A Boom in E2E Encryption Apps Usage Makes Finding a Noninvasive Solution a Necessity

Protecting personal privacy is gradually becoming increasingly important to the public. This became especially visible after the change of rules introduced by the popular Whatsapp at the end of January 2021. This strive for more privacy often takes the form of moving daily communications to end-to-end (E2E) encryption apps such as Signal or Element. With a boom of these apps, security communities are now facing a renewed dilemma, to push again for regulating such impregnable apps or to acknowledge public demand despite the fact that encrypted apps could be also used by extremists, criminals or terrorists.

E2E encryption apps use sophisticated system to allow only the recipient of the communication to decipher the message. This is usually done with a two key system - one public and one private. Any contact in the app has access to the public key and is therefore able to encrypt a message to the recipient. However, only the original receiver with its private key, which never leaves the device, is able to decipher it. 

Unlike other types of encryption often used in the apps and on the internet (e.g. transport layer security, TLS), E2E does not allow a third party, such as a provider, accessing the contents of the messages. Security agencies thus cannot get information from the app or the provider even with a judicial warrant and are therefore forced to go directly to the sender or receiver. This usually requires hacking individual mobile devices, which is significantly more difficult and thus limits the potential mass communication surveillance.

 

Apps under pressure

Encrypted communications have been under scrutiny for a several years now, especially in the US, but also in the UK. In 2014 and 2015 a strong political pressure was put on President Obama to promise no legislation limiting E2E encryption would be implemented. Even though the pressure was largely successful at the time, in July 2020 US Congress passed the EARN-IT Act against the spread of child pornography. This bill forces internet providers and platforms to provide means to support automated scanning for child sexual abuse materials. Obviously, this is a difficult thing to do for the end-to-end encrypted platforms, because it forces them to a) abandon their encryption completely or b) build a backdoor into their system to allow for the required access.

The struggle between big tech companies such as Facebook that implemented E2E encryption on its WhatsApp platform, but planned it also in Messenger and Instagram, largely left Europe out. But this is not a case anymore, in November last year, documents leaked from the European Parliament showed preliminary plans for regulation on E2E encryption apps. Even though this was only a very early draft proposal, it clearly indicated the direction in which the EU is going to move in the near future. The leaked documents inferred a backdoor in the systems to allow security agencies equipped with a judicial warrant to access certain communications. However, there are several significant problems related to this demand, both political and technical.

 

Problems with backdoor access

Firstly, most security agencies demanding access to these apps push for legal access also called a “backdoor” option. This in practice means that the provider of the end-to-end encryption platform will be required to build-in a way how to exploit the app. This in itself is problematic for a couple of reasons. For one, some of the most popular encrypted apps (e.g. Signal) are open-source software and thus finding and exploiting the backdoor will be relatively easy, especially for actors with sophisticated tools and other resources. Moreover, even the simple existence of the backdoor decreases trust in the app and incentivizes various actors to exploit the compromised app. 

Secondly, obtaining backdoor access might paradoxically lead to more vulnerability. This is primarily due to malign actors with significant resources (e.g. China, Russia, …) have rich experience in finding and using such exploits to follow their interests, going in the contrary to the national security of affected countries. After obtaining access, international “bad actors” can eavesdrop sensitive communications and thus endanger national security in different ways depending on the type of acquired information. 

 

“Even the simple existence of the backdoor decreases trust in the app and incentivizes various actors to exploit the compromised app.”

 

Thirdly, building a backdoor into the encrypted app code comes with a political problem of sharing the data of the country's citizens. As a number of countries in the EU are members of the wider Nine Eyes or Fourteen Eyes spy community, it is not a far fetched thought to see the threat of sharing the citizens private information with those who do not have any right to have access to them.

Fourthly, E2E encryption apps are nowadays an important tool for human rights activists and journalists all around the globe, even in countries where the censorship authorities are very active. Limiting these apps would therefore be a heavy blow to human rights reporting globally.

Lastly, not just endangered activists, journalists or criminals who use encrypted communication, it is also an essential component to limit industrial espionage and is widely used by the financial institutions to securely handle sensitive information that might have a significant impact on the financial markets.

 

Privacy vs Security

Even though the importance of ensuring national security is paramount, intentionally building a technical backdoor into a widely used platform is still a controversial one, primarily due to the reasons stated above. Moreover, as is typical for highly illegal activities, providing a backdoor access to the security authorities will most likely cause a rapid shift of malign actors to different platforms. 

This in turn may make the new legislation obsolete, inefficient and possibly might even weaken already existing capabilities of the authorities (e.g. criminals stopping to use established messaging channels infiltrated by the authorities). In case criminals shift to different platforms, not only would the legislation not serve its intended purpose, but could also be easily misused to spy on people of interest.


“As is typical for highly illegal activities, providing a backdoor access to the security authorities will most likely cause a rapid shift of malign actors to different platforms.”

 

The aggressive approach of the global security community to the issue and subsequent mounting pressure on the tech giants is alienating the public and the companies from governmental interests. This is visible especially with a new approach a number of governments are taking to regulate E2E apps and which focuses on the app stores

The app stores serve as natural choke points since the apps generally have to be approved by the tech companies. It is possible that the security agencies might be able to pressure big tech to only offer apps with backdoor in the app stores. If this is the case, national security might very well achieve their goals without any democratic input. However, this brute force solution might find a little understanding among the public, which is the one group supposed to be protected.

About author: Pavel Hanosek

Partners

Tento web používá k analýze návštěvnosti soubory cookie. Používáním tohoto webu s tím souhlasíte. Další informace