The US war on encryption has quieted down recently. The San Bernardino and Brooklyncourt cases concerning encrypted iPhones both ended this spring not with a bang, but with a whimper. The disastrous Burr-Feinstein anti-crypto bill has gone dormant — for now. Likewise, similar measures proposed in the New York, California, and Louisianalegislatures have either been formally killed off or left to wither away in committee. The tragic massacre in Orlando may have helped defeat a proposed amendment to a defense appropriations bill that would have protected encryption. But on the bright side, it has not spurred a renewed offensive against encryption like what we saw after the Paris and San Bernardino attacks last winter (though some politicians and national security expertscontinue to claim that defeating terrorism requires reaching a “middle ground” on encryption).
While encryption has fallen off the front page in US news, the current round of the Crypto Wars continues elsewhere and behind the scenes. Internationally, governments are quite active on this issue. The lower and upper houses of Russia’s legislature have just passed a bill that, if approved by the Kremlin (as is expected), would mandate state security services be able to access Russians’ encrypted communications and would allow them toobtain providers’ encryption keys without a court order. Within the same week, India’s high court rejected a petition to ban end-to-end encrypted messaging apps and mandate crypto backdoors. The court, while dismissing the case, urged the petitioner to take the matter to the appropriate state agencies. In the space of a week, the fate of secure communications turned grim for 143 million Russians and was left up in the air for over 1.3 billion Indians. With national governments watching each other closely on encryption issues, the ramifications of these two powerful countries’ encryption policies won’t be confined within their borders.
This international activity supports my suspicion that end-to-end encrypted messaging tools are probably the next frontier in the current Crypto War here in the US as well. FBI Director Jim Comey has promised more litigation over government access to encrypted data. One of the next big court showdowns will probably involve a demand that an app’s provider somehow decrypt encrypted communications intercepted in transit pursuant to a wiretap order, rather than access to encrypted data in storage on a device for which the government has a warrant.
Director Comey alluded to this possible move in a May speech. He claimed that one out of every eight devices involved in active FBI investigations now can’t be unlocked — an eyebrow-raisingly high number. He also predicted that messaging apps’ rising adoption of end-to-end encryption will further increase that number. While this remark didn’t seem to distinguish between searches of encrypted devices and interception of encrypted messages on the wire, it nevertheless indicates that US law enforcement officials are thinking about their next move vis-à-vis encrypted messaging. At present, the newly-released wiretap report for 2015 has been read to indicate that encryption remains a negligible problem for law enforcement intercepts. However, the reports contain few details relating to encryption, and Comey and Deputy Attorney General Sally Yates have cautioned in the past against drawing that conclusion from the report (namely the 2014 version, whenmore instances of encryption were reportedly encountered than in 2015).
So who will be up at bat for the coming fight over end-to-end encrypted messaging apps? If popularity is any prediction, the most likely contenders are Apple’s iMessage, with itsheavy US traffic, or Facebook-owned WhatsApp, which roughly one-seventh of the Earth’s population uses. (While it’s the darling of privacy and security advocates, Signal has arelatively tiny user base, meaning it probably doesn’t come up much in the garden-variety cases that dominate law enforcement’s time.)
Last winter, before WhatsApp deployed end-to-end encryption by default, Julian Sanchez speculated that the company was already getting numerous wiretap orders. But, he pointed out that law enforcement would no longer be able to intercept readable messages once WhatsApp finished rolling out end-to-end encryption, which it completed in April (using Signal’s encryption protocol). In the intervening months, the public has learned little about US law enforcement’s response. Are they still bothering to get wiretap orders for WhatsApp users? Can they somehow obtain legible WhatsApp messages, and if so, how? Are police getting court authorization to mount a man-in-the-middle attack, as Sanchez suggested? Has Facebook been ordered to provide decrypted WhatsApp messages to police, or to give them other assistance to enable them to do so?
Those are the sorts of court scenarios that might arise in the end-to-end encryption fight. Indeed, iMessage and WhatsApp specifically have already gotten caught up in court disputes in the US and abroad. In the US, the Justice Department was reportedly figuring out how to proceed in a recent wiretap matter involving WhatsApp. The Indian high court petition sought to ban WhatsApp and other end-to-end encrypted messaging tools because Indian police and intelligence services can’t read users’ messages. In Brazil, WhatsApp’s inability, by design, to comply with orders to hand over user data led a judge to have a local Facebook executive briefly jailed and to block the app country-wide — twice. And a US court showdown over Apple’s iMessage was supposedly averted last year when DOJ backed down.
Read the full post at Just Security.