Encryption has been the biggest issue on the chopping block in the wake of the COVID-19 crisis. In the midst of it all, the British government uses WhatsApp to disseminate info about acceptable protocols and belies a rather tangled history with the app itself, and encryption at large. Journalists speak out as the Committee to Protect Journalists releases a fact sheet on why their job requires full data privacy, and how government backdoors could undermine the ability to reveal truth in the press. Heads up—both the EARN IT act (which limits consumer privacy) and the Privacy Bill of Rights Act (which protects consumer privacy) are both stuck in Congress. This might be the most defining coin toss of our era.
Who does the British government go to when they need to get the word out on coronavirus best practices? WhatsApp. Not a big deal, this should be a neutral play on a neutral platform. Parliament “goes to where the people are” and utilizes a popular messaging app to do so. However, does this government sanctioned use of a privately-owned platform hold more political significance than good will?
Facebook, and its subsidiary WhatsApp, have enjoyed an accommodating relationship with governments in the past. Russia and Iran are both notorious anti-encryption zones (Russia is underway on its new state sponsored internet) and deny apps like Telegram for failure to comply with government backdoor policies. WhatsApp, however, is allowed. The policies haven’t changed.
Two years ago, the Tories got into an embarrassing debacle when (trigger warning) Brexit-based chats leaked out from their private WhatsApp group. It was a mole, but the fact that they were using WhatsApp for sensitive party information raised some eyebrows. (After the leak, they were calling for Telegram).
And yet again in this third case, we see Britain’s legislative assembly turning to the Facebook owned app as an official outlet to warn their citizens. Other sanctioned sources include the BBC, Britain’s government owned news agency and responsibly in line with the state referendum.
All of this might seem like a lot of smoke, no fire, but when we peel below the surface and see what measures are being attacked in the international state responses to COVID-19, we may have reason to pause. Facial recognition is being employed “en masse” (to stop the spread), aggregated consumer data is being handed over carte blanche to the US government, and a bill that effectively eliminates encryption is under consideration while we’re all in quarantine.
As we lean a wary eye towards the backdoor attempts, surveillance policies and privacy infringements trailing behind state sponsored responses to COVID-19, it’s safe to say that “WhatsApp: the app that governments trust” might not be the best calling card.
Imagine this. You’re a journalist meeting a contact at an undisclosed location who’s going to give you a tip-off about a guy he knows in the Miami cartel. Just don’t give his name out. You publish the story, keep his anonymity, credit him as a hero—then find out he’s dead in the papers the next day. The cartel tracked him down because they cracked that semi-encrypted app you were using to communicate. Because there was a backdoor.
Granted, this is a worst-case-scenario, and “bad guys” can get caught via the same means. But is it enough to justify full vulnerability of anyone trying to communicate on the internet, just to let the government catch criminals a bit easier? There is already evidence to support that they can crack into encrypted technology if they need to. Why the need to do it en masse?
Journalists rely on the confidentiality of their sources to tell the truth. In many countries, that’s beside the point as journalists themselves are the targets. The Committee to Protect Journalists quotes,
“Nigerian police have used telecommunications surveillance to lure and arrest journalists; a separate October report documented the Nigerian military’s use of forensic technology to search journalists’ phones and computers for sources.”
And not only that; what about start-up tech? NDAs? Cracked Zoom calls and crashed Wikr chats and proprietary information that was meant to be kept safe, but now there’s no safe place to hide it? Encrypted backdoors do more than expose your email messages (though that’s bad enough). They can fundamentally leave every industry without a basis of trust upon which to operate. Run a small business? Only until you get hacked and someone makes off with your payment card data. Build private-sector spaceships? Only until a state-sponsored attacker hacks your code and fails the mission in flight. Pretty much anyone, anywhere – as the journalists above highlight – can be affected by government backdoors. There is no way to stop unwanted intruders. There’s no way to separate a "lawful access” from a hostile one.