Brazil’s ban of WhatsApp (which was rescinded today) is an interesting real-world reminder of how the rest of the world messages, and why it is foolish to push communications companies to add back doors to their services.
WhatsApp is an astonishingly successful app (with more than 800 million users worldwide) that allows voice and text communication over an Internet connection. It flourishes in countries like India and Brazil where people with cheap Android phones have cell plans that do not allow unlimited talk and text. Users in these countries save texting and data charges by connecting to wi-fi and using their cell plans as little as possible, and WhatsApp is their messaging service of choice. Over 90% of Android phone owners in Brazil use WhatsApp, so your friends are as likely to have a WhatsApp account as they are to have a smartphone.
When a Brazilian judge decided to block WhatsApp for 48 hours because they wouldn’t comply with a subpoena in a drug case, the competition got a big boost:
5.7 million users joined Telegram today. If you're new here, check this out: https://t.co/x1haKyjvzQ
— Telegram Messenger (@telegram) December 17, 2015
WhatsApp is owned by Facebook, and it keeps the details of its encryption private, so I’m not quite sure if they could comply with that subpoena. Telegram was built by some Russians and is encrypted end-to-end, so it’s very clear they could not comply with any subpoena. As long as Telegram’s encryption is designed and implemented correctly (and you can check the design on their site, it’s all openly specified), nobody can read your messages if they can’t get their hands on your device.
Before you begin cursing the Russians, remember that the first world’s preferred messaging application, iMessage, is also encrypted. iMessage is the protocol your iPhone uses to communicate with other iPhone users. A message in a blue bubble indicates that your i-device is using iMessage. (Green means the message is being sent to a non-i-person via the mobile network.) Apple CEO Tim Cook:
If the government laid a subpoena to get iMessages, we can’t provide it. It’s encrypted and we don’t have a key. And so it’s sort of — the door is closed.
The last reference I found indicated that Apple was processing 2 billion iMessages every day early last year (WhatsApp was processing 50 billion). Even if we assume that NSA superboffins could figure out a way to separate the “LOL WUT”s from the “kill Americans” in 10 billion messages (to pick a low estimate) sent over iMessage and Telegram today, they cannot read them. So we’re already living in a world with completely un-interceptable messaging. Asking US companies to open up a back door for the NSA and FBI (as Hillary Clinton seems to be advocating) will only allow companies like Telegram to gain a real foothold in the US market for those who care about encrypted messaging, which should probably include people living in prohibition states who enjoy an occasional bong hit.
Of course, this back door discussion assumes that terrorists will be smart and use those systems. In Paris, at least some of the communications of attackers was via unecrypted text message. The crazy two from San Berdoo were in the same house and buying guns either legally or illegally from a friend, so they didn’t need much in the way of communications security other than keeping their voices down so they didn’t wake the baby.
This is not to say that encryption is anything but a boon to what GWB would call “evil doers”. But it is also a boon to protect us from those who would want to do bad things to us, and those scammers and hackers have been pretty goddam effective in the past few years, despite the presence of relatively decent encryption. If we start to back door the systems that secure our communications and, more importantly, our key financial transactions, we are going to turn our communications over to a crew of hackers who are a hell of a lot more organized and effective than the few domestic terrorist we’ve seen in the last couple of years.
cmorenc
Government advocates of encryption “back doors” fail to realize that any back doors thus created are thus permeable by others as well, including folks inclined to do criminal harm to private individuals and governments.
Elie
Sorry to invade this important topic but there hasn’t been an open thread in a bit. I just noticed that when I try to get onto BJ on my cell phone (an ancient IPhone 3G), for the first time, the interface is tiny and almost unreadable. Since that was not the case up until this week, I was wondering if that is a permanent change that I just have to accept. That would make me sad, since it would mean I really couldn’t get on the site away from my home laptop since I have no intention of changing my iPhone 3 which works just fine for most of my other purposes.
dmsilev
And then there’s Blackberry, which apparently hasn’t died quite yet:
We’re now in a place where Apple evidently cares more about its users’ security and privacy than Blackberry does.
Elie
Some of us Americans are looking at the world only from the immediacy of whatever itch they have to scratch. Right now its TERRA — which while totally understandable, makes American white people of a certain mindset (particularly), just crazier than batshit. All of us are concerned and no one wants to be attacked by terrorists, but sheesh, running around and making thoughtless policies while hysterical is just not helpful…
If you are an adult, you realize that life has tradeoffs and things/risks you must learn to accept and to manage. These folks are just not apparently able to do that.
DCrefugee
@cmorenc: I think they know that perfectly well but don’t care as long as they get easy(ier) access…
schrodinger's cat
I use Whatsapp to keep in touch with my peeps in India and around the world.
Frankensteinbeck
Is she? The article says
quoting
which is very different from the full sentence
Reading the larger statement, she’s saying a lot of ‘this is a complicated issue.’
mistermix
@Frankensteinbeck: Her pronouncements on the topic are vague, I will grant you that.
Mnemosyne
I understand privacy concerns, but I’m really not comfortable saying that law enforcement should be blocked from accessing information that they have a warrant for. Let’s leave aside FISA and just go with an ordinary criminal case — if a guy who’s been making kiddie porn has it on an encrypted drive, do we let him go free to continue making it because we can’t violate the privacy of his encryption?
And is there really nothing else that can be done short of leaving backdoors everywhere? If the answer isn’t technological, maybe it’s legal, and refusing to provide passwords after being served with a legal warrant should be enough to trigger an obstruction of justice or destroying evidence charge, or maybe contempt of court. IANAL, so I don’t know what legal penalties already exist for refusing to comply with a search warrant.
Mike J
@Mnemosyne:
You serve your search warrant, you sit him in front of a laptop, and you tell him to decrypt it or he sits in jail until he does.
That’s a great model for law enforcement working after a crime has been committed. Intelligence services are supposed to be working on stopping things before they happen.
Eric U.
@Elie: I think Alain may still monitor threads in the “site maintenance” category like this:
link
raven
“A shoplifter this week used a snake and two dogs to create a distraction while stealing from two stores in downtown Athens.
With a snake draped around her neck, the thief Tuesday afternoon entered the Pitaya clothing store on East Clayton Street and the Dynamite vintage store around the corner on North Jackson Street Tuesday. Employees said the woman allowed the dogs to wander around the stores, while the snake slithered about, in an obvious attempt to create panic and confusion while she sent out her business taking five-finger discounts.”
Anoniminous
The chances FB/WhatsApp will change their encryption policy is zero, zip, nada, none. If necessary they would move out of the US to protect their business.
Mnemosyne
@raven:
Somebody on the board about narcissistic parents that I read sometimes said that she went out on a shopping trip with her new mother-in-law in the hope of getting to know her better, and discovered her MIL is a habitual shoplifter.
Someone’s response was something like, You gotta admit, you definitely knew her better after that happened!
raven
@Mnemosyne: Dang! Like Winona!
Honoré De Ballsack
@Mike J: You serve your search warrant, you sit him in front of a laptop, and you tell him to decrypt it or he sits in jail until he does.
Yeah, we should just detain suspects indefinitely until they’re willing to testify against themselves. Seriously, Mike J–do you know anything about the American criminal justice system?
Mandalay
@Mike J:
I initially liked the sound of that, but what is the legal basis? What crime has he committed? And what if he is genuinely innocent (someone else used the computer), or he genuinely forgot his credentials, or he correctly remembered his credentials but someone else had messed with them recently? None of those scenarios are wildly improbable, so what happens?
Does he still stay in jail until he rots just in case he’s guilty?
Davebo
@dmsilev: John Chen, the same guy who threatened to seek legislation forcing IOS/Andoid app developers to also make Blackberry versions of their apps.
That’s hilarous! 2nd Qtr 2015 Blackberry’s smartphone OS market share was a whopping 0.3%.
I tell you, they’re HUUUUUGE!
Roger Moore
@cmorenc:
I don’t think it’s a question of unaware as much as uninterested. They’re so focused on being able to snoop on everyone that they simply don’t care if the price is lots of other people being able to snoop, too. It’s a stupid, short-sighted viewpoint, but it’s the kind of thing that happens to people who focus too closely on something like that.
Anoniminous
@Mnemosyne:
The child porn providers who kept that shit on their own hard drives were busted and jailed years ago. Now it is all on the Dark Web. FBI took down Tor last month but they are going to re-build. And even if Tor shut down, there’s plenty of other low life scumbags willing to step up and into the market and they could care less about legal requirements for back doors. If the FBI, Interpol, etc., can track these dirt bags down using standard police methods, and they can, then there’s no reason for back doors.
And as far as local system encryption goes, xkcd (as usual) nails it by jumping the shark, since once the actual hard drives, etc., are in the hands of hackers and the hackers have a fairly good idea of what type of material, in what format, is on the hard drive decryption is … well, not easy – exactly … but doable.
Davebo
@Honoré De Ballsack:
It’s called contempt of court. If a cop knocks on your door explains he has a warrant to search the premises and you refuse to unlock the door do you think the cop will just shrug and walk away.
The difference is in that case the police know who the homeowner is and the address. If a government gets a warrant for “all text messages that went through your network for a given week that’s a totally different thing.
BillinGlendaleCA
@Honoré De Ballsack:
Do you? Once there’s a search warrant, your choices are to comply, go to jail, or appeal the warrant. Fifth amendment motions to exclude evidence could be brought up in a trial.
ETA: What Davebo said in the second paragraph applies to intermediaries.
Roger Moore
@Mnemosyne:
But that isn’t really the issue, here. The whole idea behind these kinds of messenger apps is that the information gets encrypted on the sender’s device, transmitted in encrypted form, and unencrypted on the recipient’s device. The company running the service, be it Apple, Telegram, or whomever, never has a copy of the plaintext (unencrypted) messages, so they literally can’t comply with a warrant demanding them; the best they can do is to provide the encrypted version and let the government try to read it. The snoops hate that because it’s too effective, and they’re trying to prevent people from even making something like that available.
Russ
the internet. over the years we have seen many companies try and fail to make a dollar off of it. Some have made a few dollars in their effort, some much more. The window for free communication is within view. free information has both – + consequences but more is better than less.
Mandalay
@Davebo:
That’s an interesting analogy because in that scenario I don’t think the uncooperative suspect would remain in jail forever. But it seems that you could remain behind bars forever just because you refuse to help the cops decrypt some data, or you are unable to help the cops, regardless of whether you are guilty of anything, and regardless of whether you actually can provide assistance.
Mnemosyne
@Honoré De Ballsack:
Search warrants are unconstitutional? You might want to re-read the 4th Amendment, because I don’t think it says what you think it says.
Mnemosyne
@Mandalay:
The uncooperative suspect’s house would be searched while s/he was in jail.
Davebo
@Mandalay: The issue of being unable to decrypt the data for the police is another thing altogether. What are going to say? “I forgot the decryption code!”
They aren’t going to buy that but at the same time it would be interesting to see how they handled it. However, I’m pretty sure it would involve them giving you some “time to refresh your memory” in confinement.
Baud
Who is proposing a back door to defeat encryption? The link to Hillary’s comment doesn’t say anything about that.
Roger Moore
@Mandalay:
You wouldn’t, but only because the police would physically break into the place rather than wait politely for you to open the door. If you had some kind of physical storage that took forever for the police to break into, they would probably keep you in jail for contempt as they were trying to break into it.
If you’re genuinely incapable of providing assistance, you could get your lawyer to argue that to the judge who’s holding you in contempt, or maybe make a 5th Amendment argument that you shouldn’t have to provide your key. You’re right that it would be awful if an innocent person were stuck in prison because a third party had stuck encrypted data on their computer and the police refused to accept they couldn’t decrypt it. But what’s your proposed alternative?
Mandalay
@Davebo:
Right. I’ve never understood why web sites even bother to have those “forgot your password” links because I really doubt that anyone using a computer has ever forgotten a password.
Mandalay
@Roger Moore:
I’d be asking my lawyer to make an 8th Amendment argument.
The government brings a case anyway if there enough supporting evidence (internet download logs, financial transactions, witness testimony, etc.). And the inability/refusal of the suspect to cooperate with the police can be considered relevant, just as it is relevant when someone gives one story to the police and another one later on in court.
But if the only “evidence” the government has is a strong suspicion that there is some shady data on a computer then no case should be brought. Frustrating if they “know” the suspect is guilty, but no biggie in the scheme of things – that happens all the time for all kinds of crimes.
Woodrowfan
if it’s built by Russians then the FSB can read it.
Woodrowfan
humm, am in Moderation hell. wonder why??
cmorenc
@Mistermix:
The Clinton statement you refer to is a classic example of politician-speak where they throw out a lot of intelligent-sounding concern on all sides of a problem, promising to put our smartest people working on an acceptable solution for it – but without revealing any actual decryptable substance to what the solution practically entails. She did *not* in fact advocate any “back doors” because if you pay attention to her actual words, she actually advocates nothing more than devoting people and resources to solving the problem of undecryptable messages passed back and forth among people up to no good. The statement is deliberately designed to be whatever the reader is inclined read into it, while leaving Clinton ample room for plausible denial for any readers whose interpretation is politically inconvenient to the best interests of her campaign.
I do agree, however that because her statement is a cipher, she is leaving herself wiggling room to consider back doors, while simultaneously leaving herself wiggling room to at some point explicitly reject requiring back doors – whichever seems more expedient to explicitly adopt as a position if a point comes along where she’s forced to endorse one vs the other.
Fr33d0m
@Mnemosyne: Does the thread about warrants really matter much? Isn’t what the feds are looking for is a means to gather intel about potential attacks by introspecting internet traffic?
So yes, if a crime is committed, a court can give you warrant to compel access to information, which doesn’t necessarily mean the suspected criminal has no rights. And a special court can give you cover to access otherwise protected private information in order to gather intel about potential attacks, but does that really relate to jailing them until they talk?
AnonPhenom
@mistermix:
Not a tech person. Some questions.
From a practical POV, how moot will this subject be once a big enough one of these is built?
How far away do you think we are from that day? 10 years?
As with the first computers, won’t governments be the ultimate early adopters because of the expense?
And what won’t the security state be able to accomplish during the 5 to 10 year lag before the price point becomes commercially viable and available to the public?
“Never put anything in an e-mail that you wouldn’t be willing to repeat standing naked in Herald Square on Christmas Eve shouting at the top of your lungs.”