Say That Again
The federal government's anti-encryption push is starting to turn into a really weird movement. Yanking pages from the FOSTA playbook, Attorney General William Barr threw an anti-encryption party featuring him, FBI Director Chris Wray, Deputy AG Jeffrey Rosen, and some overseas critics of secure communications.
It was full of loaded language, beginning with the conference's name:
Lawless Spaces: Warrant-Proof Encryption and Its Impact On Child Exploitation Cases
This is how the DOJ and FBI are going to play this game: the specter of exploited children vs. secure communications for millions of Facebook users. Facebook is definitely the target. This conference -- which featured zero tech experts or encryption advocates -- was preceded by the announcement of a data-sharing agreement between the US and UK government that namechecked Facebook's Messenger and WhatsApp.
It was also preceded by Attorney General William Barr's letter to Facebook, asking it to drop its plans to add end-to-end encryption to Messenger. The letter, signed by the participants in this one-sided conference, said the addition of encryption -- without some form of "lawful access" -- would result in massive amounts of undetectable child exploitation.
Now that William Barr has said his piece, the floor has been opened up to DOJ Deputy Attorney General Jeffrey Rosen. Rosen's pitch isn't all that different from the one Barr laid out in his open letter to Facebook. But Rosen does add a bit more color to his in the form of questionable analogies.
Outside the digital world, none of us would accept the proposition that grown-ups should be permitted to mingle in closed rooms with children they don’t know in order to groom them for sexual exploitation. Neither would we ever accept the idea that a person should be allowed to keep a hoard of child sexual abuse material from the scrutiny of the justice system when all of society’s traditional procedures for protecting the person’s privacy, like the Fourth Amendment’s warrant requirement, have been satisfied. But in the digital world, that is increasingly the situation in which we find ourselves.
First off, no one finds the propositions Rosen offers acceptable -- not the digital variety nor the real-world version. However, both versions still happen, with or without "lawful access." It's not that the DOJ and FBI shouldn't go after child exploiters. It's that pretending that undermining encryption will cause "lawless spaces" to cease to exist isn't an honest approach.
To be fair, Rosen isn't saying exactly that. But what he's pitching is encryption backdoors that will result in millions of insecure communications for millions of people. The potential for harm is immeasurable. But we -- and our service providers -- should apparently be willing to take that risk so law enforcement has easier access to these communications. That's the trade-off being demanded, even if Rosen, Barr, etc. aren't intellectually honest enough to use those exact words.
The intellectual dishonesty continues with Rosen's refusal to call backdoors "backdoors."
I am not for a moment suggesting that we should “weaken” encryption. As we confront the problem of “warrant-proof” encryption, nobody is calling for secret “back doors” to communications systems, even though that is often how the issue is misreported. As FBI Director Wray said this morning, law enforcement seeks a front door — that is, access through a transparent and publicly acknowledged system, and only once we have secured the authorization of a court. And we don’t want the keys to that door. The companies that develop these platforms should keep the keys, maintaining their users’ trust by providing access to content only when a judge has ordered it.
If you put an entrance anywhere, the building is compromised. A hole in a wall, floor, roof, wherever, is still a hole. It doesn't matter who holds the keys. The keys exist and can be copied or misplaced. Law enforcement may need a warrant, but criminals and state actors only need access to the key. Dressing it up as an escrow system doesn't magically make this problem go away.
Rosen is calling for more than backdoors. Using another emotional argument, Rosen appears to saying the government should be allowed to eavesdrop on encrypted communications.
Every day, companies like AT&T, Verizon, and Sprint provide law enforcement with targeted lawful access to the content of phone communications in ways that promote public safety — but only after the government has complied with the rigorous requirements of the law, and a judge has authorized access. Why should internet technology companies operate under different rules? For a young girl who is being trafficked for sex, it makes no difference whether her tormenters are communicating via traditional voice calls over a cell phone, or via an encrypted internet app. But it makes a huge difference to the investigators trying to find her, as they can gather the first category of electronic evidence, but not the second. From a policy point of view, it doesn’t make any sense.
The example Rosen uses is wiretaps. The FBI would definitely like to be the unseen party to any number of conversations, especially now that most of them don't take place over the phone. With this, Rosen is asking for more than unencrypted access to data at rest. He's asking for a "non-backdoor" that allows investigators to intercept communications. This increases the complexity of the government's demands and the insecurity of the targeted app's users.
Rosen says 70% of 16 million child sexual abuse reports Facebook made last year originated from its Messenger service. Once end-to-end encryption is applied, these messages will no longer be visible to Facebook, in addition to being less accessible to law enforcement. He compares the millions of Facebook reports to the very limited number produced by Apple, which has provided end-to-end encryption for a few years now. Apple has forwarded a little over 200 tips over the last three years. As Rosen conjectures, it can't simply be because no child abusers use iPhones.
Rosen isn't wrong. Encryption will result in far fewer reports, if Facebook can't scan messages for child porn. But he's completely wrong in his portrayal of the trade-offs being made.
Some companies have completely favored the privacy of their users over the safety of their users.
This isn't about privacy, even though there is definitely a net privacy gain. It's about security, something even the government realizes is essential for electronic communications. But the government wants less security for everyone, in exchange for an unknown quantity of law enforcement "wins." Rosen actually says users are "safer" when their communications providers scan communications for illicit content -- an argument few outside the FBI and DOJ would make. Rosen is spinning this from the viewpoint of law enforcement riding to the rescue of victimized children. But it won't just be the FBI making use of backdoors or intercepted communications. It will also be governments who treat criticism and dissent as crimes, which definitely makes things less safe for millions of people around the world.
Rosen closes with this last bit of intellectual dishonesty:
If we are to move to a world where even judge-approved search warrants become useless to the protection of exploited children, and to public safety more broadly, our country needs an open discussion of the costs some such technology platforms will be imposing on all of us. If our efforts to make the virtual world more secure leave us more vulnerable in the physical world, that decision should be an informed one.
But Rosen and the agencies he's speaking for don't want an "informed" decision. They've spent years blowing off experts who say what they want will result in less security and safety for users, as well as pointing out the impossibility of creating a "secure" backdoor. You only need to look at the speaker list for this event to see the DOJ and FBI aren't interested in being informed. When the only people being asked for opinions are those who think undermining encryption is a necessity, you're going to come to the conclusion that undermining encryption is a necessity.
Filed Under: doj, encryption, going dark, jeffrey rosen, securityCompanies: facebook