Bug bounty programs are far from unusual; Facebook has said that it pays out millions each year to enterprising security researchers and ethical hackers who report the vulnerabilities they find. What is unusual is for a government to put a bounty on discovering a method to break into a service such as Facebook. Yet that is exactly what the United Kingdom’s Home Secretary is offering, promising grants of up to $117,000 to firms that can figure out how to bypass the end-to-end encryption used by the Facebook and WhatsApp messaging systems.
The story is stranger still in that the amount offered is paltry compared to what a researcher would likely get from Facebook’s own bug bounty program, or what a criminal would get by selling such a method on the black market. The UK government says that the aim of the project is to “protect children”, commonly the first reason invoked when law enforcement agencies want a backdoor into hardware and services for their own private use.
Offer aims to catch child abusers “while ensuring end-to-end encryption is not compromised”
The offer comes after repeated refusals by Facebook, dating back more than a year, to compromise its end-to-end encryption for the UK’s police agencies. The most recent push from the UK was in April of this year, when home secretary Priti Patel called Facebook’s plans to expand end-to-end encryption to Facebook Messenger and Instagram “unacceptable” and claimed that they would keep police from catching child abusers. Applicants will be able to begin submitting their plans on November 1, and the program will run until March 2022.
The home secretary’s office frequently partners with the UK’s National Society for the Prevention of Cruelty to Children (NSPCC) charity to make its pitch to derail tech industry encryption plans; the NSPCC consistently claims that private messaging on platforms such as WhatsApp and Instagram is how the majority of child sexual abuse is facilitated in the country. While there is inarguably some amount of that, as well as serious criminal activity such as communication between terrorists, there are also privacy and security concerns for the much greater number of legitimate users of messaging apps. In addition to the obvious concerns about abuse of a law enforcement backdoor for spying and political purposes, Facebook has opposed the idea on the basis that it would create a massive potential security vulnerability.
The UK government is offering the grants, of “up to” $117,000 each, to as many as five organizations that come forward with a way to get around Facebook’s end-to-end encryption. The platform’s current message encryption scheme originated with WhatsApp, has been imported to Facebook Messenger for voice and video calls, and is seen as one of the strongest options available. Facebook plans to eventually encrypt all communications in Messenger as well as bringing the technology to Instagram.
The government does not directly call for these firms to break Facebook’s end-to-end encryption, but it sets a goal that appears impossible without doing so. The actual wording of the request is “to detect images or videos showing sexual abuse of children while ensuring end-to-end encryption is not compromised.” Of course, if the images are encrypted, there does not appear to be a way to detect or expose them without breaking the encryption.
Criminals who hit upon a solution would obviously not be in a hurry to go to the government, and would likely be able to sell the exploit on the dark web for a much more substantial sum. That leaves security researchers, and it is unclear why they would venture into these ethically murky waters when Facebook has a $6 billion annual R&D budget from which it could make much more generous payments. It is unknown exactly how much Facebook pays out for individual bugs due to their generally sensitive nature, but last year the company said that it had paid out a little more than $11 million in total since the program was initiated in 2011.
UK goes to G7 to pressure Facebook into weakening end-to-end encryption
In the meantime, Priti Patel plans to continue the campaign by going before the G7 and requesting that its members demand Facebook cease its expansion of end-to-end encryption, and by announcing the launch of a fund to provide support for online investigations of child sexual abuse. Rob Jones, the director of threat leadership at the National Crime Agency, claims that a complete rollout of end-to-end encryption would cut off vital “incisive intelligence”; a senior investigator claims that investigators would miss about 20 million child abuse images each year. Patel mentioned Apple’s controversial CSAM photo scanning plan, calling it a good “first step.”
A spokesperson for Facebook said that the company had an “industry-leading” system for internally detecting and monitoring child exploitation efforts in place, and that the ongoing rollout of end-to-end encryption across all of its services would protect all of its users from hackers and criminals.