Matthew Green, a cryptographer, security technologist and computer science professor at Johns Hopkins University, says companies trying to integrate end-to-end encryption (E2E) are facing an uphill battle as resistance mounts against innovators who are developing systems to protect private communications.
In a message to his 99,500 followers on Twitter, Green writes,
“The thing that’s really concerning me is that there’s a strong push from the US and other governments to block the deployment of new E2E encryption.”
Blowback against end-to-end encryption (E2E) got a big push last year when US Attorney General William Barr signed an open letter to Facebook, along with international law enforcement partners from the United States, United Kingdom and Australia, criticizing the social network’s plans to implement E2E across all of its messaging platforms.
According to the letter,
“Use of end-to-end encryption, which allows messages to be decrypted only by end users, leaves service providers unable to produce readable content in response to wiretap orders and search warrants. This barrier allows criminals to avoid apprehension by law enforcement by limiting access to crucial evidence in the form of encrypted digital communications. The use of end-to-end encryption and other highly sophisticated encryption technologies significantly hinders, or entirely prevents serious criminal and national security investigations.”
Adds Green,
“Law enforcement and intelligence agencies can’t get Congress to ban E2E, so they’re using all the non-legislative tools they have to try to stop it. And, it turns out, this works. Not against the big entrenched providers who have already deployed E2E. But against the new upstarts who want to use crypto to solve trust problems.
And the Federal government has an enormous amount of power. Power over tools like Section 230 [of the Communications Decency Act of 1996]. Power to create headaches for people. But even without Congressional assistance, the executive branch has vast power to make procurement and certification decisions.
So if you’re a firm that wants to deploy E2E to your customers, even if there’s a pressing need, you face the specter of going to war with an immensely powerful government that has very strong negative feelings about broad access to encryption.”
Beyond consumers and individuals, Green also highlights how the President Trump has targeted various forms of oversight of his administration: by dismissing five inspectors general.
Writes Green,
“Fortunately the US executive branch can’t fiddle with DoD procurement to spite a company. We have a strong system of laws and Inspectors General to prevent that sort of abuse. Yes, I’m joking.)
And this is a huge problem. Because some companies have infrastructure all over the world. Some companies carry incredibly valuable and sensitive corporate data (even at their ‘free’ tiers) and there are people who want that data. Encryption is an amazing tool to protect it.
The amazing thing about this particular moment is that, thanks to a combination of the pandemic forcing us all online, more people than ever are directly exposed by this. ‘Communications security’ isn’t something that only activists and eggheads care about.
Now for companies that are exposed to this corrupt dynamic, there’s an instinct to try to bargain. Split the baby in half. Deploy E2E encryption, but only maybe a little of it. E2E for some users, like paying customers and businesses, but not for *everyone*.
And there’s some logic to this position. The worst crimes, like distribution of child abuse media, happen in the free accounts. So restricting E2E to paid accounts seems like an elegant compromise, a way to avoid getting stepped on by a dragon.
But I personally think this is a mistake. Negotiating with a dragon never ends well. And throwing free-tier users into the dragon’s mouth feels even worse.
But the real takeaway, and why I hope maybe this issue will matter to you, is that if the Federal government is able to intimidate one company into compromising your security. Then what’s going to happen to the next company? And the next?
Once the precedent is set that E2E encryption is too ‘dangerous’ to hand to the masses, the genie is out of the bottle. And once corporate America accepts that private communications are too politically risky to deploy, it’s going to be hard to put it back.
(I realize I’m mixing metaphors here.)
Anyway, this might be an interesting academic debate if we were in normal times. But we’re not. Anyone who looks at the state of our government and law enforcement systems — and feels safe with them reading all our messages — is living in a very different world than I am.”
You can check out the full thread here.
Featured Image: Shutterstock/Twin Design