Privacy: End game for end-to-end encryption
By Heather Burns: Last week, Wired has reported that the Home Office is actively exploring legal and technical mechanisms to compel Facebook and WhatsApp to break end-to-end encryption messaging.
The article states that:
“Since Facebook’s announcement on the extension of end-to-end encryption in 2019, Patel has grown increasingly impatient and vocal about the dangers of the technology – publicly calling on Facebook to “halt plans for end-to-end encryption”, and bringing up the subject in meetings with her US counterparts and the Five Eyes intelligence alliance of English-speaking countries…According to a person familiar with policy discussions, technology companies are now increasingly worried that the Home Office could issue a Technical Capability Notice (TCN) against Facebook – that is: an injunction forbidding the company from switching to end-to-end encryption.”
Nearly every successful instant messaging product today uses end-to-end encryption. This is because users wish to protect their privacy, control their sensitive personal information, avoid fraud and scams, explore their personalities and beliefs, and safeguard themselves from criminals and abusive partners. So government’s desire to limit encryption for Facebook users, which clearly goes against user expectations, has enormous implications for all of our private communications. What is framed by the government as a means to “detect crime” is, in fact, likely to reduce personal security, introduce new risks, and create opportunities for criminals and abusers.
Thus the current attacks cannot be seen as “just” targeting WhatsApp and Facebook, or as a measure to address a particular problem on a single platform. Rather, it appears that government is determined to limit the ability of platforms and service providers to use encryption, especially at scale. In doing so, the government is likely to use secretive powers introduced in the Investigatory Powers Act.
In that light, it is important to understand those regulatory and law enforcement options which are likely to be under active consideration for imposition on Facebook/WhatsApp, and by extension, your private messages.
WHAT ARE THE OPTIONS?
The Home Office could choose to continue its active engagement with Facebook/WhatsApp. It could also attempt to limit access to encrypted products through the Online Safety Bill. As we have previously explained, there has been a push to use the online harms framework to only allow access to encryption when the “risks” of use by criminals is low or eliminated, and when children are not using the product. This could, by implication, require age verification to use an encrypted messaging app, among other possible outcomes.
What the Wired piece suggests, however, is that both those ships have sailed, and the Home Office may now be looking to compel Facebook/WhatsApp to take technical steps through a legal mechanism of the Home Office’s choosing completely outside the Online Safety framework and the Parliamentary scrutiny which surrounds it.
This is particularly credible, as the Minister for Digital, Oliver Dowden, recently stated to the press (partly quoted here):
SafeSubcribe/Instant Unsubscribe - One Email, Every Sunday Morning - So You Miss Nothing - That's It
“I do have very grave concerns about Facebook’s plans for end-to-end encryption and the Home Secretary and I have been engaging on all levels with Facebook on that. End-to-end encryption cannot be a way of facilitating child abuse and so on and we have shared those concerns. We haven’t ruled out any steps to protect against those abuses. But at the moment we are engaging with Facebook to try and resolve this in a way that is in the interest of everyone and that we have appropriate protections in place. We are keeping all options on the table, but the legislative vehicle would not be the Online Harms bill.”
IS A TECHNICAL CAPABILITY NOTICE COMING?
If the proposed solution is not part of the online harms framework, then it’s likely that the Home Office is considering the use of a Technical Capability Notice, or TCN. The Investigatory Powers Act established TCNs as the legal mechanism to compel a provider of communications services to provide the capability for interception of communications, including equipment interference and the acquisition of bulk communications data.
The regulation further provides that a TCN can compel a service provider to remove electronic protections, including security standards, such as encryption.
TCNs provide for the interception of communications data. TCNs are negotiated in secret and are not made public. Actual requests for data are made through further warrants, signed off by a Judicial Commissioner. However, these warrants can be thematic, allowing for a general category of information or persons to be intercepted, rather than against specific individuals or pieces of content.
A VEIL OF SECRECY
A company that is subject to a TCN is legally barred not only from discussing the specifics of the notice but from disclosing whether the notice exists at all. Any employee of a company subject to a TCN who disclosed that one existed would be subjected to criminal penalties for breaking a gagging order. The powers also appear to apply to the use of “warrant canaries”.
“this means that if a TCN were to be applied, any private message exchanged on Facebook/WhatsApp could be subject to monitoring and surveillance, with no notice, recourse, or transparency, and the company would be legally barred from disclosing the fact that the surveillance exists.”
Because of that, we do not know how many TCNs have been applied to date under the Investigatory Powers Act, we do not know whether they have proven effective, and we do not know when they were suspended. TCNs are applied under a level of secrecy that, legally, cannot even be reported. The only thing you will ever learn about the insinuation that a TCN exists is in the annual reports of the Investigatory Powers Commissioner’s Office, who can only discuss the fact that they exercised oversight over one. No further details can be disclosed.
Quite simply, this means that if a TCN were to be applied, any private message exchanged on Facebook/WhatsApp could be subject to monitoring and surveillance, with no notice, recourse, or transparency, and the company would be legally barred from disclosing the fact that the surveillance exists. And a thematic warrant, which is almost certainly the option being explored, would permit that monitoring and surveillance to be carried out on all messages regardless of risk or content.
This creates a problem for the Home Office, however, as it is also clear that the Government wants to force Facebook to back down publicly. Complete secrecy about capabilities may not be practical, given how much time and effort is going into the public campaign against Facebook/WhatsApp and encryption of messages in general.
WHAT DO WE WANT TO SEE HAPPEN?
If, as the Wired piece suggests, Government is inclined to compel Facebook to break encryption, then this will send a strong message to all of us – regardless of what messaging service we choose to use – about our rights to privacy and freedom from surveillance. It will send an equally strong message to companies providing communication platforms in the UK, whether large or small, about what they can expect from the UK government in the years to come.
The circulation of child abuse images, and the uses of tools by criminals, absolutely need to be addressed. However there are many options to deal with this effectively, ranging from targeted cracking of devices through to infiltration of groups, and at scale, the use of metadata analysis to find malicious actors; this latter technique is already employed by WhatsApp and many other companies relating to abusive material. While Government does need to ensure these methods work, it is far from obvious that equipment interference, and the acquisition of bulk communications data, are the only reasonable means to deliver its aims.
We have known for many years that it was not a matter of if, but when, the UK government and Home Office would seek to restrict the use of encryption. Their intentions have been publicly stated for quite some time, alongside similar gestures by other countries in the Five Eyes surveillance alliance.
Today’s Wired piece suggests that this move on encryption is now imminent. The secrecy which surrounds the legal and technical measures which the government may be considering is unsustainable, given the widespread, public and international effects that would follow. Transparency, engagement, and communication are essential.
By Heather Burns – Open Rights Group – a UK-based digital campaigning organisation working to protect our rights to privacy and free speech online.