For the past few years, law enforcement officials in both the United States and UK have been looking for ways to access the messages and content sent via end-to-end encrypted messaging platforms such as WhatsApp. Now, it looks like they might have finally found a way. According to media reports circulating on both sides of the Atlantic, the U.S. and UK will soon sign a controversial new treaty that will force social media companies and other tech firms to share encrypted communications with law enforcement officials. Such a treaty would enable police and counter-terrorism units to deal with criminals, terrorists and perpetrators of child sexual abuse in a much more effective and expedient manner. The big question, of course, is whether such a treaty would mandate an encryption backdoor.
The push for an encryption backdoor
Initial reports suggested that the new treaty (or so-called “Data Access Agreement”) would mandate an encryption backdoor, and that would have been a potentially explosive development from the perspective of social media companies. First and most importantly, an encryption backdoor would force social media companies such as Facebook to redesign their communications platforms from scratch. And, secondly, an encryption backdoor would essentially remove one of the key reasons why people use these end-to-end encrypted platforms: complete and total privacy.
When end-to-end encryption exists, the only people who can read the messages and any content attached to those messages are the sender and receiver. Even if law enforcement agencies ask WhatsApp (for example, via an official court warrant) to provide backdoor access to the content of those WhatsApp messages, it’s impossible (from a technical perspective) to honor such a legal request, because the provider never holds the keys needed to decrypt them. And that’s exactly what has frustrated law enforcement authorities so much – criminals, terrorists and pedophiles have started using these end-to-end encrypted messaging platforms solely to avoid law enforcement detection. They are able to exchange messages and traffic in certain content, and law enforcement simply has no way to read those messages.
Thus, as might be imagined, law enforcement officials have been hunting for various ways to create an encryption backdoor. One recent idea, for example, was proposed by UK spy agency GCHQ. Under this proposal from security experts, social media companies would have been forced to create a so-called “Ghost Protocol” that would insert an extra “end” into the “end-to-end” encryption. Doing so would enable law enforcement officials to snoop on conversations by adding them silently and secretly to any conversation. Two criminals might think that they were having a two-way conversation, but unbeknownst to them, “ghost” law enforcement officials would also have been hanging out on the conversation. Needless to say, this proposal for a “ghost protocol” encryption backdoor met with a firestorm of controversy from technology companies as soon as it was divulged.
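The following added example is not taken from the GCHQ proposal or from any messenger's code. It is a simplified model of the "extra end": it assumes the sender's client wraps one message key for every public key the provider's directory lists, and shows that the provider cannot read the message, that a silently listed third key can, and that a client comparing the directory against keys the user verified out of band would flag it. All names (`send`, `receive`, `unverified`, the `ghost` entry) are hypothetical, and the cipher and Diffie-Hellman group are toys built from the standard library.

```python
import hashlib, hmac, secrets

P, G = 2**127 - 1, 3   # toy Diffie-Hellman group, far too small for real use

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def _xor(key, data):
    """XOR data with a SHA-256 counter keystream (toy cipher, constructed)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def _shared(priv, peer_pub):
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()

def send(priv, pub, directory, text):
    """Encrypt once, then wrap the message key for every key in the directory."""
    mk = secrets.token_bytes(32)
    return {"from": pub, "body": _xor(mk, text),
            "tag": hmac.new(mk, text, "sha256").digest(),
            "wrapped": {n: _xor(_shared(priv, k), mk) for n, k in directory.items()}}

def receive(name, priv, env):
    """Return the plaintext, or None if this private key cannot unwrap it."""
    if name not in env["wrapped"]:
        return None
    mk = _xor(_shared(priv, env["from"]), env["wrapped"][name])
    text = _xor(mk, env["body"])
    good = hmac.compare_digest(hmac.new(mk, text, "sha256").digest(), env["tag"])
    return text if good else None

def unverified(directory, verified_keys):
    """Names whose key the user never confirmed out of band."""
    return sorted(n for n, k in directory.items() if k not in verified_keys)

def demo():
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    g_priv, g_pub = keypair()
    server_priv, _ = keypair()                   # the provider holds no listed key
    tampered = {"bob": b_pub, "ghost": g_pub}    # directory as served to Alice
    env = send(a_priv, a_pub, tampered, b"constructed sample message")
    return {"bob": receive("bob", b_priv, env),
            "ghost": receive("ghost", g_priv, env),
            "provider": receive("bob", server_priv, env),
            "flagged": unverified(tampered, {b_pub})}
```
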
Facebook and the fight against encryption backdoors
UK Home Secretary Priti Patel has been particularly vocal about the need for social media companies such as Facebook to work with law enforcement officials. Earlier this year, for example, Patel accused Facebook of deliberately frustrating the fight against terrorists and child abusers. That’s because Facebook recently announced that it would be transforming all of its messaging platforms – and not just WhatsApp – into end-to-end encryption platforms. Currently, only WhatsApp is end-to-end encrypted; Facebook Messenger is not. Facebook’s master plan right now is to integrate all of its social network messaging platforms so that they can work with each other, and the only way to do that – at least from a technical perspective – is to make all of them encrypted. That would, essentially, make it even more difficult for anyone to build backdoors into several platforms at once.
So that introduces a very interesting wrinkle into the whole debate over privacy and encryption backdoors – the very company that is accused of abusing personal privacy (Facebook) has now emerged as one of the key figures in the fight against encryption backdoors. Ever since the Cambridge Analytica scandal of 2018 and the resulting public uproar over abuse of personal privacy, Facebook has been looking for ways to become a “privacy-first” company. And one way to do that is by embracing end-to-end encryption.
Privacy and the CLOUD Act
This is not to say that social media companies such as Facebook do not work with law enforcement officials and government agencies at all – it’s just that the whole process can be very laborious and time-intensive, especially if it involves coordination of law enforcement officials on both sides of the Atlantic. The current legal framework for sharing communications on social media is known as the Clarifying Lawful Overseas Use of Data (CLOUD) Act, and it does not mandate an encryption backdoor. The CLOUD Act is what Facebook cites when it pushes back against calls for it to install an encryption backdoor.
Under the terms of the 2018 CLOUD Act, social media companies only need to provide metadata associated with communications, and not the actual content of the messages themselves. This metadata might include IP addresses, phone numbers, timestamps of messages sent or received, contact lists, and profile photos. Thus, law enforcement officials would know when Criminal A was talking to Criminal B, but would not know what they were actually talking about. The only way to find that out would be to create an encryption backdoor, which is why there is so much controversy about what might be included in the new U.S.-UK treaty. The new treaty, presumably, would go one step further than existing laws.
The fundamental tension between privacy and security
At the end of the day, the ongoing debate over encrypted communications and the need to create an encryption backdoor is really a debate between privacy and security. On one hand, platforms such as WhatsApp are phenomenal tools for anonymity and privacy. On the other hand, they are ripe for misuse and abuse in the wrong hands (i.e. criminals, terrorists, child abusers).
All of this, of course, places social media companies in a tight position. For nearly two years, they’ve been dragged in front of regulators and legislators and forced to atone for past sins. In the case of Facebook and Google, they’ve been fined millions of dollars and been subject to countless lawsuits and investigations. Now they face another potential fight on the public stage. Will they stand up for personal privacy and refuse to install an encryption backdoor, or will they finally give in to so much pressure?