
The Signal messaging app touts its “state-of-the-art end-to-end encryption” that “keeps your conversations secure.” It adds, “we can’t read your messages or listen to your calls, and no one else can either.”
That’s true – to a point. The recent addition of a journalist to a private group chat about military strikes on Yemen showed that messaging is vulnerable to sharing contacts. Although encryption stops a message from being read in transit, it’s useless if a hacker accesses the account or device. Even the best-quality end-to-end encryption doesn’t matter if one of the ends is compromised.
There are Signal-style inadvertent “backdoors” and there are government-required backdoors. Authoritarian Russia and China already operate expansive laws around government access to personal information. Under its cybersecurity legislation, Chinese companies must hand over personal information at government request.
Some democracies, led by the UK, are now considering imposing strict requirements in order to fight terrorism and to protect children. The UK Home Office recently ordered Apple to allow access to encrypted iCloud backup data from around the world. Under the Investigatory Powers Act 2016 – dubbed the Snooper’s Charter – UK authorities have broad surveillance powers, including the ability to compel companies to weaken encryption and other security features. Seemingly in response – since Apple can’t comment – Apple disabled the feature for UK users, though it remains unclear whether this satisfies UK authorities.
“End-to-end” encryption means data is designed to be decrypted only at the beginning and end. When Signal says, “we can’t read your messages,” this is what they mean. The backdoor that the UK is asking for would mean that the UK Home Office would be able to read all messages.
If Apple complies in the UK, it would find itself unable to say no to similar demands from other nations for broad extra-territorial access. Sweden is considering similar rules, and the entire EU is debating a child safety law that could jeopardize encryption. In the US, official policy is unclear, but Trump administration officials have expressed concern over UK access while at the same time looking to gain access to data themselves.
Diligent police and intelligence work often can allow investigations without undermining encryption. In 2015, the FBI tried to compel Apple to help it break into an iPhone used by a terrorist in a California shooting. Apple refused. The FBI gained access to the phone with traditional methods, ending the stand-off. US police have asked friends and family to share the phones’ passcodes. Australia’s eSafety Commissioner recently issued a report outlining techniques companies use at all stages that can help detect abuse and prevent it.
Companies long have partnered with law enforcement to detect and combat child safety abuse. In the US, many platforms use their tools to detect child safety abuse on their platforms — and, in turn, contribute money and in-kind human resources to the National Center for Missing & Exploited Children and the International Center for Missing & Exploited Children. As part of this collaboration, companies have developed tools to detect child safety abuse and investigate instances of it, without breaking encryption.
What happens in one country affects others. Because data travels internationally, the UK wants access to the data of Europeans, Americans, and nearly everyone else. US industry has protested, warning that the UK “move would not only undermine encryption protections but also set a dangerous precedent by compelling companies to create security vulnerabilities that could be exploited by bad actors.”
End-to-end encryption isn’t a panacea either, because the endpoints might be vulnerable. A recent Google Threat Analysis warns that Russians modify legitimate Signal invite pages to link a device the hacker controls to the user’s account. Why would a hacker spend resources attacking encryption when a well-crafted fake invite can get unfettered access to the account?
The backdoor the UK wants to add for encryption adds a new set of endpoints: now everyone’s data is only as secure as the Home Office. Or, more worryingly, everyone’s data is only as secure as the least secure device or account in the Home Office. Apple doesn’t want to bet all of its users’ data on the weakest device in the Home Office.
European regulations pose another threat. The Digital Markets Act requires Apple products to allow third-party app stores on their platforms. Given concerns about Russian influence over the Telegram messaging app, Telegram’s mini-App Store could represent a security risk if allowed on Apple devices. But Europe also endorses encryption. The European Court of Human Rights has held that the creation of backdoors violates data privacy.
A difference exists between the UK and Russia asking for backdoors to encryption; one operates under the rule of law, the other does not. But democracies shouldn’t weaken encryption. Data privacy and security is a shared commitment in the democratic world, and it should stay that way.
Joshua Stein is a Technology Policy Analyst at the Software and Information Industry Association, which signed the letter opposing the new UK restrictions on encryption. He recently completed a postdoctoral fellowship at the Georgetown Institute for the Study of Markets and Ethics, where his work focused on technology policy and economics.
Bandwidth is CEPA’s online journal dedicated to advancing transatlantic cooperation on tech policy. All opinions expressed on Bandwidth are those of the author alone and may not represent those of the institutions they represent or the Center for European Policy Analysis. CEPA maintains a strict intellectual independence policy across all its projects and publications.