FBI Director Christopher Wray said on Sept. 21 that restrictions on encrypted chat services are needed to combat domestic terrorism—a claim that has been disputed by a wide array of tech companies, industry associations, and privacy groups, as well as other government agencies.
Wray made the remarks during the Senate Committee on Homeland Security’s counterterrorism hearing.
“I can’t overstate the impact of default encryption and the role it’s playing, including on terrorism,” Wray said in response to a question from Sen. Jacky Rosen (D-Nev.) about what tools Congress can give law enforcement to counter domestic extremism.
“The information that will allow us to separate the wheat from the chaff, in terms of social media, is being able to—with lawful process—get access to those communications, where most of the meaningful discussions of the violence is occurring.”
Wray’s remarks were the latest in what tech companies, industry groups, and civil rights organizations have criticized as an anti-encryption campaign by law enforcement.
In May 2020, then-Attorney General William Barr and Wray criticized Apple for not helping investigators who were attempting to gain access to two iPhones used by Mohammed Alshamrani, who launched a terror attack at the Pensacola Naval Air Station in Florida in December 2019.
In June 2020, Barr endorsed the now-dormant Lawful Access to Encrypted Data (LAED) Act, which would have required companies with more than 1 million customers to annually redesign their systems to make their data decryptable.
Wray continued his anti-encryption efforts in March, when he told the Senate Judiciary Committee that encryption was hampering his agents’ investigations of domestic extremism.
“Like Alshamrani, the plotters who sought to kidnap the governor of Michigan late last year used end-to-end encrypted apps to hide their communications from law enforcement. Their plot was only disrupted by well-timed human source reporting and the resulting undercover operation,” Wray said at the time.
“Subjects of our investigation into the Jan. 6 Capitol siege used end-to-end encrypted communications as well.”
According to Wray and other law enforcers, tech companies should be able to build “backdoors” into their encryption that preserve privacy while allowing for access when necessary. That, they say, strikes the proper balance between data security and national security.
However, numerous tech experts, civil libertarians, and others say that it’s impossible to build a backdoor that can’t be exploited by hackers. They also say that by banning encryption, the United States would be following in the footsteps of authoritarian countries such as China, which recently blocked the encrypted messaging app Signal.
“It is important to understand that any kind of back door (or front door) access for the ‘good guys’ can also be exploited by the ‘bad guys,’” the pro-industry Information Technology & Innovation Foundation stated in a July 2020 report, in the midst of the Apple-Barr controversy.
“For example, key escrow systems would introduce new attack vectors that could allow attackers to gain access to encrypted information, such as by compromising the system that maintains copies of the keys.”
Encryption is one of the few issues of agreement between tech companies and nonprofit organizations such as the American Civil Liberties Union (ACLU).
For instance, when Wray attacked Facebook’s plans to encrypt its messaging system in October 2019, a coalition of more than 100 organizations wrote a letter supporting Facebook founder and CEO Mark Zuckerberg.
“Given the remarkable reach of Facebook’s messaging services, ensuring default end-to-end security will provide a substantial boon to worldwide communications freedom, to public safety, and to democratic values, and we urge you to proceed with your plans to encrypt messaging through Facebook products and services,” the letter reads.
“We encourage you to resist calls to create so-called ‘backdoors’ or ‘exceptional access’ to the content of users’ messages, which will fundamentally weaken encryption and the privacy and security of all users.”
Some government agencies are pro-encryption. New York Attorney General Letitia James and the U.S. Federal Trade Commission (FTC) both initiated enforcement actions against Zoom in 2020 for falsely claiming that its chats were encrypted. The FTC and New York state settlements required Zoom to upgrade its security practices.
What Companies Are Doing
Zoom responded to regulatory actions by purchasing the encryption firm Keybase and expanding its encryption services to all users.
Facebook’s general messaging system remains unencrypted, but its subsidiary WhatsApp increased its encryption efforts in early September. While WhatsApp messages have always been encrypted, the backups stored in the cloud haven’t.
Facebook said on Sept. 10 that it’s rectifying the situation.
“People can already back up their WhatsApp message history via cloud-based services like Google Drive and iCloud. WhatsApp does not have access to these backups, and they are secured by the individual cloud-based storage services,” Facebook stated.
“But now, if people choose to enable end-to-end encrypted (E2EE) backups once available, neither WhatsApp nor the backup service provider will be able to access their backup or their backup encryption key.”
However, Apple seems to be moving in the opposite direction. The company announced in August that it plans to incorporate tools in its products that can scan data for child pornography and other illicit materials—much to the dismay of privacy advocates.
“To say that we are disappointed by Apple’s plans is an understatement. Apple has historically been a champion of end-to-end encryption, for all of the same reasons that EFF has articulated time and time again,” the Electronic Frontier Foundation (EFF) stated in response to the announcement.
“Apple’s compromise on end-to-end encryption may appease government agencies in the U.S. and abroad, but it is a shocking about-face for users who have relied on the company’s leadership in privacy and security.”
Privacy experts have contended that law enforcement can still investigate child pornography by tracking metadata. If a grown man is messaging numerous children, law enforcers can and should monitor that person closely, they say.
Apple said in early September that it’s delaying the rollout amid heavy criticism and will take more time to make improvements before releasing the child safety features.
However, EFF said the only route that the company should take is keeping Apple data fully encrypted.
“Apple can explain at length how its technical implementation will preserve privacy and security in its proposed backdoor, but at the end of the day, even a thoroughly documented, carefully thought-out, and narrowly scoped backdoor is still a backdoor.”