Nevada Is In Court This Morning Looking To Get A Temporary Restraining Order Blocking Meta From Using End-To-End Encryption

Legal Issues

from the protect-encryption-now dept

There have been plenty of silly lawsuits against tech companies over the last few years, but a new one from Nevada against Meta may be the most crazy — and most dangerous — that we’ve seen so far. While heavily redacted, the basics fit the pattern of all of these lawsuits. Vague claims of harms to children from social media, with lots of vague handwaving and conclusory statements with no basis in insisting that certain harms are directly traceable back to choices Meta made (despite a near total lack of evidence to support those claims).

But, rather than go through the many, many, many problems of the lawsuit (you can read it yourself at the link above or embedded below), let’s jump ahead to a hearing that is happening today. Nevada has asked the court to issue a temporary restraining order, blocking Meta from using end-to-end encryption on messages, claiming that such encryption is harmful to children.

That sounds hyperbolic, but it’s exactly what’s happening:

With this Motion, the State seeks to enjoin Meta from using end-to-end encryption (also called “E2EE”) on Young Users’ Messenger communications within the State of Nevada. 1 This conduct—which renders it impossible for anyone other than a private message’s sender and recipient to know what information the message contains—serves as an essential tool of child predators and drastically impedes law enforcement efforts to protect children from heinous online crimes, including human trafficking, predation, and other forms of dangerous exploitation. Under such circumstances, the Nevada Supreme Court makes clear that to obtain the injunctive relief sought by this Motion, the State need only show “a reasonable likelihood that the statute was violated and that the statute specifically allows injunctive relief.” State ex rel. Off. of Att’y Gen., Bureau of Consumer Prot. v. NOS Commc’ns, Inc., 120 Nev. 65, 69, 84 P.3d 1052, 1055 (2004) (emphasis added). The State’s Complaint is replete with indisputable factual allegations detailing this harm and explaining—with specificity—how Meta’s conduct in this matter violates the Nevada Unfair and Deceptive Trade Practices Act, N.R.S. §§ 598.0903 through 598.0999 (“NDTPA”). And, because the NDTPA expressly authorizes the Attorney General to seek, inter alia, injunctive relief, the State’s Motion should be granted.

It’s no secret that lazy cops like the FBI’s Chris Wray (and before him, James Comey) have always hated encryption and wanted it banned for making it just slightly more difficult to read everyone’s messages, but at least they spoke mostly about just requiring magic backdoors that would allow encryption to work for normal people, but have it break when the cops came asking (this is not a thing, of course, as it would break for everyone if you did that).

Here, the state of Nevada is literally just saying “fuck it, ban all encryption, because it might make it harder for us to spy on people.”

The TRO request is full of fearmongering language. I mean:

And, as of December 2023, Meta reconfigured Messenger to make E2EE—child predators’ main preferred feature—the default for all communications.

The TRO request also more or less admits that Nevada cops are too fucking lazy to go through basic due process, and the fact that the 4th Amendment, combined with encryption, means they have to take an extra step to spy on people is simply a bridge too far:

As set forth in the Declaration Anthony Gonzales, the use of end-to-end encryption in Messenger makes it impossible to obtain the content of a suspect’s (or defendant’s) messages via search warrant served on Meta. See Ex. 2 (Gonzales Decl.) at ¶¶ 9-16. Instead, investigators are only able to obtain “information provided [that] has been limited to general account information about a given suspect and/or metadata and/or log information about the Messenger communications of that suspect.” Id. at ¶ 14. Once again, this is the equivalent of trying to divine the substance of a letter between two parties by only using the visible information on the outside of a sealed envelope.

Instead, the State is forced to try to obtain the device that the suspect used to send communications via Messenger—which itself requires separate legal process—and then attempt to forensically extract the data using sophisticated software. See Ex. 1 (Defonseka Decl.) at ¶¶ 5- 8. Even this time-consuming technique has its limits. For example, it is not possible to obtain the critical evidence if the device is “locked,” or if the suspect has deleted data prior to relinquishing his phone. Id. at ¶ 8; see also Ex. 2 (Gonzales Decl.) at ¶ 19 (describing commonplace “destruction of the evidence sought by investigators” when trying to acquire Messenger communications).

Just because you’re a cop does not mean you automatically get access to all communications.

As for the actual legal issues at play, the state claims that Meta using encryption to protect everyone is a “deceptive trade practice.” I shit you not. Apparently Nevada has a newish state law (from 2022) that makes it an additional crime to engage in “unlawful use of encryption.” And the state’s argument is that because Meta has turned on encryption for messages, and some people may use that to commit crimes, then Meta has engaged in a deceptive trade practice in enabling the unlawful use of encryption. Really.

As a threshold matter, the State alleges that Meta “willfully committed . . . deceptive trade practices by violating one or more laws relating to the sale or lease of goods or services” in violation of NRS § 598.0923(1)(c). Compl. ¶ 473. Nevada law states that “[a] person shall not willfully use or attempt to use encryption, directly or indirectly, to: (a) Commit, facilitate, further or promote any criminal offense; (b) Aid, assist or encourage another person to commit any criminal offense; (c) Conceal the commission of any criminal offense; (d) Conceal or protect the identity of a person who has committed any criminal offense; or (e) Delay, hinder or obstruct the administration of the law.”…. This amounts to both direct and indirect aiding and abetting of child predators, via the use of E2EE, in violation of NRS § 205.486(1)(a)-(d). And, as demonstrated in the Gonzales Declaration, Meta knows that E2EE drastically limits the ability of law enforcement to obtain critical evidence in their investigations—namely, the substance of a suspect’s Messenger communications—which is in violation of NRS § 205.486(1)(e).

Furthermore, Nevada claims that Meta engaged in deceptive trade practices by promoting encryption as a tool to keep people safer.

Meta “represent[ed] that Messenger was safe and not harmful to Young Users’ wellbeing when such representations were untrue, false, and misleading…..

Similarly, Meta publicly touted its use of end-to-end encryption as a positive for users, meant to protect them from harm—going so far as to call it an “extra layer of security” for users

This is a full-on attack on encryption. If Nevada succeeds here, then it’s opening up courts across the country to outlaw encryption entirely. This is a massive, dangerous attack on security and deserves much more attention.

Meta’s response to the motion is worth reading as well, if only for the near exasperation of the company’s lawyers as to why suddenly, now, end-to-end encryption for messaging — a technology that has been available for many, many years — has become so scary and so problematic that it needs to be stopped immediately.

Meta Platforms, Inc. (“Meta”)1 has offered end-to-end encryption (“E2EE”) as an option on its Messenger app since 2016. Compl. ¶ 202. E2EE technology is commonplace and has been hailed as “vital” by privacy advocates for protecting users’ communications with each other.2 The only change Meta made in December 2023 was to announce that the Messenger app would transition all messages to E2EE (rather than an option), id.—which is what Apple iMessage, Signal and numerous other messaging services already do.

These facts completely disprove the State’s assertion that it is entitled to temporary injunctive relief. E2EE has been available as an option on Meta’s Messenger app for eight years, and Meta began rolling out E2EE for all messages on Messenger months ago. The State cannot properly assert that it requires emergency injunctive relief—on two days’ notice—blocking Meta’s use of E2EE, when that feature has been in use on Messenger for years and began to be rolled out for all messages more than two months ago. The State’s delay—for years—to bring any enforcement action related to Meta’s use of E2EE (or other providers’ use of E2EE) demonstrates why its request for the extraordinary relief of a TRO should be denied.

The response also points out that for the state to argue it’s in such a rush to ban Meta from using end-to-end encryption, it sure isn’t acting like it’s in a rush:

The State admits that E2EE has been available as feature on Messenger for eight years. See Mot. 10 (“Since 2016, Meta has allowed users the option of employing E2EE for any private messages they send via Messenger.” (emphasis added)). On December 6, 2023—ten weeks ago— Meta began making E2EE the standard for all messages on Messenger, rather than a setting to which users could opt in. 3 In doing so, Messenger joined other services, including Apple’s iMessage, which has deployed E2EE as a standard feature since 2011, 4 and FaceTime, for which E2EE has been standard since at least 2013. 5 Yet the State waited until January 20, 2024—six weeks after the new default setting was announced, and eight years after E2EE first became available on Messenger—to file its Complaint. It then inexplicably waited another three weeks to serve Meta with the Complaint.6 As such, before yesterday, Meta had not even been able to review the full scope of the State’s allegations.7 Mot. 14. Concurrently with its lengthy Complaint, the State served the present motion, along with two supporting declarations that purport to justify enjoining a practice that was announced two months ago (and was available for years as a nondefault setting and as a feature in other services, such as Apple’s iMessage).

The State’s delays demonstrate the fundamental unfairness of requiring Meta to prepare this Opposition on one day’s notice. There is no emergency that requires this accelerated timetable. Quiroga v. Chen, 735 F. Supp. 2d 1226, 1228 (D. Nev. 2010) (“The temporary restraining order should be restricted to serving its underlying purpose of preserving the status quo and preventing irreparable harm just so long as is necessary to hold a hearing, and no longer.” (cleaned up)). Meta has not been given sufficient time to identify and prepare responses to the myriad assertions and misstatements in the State’s Motion. Moreover, the State apparently seeks to present live testimony from its witnesses. See Mot. at 6. In this unfairly accelerated and truncated timetable, Meta has not been given a fair chance to develop responses to the State’s witnesses, nor to develop and present its own witnesses and evidence. In short, there is no exigency that warrants this highly accelerated and unfairly compressed timetable for Meta’s Opposition to the TRO motion—in contrast to a motion for preliminary injunction that can be noticed, briefed and heard under a reasonable schedule that allows Meta a fair opportunity to be heard.

Meta also points out that Nevada itself recognizes the value of encryption:

Indeed, Nevada law recognizes the value of encryption, requiring data collectors to encrypt personal information. See Nev. Rev. Stat. 603A.215. A seismic shift that would fundamentally challenge the use of E2EE should not be undertaken with a 24-hour turnaround on briefing that does not afford Meta a fair and reasonable opportunity to develop a full response to the State’s arguments.

Nevada’s position here, including the haste with which it is moving (after doing nothing about encryption for years) is astounding, dangerous, and disconnected from reality. Hopefully the court recognizes this.

Filed Under: encryption, end to end encryption, messenger, nevada, tro
Companies: meta