Is Facebook Already Working On An Encryption Backdoor? (forbes.com) 79
Horst Seehofer, Germany's federal interior minister, wants to require encryption companies to provide the government with plain text transcripts. One security expert says Facebook is already working on a way to make it happen.
An anonymous reader quotes his remarks in Forbes: The reality is that at its annual conference earlier this month, Facebook previewed all of the necessary infrastructure to make Germany's vision a reality and even alluded to the very issue of how Facebook's own business needs present it with the need to be able to covertly access content directly from users' devices that have been protected through end-to-end encryption...
While it was little noticed at the time, Facebook's presentation on its work towards moving AI-powered content moderation from its data centers directly onto users' phones presents a perfect blueprint for Seehofer's vision. Touting the importance of edge content moderation, Facebook specifically cited the need to be able to scan the unencrypted contents of users' messages in an end-to-end encrypted environment to prevent them from being able to share content that deviated from Facebook's acceptable speech guidelines. This would actually allow a government like Germany to proactively prevent unauthorized speech before it is ever uttered, by using court orders to force Facebook to expand its censorship list for German users of its platform.
Even more worryingly, Facebook's presentation alluded to the company's need to covertly harvest unencrypted illicit messages from users' devices without their knowledge and before the content has been encrypted or after it has been decrypted, using the client application itself to access the encrypted-in-transit content. While it stopped short of saying it was actively building such a backdoor, the company noted that when edge content moderation flagged a post in an end-to-end encrypted conversation as a violation, the company needed to be able to access the unencrypted contents to further train its algorithms, which would likely require transmitting an unencrypted copy from the user's device directly to Facebook without their approval.
Could this be the solution Germany has been searching for?
The article warns that by "sparking the idea of being able to silently harvest those decrypted conversations on the client side, Facebook is inadvertently telegraphing to anti-encryption governments that there are ways to bypass encryption while also bypassing the encryption debate."
An anonymous reader quotes his remarks in Forbes: The reality is that at its annual conference earlier this month, Facebook previewed all of the necessary infrastructure to make Germany's vision a reality and even alluded to the very issue of how Facebook's own business needs present it with the need to be able to covertly access content directly from users' devices that have been protected through end-to-end encryption...
While it was little noticed at the time, Facebook's presentation on its work towards moving AI-powered content moderation from its data centers directly onto users' phones presents a perfect blueprint for Seehofer's vision. Touting the importance of edge content moderation, Facebook specifically cited the need to be able to scan the unencrypted contents of users' messages in an end-to-end encrypted environment to prevent them from being able to share content that deviated from Facebook's acceptable speech guidelines. This would actually allow a government like Germany to proactively prevent unauthorized speech before it is ever uttered, by using court orders to force Facebook to expand its censorship list for German users of its platform.
Even more worryingly, Facebook's presentation alluded to the company's need to covertly harvest unencrypted illicit messages from users' devices without their knowledge and before the content has been encrypted or after it has been decrypted, using the client application itself to access the encrypted-in-transit content. While it stopped short of saying it was actively building such a backdoor, the company noted that when edge content moderation flagged a post in an end-to-end encrypted conversation as a violation, the company needed to be able to access the unencrypted contents to further train its algorithms, which would likely require transmitting an unencrypted copy from the user's device directly to Facebook without their approval.
Could this be the solution Germany has been searching for?
The article warns that by "sparking the idea of being able to silently harvest those decrypted conversations on the client side, Facebook is inadvertently telegraphing to anti-encryption governments that there are ways to bypass encryption while also bypassing the encryption debate."
Re:I'd definitely like to (Score:5, Insightful)
There's no need for backdoors in the encryption when you have full access to the plaintext at both ends.
The only reason Whatsapp is encrypted is to prevent ISPs from mining the data as it passes through their routers, ie. so that Facebook has a competitive edge over them. Nothing to do with protecting anybody's intimacy.
only you can read this (Score:2, Funny)
Sent from my Huawei
Re:I'd definitely like to (Score:5, Insightful)
>"There's no need for backdoors in the encryption when you have full access to the plaintext at both ends."
Bingo. If you have no control over the "app" at the source or destination, that app can do anything it wants before and after encryption. Which is why you can't trust binary or proprietary software, even if you trusted the encryption has no backdoors. It might help with people spying on you through the transmission of the end-to-end encrypted message, but nowhere else.
Also, encryption with back-doors isn't really encryption at all.
Also, even if the app is trusted, you could still have malware on either end that might snarf the message before or after the encryption.
This is why I am absolutely amazed anyone would trust "password manager" apps on the Play Store, for example. You have no idea how the encryption is managed or what the app does. Put all your most important security info in one very questionable place.... sounds like a great idea, no?
Re: (Score:2)
This, Password Managers in general are a compromise of security.
Re: (Score:2)
Still a compromise of security, but auditable by yourself.
Re: (Score:2)
So the same idea that was proposed in (forget the publication) for the UK. Invisibly add another recipient to the conversation?
That will certainly work but by now I would expect someone to have broken WhatsApp's packet format and have succeeded in harvesting both key change events, sending of ephemeral keys and encrypted messages. If they are doing it this way I suspect it would be discoverable especially now that people know how to look.
A really secret way to do it is to build the ephemeral key so that f
Re: (Score:2)
But there are people that are looking to see what the apps are sending back to the companies. So even if they encrypted a copy of the text there would still be double the data. By accessing the text at the app level they need to send the text back to the company for processing. It's going to be seen. They can't put the processing in the app and risk having someone find something. Besides, people don't update fast enough to meet their needs.
If they build the chat app so that it runs through a central server
Comment removed (Score:5, Interesting)
Re: (Score:2, Insightful)
Facebook/Whatsapp own the endpoints. Just because they tell YOU they are not interconnected does not mean they are not.
Re: WhatsApp, end-to-end encryption and FB (Score:2)
Do you use gmail?
Re: (Score:3, Interesting)
Whatsapp messages are only encrypted during transmission. Not in storage on your local device.
Your wife has Facebook and whatsapp on her phone. The Facebook app probably reads the messages straight from the filesystem.
Did you sleep through the news? ;) (Score:1)
No offense; enough sleep for everyone! But:
It's closed-source.
Need I say more?
It was literally news here on Slashdot, not that long ago, how FB vacuums off ALL the data, to sell it to advertisers.
Trusting closed source from FB is a *bit* insane, don't you thin ;)
(Hell; trusting *open* source from FB is bad. Trusting an auditing company is not much better. Unless they are trusted close friends of you personally. ... Generally, my rule is: If I cannot punch them in the face if I wanted to, they are not to be
Re: (Score:2)
The messages are securely encrypted during transmission but they obviously get decrypted before your wife reads them. That would be the point that Facebook 'processes' them for keywords.
PS: Why else would Facebook have spent so much money for a messaging app?
Re: (Score:1)
The point is, you can have 'super duper mega encryption' and it all means shit if the device you use is compromised by malware. Nobody seems to get this.
Re: (Score:2)
People are fucking stupid.
Only relevant pert of AC comment.
Re: (Score:2)
Doesn't mean they didn't change it afterwards. Doesn't take much to add a "and dump to the "analytics" file to the programs encode/decode function.
Re: (Score:2)
Now they're going after the lurkers!! When will it stop!!
Re: (Score:2)
Re: (Score:1)
creepy (Score:5, Insightful)
"content moderation flagged a post in an end-to-end encrypted conversation as a violation"
Now Faceboot is censoring people's private conversations?
China is going to just love that. (Score:5, Insightful)
"content moderation flagged a post in an end-to-end encrypted conversation as a violation"
Now Faceboot is censoring people's private conversations?
China is going to just love that.
Maybe they are working on gaining access to the Chinese market?
Re: (Score:2)
Now Faceboot is censoring people's private conversations?
Yes. Same way none of your "private" files online are actually private, anything you upload to Dropbox, GDrive etc. is scanned for bad content, you don't have to actually share it with anyone.
it's FB (Score:2)
Of course FB is ready to "abide by the laws"... uh... not? Not when it is to their advantage to ignore them.
But in this case, it is to their advantage to break open the encryption. Encrypted chat is bad for FB. They don't make money from it. They can't scan it for keywords to improve their profile on you. So of course they will be happy to be "forced" by any government that is ready to play the part.
Re: (Score:2)
Sure they can scan it (and summarize it in some fashion that cannot be linked to the original text, by using hashing or something).
Remember, in a WhatsApp chat there's always at least two devices that have the unencrypted text, unless you honestly think that that App on your phone is only doing things that are in your best interest...
Encryption Backdoor (Score:1)
Not end to end (Score:2)
Let's not repeat the corporate BS, if it has a backdoor it's not end to end encryption.
Re: (Score:2)
Unless the decryption happens in your brain (cyber implants?), it's never end-to-end by your definition. The article here talks about FB app grabbing the content from your device before or after encryption (i.e. when you create the message or when you read it), so the device-to-device, which is what most people mean by "end-to-end", encryption is bypassed. Imagine someone installing a keylogger and screen grabber on your PC, it can bypass end-to-end encryption.
The only safety is to NOT USE FACEBOOK (Score:3, Insightful)
And you know that Zuckerberg, who's security is even worse than Microsoft, will be offering backdoors for sale.
Re: (Score:2)
Going full East Germany on all communications.
Laws on history, politics, words, links, art, comments, reviews.
You really don't have encryption now. (Score:2)
Anyone who is using closed source encryption software of any kind is only fooling themselves. It is, in my opinion, worse than using no encryption at all. At least with no encryption you're not lulled in to a false sense of security.
There are already keyword searches (Score:2)
Tell me how else I can talk to a friend about project management methodologies on Whatsapp, which I usually never ever talk about, especially on whatsapp, and 20 minutes later I am being hit with ads about Project Management Methodologies on facebook.
I don't think they are receiving the contents of my messages in FB HQ, but I bet there is a little keyword scanning function in whatsapp with a 1 or 2mb database of interesting keywords that beams a tiny little message to HQ saying FB id number xx is interested
Are they? All the more reason to leave, now. (Score:3)
This is not moderation (Score:2)
Touting the importance of edge content moderation, Facebook specifically cited the need to be able to scan the unencrypted contents of users' messages in an end-to-end encrypted environment to prevent them from being able to share content that deviated from Facebook's acceptable speech guidelines.
This right here is just invasion of privacy. There is no instance where end-to-end comms should be EVEN MONITORED, much less moderated. This is the biggest 'no no' of private user-to-user chat systems. You leave it alone, period. It's up to the end users to manage their content.
But oh yeah, I remembered this is Facebook. Please, carry on. Continue to make a complete mockery of netiquette and human decency.