAD people are a larger group then <1%?
Or are they counting themselves?
[ link to this | view in chronology ]
Everything in the US seems to be a "war". The war on crime, the war on drugs, the war on terrorism, the war on child sex abuse. Each war provides an excuse based on overwhelming public interest to remove or weaken constitutional rights and protections. None of these wars will ever end, so the effect on rights is permanent. In all these wars the citizen is both victim and enemy. Did you smoke a joint in high school? Then of course you accept random stop and search and the seizure of assets for no particular reason. Did you ever shoplift? Then you know how important it is to throw people in prison for years for non-violent crimes. Did you ever read Playboy? Then you know how vital it is that law enforcement has total access to all your digital media at all times. Because anyone could be one. And no policing power is too extreme to deal with it. We certainly wouldn't want judges and lawyers and, well, law itself, getting in the way.
Because of the self-Streisanding all of this causes the alphabet agencies, it should be obvious that only exceptionally thick perverts would rely on commercial communication encryption. Why bother, when old-fashioned tradecraft is more secure. But that isn't the real aim anyway, is it? And the question remains; it's easy to start a war, but how do you stop it?
[ link to this | view in chronology ]
Re:
Simple: One side must either surrender or be destroyed.
Considering the public is both victim and enemy of their government, but the government is far fewer in number, it's easy to see which side will win in a fight to the death. The real question is which method will the public choose to end the war.
[ link to this | view in chronology ]
Re:
"Everything in the US seems to be a "war". The war on crime, the war on drugs, the war on terrorism, the war on child sex abuse. Each war provides an excuse based on overwhelming public interest to remove or weaken constitutional rights and protections."
...because all the US politicians pine for the good old days when they had a war against the USSR and communism, with one Big Scary Bad they could unite the country against and drown all questions in. Then the USSR collapsed and those same US politicians now had to invent a new Big Scary Bad they could use for the same effect. Enter "think of the children", anti-drug scaremongering, and "They are coming to bomb YOUR house next!".
Fear is an awesome drug for a politician. It stops people from thinking. Citizens in fear never question, making any inconvenient queries about self-serving corruption and ineptitude magically go away. Fear is the bucket of water you pour on that wicked witch called vox populi to make them all shut up and stay in line.
And the US body politic has been hooked on it since right after WW2 when they discovered just how versatile it was to just be able to invoke the Big Scary Bad and find the voices of dissent silencing at once.
[ link to this | view in chronology ]
Re:
They call it a war in order to invoke the patriot in everyone, thus providing a willing populace. Only problem is .. it's like calling wolf too many times. People are not going to put up with shit for very long before tossing back.
[ link to this | view in chronology ]
Government First
I'd love to see someone create a backdoored communication system for law enforcement, and then challenge them to use it. Let them walk the talk first, while the rest of us sit back and watch the fire.
[ link to this | view in chronology ]
'Good enough for the public but not you? Imagine that.'
So very many stupid, dangerous, and dangerously stupid ideas would be shut down and retracted immediately if the ones proposing them were faced with a 'you first' ultimatum.
[ link to this | view in chronology ]
Re: Government First
"I'd love to see someone create a backdoored communication system for law enforcement, and then challenge them to use it."
I'm not sure the strategy of "dropping a nuke exclusively on the police precinct" is a desirable choice.
But sure, if you magically could accomplish this using the same magic you try to advocate when it comes to "Free speech only for some" then be my guest.
Me, I hope for law enforcement to use the same standard of encryption everyone else has access to, more or less as it is now, because that gets me security without having to violate the laws of mathematics.
[ link to this | view in chronology ]
Isn't it unsettling how much law enforcement craves access to child porn?
[ link to this | view in chronology ]
Re:
"Isn't it unsettling how much law enforcement craves access to child porn?"
I wish I could give this a "lol" vote, but given how often police officers have been exposed carrying some CP "homework" home on a USB stick, I'd be inclined to say that this is just one more damn good reason as to why we should continually verify our trust in our watchmen.
And that's in europe. In the US I could instead make a joke that by the statistics it appears US officers of the law get their jollies covered by murdering at will. It sticks a bit in the throat, but a ratio of a thousand police shootings in the US to every police shooting in europe speaks quite loudly.
[ link to this | view in chronology ]
Hmmm
By that logic, even police should be unencrypted. After all , they have nothing to hide.
And would make it easier to spot spies or undercovers as they would use necrpyted and could tell.
Also.... Back door should be used by government first to test it. If not hacked quickl wellll....
[ link to this | view in chronology ]
Cyber secure
Use Utopia Ecosystem and there will be no problems with protection and anonymity. These guys know their stuff!
[ link to this | view in chronology ]