Matthew Green, a cryptographer, security technologist and professor of computer science at Johns Hopkins University, says companies trying to integrate end-to-end encryption (E2E) face a tough battle as resistance builds against innovators who develop systems to protect private communication.
In a message to his 99,500 followers on Twitter, Green writes:
“What really worries me is that the US and other governments are strongly urging to block the introduction of new E2E encryption.”
Backlash against end-to-end encryption (E2E) got a big push last year when U.S. Attorney General William Barr, along with international law enforcement partners from the United States, the United Kingdom and Australia, issued an open letter to Facebook criticizing the social network’s plans to implement E2E on all its messaging platforms.
According to the letter,
“By using end-to-end encryption, which allows messages to be decrypted only by end users, service providers can no longer produce readable content in response to eavesdropping and search commands. This barrier allows criminals to avoid arrest by law enforcement officers by restricting access to critical evidence in the form of encrypted digital communications. The use of end-to-end encryption and other highly advanced encryption technologies completely hinders or prevents serious criminal and national security investigations.”
“Law enforcement and intelligence agencies cannot force Congress to ban E2E, so they use all the non-legislative tools they need to stop it. And it turns out that this works. Not against the big entrenched providers that have already deployed E2E. But against the new starters who want to use crypto to solve trust problems.
And the federal government has enormous power. Power over tools like section 230 [of the Communications Decency Act of 1996]. Power to create headaches for people. But even without Congressional help, the executive has tremendous power to make purchasing and certification decisions.
So if you are a company that wants to use E2E for your customers, even if there is an urgent need, you are in the specter of waging war with an immensely powerful government that has very strong negative feelings about broad access to encryption.”
In addition to consumers and individuals, Green also emphasizes how President Trump has targeted various forms of oversight of his administration by dismissing five inspectors general.
“Fortunately, the US executive can’t mess with DoD tenders to thwart a company. We have a strong system of laws and inspectors general to prevent that kind of abuse. (Yes, I’m kidding.)
And this is a huge problem. Because some companies all over the world have infrastructure. Some companies have incredibly valuable and sensitive business data (even on their ‘free’ levels) and there are those who want that data. Encryption is a great tool for protecting it.
The amazing thing about this particular moment is that thanks to a combination of the pandemic that is forcing us all online, more people than ever are directly exposed to it. “Communication security” is not something only activists and eggheads care about.
Now for companies exposed to this corrupt dynamic, there is an instinct to try to negotiate. Divide the baby in half. Implement E2E encoding, but only a little bit of it. E2E for some users, such as paying customers and businesses, but not for *everyone*.
And there is some logic in this position. The worst crimes, such as the distribution of child abuse media, take place in the free accounts. So limiting E2E to paid accounts seems like an elegant compromise, a way to avoid getting caught by a dragon.
But I personally think this is a mistake. Negotiating with a dragon never ends well. And throwing free-tier users in the dragon’s mouth feels even worse.
But the real takeaway, and why I hope this issue is of interest to you, is: if the federal government is able to intimidate one company into compromising your safety, what will happen to the next company? And the next?
Once the precedent is set that E2E coding is too ‘dangerous’ to transfer to the masses, the ghost is out of the bottle. And once U.S. business accepts that private communications are too politically risky to implement, it will be difficult to put them back.
(I realize I’m mixing metaphors here.)
Either way, this could be an interesting academic debate if we were in normal times. But we are not. Everyone who looks at the state of our government and law enforcement systems – and feels safe reading all our messages – lives in a very different world from me.”
You can view the full thread here.