Did Facebook End The Encryption Debate? (forbes.com) 163
Forbes contributor Kalev Leetaru argues that "the encryption debate is already over -- Facebook ended it earlier this year."
The ability of encryption to shield a user's communications rests upon the assumption that the sender and recipient's devices are themselves secure, with the encrypted channel the only weak point... [But] Facebook announced earlier this year preliminary results from its efforts to move a global mass surveillance infrastructure directly onto users' devices where it can bypass the protections of end-to-end encryption. In Facebook's vision, the actual end-to-end encryption client itself such as WhatsApp will include embedded content moderation and blacklist filtering algorithms. These algorithms will be continually updated from a central cloud service, but will run locally on the user's device, scanning each cleartext message before it is sent and each encrypted message after it is decrypted. The company even noted that when it detects violations it will need to quietly stream a copy of the formerly encrypted content back to its central servers to analyze further, even if the user objects, acting as true wiretapping service...
If Facebook's model succeeds, it will only be a matter of time before device manufacturers and mobile operating system developers embed similar tools directly into devices themselves, making them impossible to escape... Governments would soon use lawful court orders to require companies to build in custom filters of content they are concerned about and automatically notify them of violations, including sending a copy of the offending content. Rather than grappling with how to defeat encryption, governments will simply be able to harness social media companies to perform their mass surveillance for them, sending them real-time alerts and copies of the decrypted content.
Putting this all together, the sad reality of the encryption debate is that after 30 years it is finally over: dead at the hands of Facebook. If the company's new on-device content moderation succeeds it will usher in the end of consumer end-to-end encryption and create a framework for governments to outsource their mass surveillance directly to social media companies, completely bypassing encryption.
In the end, encryption's days are numbered and the world has Facebook to thank.
UPDATE: 8/2/2019 Will Cathcart, WhatsApp's vice president of product management, took to the internet with this forceful response. "We haven't added a backdoor to WhatsApp. To be crystal clear, we have not done this, have zero plans to do so, and if we ever did, it would be quite obvious and detectable that we had done it. We understand the serious concerns this type of approach would raise, which is why we are opposed to it."
If Facebook's model succeeds, it will only be a matter of time before device manufacturers and mobile operating system developers embed similar tools directly into devices themselves, making them impossible to escape... Governments would soon use lawful court orders to require companies to build in custom filters of content they are concerned about and automatically notify them of violations, including sending a copy of the offending content. Rather than grappling with how to defeat encryption, governments will simply be able to harness social media companies to perform their mass surveillance for them, sending them real-time alerts and copies of the decrypted content.
Putting this all together, the sad reality of the encryption debate is that after 30 years it is finally over: dead at the hands of Facebook. If the company's new on-device content moderation succeeds it will usher in the end of consumer end-to-end encryption and create a framework for governments to outsource their mass surveillance directly to social media companies, completely bypassing encryption.
In the end, encryption's days are numbered and the world has Facebook to thank.
UPDATE: 8/2/2019 Will Cathcart, WhatsApp's vice president of product management, took to the internet with this forceful response. "We haven't added a backdoor to WhatsApp. To be crystal clear, we have not done this, have zero plans to do so, and if we ever did, it would be quite obvious and detectable that we had done it. We understand the serious concerns this type of approach would raise, which is why we are opposed to it."
Wow (Score:5, Insightful)
In the end, encryption's days are numbered and the world has Facebook to thank.
Dumbest thing I've read all year (including my own writing).
Re: (Score:1)
If anyone thinks facebook IS the Internet, ... let them die in their ignorance.
Let's make they don't know about everything else, shall we?
Re: Walled gardens and "trusted" computing... (Score:3, Interesting)
Do you realise the raspberry pi runs an entire proprietary OS on the GPU and the ARM processor is just a guest?
Re: (Score:2)
so what, no normal human is connecting to social media on their raspberry pi
Re: (Score:3)
You have poor reading comprehension if you didn't find that the BCM2835 boots the system with its proprietary OS including enabling the ARM CPU after loading whatever your OS is.
The parent is factually correct (Score:1)
That's just the way the RPi is organized, and it has maintained that organization from its very first model to its very latest.
The VideoCore IV GPU, DSP and media processor is completely in charge, not the ARM which runs your Linux distro.
Re: (Score:1)
Some lightweight ARM device is probably a good idea, as long as it is not a Raspberry Pi. Broadcom makes those, and you can bet there are a ton of skeletons buried in their proprietary firmware.
Wifi hardware definitely is. (Score:1)
They used 3 arm cores including a couple mmuless ones for doing realtime processing of wifi signals. It was shown they could be backdoored due to buggy coding ~18-20 years ago in the 802.11b days.
The VC4 has its own set of issues, but most of its threat window is mmuless memory access, rather than the firmware running on it. The OpenCL 1.1 Embedded Profile driver is an example of this, since any compiled CL code meant to run on it has full access to all memory in the device. The Pi4 processor remedies some
Re:Walled gardens and "trusted" computing... (Score:5, Interesting)
I don't trust "trusted" computing
IMHO, you are confusing things. Trusted computing doesn't mean that the end user can trust it, but that the society can trust it to prevent the end user from doing something undesirable. In trusted computing, THE END USER IS THE ADVERSARY.
Re: (Score:2, Insightful)
That isn't "society", but rather large media companies who don't file massive lawsuits against the manufacturing companies for enabling copyright violations. Cut out that "society" business because it is a meaningless term that has no relation to reality. "Society" was never consulted, it never became a major election issue, and no referendum ever happened seeking such permission. "Trusted Computing" was installed strictly because a small handful of people talked to another small handful of people and go
Re: (Score:3)
Not "society". Just the vendor and its business partners (which invariably includes the government in this case).
Re: (Score:3)
Re: (Score:1)
Where does all of your "end-to-end encrypted data" flow in and out of, unencrypted? Your web browser. What single of piece of software does Apple outright ban from implementing in your own third party app? A web browser. You can't even embed a web viewing component in your otherwise not-a-web browser app unless it is the system provided web browser component. Break these rules and you will be banished from the Apple walled garden.
What does Apple have going on inside that officially ordained OS web browser c
Re: (Score:1)
What does Apple have going on inside that officially ordained OS web browser component that they are protecting so carefully?
So do a "Project Veritas" and either get some Apple engineers to whistle-blow, or if that fails, do an undercover "sting" type video where Apple incriminate themselves, or as last resort, compromise/blackmail a few key employees with access to the relevant data and post it to Wikileaks.
If anyone thinks the WWW is the Internet... (Score:1)
FB is not even a social network. Let alone the WWW. An anti-social 'tard farm is more like it.
Re: (Score:1)
In the end, encryption's days are numbered and the world has Facebook to thank.
Dumbest thing I've read all year (including my own writing).
If privacy days are numbered on the Internet, then we only have ourselves to blame (or thank, if you are Facebook, Google, Amazon, etc.). We built all this, we did it to ourselves. Slowly, and bit by bit, but we did this to ourselves.
Re:Wow (Score:5, Insightful)
Sweeping conclusions from minimal events (Facebook never had privacy, they just have increased the level of deception here) is the name of the game. Journalism is dead, instead we now have this cheaply made fake.
Re: (Score:2)
WhatsApp, which is owned by Facebook, uses the Signal protocol for encrypted messages. Signal is generally well regarded, rated highly by the EFF and cryptographers. However, the specific implementation in WhatsApp is secret and not audited.
GCHQ, the UK's equivalent of the NSA, suggested that WhatsApp and similar apps using end-to-end encryption should install a backdoor that allows GCHQ to be added to chat groups silently. So rather than weakening the crypto, simply backdoor the app. That appears to be wha
Re: (Score:2)
Re: Wow (Score:2)
And this isn't even new tech. Anti-virus software have intercepted encrypted traffic for years.
Re: (Score:2)
See, this is basically what I came here to say. If you're using FaceBook, what the hell do you care about encryption or even security itself?
Re: (Score:1)
Re: (Score:2)
Re: (Score:1)
Too bad you can only get 5, Insightful. That's one of the most Captain Obvious moments this year.
Re: (Score:1)
I fuck the moon, eat pigs, and bark at shit. It's much more fun.
Well... (Score:4, Informative)
...yes, if you don't root your device. I doubt LineageOS would come with such tools installed.
And from there it's up to us to decide if we want to even use apps that do such things. So I'm not really worried.
Re: (Score:2)
In principle at least, owning the baseband gives you a springboard for lateral movement to a different chip in the device. In other words, a platform from which to attack the SoC or memory or whatever. And from those you get access to app data and computation which lets you attack e2e crypto.
To be fair, this is pretty non-trivial stuff and probably more APT / nation-state level offensive technology. So not sure the FBI is gonna be spending these kind of resources (and risking burning such tools/techniques)
Re: (Score:2)
Re: (Score:2)
No (Score:5, Insightful)
Re: (Score:2)
Well, not that hard. Finding out how to use PGP or GnuPG securely takes less than a day. The overhead per message is in the minutes at worst. As an IT expert, I would not call that "hard". There are lots of things in IT that are hard and require you weeks or months to invest before you can do them well. But that one day is apparently already far too much to expect from people that spent years learning to read and write in the first place.
Re: No (Score:1)
An self proclaimed IT expert only took a day to figure out ow to securely send a message every few minutes? And you think that's a practical solution for normal people?
I'm guaranteed way the fuck more technical than you are but there is no way in hell i'm going to waste the few precious years I have on this planet fucking around with user-antagonistic trash like pgp. Why does so much open source suck so hard at usability? Making things easy is not shameful. Making them hard is not honorable. Making the
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
People who insist on letting a third party "protect" their communications are the ones ending the encryption debate.
Unless you write your own software, that's pretty much everyone.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
> the only way to truly have secure communications between two (and only two) individuals is for those two individuals to personally maintain individual or shared secrets.
whats wrong with public key crypto?
Also, i find the line your drawing a bit arbitrary here. e.g. you could just as well claim that to get secure communication with out trusting anyone else you'd have to design your own crypto primitives, implement them, build your own hardware, etc. Its just all a bit arbitrary.
alternatively maybe card
Re: (Score:2)
> the only way to truly have secure communications between two (and only two) individuals is for those two individuals to personally maintain individual or shared secrets.
whats wrong with public key crypto?
Other than complexity, nothing wrong with public key cryptography - that is the "individual secret" that I mentioned above. With public key you don't have to share a secret with whomever you are communicating with, but you do have to keep your private key (the individual secret) private. To be secure you need to generate the private key on your device using a TPM (or some other form of cryptographic hardware that does not ever allow the private key to be accessed directly or exported), generate a signing re
Re: (Score:2)
Insisting that people become op-sec and crypto experts isn't going to help anyone. Adding string end-to-end crypto to apps is, because even if it isn't perfect it still massively increases the cost of mass surveillance.
It also makes it easier for people who really do care to blend in to the crowd. GCHQ used to take special interest in encrypted data, and got rather upset when BitTorrent added crypto to the protocol to defeat ISP throttling because suddenly their filters were clogged.
Why is victim blaming so popular in the US? (Score:1)
First of all, have you seriously never heard of shadow accounts?
And of peers accidentially leaking information (like photos) about you?
Secondly, no matter if you shake my naked lubed ass in front of me, and I say "I will fuck you", it is still not OK for me to rape you! I can leave, do nothing, or force you to stop harassing me if you don't leave me alone. Even a crime does not justify another crime! (I thought you Americans followed the teachings of Jesus, not the first testament God!)
illusiory privacy (Score:5, Insightful)
This applies to more than FB. The only form of anonymity available on the internet is the sort that exists in a crowded restaurant: there are a million conversations going at once, and yours just isn't that special, and most of the time nobody is gonna bother to listen. The story changes the second that someone with the motivation really decides to eavesdrop
Re: (Score:2)
Yes. Most of the idiots using it actually. A good number of them left once the Cambridge Analytica scandal broke out.
The idiots stayed, those leaving was the ones realizing there were no actual privacy but revolted by how extremely shitty FB actually are and to what extent they track users, gather data, and share that data.
Re: (Score:2)
The Arrogance of Professionalism (Score:5, Insightful)
What the OP and others forget is that not everyone has time to dedicate to learning all this arcane shit. Instead, they are learning their own arcane shit. They feel the SAME way about you. Like, when you go to the mechanic for a car issue, and he looks at you like you are a moron because you did not do a "simple" repair yourself. Or, the dentist, who drones on about how you are not doing something so obvious as clean your teeth the way they do. How about the dancer, who just can't believe someone as nerdy as you does not have that level of practiced grace? Etc etc
So, instead of succumbing to dark impulse to make fun of them and say they get what they deserve, maybe show some empathy, and remember that you are the dumbass noob in other areas of life. Take the time to explain things. Make the world a slightly better place by sharing what you know. If you show people why big tech like FB is evil, they can help you fight it. Laugh at them, and they will help FB come after you....
Re: (Score:3)
Same could be said about moving about in public, talking with friends in a restaurant, having a modern TV, owning a smartphone, using a car that was built after 2018 etc. ad nauseum.
There is a huge difference between "some (few, with no central collection) people may overhear some (few, unrelated) conversations at some point in time (uncommon)" and "all communication is scanned and reported at all times and reported to one central authority". One is several orders of magnitude more fascist than the other.
Th
One more time for the people in the back (Score:2)
There is not, and never has been, any such thing as "privacy" online. That fact goes all the way back to the days of timesharing on mainframes.
Nothing more to say.
Ooooo this is tricky (Score:3)
Funny Zuck does not like having customers?
But then if this is their solution I will take it!!!!! I really don't need anything they have or provide
Just my 2 cents
Re: (Score:3)
Re: Ooooo this is tricky (Score:3)
Re: (Score:2)
Not all android phones come with Facebook pre-installed. And it's easy to delete on an iPhone if someone installs it. Same with all the Google crap.
OK, but how do I delete all the Apple crap?
Re: (Score:1)
I don’t get it (Score:4, Interesting)
How does Facebook doing an end-around “end the encryption debate”?
What Facebook is talking about doing seems pretty orthogonal to the discussion around encryption. It does, however, make me think their apps are basically behaving like malware and should be treated the same way.
This idea is even worse than what sounds at first. (Score:4, Interesting)
There are also security implications. Those blacklists have to be provided from somewhere. Source and destination (for suspicious messages) addresses will be discovered pretty damn soon. If you're an administrator, you can easily intercept traffic in your network (DNS/IP redirections) and block/intercept communications. I can easily see how this will get exploited by all the public wifi providers. Perhaps even ISPs.
Re: (Score:2)
Trouble is that the TLAs *want* you to use "detectable encryption technology" [theregister.co.uk] - uncommon technologies identifiable at the network level based on ciphertext or traffic patterns. PGP is the poster boy, as pointed out in that article - it's uncommon and the ciphertext is easily identifiable.
Old-school secure(*) Whatsapp was an "undetectable encryption technology" rather than a detectable one simply because it was commonly used - you can blend into the crowd if everyone is using it, so targeting all the users i
Re: (Score:2)
Old-school secure(*) Whatsapp was an "undetectable encryption technology" rather than a detectable one simply because it was commonly used - you can blend into the crowd if everyone is using it, so targeting all the users in impractical.
I'm curious...how is WhatsApp more "undetectable" than Signal? They both use the same Signal protocol.
Re: (Score:2)
They use different server addresses and have separate networks, that allows them to be differentiated at the network level.
Re: (Score:2)
Re: (Score:2)
Not simply more people than Whatsapp, but a critical mass of users so large that targeting them collectively would be impractical. More than the current Whatsapp user count would be enough.
clipper chip (Score:3)
So... end to end encryption is useless if you don't trust the endpoint. Duh. If you are using whatsapp or facebook or facebook messenger, you are trusting facebook. This has always been categorically stupid.
"If Facebook's model succeeds, it will only be a matter of time before device manufacturers and mobile operating system developers embed similar tools directly into devices themselves"
Wow, how did we get this far before anyone thought of this?! Oh wait... you mean the "clipper chip" model, from the 90s, where the hardware is spying you for the NSA?
We've known about this avenue of attack forever, and idiot lawmakers have been proposing it for the last 30 years. Facebook hasn't really moved the needle here. I guess its good it woke up the article author... although he's already surrendered in defeat. Fucking donut.
Re: (Score:2)
And yet the 'clipper chip' is EXACTLY the technology TFA author is fretting over.
Delete your facebook account asap (Score:2)
If you still have a facebook account, you are a moron...
Almost nobody has secure encryption (Score:3)
And the reasons are simple: Encryption (like, for example backups) is inconvenient and requires you to learn some things before it works and is secure. All efforts to make it "just work" have predictably failed. Hence the only ones that have secure encryption are the experts and the few non-experts that invested a few hours (apparently already too much effort for most people) to find out how it works. These people will continue to have secure encryption, the rest will never have it. And while the attempts of Facebook described in the story are impressive in their sheer dishonesty and deception, they are not the root-cause for this.
Will this also be installed (Score:2)
on the devices of people that don't faceplant?
Oh, man! (Score:3)
"Remember when it was legal not to be on Facebook?" - Utahraptor, 2013
What a moronic article (Score:1)
Encryption on devies you don't fully control (Score:4, Interesting)
Is a risky endeavor anyway.
A simple keylogger built into any number of installed apps ( base, user or clandestine installation), programs, the OS or even the GD hardware ( like your keyboard ) itself will negate even the most amazing crypto algorithm ever created.
The argument for secure crypto on a digital device is moot if an adversary can gain ( or already has ) any level of control over the endpoints.
it ends facebook (Score:4, Interesting)
If you haven't dumped Facebook off of every ... (Score:5, Interesting)
... device you own and use, what the heck are you waiting for? IMHO, Facebook would spy on everyone and/or give the government the spare key to your communications so they could do the spying themselves if it meant keeping the company from being broken up and Zuckerberg fined to oblivion or out of jail.
Whatever products you're using today, you should be looking for alternative in the event that Facebook buys them. With the money they now have, it'd be a good idea to start thinking about living without certain applications---they could buy just about anyone nowadays.
This is (to me anyway) reminiscent of the days of doing due diligence research on what products one could switch to in a commercial setting in case CA were to buy one of the applications your business depended on. In those cases it was to protect against outrageous licensing and maitenance fees. With Facebook it's worse; it's everyones' personal privacy that's at stake.
Privacy, smivacy (Score:2)
Thanks (Score:1)
Encryption? Crypto Illiteracy (Score:2)
While idiots keep using language like 'encryption' to mean cryptography in all its forms - authentication, authorization, signing, privacy, liveness, replay protection and so on, they will continue to be the class of idiot who should not write opinions on cryptography online if they don't want their idiocy exposed.
Delete Facebook, get rid of your smartphone (Score:2)
Wait what? (Score:2)
OMG, I hever realized that Facebook is essential. When did Facebook become essential? The last company that sold me a phone with Facebook preinstalled and unremovable never sold me anything again, and never will. Ever.
Fuck Facebook.
Re: (Score:2)
Fuck Facebook.
Wait...you can break encryption that way? (Score:2)
Does this really need to be tagged as sarcastic?
Operating systems should be set up to specifically block this sort of thing. The only stuff that should be able to globally intercept keyboar
the usual story of misplaced blame (Score:2)
encryption's days are numbered and the world has Facebook to thank
The author has an enormous blind spot, leading to erroneous conclusions. Facebook doesn't give a crap, per se, about end to end encryption. The whole thing is coming out of pressure and regulations from various governments for them to "do something" about people talking to each other outside of approved channels.
I Do Not Have A Facebook Account (Score:2)
Will I be required by law to have social media apps installed on my phone, tablet or laptop? Perhaps there is a simpler method.
There are countries that are right now requiring root certificates belonging to their government be installed on computing devices. The U.S. Attorney General is demanding an encryption back-door such as this right now. No pesky court order required. Your communications are always accessible on demand, in real-time, that way.
It may be that we are not yet cowed sufficiently to let
Blame FakeBook (Score:2)
" In Facebook's vision, the actual end-to-end encryption client itself such as WhatsApp will include embedded content moderation and blacklist filtering algorithms. "
I'm not even vaguely interested FakeBook or WhatApp, and I'm certainly unwilling to have my messages "content-moderated" by those lefty companies.