European Law Enforcement Officials Upset Facebook Is Warning Users Their Devices May Have Been Hacked
from the screw-the-little-people,-we've-got-bad-guys-to-hack dept
Oh boy. Facebook has just added fuel to the anti-encryption fire. And by doing nothing more than something it should be doing: notifying users that their device may have been compromised by malware.
The Wall Street Journal article covering this standard notification is full of quotes from government officials who aren’t happy a suspected terrorist was informed his phone had possibly been infected by targeted malware. [Non-paywalled version here.]
A team of European law-enforcement officials was hot on the trail of a potential terror plot in October, fearing an attack during Christmas season, when their keyhole into a suspect’s phone went dark.
WhatsApp, Facebook Inc.’s popular messaging tool, had just notified about 1,400 users—among them the suspected terrorist—that their phones had been hacked by an “advanced cyber actor.” An elite surveillance team was using spyware from NSO Group, an Israeli company, to track the suspect, according to a law-enforcement official overseeing the investigation.
Facebook is no fan of NSO Group. In fact, very few people are fans of NSO Group, other than their customers, which have included UN-blacklisted countries and a number of governments that rank pretty high on the Most Human Rights Violated charts. Facebook sued NSO back in November, making very questionable allegations about CFAA violations. Facebook’s servers were never targeted by NSO’s malware. Only end users were, which makes it pretty difficult for Facebook to claim it has been personally (so to speak) injured by NSO’s actions.
Back to the matter at hand, Facebook didn’t just warn suspected terrorists about detected malware.
WhatsApp’s Oct. 29 message to users warned journalists, activists and government officials that their phones had been compromised, Facebook said. But it also had the unintended consequence of potentially jeopardizing multiple national-security investigations in Western Europe about which Facebook hadn’t been alerted—and about which government agencies can’t formally complain, given their secret nature.
Would these government officials rather have not been warned about threats? Were any of these government officials receiving warnings the same ones now complaining the warning allowed a terrorism suspect to vanish? Maybe so. The one quoted in the article seems very short-sighted.
On the day WhatsApp sent its alert, the official overseeing the terror investigation in Western Europe said, he was stuck in traffic on his way to work when a call came in from Israel. “Have you seen the news? We’ve got a problem,” he said he was told. WhatsApp was notifying suspects whom his team was tracking that their phones had been hacked. “No, that can’t be right. Why would they do that?” the official said he asked his contact, thinking it a joke.
“Why would they do that” indeed. Maybe to protect their users from cybercriminals and state-sponsored hackers. It’s not about allowing suspected criminals to dodge law enforcement, even though it will undoubtedly have that effect. It’s about keeping users and their communications protected — users that include journalists, activists, and government officials.
This response indicates the investigators pursuing the suspected terrorist would rather hundreds of innocent people be harmed than someone suspected of terrorism go free. But it really doesn’t matter what unnamed officials think about Facebook’s “you may have been compromised” notifications or the harm these might do to ongoing investigations. Facebook’s voluntary warnings will soon be mandatory in Europe. By the end of 2020, all service providers and telcos will be obligated to warn customers of security threats.
That fact — and the apparent willingness to allow innocent people to be victimized by targeted attacks — makes the article’s closing statement all the more ridiculous.
Gilles de Kerchove, the European Union’s counterterrorism coordinator, says encryption shouldn’t allow criminals to be “less accountable online than in real life.”
I have no idea what that means. I know what the official thinks it’s supposed to mean — that “online” is bad because sometimes criminals get away — but even that interpretation doesn’t make sense. Criminals discover their phones have been tapped and stop using those lines. Criminals talk to each other in person to avoid creating records of conversations. Criminals get tips from other criminals that they’re under surveillance. This stuff just happens. Investigations don’t always run smoothly.
A standard warning about possibly-compromised devices and services is just good business — something that protects everyone who uses the service, not just the people governments think are OK to protect. These warnings are essential and they benefit everyone, not just the people governments want to lock up.