As Germany Floats The Idea Of Encryption Backdoors, Facebook May Already Be Planning To Undermine Its Own Encryption

from the really?-backdoors-for-content-moderation? dept

The German government's desire to mandate backdoors in encrypted communications had barely been expressed when it was discovered Facebook might be willing to let them do exactly such a thing.

The German proposal is nowhere near ready to become law but the gist of it is this: it's too difficult to break into encrypted devices so maybe tech companies could just start storing encrypted communications in plain text... just in case these agencies ever need to access them. Sure, encryption makes things more secure but it's just creating some sort of criminal/terrorist Wild West and we can't have that -- even when that doesn't actually appear to be happening.

Facebook may already be making backdoored communications a reality. This isn't happening because it wants to be the inflection point for undermining encryption but because it really, really wants to keep accessing users' communications for its own purposes. Kalev Leetaru of Forbes points out Facebook put its encryption-undermining plans on display earlier this year, while discussing its plans to address another request being made by multiple governments: content moderation.

Touting the importance of edge content moderation, Facebook specifically cited the need to be able to scan the unencrypted contents of users’ messages in an end-to-end encrypted environment to prevent them from being able to share content that deviated from Facebook’s acceptable speech guidelines.

[...]

Even more worryingly, Facebook’s presentation alluded to the company’s need to covertly harvest unencrypted illicit messages from users’ devices without their knowledge and before the content has been encrypted or after it has been decrypted, using the client application itself to access the encrypted-in-transit content.

If so, Facebook's proposed moderation efforts are encryption backdoors. If Facebook can access the content of encrypted communications, so can governments. And so can anyone else who can access the "encryption removed here :)" point where Facebook grabs communications to monitor content and train its moderation AI.

At this point, this effort is still in the research phase. It has not been implemented yet, but once more governments realize the implications of this content moderation effort, pressure will be applied. And this pressure will be applied to all companies offering encrypted communications under the not-unreasonable theory that if Facebook can do it, anyone can do it. Those refusing to comply with backdoor demands will have Facebook's efforts used against them during legislative sessions and criminal prosecutions.

The argument against backdoors isn't that they aren't technically possible. They are and always have been. The argument is that they make the encryption useless by converting the protection to an attack vector. Facebook's move may solve some of its own problems, but it will be sacrificing its users' security to appease ridiculous moderation demands being made by a handful of governments. And while these governments wring their hands about terrorist content, other governments unconcerned about terrorists or their content will be leaning on the company to grant them access to the communications of critics, dissidents, and activists.

Filed Under: backdoors, content moderation, encryption, end to end encryption, monitoring
Companies: facebook, instagram, whatsapp


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    Gary (profile), 5 Jun 2019 @ 10:10am

    Unecrypted

    So not only would those messages be available to every government for the asking. (And to everyone else once that leaks), it would be super easy for FB to use the contents for their own purposes.
    Sounds legit to me.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 5 Jun 2019 @ 11:02am

    Facebook specifically cited the need to be able to scan the unencrypted contents of users’ messages in an end-to-end encrypted environment

    In which case it is not end to end encryption, and no more useful than https. In fact why bother when https is available, other than as advertising a feel good factor to users.

    reply to this | link to this | view in chronology ]

    • icon
      Matthew Cline (profile), 5 Jun 2019 @ 6:58pm

      https *IS* end-to-end encryption

      The security issue with HTTPS is that if a certificate authority has their key stolen (or secretly cooperates with a third party) you can be tricked into establishing a connection with an impersonator, since the impersonator will have what appears to be a valid certificate. However, this is an issue with any end-to-end system which uses a certificate authority type scheme. The only way to avoid this is to personally validate the private key of the other party, like with key signing parties.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 6 Jun 2019 @ 3:45am

        Re: https *IS* end-to-end encryption

        Well, yes, when the ends are the user and Facebook. By being the man in the middle in encryption that is meant to be end to end encrypted by users Facebook is reducing it to a second level https between the users and themselves, which offers no additional security to the user, especially when the do not want Facebook to read analyse and give messages to the authorities, so why is Facebook bothering with this.

        reply to this | link to this | view in chronology ]

      • icon
        dhess (profile), 9 Jun 2019 @ 3:36pm

        Re: https *IS* end-to-end encryption

        This kind of attack has a danger for the attacker and especially the certificate authority. Forging the certificate provides proof that the attacker did this and that the certificate authority is compromised unless they somehow get the private key associated with the public key that the certificate authority certified.

        This is why governments do not routinely use this method of attack. It irrefutably destroys the certificate authority's credibility as a couple have discovered much to their woe.

        Facebook of course could hand over their private key as well allowing the government to impersonate them undetected which is just another reason not to trust them.

        reply to this | link to this | view in chronology ]

  • This comment has been flagged by the community. Click here to show it
    identicon
    Anonymous Coward, 5 Jun 2019 @ 11:55am

    When can we expect Masnick's "this isn't Facebook's fault, blame GDPR" post?

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 5 Jun 2019 @ 1:06pm

      Re:

      Why don't you go ahead and ghost-write that post and leave it here for Mike. That will get it to the readers sooner and make sure that it covers all the points you are expecting.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 5 Jun 2019 @ 2:37pm

    facebook? I rest my case.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 5 Jun 2019 @ 3:54pm

    After all the Facebook scandals. State floats idea of surveiling their population. Facebooks marketing team rushes in, "HEY! WE DO THAT ALREADY!" Hahahaha. Queue up the next investigation.

    reply to this | link to this | view in chronology ]

  • icon
    PaulT (profile), 6 Jun 2019 @ 1:16am

    So.. Facebook are asking for the return of this sort of thing?

    https://en.wikipedia.org/wiki/Firesheep

    reply to this | link to this | view in chronology ]

  • icon
    Ninja (profile), 6 Jun 2019 @ 6:08am

    The question that should be asked to Germans: what would stop a new Hitler from abusing such backdoors with a new Stasi?

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 6 Jun 2019 @ 6:51am

      Re:

      The question that should be asked to Germans: what would stop a new Hitler from abusing such backdoors with a new Stasi?

      Nothing. That's what so great about it!

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 6 Jun 2019 @ 6:49am

    "It has not been implemented yet,"

    And we know that how?

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Techdirt Gear
Shop Now: I Invented Email
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.