The Whistleblower And Encryption: Everyone Has An Angle, And Not Everyone Is A Policy Expert
from the nuance,-nuance,-nuance dept
Over the weekend, the Telegraph (not the most trustworthy or reliable in a batch of UK news organizations that have long had issues with accuracy in reporting) claimed that the latest (and most high profile) Facebook whistleblower, Frances Haugen, was prepared to come out against encryption. This (quite rightly) raised the hackles of multiple encryption experts. As people were getting pretty worked up about it, the Telegraph (silently, and without notice) changed the headline of the piece (from "Facebook whistleblower warns ‘dangerous’ encryption will aid espionage by hostile nations" to "Facebook whistleblower warns company's encryption will aid espionage by hostile nations") as well as the actual text of the story, to suggest a slightly more nuanced (but still not great) view -- effectively saying she supported encryption, but was concerned that Facebook would use encryption as a "see no evil" kind of blindfold to problems on its platform.
Ms Haugen said that she is generally pro-encryption, which enhances users’ privacy. However, she added that Facebook’s plan was also a way for the company to “sidestep” harmful content happening on its platform rather than address it.
She said: “End-to-end encryption definitely lets them sidestep and go ‘look we can’t see it, not our problem’.”
Of course, context and motives matter here, and the Telegraph -- which tends to be quite supportive of the current UK government -- seemed to be twisting Haugen's (admittedly confused) statement in support of UK Home Secretary Priti Patel's positively dangerous plan to get rid of end-to-end encryption in the UK. It sure looks like the Telegraph went looking for a way to support that argument, and used Haugen's words to that effect.
A few hours later, Haugen actually testified before a UK Parliamentary committee and claimed her words were taken out of context. She said that she's strongly pro-encryption... but then tried to claim that her comments to the Telegraph were more about how she doesn't trust Facebook to actually implement encryption. Which is... a strange and almost nonsensical claim.
“I want to be very, very clear. I was mischaracterised in the Telegraph yesterday on my opinions around end-to-end encryption,” she said. “I am a strong supporter of access to open source end to end encryption software.
“I support access to end-to-end encryption and I use open source end-to-end encryption every day. My social support network is currently on an open source end-to-end encryption service.”
[....]
“Facebook’s plan for end-to-end encryption — I think — is concerning because we have no idea what they’re going to do. We don’t know what it means, we don’t know if people’s privacy is actually protected. It’s super nuanced and it’s also a different context. On the open source end-to-end encryption product that I like to use there is no directory where you can find 14 year olds, there is no directory where you can go and find the Uighur community in Bangkok. On Facebook it is trivially easy to access vulnerable populations and there are national state actors that are doing this.
“So I want to be clear, I am not against end-to-end encryption in Messenger but I do believe the public has a right to know what does that even mean? Are they really going to produce end-to-end encryption? Because if they say they’re doing end-to-end encryption and they don’t really do that people’s lives are in danger. And I personally don’t trust Facebook currently to tell the truth… I am concerned about them misconstruing the product that they’ve built — and they need regulatory oversight for that.”
But... here's the thing: Haugen may be a wonderful data scientist. And, she may have done the world tremendous good by leaking tons of internal Facebook documents, giving the world some insight into what's going on at the company. But that doesn't make her an expert on encryption. And, it shows. As Alec Muffett, a security expert who actually used to work on encryption at Facebook, noted in a detailed thread, what Haugen is asking for here is dangerous and shows a real lack of understanding about encryption.
First, she claims that there should be a government review of any Facebook end-to-end encryption to make sure it's legit. And, yes, there are many reasons to not trust Facebook, but introducing the idea that government needs to review and approve encryption is worse. Is she completely unaware of the government's history of constantly trying to undermine and backdoor encryption? I mean, it's not exactly secret. And the US government has been trying to undermine and backdoor encryption pretty aggressively lately. Suggesting that there needs to be some government entity blessing the encryption opens the door to all sorts of mischief.
The separate issue is claiming that end-to-end encryption for Facebook is somehow different because you can use Facebook for more than just messaging, and it's bolted on to other services. Again, as Muffett explains, this kind of thinking is dangerous as well. It suggests that encrypted chat needs to be silo'd and kept distant from tons of internet services, when the reality is often that many more internet services should be embracing encryption much more widely to protect their users.
This is also why it's difficult to understand Haugen's claims -- as they seem somewhat contradictory. Even if we take the Telegraph's mission-driven editing with a grain of salt, Haugen doesn't deny her claim that encryption makes it harder to protect Uighurs:
“A key part of [Chinese operatives’] strategy was to send malware to Uighurs who lived in places that weren’t China, as if they could compromise one phone they could compromise a whole community. We said we won’t be able to see the malware anymore [with encryption].”
But, that's backwards. Do we think Uighurs will be more protected with encryption, or without it? As Riana Pfefferkorn pointed out just last week, encryption and security go hand in hand. It is not -- as law enforcement would falsely have you believe -- that encryption and security are at odds. Encryption provides security -- especially against oppressive governments trying to genocide an entire culture. Uighurs need encryption much more than they "need" Facebook to be able to see what the Chinese are doing to protect the Uighurs.
Haugen's statement on the Uighurs seems ridiculous when thought about: it's basically arguing that without encryption Facebook can better protect the Uighurs from the Chinese government. Does anyone actually believe that? Or would they be better off with access to encryption? They shouldn't necessarily rely on Facebook's encryption, but arguing that it shouldn't be there to better protect them is just silly.
Again, Haugen has likely done the world a great benefit in leaking a bunch of internal documents (I'll have more on those soon). But it's important to remember that just because she blew the whistle regarding Facebook research, it doesn't make her an expert on everything else. She's not an expert on content moderation, or antitrust, or encryption. She may be a useful source for exploring what Facebook's research showed, or some of Facebook's decision making, but it's depressing how quickly eager politicians looking to gain support for their already existing plans are exploiting her to argue for their position on topics she's really not qualified to comment on. Indeed, it's also dismissing the hard work of tons of actual experts on these topics, from practitioners in the field to the academics who study these issues.