Within the United States, top law enforcement officials such as Attorney General William Barr and FBI Director Christopher Wray are increasingly making the case that tech companies such as Facebook should weaken the type of encryption that they provide for their messaging and communication services such as WhatsApp. As they see it, encryption backdoors and access to encrypted devices are necessary for law enforcement to track and monitor criminals. Yet, as new surveillance technology makes its way into the market, it’s becoming increasingly clear that these encryption backdoors might not be necessary after all.
The arrival of new surveillance technology for breaking encryption
Much of this new surveillance technology is now being sold by a handful of surveillance technology companies, such as Cellebrite and NSO Group, both of them based in Israel. For its part, Cellebrite sells hacking hardware that enables law enforcement authorities to hack open locked and encrypted smartphones. As long as law enforcement officials have the actual smartphone in their possession and are willing to abide by a few ground rules (such as only unlocking smartphones in a secure, designated location), they have the ability to unlock encrypted phones – something that previously was impossible to do without the assistance of the phone manufacturer. When law enforcement authorities tried to get access to the locked iPhone of the infamous San Bernadino mass shooter, they ran into a brick wall when Apple refused to unlock the phone for them. With Cellebrite, though, law enforcement now has access to surveillance technology for unlocking any Android or iPhone.
NSO Group takes a different approach than Cellebrite. Instead of hacking hardware, NSO Group uses “lawful access” software that is implanted on the phone of a criminal suspect or terrorist. Once the software has been implanted, it works like malware, in that it goes to work infecting smartphone and grabbing the images, encrypted data, or contact lists it needs. And NSO Group has even found a way to infiltrate the strong end-to-end encryption of WhatsApp by exploiting a known security vulnerability. In one high-profile case, NSO Group enabled more than 1,400 people to be tracked and monitored as soon as they received a WhatsApp video call. Even if they didn’t answer the video call, the security vulnerability enabled malware to be loaded onto the phones.
The case against surveillance technology
The problem here, of course, is that surveillance technology designed with law enforcement agencies in mind is often used for other purposes and by less savory individuals. In some cases, for example, it is used by sexual abusers to stalk former spouses and in other cases, it is used by child predators to monitor and track potential child victims.
And in still other cases, this surveillance technology is used by government intelligence agencies to track dissidents, journalists and human rights activists. Presumably, it could also be used to track the encrypted messaging of diplomats and top foreign officials. In the case of NSO Group, for example, its surveillance technology has been linked to tracking of people such as political dissidents and government critics. That same surveillance technology has also been implicated in the high-profile murder of Saudi dissident Jamal Khashoggi. And National Security Agency contractor Edward Snowden famously warned of the perils of “backdoor access” to devices being used as part of mass surveillance programs.
The shadowy and often illegal use of surveillance technology to gain access to sensitive data is one reason why law enforcement officials prefer encryption backdoors. As they see it, encryption backdoors have less potential for abuse, are less apt to fall into the wrong hands, and do not require physical possession of a smartphone or digital device. The best way to think of an encryption backdoor is that it is a secret security vulnerability that is known only by law enforcement and can be used to monitor anyone suspected of criminal wrongdoing from a remote location.
The case against encryption backdoors
The biggest problem with encryption backdoors, however, is that they weaken the security of all users, not just criminals. If Facebook ever creates an encryption backdoor for law enforcement, for example, then every single user of Facebook Messenger or WhatsApp would be at risk – at least, theoretically – of being tracked and monitored. Breaking encryption in one case means breaking encryption for all cases. There is no such thing as “sort of strong encryption” – there is either strong encryption or no encryption.
Moreover, it’s simply naïve to assume that only law enforcement will ever get access to the encryption backdoor. Criminals, too, will know that an encryption backdoor exists, and they go about hacking so that they also can snoop on conversations or monitor innocent people.
As some top U.S. politicians and security experts have also pointed out, breaking encryption defeats the fundamental reason why criminals, terrorists and child predators are using WhatsApp in the first place. These criminals are doing so because they want a 100% guarantee that law enforcement can’t read their communications. As soon as they realize that a platform like WhatsApp has been “broken,” they will immediately migrate to another platform. Think about it – in Hollywood movies, what happens when criminals realize that a certain room has been “bugged” or that a certain phone has been wiretapped? That’s right – they either conduct their illicit business somewhere else, or they find ways to trick law enforcement or intelligence agencies. If they plan to rob a bank at 10:00 in the morning on a Monday, they might use the presence of a bug or wiretap to throw them off the trail by mentioning a wrong date or time (“Hey, it all goes down at 2:00 in the afternoon on Tuesday…”)
The balance between security and privacy
At the end of the day, it all comes down to a balance between security and privacy. In a world where strong, military-grade, end-to-end encryption is a reality, there is a gain for privacy at the expense of safety and security. In other words, your communications are 100% protected from prying eyes and ears, but so are the conversations of terrorists and criminals. And, in a world where encryption backdoors are a reality, there is a gain for safety and security at the expense of privacy. Your conversations are no longer 100% private, but neither are the communications of terrorists and criminals.
Until recently, this was the fundamental choice facing society – and a good reason why the argument for encryption backdoors has been gaining momentum in North America and Europe. However, with the arrival of new surveillance technology from tech companies, the debate between privacy and security might represent a false dichotomy, It might be possible to have both – privacy for the majority of law-abiding citizens, and access to the bad guys for law enforcement officials conducting legitimate search and seizure operations.