The Whistleblower And Encryption: Everyone Has An Angle, And Not Everyone Is A Policy Expert
from the nuance,-nuance,-nuance dept
Over the weekend, the Telegraph (not the most trustworthy or reliable in a batch of UK news organizations that have long had issues with accuracy in reporting) claimed that the latest (and most high profile) Facebook whistleblower, Frances Haugen, was prepared to come out against encryption. This (quite rightly) raised the hackles of multiple encryption experts. As people were getting pretty worked up about it, the Telegraph (silently, and without notice) changed the headline of the piece (from "Facebook whistleblower warns ‘dangerous’ encryption will aid espionage by hostile nations" to "Facebook whistleblower warns company's encryption will aid espionage by hostile nations") as well as the actual text of the story, to suggest a slightly more nuanced (but still not great) view -- effectively saying she supported encryption, but was concerned that Facebook would use encryption as a "see no evil" kind of blindfold to problems on its platform.
Ms Haugen said that she is generally pro-encryption, which enhances users’ privacy. However, she added that Facebook’s plan was also way for the company to “sidestep” harmful content happening on its platform rather than address it.
She said: “End-to-end encryption definitely lets them sidestep and go ‘look we can’t see it, not our problem’.”
Of course, context and motives matter here, and the Telegraph -- which tends to be quite supportive of the current UK government, seemed to be twisting Haugen's (admittedly confused) statement in support of UK Home Secretary Priti Patel's positively dangerous plan to get rid of end-to-end encryption in the UK. It sure looks like the Telegraph went looking for a way to support that argument, and used Haugen's words to that effect.
A few hours later, Haugen actually testified before a UK Parliamentary committee and claimed her words were taken out of context. She said that she's strongly pro-encryption... but then tried to claim that her comments to the Telegraph were more about how she doesn't trust Facebook to actually implement encryption. Which is... a strange and almost nonsensical claim.
“I want to be very, very clear. I was mischaracterised in the Telegraph yesterday on my opinions around end-to-end encryption,” she said. “I am a strong supporter of access to open source end to end encryption software.
“I support access to end-to-end encryption and I use open source end-to-end encryption every day. My social support network is currently on an open source end-to-end encryption service.”
[....]
“Facebook’s plan for end-to-end encryption — I think — is concerning because we have no idea what they’re doing to do. We don’t know what it means, we don’t if people’s privacy is actually protected. It’s super nuanced and it’s also a different context. On the open source end-to-end encryption product that I like to use there is no directory where you can find 14 year olds, there is no directory where you can go and find the Uighur community in Bangkok. On Facebook it is trivially easy to access vulnerable populations and there are national state actors that are doing this.
“So I want to be clear, I am not against end-to-end encryption in Messenger but I do believe the public has a right to know what does that even mean? Are they really going to produce end-to-end encryption? Because if they say they’re doing end-to-end encryption and they don’t really do that people’s lives are in danger. And I personally don’t trust Facebook currently to tell the truth… I am concerned about them misconstruing the product that they’ve built — and they need regulatory oversight for that.”
But... here's the thing: Haugen may be a wonderful data scientist. And, she may have done the world tremendous good by leaking tons of internal Facebook documents, giving the world some insight into what's going on at the company. But that doesn't make her an expert on encryption. And, it shows. As Alec Muffett, a security expert who actually used to work on encryption at Facebook, noted in a detailed thread, what Haugen is asking for here is dangerous and shows a real lack of understanding about encryption.
First, she claims that there should be a government review of any Facebook end-to-end encryption to make sure it's legit. And, yes, there are many reasons to not trust Facebook, but introducing the idea that government needs to review and approve encryption is worse. Is she completely unaware of the government's history of constantly trying to undermine and backdoor encryption? I mean, it's not exactly secret. And the US government has been trying to undermine and backdoor encryption pretty aggressively lately. Suggesting that there needs to be some government entity blessing the encryption opens the door to all sorts of mischief.
The separate issue is claiming that end-to-end encryption for Facebook is somehow different because you can use Facebook for more than just messaging, and it's bolted on to other services. Again, as Muffett explains, this kind of thinking is dangerous as well. It suggests that encrypted chat needs to be silo'd and kept distant from tons of internet services, when the reality is often that many more internet services should be embracing encryption much more widely to protect their users.
This is also why it's difficult to understand Haugen's claims -- as they seem somewhat contradictory. Even if we take the Telegraph's mission-driven editing with a grain of salt, Haugen doesn't deny her claim that encryption makes it harder to protect Uighurs:
“A key part of [Chinese operatives’] strategy was to send malware to Uighurs who lived in places that weren’t China, as if they could compromise one phone they could compromise a whole community. We said we won’t be able to see the malware anymore [with encryption].”
But, that's backwards. Do we think Uighurs will be more protected with encryption, or without it? As Riana Pfefferkorn pointed out just last week, encryption and security go hand in hand. It is not -- as law enforcement would falsely have you believe -- that encryption and security are at odds. Encryption provides security -- especially against oppressive governments trying to genocide and entire culture. Uighurs need encryption much more than they "need" Facebook to be able to see what the Chinese are doing to protect the Uighurs.
Haugen's statement on the Uighurs seems ridiculous when thought about: it's basically arguing that without encryption Facebook can better protect the Uighurs from the Chinese government. Does anyone actually believe that? Or would they be better off with access to encryption? They shouldn't necessarily rely on Facebook's encryption, but arguing that it shouldn't be there to better protect them is just silly.
Again, Haugen has likely done the world a great benefit in leaking a bunch of internal documents (I'll have more on those soon). But it's important to remember that just because she blew the whistle regarding Facebook research, it doesn't make her an expert on everything else. She's not an expert on content moderation, or antitrust, or encryption. She may be a useful source for exploring what Facebook's research showed, or some of Facebook's decision making, but it's depressing how quickly eager politicians looking to gain support for their already existing plans are exploiting her to argue for their position on topics she's really not qualified to comment on. Indeed, it's also dismissing the hard work of tons of actual experts on these topics, from practitioners in the field to the academics who study these issues.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: encryption, frances haugen, going dark, tech policy, uk
Companies: facebook
Reader Comments
Subscribe: RSS
View by: Time | Thread
When will people realize that encryption is working if only communicating parties can read the messages, and broken if anybody else, including governments, can also read the messages? Its not possible to have working end to end encryption if some third party, including those providing messaging services, can read the messages, then that is encryption between users and the servers, and NOT end to end encryption; and selling it as such is false advertising.
[ link to this | view in chronology ]
As she said there's a problem with Facebook pushing harmful negative content to maximize user engagement fb is rapidly losing young users
She's s data expert the uk government has for years with the 5 eyes been pushing to ban encryption and erase privacy from surveillance for the ordinary user
Does she really think getting rid of encryption will help protect uighers from the Chinese government
Wtf?
Fb has problems but we must remember every day millions of users use it for free to talk to friends and relatives and it's a major platform for business too
Also other tech websites have reported fb and Google have conspired to fix the ad market to keep prices high by not really competing with each other see project jedi
I think it's been obvious for years most of the time Facebook chooses profit over the mental health of users by displaying negative content like conspiracy theory's fake news etc
[ link to this | view in chronology ]
I think YOU may be confused
She says she wants to know the end-to-end encryption REALLY IS end-to-end encryption ... considering the source. She's saying that if Uighurs trust their encryption and it's bollocks, they have trouble ... though from what I've read, I'm not sure there is anything a Uighur can do to avoid trouble, apart from hanging himself to spare the government the inconvenience.
I don't think a Facebook whistleblower is too likely to get a fair treatment in the mass media, given as they apparently are all, by virtue of still being in business, utterly abased servile worshippers of the company who would offer up their children on an altar for a modest degree of goodwill from the company.
From Crypto AG to the first https in Netscape to whatever that "secure encryption company" targeting the drug dealers last year was called, companies' claims they offer "real crypto" are at least 90% false. The other 10% we just don't KNOW are false yet. Why should Facebook get a pass?
[ link to this | view in chronology ]
Re: I think YOU may be confused
you might want to re-read the article:
That right there is Mike stating your position, that she wants code review. Mike then continues to points out an issue with that plan, not just that she misunderstands the issue.
The title and initial comments in your post completely ignore what was actually said in the article. Mike isn't confused, he knows the request is for code review. You are because you didn't read. The issue is can you can trust a government who wants to undermine encryption (cough the US Government cough) to tell you encryption is safe? Do you really think if the CIA finds a backdoor the CIA will tell anyone it exists? No, they will exploit that discovery for themselves and tell everyone the encryption is safe. I don't know why you think differently.
[ link to this | view in chronology ]
Re: Re: I think YOU may be confused
Apple.
[ link to this | view in chronology ]
Additionally...
She is making the claim that if the encryption really is good, it will make it harder for ... someone... "to detect malware". So if she holds both those positions, they are mutually contradictory.
No one should be scanning other people's messages on the wire, anyway. And the history that we know, since so much involving the biggest scanners of communications is secret, is that no one has ever stopped anything by live signals intelligence / malware scanning. It just gives them a later excuse at some point in the future to get up in peoples' private lives (including parties who are victimized), or simply use malware, exploits, and compromised endpoints to their own ends.
Now, if you wanted some open cryptographic org to review the crypto and implementation, that would be sensible. Haugen apparently wants it both ways, but with govenments doing the crypto verification and spying on supposedly encrypted communications.
Maybe if governments didn't hoard explouts, and demanded patching of all the things, including telecom vulnerabilities existing since time out of mind, and all the IoT bullshit, someone might have the slightest hint of an argument here.
[ link to this | view in chronology ]
I'm having some serious reservations about Ms Haugen, her objectives and motivations.
The fact she's endorsing the lurching atrocity of the Online Harms Bill doesn't inspire much confidence for a start! A bill that proposes everything from forcing sites to take down content that's not illegal, to curtailing encryption, to mandating "politically neutral moderation" whatever that's supposed to mean. (Presumably giving terfs and UKIP supporters an avenue to complain next time they get kicked off private websites).
Obviously it's not finalized yet. But as the only mainstream pushback to the bill here in the UK, is that it doesn't go far enough (!) I'm not expecting any last minute improvements!
[ link to this | view in chronology ]
Not even a whistleblower
There needs to be an actual offense to blow on. I mean if a reporter from a Murdoch tabloid came out about exploiting fear and negativity for money we would ask "What are you, stupid? We already knew and it isn't illegal!"
[ link to this | view in chronology ]
Re: Not even a whistleblower
That's a very good point, and one that's getting the short shrift across most of the coverage. The Hoeg Law YouTube channel discusses that in some detail
Don't get me wrong, I think it's a good thing that these documents are coming into public scrutiny, . And I don’t think Facebook would want the bad PR of trying to sue or prosecute Ms Haugen, who's largely being portrayed as a brave woman speaking up against an evil megacorp.
Still, what’s the underlying criminal activity? Being profitable isn’t illegal. Malleable concepts like ‘misinformation’ and ‘spreading hate’ aren’t illegal. (at least under 1st Amendment jurisprudence). And Section 230 absolutely forecloses the argument that Facebook is legally liable for user generated content; the entire crux of Ms Haugen’s activism!
Take away any alleged legal wrongdoing, and you’re legally (if not morally) close to situations like Palmer Luckey or Anthony Levandowsk: Disgruntled ex-employees walking out of their jobs with a sack of stolen documents and trade secrets.
[ link to this | view in chronology ]
Re: Re: Not even a whistleblower
I don't see any problem with being a whistelblower about immoral but legal activity.
[ link to this | view in chronology ]
Out of the frying pan into the forest fire
If Facebook doesn't make use of working encryption, whether intentionally or simply due to getting something wrong that's bad but once it's been caught there's a chance that it can be fixed with sufficient pressure.
If governments are the ones deciding what encryption is or is not 'good enough' then you might as well assume that any encryption that gets the go-ahead either already had a known vulnerability or had one added(in neither case should it be trusted), because with the multiple governments around the world showing open animosity towards encryption the odds that they will be vetting it in good faith is staggeringly low.
Facebook not properly implementing encryption is most certainly a potential problem worth keeping an eye on but the 'solution' presented is just so much worse it's difficult to understand how she missed the glaring problems with it.
[ link to this | view in chronology ]
I'm sorry
As a Brit I feel the need to apologise for Johnson, Patel, the Telegraph, and the demon spawn that is the online harms bill.
I would like to offer up some positive news from the government in balance, but I can't.
They are just terrible.
[ link to this | view in chronology ]