Redirecting you to
Click if you are not redirected within 5 seconds
Search
USD
English
Contact Us
Free Trial
Podcast Jan 04, 2024

Root Causes 352: FBI Vs. End-to-end Encryption in Meta Apps

Meta is finally rolling out end-to-end encryption across its messaging apps. This is the latest chapter in the long story of government versus encryption. We rant a little about this.

  • Original Broadcast Date: January 4, 2024

Episode Transcript

Lightly edited for flow and brevity.

  • Tim Callan

    We’ve got a news item today. I’m looking at an Ars Technica article. The date is December 7, 2023. Writer is Jon Brodkin and here’s the headline: Meta defies FBI opposition to encryption, brings E2EE to Facebook (which is end-to-end encryption) to Facebook, Messenger. Subhead: Default E2EE rolling out now. Will takes months to reach all 1 billion users. So, this is the latest chapter in an ongoing theme that we continue to cover, right, Jay?

  • Jason Soroko

    Yeah. You and I, Tim, have talked a lot about government vs. the internet, government vs. encryption.

    This is another really good example. I don’t use it, but I know a lot of people do. I know that formerly Facebook now Meta has a messaging platform a lot of people use and for a long, long time, they were one of the holdouts of not having end-to-end encryption as a basis within their platform - the messaging platform - and now they do or are planning to, and this was flying in the face directly of apparently the U.S. government and the FBI specifically. It’s just an interesting story and another example of this government vs. encryption.

  • Tim Callan

    So, the government, and the FBI specifically, was attempting to prevent Meta from implementing end-to-end encryption or to convince them not to? What was going on there?

  • Jason Soroko

    Yeah. You know, without having been in the boardrooms, I don’t know all the details and I’m sure that it won’t be really, truly shared but according to what the journalism is saying, the FBI had specifically asked the leadership at Meta to not employ end-to-end encryption within that messaging platform.

  • Tim Callan

    So that they can sit in the middle and spy on conversations between people using Messenger in order to gather intelligence and evidence in their own jobs. Right?

  • Jason Soroko

    Presumably. Nobody is saying it but it’s not hard to imagine that.

  • Tim Callan

    Yeah. I feel like this is just the same conversation that we keep having over and over again. This almost feels like a matter of basic philosophy. Either you believe that the world is a better place if individuals can’t be spied upon in improper ways or you believe that governments should have the power to spy on individuals – their own citizens or not. And I think you and I both fall on the same side of this, which is the world is a better place when encryption and privacy are available to everybody. Even if that means that there are people you’d rather not have it who have encryption and privacy. Right, Jay? Do you agree?

  • Jason Soroko

    I tend to agree, Tim. Look, my old just weather vain style of thinking on this, just absolutely basic, is police work has been police work for, well, almost since forever and police work works. Good old-fashioned getting out there as a policeman and investigating and it works and therefore, the ability to give police or in a larger sense, the government, mass surveillance capability is not the answer. It’s good old-fashioned police work. In other words, please absolutely give the government the power to go after the bad guys.

    And there are bad guys out there. Please go after them. Use resources. Spend the tax money and go after them. But mass surveillance and taking away privacy and not allowing commercial industry to maintain important intellectual property secrets, this is the opposite of what we should be doing in our society.

    And that’s just my stupid little opinion.

  • Tim Callan

    And their one reason why, of course – and this might seem like the most obvious reason – is that you can’t rely on any group of people anywhere to always take the high road. Like, we all know even if most people in law enforcement are ethical people who are doing their best to make the world a better place, we all know because we see headlines all the time that individuals in law enforcement on a regular basis are able to go too far. And will. And that’s just built into the whole process. It’s cause they’re humans. And so, if we want those humans not to be able to abuse this power, you don’t give them the ability to abuse this power. That’s the only way they won’t. And so that seems like the obvious one, right? If law enforcement had a chance to sit in the middle and watch everybody’s Meta Messenger conversations then, yeah, maybe they’ll catch a terrorist they wouldn’t catch otherwise or a drug dealer they wouldn’t catch otherwise and we are all in favor of that but at the same time, they’d probably do a lot of other things that are not ok to perfectly innocent citizens and the more kind of authoritarian the government gets the worse that potential for abuse becomes. Right? So, that’s kind of probably the predictable argument.

    But the other argument that you and I have made in the past is that weaker security is just plain weaker. So once you leave this door open for the FBI to survey my Messenger communications, even if you think that the FBI is always gonna do the right thing – which I don’t – then you’ve also left the door open for someone else to survey my Messenger communications who isn’t the FBI. And once you make it weaker, it’s just plain weak. And one of the things about cryptography – setting aside our many conversations about quantum computers and RSA and all that business – one of the things about current cryptography is it’s actually a very, very, very, very strong protection mechanism. In a world of computers where very few things are as strong as our cryptography is. And so why would you take the bull work? Why would you take the most basic foundation stone that’s on rock solid granite and break that one in particular?

  • Jason Soroko

    Tim, you and I have both been in the security industry for a long time and probably a lot of the listeners to this podcast have as well. I can tell you though, if you don’t live in the security industry, it’s not such a reflective sort of moment in your life every time you hear anybody say to you, oh don’t worry about that. It’s secure. I remember during the COVID pandemic, the Canadian Federal Government had put out an app and invited people to write down their deepest darkest mental illness issues and they assured people oh this is totally secure. This would never go anywhere. I just shutter every time I see that. Every time you fill out a government form, every time you do something on a commercial endeavor, every time you offer any kind of information electronically, the risk surface is always there and the risk of that information being completely public is always there and so I’m just following up to what you just said, Tim. The risk is always there and if you make it any easier or just plain easy, it’s not just the government or the police that will have access to information. It will be absolutely every bad guy who wants it.

  • Tim Callan

    Yeah. And even within the government and the police let’s say - and this would be kind of a subcategory – we talked about the potential for abuse, right? The worry that at the end of the day some overzealous person with a job and authorized access to that information does something they shouldn’t do but there’s also the competency question, which is what if they get owned? What if they leak it? What if they get breached? What if they get that data stolen? And that’s a very serious concern as well. If I let the police harvest all my conversations even if the police don’t do something bad with it, if that falls in somebody else’s hands, is that person gonna do something bad with it.

  • Jason Soroko

    There’s even the risk, Tim, of insider information. You hand somebody within a police organization or whoever is doing the data handling on behalf of the police, you hand an administrator enough bribe money and that information is gone.

  • Tim Callan

    Yeah. Absolutely. And they’re humans. Right? Individuals get tempted? It could be bribe money. It could be insider information. How about insider trading? Right? If you and I are both executives at a company and we are talking about the upcoming quarterly results in a perfectly legitimate way, a very legal way across what we feel is a secure channel and law enforcement is listening in to it, they are now getting insider information that they shouldn’t be allowed to have that they could trade on.

  • Jason Soroko

    I think it’s hilarious that we have within our law, you know, institutionally, we have client/attorney privilege.

  • Tim Callan

    Right. What about client/attorney privilege?

  • Jason Soroko

    Yeah. We have secret periods for publicly traded companies where information cannot get because it’s very tradeable and it’s illegal to do so and yet, no, we cannot have encryption. Right?

    So, Tim, I’m just trying to boil it down. Guys, in a Western society, you know, unless you declare that we are getting rid of the whole system of innocent until proven guilty, if you want the dirt on a suspected bad guy, go get a warrant.

  • Tim Callan

    Yeah. And you can’t break everybody’s encryption on the theory that some very small set of the people whose encryption you broke are gonna turn out to be bad guys. You don’t know who they are, but you are just gonna kind of violate everybody’s rights and then comb through it and find them. Right? I mean that’s just so completely against the principles of the Western justice system and various countries and yet, there we are. Right? That’s what we see happening yet again.

  • Jason Soroko

    So, there’s really two levels here, Tim. Maybe this is an evolution now I think in this conversation you and I have on this topic. There is the old police need to police and part of police work should be mass surveillance. Right? There’s the argument. Mass surveillance makes police work better and police don’t have to get a warrant because everybody is guilty. Nobody should have the right to privacy in their electronic information. Well, first of all, bologna. And second of all, good luck. It’s not good. But police continue to seem to ask for it.

    But then the next level was a previous podcast we had where the EU in eIDAS2.0 are basically asking for sweeping measures to be able to do things such as man-in-the-middle attacks against 200, 300, 400-million people. And so, that to me, is far beyond just good old-fashioned police wanting to overstep their legal boundaries. This is now governments who truly are saying, yeah, the whole police thing is a bit of a red herring. This is really about we want to control people.

  • Tim Callan

    Yeah. And the level – right? This is a good point. The other thing is we kind of talk about, you know, I sort of start from this perspective of, oh, there’s an overzealous policeman sitting in an office somewhere who is going for information that they are not supposed to be able to get and is cutting corners because they really want to get this guy and they’re gonna do whatever they have to do to do it but if you are talking about something at the level of the a leadership level inside of the FBI, which is a U.S. Federal organization of the highest visibility, and highest level of power, or if you are talking about eIDAS which is the European Union trying to put these things in place systematically, these things are occurring at the very highest level of government. These are the people who have power over all of the citizens and residents and visitors in a country turning around and basically attempting to destroy encryption and destroy the basic ability to have private encrypted communications.

  • Jason Soroko

    Yeah, Tim. And the reason why we are calling this one out today, this particular story about Meta, is because this is no small deal. This is a very widely used platform worldwide and my goodness, just think about how long it’s taken for them to employ end-to-end encryption vs. not just the propellor head early adopter end-to-end encryption services that have been out there but we now have other mass-used messaging services that have it. iMessage being just an example.

    But now with Meta’s messaging platform this is a very large chunk of users who are very, very, very casual in what they share in those messages. And I can’t imagine mass surveillance on that and the implications of it. So, anyway, there it is.

  • Tim Callan

    There it is. So, we very recently in our 2024 predictions episode predicted that government vs. the internet and government vs. encryption was going to continue and looks like that one is met. Bummer.

  • Jason Soroko

    Yeah. I bet you 2024 it might even ramp up and we might have to talk about this more.

  • Tim Callan

    I think it’s gonna. I think it’s sad that that one in particular came true so fast, but I don’t think either you or I doubted for a second that that prediction was gonna be right and, unfortunately, it was and I agree with you – this is gonna continue to be a story throughout the year.

  • Jason Soroko

    Yeah. Unfortunately, Tim.

  • Tim Callan

    Alright. Well, thank you, Jay.

  • Jason Soroko

    Thank you.

  • Tim Callan

    Sorry, Listeners to leave you on that bummer of a note but this has been Root Causes.

Root Causes - A PKI & Security Podcast

About Root Causes

Tim Callan and Jason Soroko explore the issues surrounding digital identity, PKI, and cryptographic connections in today's dynamic and evolving computing world.

View All