As Germany Floats The Idea Of Encryption Backdoors, Facebook May Already Be Planning To Undermine Its Own Encryption

from the really?-backdoors-for-content-moderation? dept

The German government’s desire to mandate backdoors in encrypted communications had barely been expressed when it was discovered Facebook might be willing to let them do exactly such a thing.

The German proposal is nowhere near ready to become law but the gist of it is this: it’s too difficult to break into encrypted devices so maybe tech companies could just start storing encrypted communications in plain text… just in case these agencies ever need to access them. Sure, encryption makes things more secure but it’s just creating some sort of criminal/terrorist Wild West and we can’t have that — even when that doesn’t actually appear to be happening.

Facebook may already be making backdoored communications a reality. This isn’t happening because it wants to be the inflection point for undermining encryption but because it really, really wants to keep accessing users’ communications for its own purposes. Kalev Leetaru of Forbes points out Facebook put its encryption-undermining plans on display earlier this year, while discussing its plans to address another request being made by multiple governments: content moderation.

Touting the importance of edge content moderation, Facebook specifically cited the need to be able to scan the unencrypted contents of users’ messages in an end-to-end encrypted environment to prevent them from being able to share content that deviated from Facebook’s acceptable speech guidelines.

[…]

Even more worryingly, Facebook’s presentation alluded to the company’s need to covertly harvest unencrypted illicit messages from users’ devices without their knowledge and before the content has been encrypted or after it has been decrypted, using the client application itself to access the encrypted-in-transit content.

If so, Facebook’s proposed moderation efforts are encryption backdoors. If Facebook can access the content of encrypted communications, so can governments. And so can anyone else who can access the “encryption removed here 🙂” point where Facebook grabs communications to monitor content and train its moderation AI.

At this point, this effort is still in the research phase. It has not been implemented yet, but once more governments realize the implications of this content moderation effort, pressure will be applied. And this pressure will be applied to all companies offering encrypted communications under the not-unreasonable theory that if Facebook can do it, anyone can do it. Those refusing to comply with backdoor demands will have Facebook’s efforts used against them during legislative sessions and criminal prosecutions.

The argument against backdoors isn’t that they aren’t technically possible. They are and always have been. The argument is that they make the encryption useless by converting the protection to an attack vector. Facebook’s move may solve some of its own problems, but it will be sacrificing its users’ security to appease ridiculous moderation demands being made by a handful of governments. And while these governments wring their hands about terrorist content, other governments unconcerned about terrorists or their content will be leaning on the company to grant them access to the communications of critics, dissidents, and activists.

Filed Under: , , , ,
Companies: facebook, instagram, whatsapp

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “As Germany Floats The Idea Of Encryption Backdoors, Facebook May Already Be Planning To Undermine Its Own Encryption”

Subscribe: RSS Leave a comment
13 Comments
Anonymous Coward says:

Facebook specifically cited the need to be able to scan the unencrypted contents of users’ messages in an end-to-end encrypted environment

In which case it is not end to end encryption, and no more useful than https. In fact why bother when https is available, other than as advertising a feel good factor to users.

Matthew Cline (profile) says:

Re: https *IS* end-to-end encryption

The security issue with HTTPS is that if a certificate authority has their key stolen (or secretly cooperates with a third party) you can be tricked into establishing a connection with an impersonator, since the impersonator will have what appears to be a valid certificate. However, this is an issue with any end-to-end system which uses a certificate authority type scheme. The only way to avoid this is to personally validate the private key of the other party, like with key signing parties.

Anonymous Coward says:

Re: Re: https *IS* end-to-end encryption

Well, yes, when the ends are the user and Facebook. By being the man in the middle in encryption that is meant to be end to end encrypted by users Facebook is reducing it to a second level https between the users and themselves, which offers no additional security to the user, especially when the do not want Facebook to read analyse and give messages to the authorities, so why is Facebook bothering with this.

dhess (profile) says:

Re: Re: https *IS* end-to-end encryption

This kind of attack has a danger for the attacker and especially the certificate authority. Forging the certificate provides proof that the attacker did this and that the certificate authority is compromised unless they somehow get the private key associated with the public key that the certificate authority certified.

This is why governments do not routinely use this method of attack. It irrefutably destroys the certificate authority’s credibility as a couple have discovered much to their woe.

Facebook of course could hand over their private key as well allowing the government to impersonate them undetected which is just another reason not to trust them.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »