Part 1: WhatsApp, encryption and the battle with law enforcement
Encryption ensures the protection of data from being accessed or understood should it fall into the wrong hands – and for the most part, that is exactly as it should be. The challenge comes when there is absolutely no way to unencrypt that data, thanks to non-key recovery encryption methods, especially where it concerns the criminal activity of gangs, drug cartels and even terrorists.
In this two-part blog series, I will examine the state of encryption today – specifically WhatsApp’s implementation of end-to-end encryption – and what it might mean for law enforcement.
A brief history of encryption
As the information age dawned and digital communications became more prevalent, the National Bureau of Standards (NBS) put out a call seeking an encryption standard. The winner was an algorithm originally developed by IBM for money transfer, which was approved (and apparently improved) by the National Security Agency (NSA).
This standard, called DES (Data Encryption Standard) ushered in a new era of “asymmetric cryptography” where a combination of a public key and a private key – each consisting of large prime numbers – is used to encrypt data.
By the 1990s, the use of DES in the private sector became prevalent. This trend began to alarm law enforcement and national security agencies around the world. They argued that foolproof encryption could allow criminals and terrorists to operate with impunity.
Fast forward to today, and the use of sophisticated bulk encryption methods has only escalated. Techniques have improved, the Internet has enabled communication on an unprecedented level, and more and more data on personal devices is being encrypted.
Meanwhile, there has been a similar escalation of requests by law enforcement agencies to access data on personal devices for investigative purposes, along with increased government investments in resources designed to combat sophisticated encryption methods.
Matters came to a very public head in December 2015 following the San Bernardino terrorist attack. The FBI was unable to access the iPhone content of one of the shooters due to the phone’s advanced security features, including encryption of user data. The FBI first asked the National Security Agency (NSA) to break into the phone but they were unable to. At that point the FBI asked Apple to create new software that would enable the FBI to unlock the phone, but Apple declined to do so – perhaps marking a turning point in the conflict between advocates for law enforcement and public safety and champions of personal privacy.
WhatsApp and encryption
A more recent development involving the instant messaging client WhatsApp represents another step in the direction of protecting personal data and communications under all circumstances. WhatsApp has historically encrypted its data – but for some time, it was still possible for law enforcement to break the encryption when necessary. Since 2012, however, WhatsApp has improved encryption to the point where government agencies have had trouble deciphering the content. But given that WhatsApp still had access to the content via its servers, the information was ultimately accessible.
Then, in April 2016, WhatsApp announced that the company had added end-to-end encryption to every form of communication across its service. As a result, not even WhatsApp’s employees can read the data sent across its network. In other words, WhatsApp has no way of complying with a court order demanding access to the content traveling through its service.
While much of Silicon Valley has clashed with governments and law enforcement over privacy, and strong encryption is wholeheartedly supported in the technology field, the move by WhatsApp was unprecedented – effectively ensuring the content of a billion users would remain private under all circumstances.
The move by WhatsApp raises multiple questions about the appropriate balance between the right to privacy on one hand and national security and public safety on the other. With this kind of encryption in place, companies can now plausibly say they have no control or responsibility for the traffic that passes over their networks – and can ostensibly ignore court orders.
This runs counter to the historical law enforcement practice of intercepting communications in the interest of combating or investigating crimes when approved by independent judicial means.
Some lawmakers have called on technology companies to facilitate an encryption “backdoor” to be exclusively available for law enforcement use (something the FBI argued for in the San Bernardino case). But as of today, that sentiment has fallen on deaf ears.
For the moment at least, the balance of power appears to tilt toward the private sector. Google states that it does not automatically collaborate with warrants which may invade user privacy. Facebook has created a “Law Enforcement Online Request System” to review requests by government agencies to access information for investigation purposes. The Facebook system requires that law enforcement provide details about a case and explain the importance of the content being requested; it does not automatically obey judicial warrants.
In part two of this blog series, we will look at whether there are options available to law enforcement to circumnavigate end-to-end encryption and when would this be warranted.