The British government is launching an anti-Facebook encryption push. Don't think of the children: think of the nuances and edge cases instead

You can't reduce such a vital issue to concern over paedophiles and terrorists

Opinion The British government is preparing to launch a full-scale policy assault against Facebook as the company gears up to introduce end-to-end encryption across all of its services.

Yet the backlash has already begun, showing that officials face a tooth-and-nail fight against their attempt to derail the rollout of end-to-end encryption on the anti-social networking site and others in the Facebook estate.

Prominent in details briefed to the news media this week (including The Register) were accusations that Facebook harbours paedophiles, terrorists, and mobsters and that British police forces would effectively be blinded to the scale of criminality on the social networking platform, save for cases where crimes are reported.

It's a difficult and nuanced topic made no simpler or easier by the fact that government officials seem hellbent on painting it in black and white.

Government and law enforcement officials who briefed the press on condition of anonymity earlier this week* sought to paint a picture of the internet going dark if Facebook's plans for end-to-end encryption (E2EE) went forward, in terms familiar to anyone who remembers how Western nation states defended themselves from public upset after former NSA sysadmin Edward Snowden's 2013 revelations of illegal mass surveillance. The US National Center for Missing and Exploited Children (NCMEC) generates around 20 million reports of child sexual abuse material (CSAM) every year, and British officials claimed that 70 per cent of those reports would be "lost" if E2EE were put in place.

The government's long-signalled push to deter Facebook from implementing E2EE comes, inevitably, at a significant cost to taxpayers: London ad agency M&C Saatchi has been hired at an undisclosed cost by the Home Office to tell the public that Facebook (and WhatsApp) harbours criminals. The ad campaign will run online, in newspapers and on radio stations with the aim of turning public opinion against E2EE – and, presumably, driving home the message that encryption itself is something inherently bad.

Other announcements due this week, from notoriously anti-encryption Home Secretary Priti Patel and intergovernmental meetings, will explicitly condemn Facebook's contemplated rollout of E2EE.

Weighing it up

Unsurprisingly, given Facebook's 42 million UK users (as of 2017, according to a London School of Economics report), there are indeed some criminals, and certainly criminal abusers, using the site. Around 100,000 individuals are reportedly on the Sex Offenders' Register at any one time, while government officials suggested to the press that the number of potential child sex abuse offenders on Facebook is greatly in excess of that.

Officials suggested that the greatest threat to child safety from Facebook is that abusers can discover a safe space that normalises the sharing of CSAM and helps encourage depraved newcomers onto the platform.

Looking at the drive from a prevention-is-better-than-cure perspective, implementing E2EE would disrupt Facebook's own ability to monitor chat conversations for concerning content: inherent in any proper implementation of E2EE is that the service provider cannot read the contents of messages. It would also disrupt the platform operator's ability to scan for hashes of known CSAM, for example by comparing hashes of newly uploaded images against watchlists maintained by the Internet Watch Foundation (IWF) or the US National Center for Missing and Exploited Children (NCMEC).
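To make the mechanism concrete, here is an added Python sketch (not code from the article, Facebook, the IWF or NCMEC) of the server-side hash-matching the paragraph describes, and of why it stops working once the client encrypts before upload. The watchlist, the "known-bad" byte strings and the key are all constructed stand-ins, and `toy_e2ee_encrypt` is a deliberately simple XOR-keystream cipher that models only the one property that matters here: the server holds no key, so it can hash only ciphertext.

```python
import hashlib
from typing import Set, Tuple

# Constructed watchlist: SHA-256 digests of "known-bad" files. The files here are
# harmless constructed byte strings standing in for the real IWF/NCMEC hash lists.
KNOWN_BAD_FILES = [b"constructed-sample-file-A", b"constructed-sample-file-B"]
WATCHLIST: Set[str] = {hashlib.sha256(f).hexdigest() for f in KNOWN_BAD_FILES}


def server_side_scan(received_bytes: bytes, watchlist: Set[str]) -> bool:
    """The platform's current position: hash whatever bytes arrive and look them up."""
    return hashlib.sha256(received_bytes).hexdigest() in watchlist


def toy_e2ee_encrypt(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """Toy stand-in for the client's E2EE cipher: XOR with a SHA-256 counter-mode keystream.

    Illustrative only (no authentication, not a production cipher). It exists so the
    simulation below has something the server cannot read without the key.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(4, "big")
        keystream = hashlib.sha256(key + nonce + counter).digest()
        chunk = data[offset:offset + 32]
        out.extend(p ^ k for p, k in zip(chunk, keystream))
    return bytes(out)


def toy_e2ee_decrypt(data: bytes, key: bytes, nonce: bytes) -> bytes:
    # XOR with the same keystream is its own inverse.
    return toy_e2ee_encrypt(data, key, nonce)


def deliver(upload: bytes, e2ee: bool, key: bytes = b"", nonce: bytes = b"") -> Tuple[bool, bytes]:
    """Simulate one upload. Returns (server_matched_watchlist, bytes_the_recipient_reads).

    With e2ee=False the server sees the plaintext and can match it against the list.
    With e2ee=True the server sees only ciphertext; the recipient still gets the original.
    """
    wire = toy_e2ee_encrypt(upload, key, nonce) if e2ee else upload
    server_matched = server_side_scan(wire, WATCHLIST)  # the server only ever sees `wire`
    recipient_view = toy_e2ee_decrypt(wire, key, nonce) if e2ee else wire
    return server_matched, recipient_view


if __name__ == "__main__":
    key, nonce = b"constructed-demo-key", b"nonce-01"  # constructed values
    for label, payload in [("known-bad", KNOWN_BAD_FILES[0]), ("benign", b"holiday photo")]:
        for e2ee in (False, True):
            matched, seen = deliver(payload, e2ee, key, nonce)
            print(f"{label:9s} e2ee={str(e2ee):5s} server_matched={str(matched):5s} "
                  f"recipient_ok={seen == payload}")
```

Running it prints four rows: without E2EE the known-bad sample matches and the benign one does not; with E2EE neither matches, while the recipient still reads the original bytes in both cases. One caveat the sketch makes visible: an exact cryptographic hash such as SHA-256 changes completely if a single byte of the file changes, which is why deployed CSAM matching uses perceptual hashes rather than plain SHA-256; the E2EE point is the same either way, because a perceptual hash also needs the plaintext image to compute.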

These are not trivial concerns. If the current state of affairs helps catch and divert abusers, and those who may be sliding down the slippery slope towards creating and sharing CSAM, perhaps maintaining it has some merits that deserve an informed public discussion.

Mass hacking?

One consequence of E2EE on major social media platforms (and not just Facebook) may be an increased demand by government for weaponisable exploits against personal devices: that primarily means Android, iOS and Windows. It would also mean police forces having to make direct attempts to break into phones and computers in search of evidence, instead of having it brought to them on request by social media companies.

There are two ways of looking at that. One is to say that police and government ought to accept a new reality where they are constrained to operate within specific one-off warrants authorising hacking into a specified device. The last quarter of a century, where legislation controlling police searches of digital devices and cloud storage failed to keep pace with technology, is a blip against a long legal and historical tradition that kept police on a short leash when it came to searches and seizures.

On the other hand, officials talking to the press raised the spectre of vulnerability disclosure by governments drying up as frustrated law enforcement agencies hoarded vulns for their own use, out of public sight or legal control.

Yet, looking beyond the issue of paedophiles that British government officials want the public conversation to focus on, implementing E2EE also makes it far more difficult to carry out population-scale mass surveillance of the type exposed by NSA whistleblower Edward Snowden in 2013.

Not only that, but in an era where hostile foreign countries actively hack large stores of personal data for their own purposes, placing encryption barriers in their way is no bad thing. So far, we don't know the implications of countries such as China and Russia sharing and dissecting Westerners' personal details, but doubtless it's nothing positive.

Officials were grave when The Register asked what their Plan B was if Facebook shrugs off the publicity blitz and implements E2EE anyway. One said we'll still hear the stories of children targeted by abusers, but not "in sufficient time that we can intervene." Rather than being proactive, we're told, police forces would end up being reactive, responding to reports instead of proactively patrolling what they see as the digital streets of the modern era.

Yet that focus may mean that crucial nuance and balance in this debate gets missed. While taxpayer-funded messaging bombards us with "think of the children" over the next few months, think instead of what else E2EE brings – both its upsides and its downsides.

A poorly informed decision hastily reached on the basis of one-sided information is no decision worth making. ®


*Of those who spoke to journalists this week, about half have previously gone public and declared their opposition to end-to-end encryption.

Government officials routinely brief friendly news outlets under condition of anonymity, ruthlessly exploiting British political journalism's convention that official mouthpieces are never named and are usually referred to, obliquely, as "Whitehall sources". A true source – a whistleblower, or someone who tips off the media about wrongdoing – usually becomes a "person familiar with the matter" or isn't referred to in reporting at all.
