Encryption a poisoned chalice
Facebook is damned if it hides info and damned if it doesn’t
It is a strange feeling to see Facebook’s new-found stance on privacy being staunchly defended by civil liberties organisations. But that’s how the increasingly complex encryption debate twists and turns.
Under fire from users and governments threatening regulation for not protecting its users’ data and privacy better, Facebook decided to do something about it.
One privacy and security upgrade that the social network’s founder Mark Zuckerberg has decided on is end-to-end encryption for all Facebook apps.
If you and I make calls or send texts using say WhatsApp, there’s no way for anyone to listen in to what we say or read messages.
End-to-end encryption keeping everyone’s internet activities secure is great, right? No it’s not, the governments of the United States, Britain and Australia state.
Supported by New Zealand, the three governments have sent an open letter to Zuckerberg asking for the end-to-end encryption for Facebook apps to be put on hold until there’s some yetto-be-developed way to provide lawful access to users’ communications.
Strong end-to-end encryption means Facebook isn’t protecting its users, the governments argue, because it puts an end to intercepting terrorists and child abusers’ communications.
The governments put in the letter actual examples of cases of abusers being caught thanks to interception, to justify the argument.
Nobody wants to help abusers and terrorists, but how far should we go to stop them? Should we accept that everyone must be less secure online to make interception easier?
Because that is what the governments want; there’s no point in saying anything else as encryption that can be broken or bypassed isn’t strong, it’s weak and useless.
In that scenario, it would make sense to limit access to smartphones and mobile networks, or even the internet itself, as the technologies enable and aid bad people.
Furthermore, without strong encryption they won’t be safe for normal people to use.
Any type of secret backdoor to provide interception capability would be discovered or leak out sooner rather than later. Governments aren’t particularly good at keeping sensitive data safe, as evidenced by the recent Tu¯ Ora data breach where the Ministry of Health doesn’t even know if the health information was accessed or not.
The demands in the governments’ letter places Facebook in an impossible position. Either they put their users at risk by weakening encryption, or Facebook is branded a terrorist and child abuse supporter.
Hobson’s Choice, and Facebook is likely to get into fights with governments everywhere no matter what it does.
There are shades of grey in the encryption debate and you see some of that in the controversy caused by a new privacy-enhancing feature for web browsers and apps.
It involves a bit of internet infrastructure most of us never think of. When you look for a website like www.nzherald.co.nz the query and responses to it go to and arrive from Domain Name System (DNS) servers in clear text.
If captured, the clear-text requests show the sites you visit, when and how often. Even if you can’t tell what a person reads or does on a website, information leaked through DNS is valuable for surveillance and tracking purposes. You can work out sensitive information like the bank Person A uses, ditto which airlines and log visits to political sites.
Google’s Chrome browser and Mozilla Firefox can now encrypt DNS requests, which makes being online more private (although there are problems with the technical implementation of the feature).
Scrambling DNS lookups has negative side-effects though. Antimalware filters can’t intercept the requests and block access to known bad sites for example, as the DNS traffic is folded into strongly encrypted HTTPS data streams.
Sending DNS requests over HTTPS means they only go to specific servers like Cloudflare’s 1.1.1.1. That’s instead of using the distributed global network of DNS servers as is the case with clear-text requests.
The effect is that one or just a few centralised DNS servers get full logs of users’ web browsing. Oops.
Contortions like the above show how difficult it is to balance both sides of the privacy and safety equation. Finding a way out looks set to be a case of picking what seems the least damaging solution, and hope can handle any disastrous consequences.