Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Facebook Denies That it Plans to Backdoor WhatsApp

August 5, 2019

There was a lot of buzz last week over reported plans by Facebook (FB) to insert a backdoor in WhatsApp, including a post by the highly respected Bruce Schneier. Schneier's post was based on a Forbes article which (after reporting the plans) was updated on 2nd August to reflect Facebook's statement on the reports.

This is the update: Facebook disagrees that the F8 video on using artificial intelligence to keep content safe indicates it is planning to surveil users' information. "We haven't added a backdoor to WhatsApp," said WhatsApp vice president Will Cathcart in a post on HackerNews. "To be crystal clear, we have not done this, have zero plans to do so, and if we ever did it would be quite obvious and detectable that we had done it. We understand the serious concerns this type of approach would raise which is why we are opposed to it," Cathcart wrote.

The encryption debate is typically framed around the concept of an impenetrable link connecting two services whose communications the government wishes to monitor. The reality is that the security of that encryption link is separate from the security of the devices it connects. The ability of encryption to shield a user's communications rests upon the assumption that the sender and recipient's devices are themselves secure, with the encrypted channel the only weak point.

After all, if either user's device is compromised, unbreakable encryption is of little relevance. This is why surveillance operations typically focus on compromising end devices, bypassing the encryption debate entirely. If a user's cleartext keystrokes and screen captures can be streamed off their device in real-time, it doesn't matter that they are eventually encrypted for transmission elsewhere.

Many cybersecurity experts believe it is only a matter of time before device manufacturers and mobile operating system developers embed similar tools directly into devices themselves, making them impossible to escape. Embedding content scanning tools directly into phones would make it possible to scan all apps, including ones like Signal, effectively ending the era of encrypted communications.

Governments would, it is thought, use lawful court orders to require companies to build in custom filters of content they are concerned about and automatically notify them of violations, including sending a copy of the offending content.

Rather than having an ongoing battle to defeat encryption, governments will have social media companies perform their mass surveillance for them, sending them real-time alerts and copies of the decrypted content.

While some phone manufacturers could offer phones with custom operating systems that do not include such scanning, such devices are likely to be rare, used only by those who are willing to go to great lengths to escape government scrutiny and who thus automatically draw substantial attention to themselves. Over time, it seems probable that many governments will simply pass laws banning the possession and use of such devices, much as many jurisdictions ban devices that help speeders escape traffic tickets.

Is there an end run around encryption in our future? It seems quite possible to me.

HT to Dave Ries. And a second one for sending me Bruce Schneier's follow-up post.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225|Fairfax, VA 22030
Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson