Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Encryption Facebook Government

Facebook and WhatsApp Will Be Forced to Share Encrypted Messages With British Police (bnnbloomberg.ca) 128

"Social media platforms based in the U.S. including Facebook and WhatsApp will be forced to share users' encrypted messages with British police under a new treaty between the two countries, " reports Bloomberg, citing "a person familiar with the matter." The accord, which is set to be signed by next month, will compel social media firms to share information to support investigations into individuals suspected of serious criminal offenses including terrorism and pedophilia, the person said.
This discussion has been archived. No new comments can be posted.

Facebook and WhatsApp Will Be Forced to Share Encrypted Messages With British Police

Comments Filter:
  • by o_ferguson ( 836655 ) on Saturday September 28, 2019 @11:51AM (#59246886)
    n/t
    • Rubber hose, or the deluxe steel wrench. If you don't want to leave a mark, waterboarding will do.

    • Trivially simple: (Score:4, Insightful)

      by BAReFO0t ( 6240524 ) on Saturday September 28, 2019 @12:14PM (#59246944)

      It's closed source.

      Yes. That's it. No need to say more.

      • So you're in the camp that says that their current encryption actually doesn't exist? I can see that is a possibility.
        • by DrYak ( 748999 ) on Saturday September 28, 2019 @06:03PM (#59247896) Homepage

          Remember guys, end-to-end encryption only work iff you control said endpoints.
          If these endpoints are closed source software, this means the end points are *somebody else's software*, it doesn't belong to you, you can't control what's happening inside.

          It's entirely possible that yes, WhatsApp and Messenger, did implement Open Whisper Systems' Axolotl encryption (= the Signal protocol) as announced back then by Facebook, that their Apps did indeed receive perfectly secure message form other users, and that the Apps contain extra code that will send a perfectly secure copy of your message to law enforcement.
          WhatsApp already contains the capability to relay securely messages form your app to a web-app running in the browser on your desktop.
          Probably the police will get something similar, except they don't need to scan a QR code to establish a secure channel with your App, and your App will not constantly pop-up reminders that you have a "CopApp" session logged in, the same way it adverises currently your logged in WebApp sessions.

          • by rtb61 ( 674572 )

            Encryption should always be a FOSS add on, the code must be open and viewable by all that use it, else you will be backdoored every time. Although, if it is your government doing the backdooring, safer to let them, the alternate is they kick down your doors, steal your electronic stuff and possibly shoot your for holding a suspicious looking cheeto, just to be safe, they had to shoot you thirty to forty times sort of thing. When you are, do not forget to give them many interesting things to read, don't forg

          • Remember guys, end-to-end encryption only work iff you control said endpoints.

            No. It works if you *TRUST* the said endpoints. There's a big difference. I didn't setup my bank's computer system but the fact that I didn't do so doesn't make my encrypted internet banking section broken. It still works just fine.

        • Whatsapp does ue Signal's protocol. That is not in question.

          But what good is a secret underground tunnel ... between your enemy's forts?

          Both end points are untrustworthy, so securing the connection between them is so ridiculous it's making the TSA tell you to turn down the theater a notch. And frankly, it's insulting our intelligence.

          Like in science, if you, personally, can't verify it really is secure, then it's not security.
          And I mean with the ability to compile it yourself to check if it results in the s

      • Is there a good app to wrap Facebook/Whatsapp to only send PGP encrypted messages over their networks?

        The only safe communication (from a privacy point of view) is one that uses standards-based client side encryption where the key never is shard with the service provider.

        The technologies exist (pgp-encrypt your facebook message before giving it to facebook) - but aren't used much.

        • Oversec in the F-Droid Store is close.

        • First, PGP is a bad idea (but has been experimented in the past).
          In practice you need some deniability.
          Systems like OTR - Of The Record - are better suited.

          now about the question:
          - Pidgin has optional plug-ins that relies on the API used by the webapp of Messenger to get the messages.
          - Pidgin has a plugin that implements OTR encryption atop off any messenging protocol.

          Problem: only few nerds are going to jump through the hoops to get that stack running.
          The other 99.98% of the population want an app that jus

  • Corporations are not compelled to follow treaties unless U.S law requires it. Without laws to accompany the treaty, they will just refuse and the U.S will be in breach
    • by malchus842 ( 741252 ) on Saturday September 28, 2019 @12:04PM (#59246926)
      The Constitution would seem to disagree with you:

      This Constitution, and the Laws of the United States which shall be made in Pursuance thereof; and all Treaties made, or which shall be made, under the Authority of the United States, shall be the supreme Law of the Land; and the Judges in every State shall be bound thereby, any Thing in the Constitution or Laws of any State to the Contrary notwithstanding.

      • Technically yes but the treaty can't set punishment for citizens (or corporations) that don't follow it, only U.S law can do that
      • A treaty cannot dictate how a US citizen behaves within the US borders. It dictates how a US citizen must behave if within the borders of the country with which we have the treaty and vice versa. If the servers are in the US then the corporation is not entering the foreign country, the citizens of said country are entering the US (via the internet). So no, a treaty with a foreign country cannot compel a US corporation to go ever to said country (again, via the internet in this case) and hand over documents.
        • by malchus842 ( 741252 ) on Saturday September 28, 2019 @12:45PM (#59247062)
          As noted, the Constitution says otherwise. Treaties to which the US Senate agrees are the supreme 'law of the land' and must be enforced by judges (see the above citation of Article VI of the US Constitution. So, if the US/UK sign a treaty that says US corporations have to turn over data to the UK, that's enforceable by the US courts against US citizens. Think extradition treaties - they operate in the country which signed the treaty and must be followed by the US courts as 'the supreme law of the land'. You can't go into court and argue successfully that the extradition treaty doesn't apply to you. It does.
          • by sjames ( 1099 )

            Treaties apply to the government, as does the Constitution. That means the government is bound by the treaties it signs and by the Constitution.

            Neither is binding on anyone else. For that, laws must be passed.

            A treaty nay bind the government to pass a law or not pass a law. If a law is passed, it must still be consistent with the restrictions of the Constitution.

            • by dryeo ( 100693 )

              Government signs a treaty with a native tribe that establishes some land is theirs. They can then use existing trespassing laws to keep someone off their land with no further law needing passed.

              • by sjames ( 1099 )

                Nevertheless, a law must exist in order for anyone but the government to be bound the treaty alone won't do it.

          • by davecb ( 6526 ) <davecb@spamcop.net> on Saturday September 28, 2019 @04:43PM (#59247740) Homepage Journal

            In fact, the example of extradition contradicts your thesis. Extradition and anything else created by treaty is always subject to the laws of the country where the person is, say the US or Canada. In particular, the crime that the person is accused of must be a crime in the US if Canada wants to extradite someone from the US, and vice versa.

            If you read the wording in the (British-flavored) English of the day, it says in modern terms

            This Constitution comes first, then the Laws of the United States, then treaties.

            If you're interested in how this works in practice, there's an active extradition-treaty case about that as we speak, United States v Meng, 2018 BCSC 2255 (CanLII), http://canlii.ca/t/hwmhm [canlii.ca], retrieved on 2019-09-28, about Meng Wanzhou, the daughter of the founder of Huawei and currently the CFO and Deputy Chairwoman of the Board of Huawei. She argues what she did in the US is not a crime anywhere else in the world, and arguably not in the US either.

            • by dryeo ( 100693 )

              Usually that is how extradition treaties are written. Example, Canada's extradition treaty with America includes the provision of no capital punishment so we don't extradite murderers until you assure us that the death penalty will not be pursued.

      • SCOTUS has already interpreted this clause to mean that a treaty cannot be used to create unconstitutional provisions. And SCOTUS has the final word.
        • If you're relying on Reid v. Covert that's a plurality decision, so you can only take the narrowest reading from the concurrences as 'law' (as the Supreme Court as said). In that case the narrowest ruling was only that UCMJ cannot be applied to civilians in capital cases. Anything else is not precedent.
          • The power to ratify a treaty does not supersede the power to amend the Constitution. In a word, the treaty-power cannot purport to amend the Constitution by adding to the list of Congress’s enumerated powers. [cornell.edu] You can read the relevant cases in the references.
            • If you actually read through that it doesn't contradict what I've said, NOR does it reach an opinion on the actual extent of self-executing treaties. To wit:

              a treaty is “to be regarded in courts of justice as equivalent to an act of the legislature, whenever it operates of itself, without the aid of any legislative provision

              and

              What other treaty provisions need congressional implementation is debatable.

              • Of course, it contradicts what you said. In as much as you contradict what I said anyway. A treaty cannot be used to amend the Constitution. It can only have a power of a legislature. Which means that a treaty cannot enact provisions which would be unconstitutional if they were laws (acts of Congress).
                • Missouri v. Holland where the state argued the treaty could not expand the constitutional powers of the federal government. the state lost. QED
                  • It didn't lose on those grounds. It lost because of the supremacy clause.
                    • It didn't lose on those grounds. It lost because of the supremacy clause.

                      Which was the Supreme Court doing what it frequently does, and completely dodging the incipient constitutional crisis. The crisis is still waiting for something written in a such a way that it wends its way through all lessor wickets and actually forces the Supreme Court to rule on Article VI.

                • by dryeo ( 100693 )

                  How about limiting what is considered arms per the 2nd. America has signed treaties outlawing chemical and biological weapons, I think that would make a strong case that people can't arm themselves with poison gas or smallpox. (This is in theory as the 2nd isn't honoured anyways as it clearly allows any arms that a militia needs to function as a militia as well as the common law principles of self defence, hunting and such. That piece about the militia was added on purpose to be clear it included military a

      • The Constitution would seem to disagree with you: [quotes the supremacy clause]

        That's another of the misreadings of the clause.

        (The common one is the claim that it means treaties, negotiated by the President's team approved by 2/3 of the Senate, are equivalent in force to constitutional amendments, requiring approval of 2/3 of the state legislatures after being proposed by either 2/3 majorities of both the senate and the house or a consitutional convention called by 2/3 of the state legispatures.)

        What it

        • What it really says is that the constitution, federal laws, and treaties trump state constitutions, laws, and court rulings when they are in conflict. The states can't nullify provisions of the Constitution or federal laws, or abrogate or modify treaties, by legislation or court rulings.

          If this were true, then the court would have decided Misouri v Holland in the other direction, as the ruling expanded the powers of the Federal government which is the purview of the states, via amendment. In other words, the US government was given permission to engage in plainly unconstitutional behavior because they signed a treaty saying they could.

          • Missouri v. Holland simply found that federal treaties trump state constitutions (not the federal constitution), exactly as the guy you're responding to said. You have no clue what you're talking about.

          • If this were true, then the court would have decided Misouri v Holland in the other direction, as the ruling expanded the powers of the Federal government which is the purview of the states, via amendment.

            No, it did not.

            The previous federal attempts to regulate migratory birds, as an interSTATE issue, had been struck by the Supremes when states argued that there wasn't an enumerated power to regulate bird harvests so the Tenth Amendment reserved this to the states.

            So the fed negotiated a treaty with Canada

      • Insanely, despite that rather clear constitutional binding, the Roberts court decided otherwise in MedellÃn v. Texas...

        https://en.m.wikipedia.org/wik... [wikipedia.org]Ãn_v._Texas

      • by Agripa ( 139780 )

        The Constitution would seem to disagree with you:

        This Constitution, and the Laws of the United States which shall be made in Pursuance thereof; and all Treaties made, or which shall be made, under the Authority of the United States, shall be the supreme Law of the Land; and the Judges in every State shall be bound thereby, any Thing in the Constitution or Laws of any State to the Contrary notwithstanding.

        The treaty either has to be "self executing" or statutory law is required to implement it domestically. Otherwise the Senate and President could bypass the constitution including the bill of rights and implement law by treaty alone.

    • Or the IP ranges (taken from DNS) and VPN, if they aren't retarded (but evil).
      Or, create an IP whitelist, if they want it to actually work (and are even more evil).

      Basically, the UK is already halfway to a Great Firewall of China.

  • by stevegee58 ( 1179505 ) on Saturday September 28, 2019 @12:01PM (#59246918) Journal
    It's as easy as that.
    • by BAReFO0t ( 6240524 ) on Saturday September 28, 2019 @12:12PM (#59246940)

      1. That's circular reasoning. It is also the cause.

      2. I got a bunch of computer illiterate mature women to use Signal, as they were dealing with sensitive patient data. From children too.
      Now their clients use it aswell. That way they can share videos of the progress of the children. Many of which using sign language, meaning text or audio is out of the question.
      That's already a whole community. Because of one person.

      Now's your turn. Be a leader for once. Accept that you're the cool guy here. Not that Facebook-using retard.

      • by AmiMoJo ( 196126 )

        I was using Signal but it's bloated and needs ridiculous permissions. It's there a light version or something?

        • I found it a bit minimalist at first, but it improved now.

          Also, it actually uses all those permissions. And for sensible things only. If you don't trust my or anyone's code audit, only reading it yourself will help.

          Otherwise, how about IRC? Or smoke signals? With hand-encoded one time pads, of course. In a featureless gray cement one-room "house". On the bare floor. Naked. Cause everything else is bloated and overwhelming.
          Much more rational and sane. :P

        • by Herve5 ( 879674 )

          Signal offer an open version, separate from the app store, that you can install yourself; for instance on https://signal.org/android/apk... [signal.org]
          I consider it quite cool as there also are laptop versions, including for Linux.
          With Signal nobody can read your talk, but anybody could check who you are talking to.
          If you want to avoid the latter, to my knowledge you have a single solution, Briar, which has no laptop version. But then with Briar not only your comm is encrypted, but because it uses an Onion network nobo

    • by Dunbal ( 464142 ) *
      The bullshit is a function of the number of users, not particularly of Zuckerberg. If lots of people start using Signal they will start pulling exactly the same crap.
      • Backdoors don't work on opensource software.
        At worst someone outside of their jurisdiction (or an anonymous person) will simply fork their repo and create a backdoor-free version.
      • The bullshit is a function of the number of users, not particularly of Zuckerberg. If lots of people start using Signal they will start pulling exactly the same crap.

        This is essentially a claim that all people are equally bad. I do not think that is the case.

    • Signal is an obvious honeypot.

    • I tried using Signal but my friends on Whatsapp weren't getting messages. Apparently I wasn't either because you suggest I delete Whatsapp.

      Why did you even offer that as a suggestion. Your solution literally broke the one thing I need this kind of app to do: Talk to specific people.

      You are really bad a tech support. I'm leaving you a bad Yelp review.

  • There are so many alternatives. There's no reason for the cops to know you're even communicating at all.

  • by BAReFO0t ( 6240524 ) on Saturday September 28, 2019 @12:07PM (#59246932)

    AFAIK they use ephemeral keys due to using the same protocol as Signal. So even if they have the user keys, they can't get the messages contents.

    Oh wait. They are closed source! Meaning that even with "independent" code audits, the encryption means nothing whatsoever!
    Nevermind.

    • by Dunbal ( 464142 ) * on Saturday September 28, 2019 @12:22PM (#59246964)
      The man in the middle is still the man in the middle. I tell you your message is encrypted. You send it to me. I decrypt it because after all I gave you the key. I read your message. Then I re-encrypt it with the key I gave Alice (it could even be the same key, if everyone is sharing it with me). She gets an encrypted message. Wow, perfect security. Except it's bullshit.
      • Shhhhhhh! You will spoil everyone's daydream...

      • by sjames ( 1099 )

        The Diffie-Hellman key exchange [wikipedia.org] is specifically designed such that the middleman is unable to derive the exchanged key even if he sees all messages passed.

        Note that you need to use the verify end-to-end security feature out of band to assure that the diffie-hellman exchange is, in fact, with the intended peer and not a middleman after the first message exchange (which should be something you don't care about like "how's it going").

        • by Dunbal ( 464142 ) *

          is specifically designed such that the middleman is unable to derive the exchanged key even if he sees all messages passed.

          Yes, and if that is what they were doing then they wouldn't be able to hand messages over to police now, would they? So I'm willing to bet that's pretty much NOT what they're doing.

          • by sjames ( 1099 )

            Just because a law says they have to hand the messages over doesn't mean they can do more than hand over the cyphertext.

            All the same, I am switching over to signal wherever possible since I don't trust Zuck to not tamper with WhatsApp (or rather not to order others to tamper).

            The point is, it's not the man in the middle that can screw you, (given a good protocol) it's the provider of the software.

      • by AmiMoJo ( 196126 )

        With Signal you are supposed to verify the other users in person. With WhatsApp, which uses the Signal protocol, I'm not sure if you can verify so all you get is a notification if their key changes. That happens when they reinstall the app, for example.

        Anyway, if you verify then MITM is impossible because the MITM can't fake the other person's secret key that you verified.

    • That's the thing. They cannot simply hand over user keys to comply with this, but they can still change the apps to send those keys and/or message transcripts to Facebook, in case law enforcement wants them later.
      It's a huge bonus for FB, if they can sell it as "no one can read your crap but you, and law enforcement after they serve us with a warrant". Most ordinary people would be ok with that. They will fail to mention that having the keys or transcripts on a central server is a huge weakness... and
  • Amazing! One less leaking/insecure messenger on my phone.

  • That's technically impossible. Perhaps they don't understand how end-to-end encryption works.
    • That's technically impossible. Perhaps they don't understand how end-to-end encryption works.

      Facebook and Whatsapp write the software. I'm quite sure they're much more aware than someone on /. as to what can and can't be achieved. Given there needs to be an exchange of keys between sender and recipient somewhere along the path otherwise you can't decrypt the sent message I'm quite sure Facebook/Whatsapp have the ability to find what those keys are.

    • They understand it perfectly which is why they are trying to set up a scenario where it must be abandoned in order to be compliant. Unfortunately for them they don't get to dictate how US citizens behave in the US so their treaty is meaningless.
    • That's technically impossible. Perhaps they don't understand how end-to-end encryption works.

      When have governments ever worried about a trivial detail like understanding how something works?

      Although, this being Facebook, I wouldn’t be particularly surprised to find out their client is saving a clear text copy of every message to a Facebook server before encryption and transport.

    • "That's technically impossible according to what I've read in the tame media. Perhaps I don't really understand how 'end-to-end' encryption works."

      FTFY

    • That's technically impossible. Perhaps they don't understand how end-to-end encryption works.

      Only if YOU have complete control of the keys. If they are managed by anyone but you, then it's perfectly possible. Apple could, for example, in their key bundle in iMessage, insert a third-party key without you knowing about it. That's the price of convenience.

      Unless your message/file/whatever is encrypted with software you know to be 'good', and you create the key yourself, then snooping is entirely possible.

    • by AHuxley ( 892839 )
      When the user reads the message on their smartphone the "end-to-end encryption" is not in place.
      Thats the level of the app software the police like to have equal access to :)
  • The UK proceeding apace in its efforts to becoming a Big Brother state. In the UK, Big Brother is watching you all the time already (London has proportionally more CCTVs than any other city in the world) and now this.
  • If the messages are encrypted, why does anyone care that the police get them? Or is the headline wrong?
  • If whatsup has to chose between destroying its worldwide business (by destroying its platform for the sake of UK compliance) or leaving UK, they'll leave UK.
  • by Rick Schumann ( 4662797 ) on Saturday September 28, 2019 @02:08PM (#59247304) Journal
    Dumb criminals are low-hanging fruit for law enforcement anyway and aren't smart enough to stop using things the cops have hooks into.
    Smarter criminals will move to something else more obscure, maybe even smart enough to speak in code and remember not to use names (or at least real names).
    Top-tier criminals, the really organized ones, including terrorist organizations, these days can even have personnel on their staff who can write their own encrypted communications software and apps that garden-variety police won't even know about, and MI-5/MI-6 types will lag behind knowing about.
    Then there's old-school tradecraft: word substitution, book cyphers, and so on.
    Truly sensitive information and communication, if not time-sensitive, can still be done in truly old-school ways: dead-drops and handoffs, facilitated these days by microSD cards -- which can contain deeply encrypted data. For bonus points: deeply encrypted digitally, plus book cyphers. Have fun unlocking that!

    For the common citizen, though: Have sensitive, personal communications, that you don't want nosy government types poking their little brown noses into? Do it in person, not on your phone or over any 'apps' or 'social media'. Assume, anymore, that there are eyes and ears everywhere online.
  • Let the police have all the encrypted messages they want, they cant read them
  • If the platform CAN share the contents of an encrypted message, there is no reason to use that platform to send encrypted messages because if they are not worth what it would take for someone to get access to the content, they probably are not worth the effort to "encrypt" them in this manner.
  • On who authorizes

Think of it! With VLSI we can pack 100 ENIACs in 1 sq. cm.!

Working...