Apple and Facebook fighting international encryption battle
Regulations in Australia, U.K. make it easier for police to pressure companies for data
Nearly three years after the Federal Bureau of Investigation abandoned an effort to force Apple Inc. to extract data from an encrypted iPhone, technology companies are facing several new efforts from governments fighting for access to digital secrets.
Australia and the U.K. have passed laws that make it easier for law enforcement to compel tech companies to turn over data, although the impact of those measures has yet to be tested. India is considering a sweeping law that would give authorities access to some data from the hugely popular WhatsApp messaging service within its borders, and the U.S. has signaled it has not given up on its efforts to get inside of encrypted devices such as Apple’s.
The so-called going-dark issue, or the government’s inability to access data as devices get more encoded and difficult to crack, “is a problem [that] infects law enforcement and the intelligence community more and more so every day,” said Amy Hess, executive assistant director with the FBI, in an interview. Ms. Hess, who previously oversaw the FBI’s science and technology branch, testified to Congress on the problem during Apple’s 2016 clash with the bureau.
Governments want access to user data to solve crimes and track potential threats. Silicon Valley companies, fearful that this access could be misused for spying or exploited by hackers, continue to build products that are so securely encrypted that the tech companies themselves are sometimes unable to access the data on them. And many tech companies are resisting any efforts to weaken their encryption capabilities.
On Thursday, a coalition of civil society groups, trade associations and nine tech companies, including Facebook Inc., which owns WhatsApp, Apple, Google, Twitter Inc. and Micro- soft Corp. filed comments with the Australian government warning that the law, passed in December, could create back doors into technology products.
“What happens here will ricochet everywhere,” said Fergus Hanson, the head of the International Cyber Policy Centre at the Australian Strategic Policy Institute.
In a public comment on the legislation, filed last fall, Apple wrote that “future governments could interpret the bill’s broad and vague terms quite differently, wielding its provisions to weaken encryption.”
A spokesman for Australia’s Department of Home Affairs, which has been working with tech companies on proposed amendments, said that claims that the legislation would weaken encryption are “completely false.”
Earlier this month, law-enforcement officials from 10 countries, including the U.S., Australia and India, met in Brazil to discuss the data-access problem. The U.S. hasn’t pursued legal action since backing off Apple three years ago, but the FBI is “very curious to see how the Australian law, now that it is passed, will be implemented and what will be the impact,” Ms. Hess said.
In the U.K., authorities passed a law in 2016 that lets law enforcement compel the technology companies to produce this data, but Australia’s has fewer restrictions for law enforcement, Mr. Hanson said.
India too is considering new rules that would allow authorities there access to some information about the sender of encrypted messages, and would force WhatsApp to remove objectionable content.
Those changes, being drafted by the Telecom Regulatory Authority of India, could compromise the privacy of WhatsApp’s 200 million Indian users by forcing the company to “re-architect” its software, a WhatsApp spokesman said in an statement.
The Australian, U.K., and Indian regulations have attracted the ire of privacy advocates, who said that they could undermine the security of end-toend encryption. The mushrooming patchwork of global regulations is also adding new complexity for tech companies that do business internationally. China has forced Apple and other tech companies to move user data and encryption keys within its borders. Russia and Brazil have aggressive data access requirements.
Late last year, Ian Levy, a technical director of the U.K.’s National Cyber Security Centre, part of the U.K.’s communications intelligence agency, floated a proposal that would allow the government to be added on as a silent new party to any encrypted group chat message.
The point was to kick-start a realistic debate on how governments might get access to these systems, Mr. Levy said in an interview. He said his proposal is a starting place for a discussion about how to solve the encryption problem. “The reality is that we want a debate,” he said.
But critics such as Alec Muffett, a former Facebook engineer who built Messenger’s end-to-end encryption capability, says that Mr. Levy’s proposal would create an unaccept- able risk to user privacy. “What they’re talking about is requiring the ability to insert someone else into every conversation, to listen in, because that’s not a back door. But it’s worse than a back door,” he said.
Even as international momentum builds toward mandating encryption rules on technology companies, the issue remains for now a political nonstarter in Washington, according to congressional aides, technology lobbyists and former law-enforcement officials.
In the aftermath of Edward Snowden’s 2013 revelations of the U.S. government’s datagathering capabilities, many technology companies locked down their products. Apple’s iMessage, Facebook’s Messenger and WhatsApp, Telegram Group Inc. and the opensource Signal software, for example, all have end-to-end encryption capabilities that they say make it impossible for them to obtain data sent through those services, which scramble data so that messages can only be read by the sender and recipient.
But in 2016, the U.S. government asked Apple to create a software update that would break the privacy protections of the iPhone to gain access to a phone used in a 2015 terrorist attack in San Bernardino, Calif. Apple refused to comply, and the conflict was largely viewed as a publicity win for the iPhone maker. The FBI suffered another setback last May when it revealed it had accidentally inflated public statistics about the number of encrypted devices investigators were unable to break open.
Ms. Hess, in the interview, declined to provide an updated figure other than to say the problem continues to increase. She said that one challenge to offering an accurate count was that investigators in the field may not be aware of certain methods or tools to access a locked device or may opt to not share it with the right personnel who are able to access it.