
Unfinished Business: Why Apple’s Decision Left Facebook Holding the Ball [Encryption Digest 23]

December 20, 2019 | Katrina Dobieski


Maybe it’s because nothing happened last time.

In 2016, a precedent was set. We’ll withhold value judgements, but it’s clear that a landmark opportunity may have been teed up and missed. Following the 2015 San Bernardino shootings, the Justice Department obtained a warrant to search the suspect’s iPhone. Having denied the DOJ’s initial request, Apple this time stood up to a court order. The Department found another way. The case was dropped.
 

Fast forward to (almost) 2020 and the Department of Justice is finding more occasion to search the encrypted contents of phones, email, and social media accounts. And not without good reason. Just as the San Bernardino shooting revealed links to terrorism, so Facebook reporting has led to the prosecution of sex traffickers, organized criminals and pedophiles by the thousands. Really. “More than 99% of the content Facebook takes action against—both for child sexual exploitation and terrorism—is identified by [its] safety systems, rather than by reports from users.” Undeniably, the ability to track offenders down their own cyber rabbit holes has proven powerful.


However, the unfinished legalities of 2016 left us with questions to answer.
 

 

 

 

Facebook: “Not us, not governments, not criminals”

The Department of Justice aims to put into practice what circumstance failed to cement four years ago. Having dropped the case against Apple, no situational “Apple v. Department of Justice” remains to decide the future of encrypted privacy law. Now the DOJ is left to create their own headwind, and in this climate, they'll row against the tide.
 

Faced with the relentless assailment of legislators, well-meaning public servants and a blighting accusation of providing a “gift to sex traffickers,” Apple and others are mounting a counter-offensive.
 

Pending an approaching Senate Judiciary Committee interrogation, Facebook released an open letter explaining the facts of encrypted life: “No one can intercept and read these messages—not us, not governments, not hackers or criminals.” Since catching some bad press over its management of user data with Cambridge Analytica, the company has sought to rebrand as a privacy-focused provider. So far, they are sticking to the plan.
 

This proactive letter was in response to the October call to provide encrypted backdoor access, signed by Attorney General Barr, the UK’s Home Secretary Priti Patel, and Australia’s Minister for Home Affairs Peter Dutton.
 

To date, Facebook has rejected requests from lawmakers to keep Messenger unencrypted (plans roll forward) and continues to push the front by maintaining fully encrypted WhatsApp and setting its sights on encrypting Messenger calls and video.
 

Jay Sullivan, guardian of Messenger privacy, emphasized, “We think it is critical that American companies lead in the area of secure, encrypted messaging.”

 


“He’s With Me”—DOD says Encryption is Alright

It looks like the Department of Defense takes a sympathetic stance when it comes to end-to-end encryption (E2EE), using it (we’d hope) in their day-to-day operations.
 

Dana Deasy, the Department’s CIO, recently sent off a letter to Representative Ro Khanna outlining the “imperative” nature of E2EE for the department’s work.
 

Notably, also this sentence:
 

“The Department believes maintaining a domestic climate for state of the art security and encryption is critical to the protection of our national security.”
 

Calling out the importance of encryption in a “domestic climate” fundamentally undermines the premise that encryption represents a threat to national defense, as postured by the DOJ.
 

Representative Khanna forwarded the letter to Sen. Lindsey Graham (R-SC), chairman of the Judiciary Committee and an outspoken proponent of encryption backdoors.


 

Senate Judiciary Committee: Let’s Go Rabbit Hunting

It’s not that they don’t mean well. Just over a week ago, the Senate Judiciary Committee held a hearing on “lawful access,” a term which they hope would exclude just the bad guys, and which the EFF refers to quaintly as “fanciful.”
 

It’s just the incorrect notion that somehow, anyone is above the law. Natural laws. Laws of mathematics. Laws upon which encryption (RSA, AES and otherwise) is based. Laws that can’t break for one without breaking for all.
 

Their laid-out justifications are admirable, correct even. And very difficult to disagree with. The main claim that encrypted tunnels are used for child exploitation isn’t wrong, and we’ve seen the Sinaloan cartel leverage WhatsApp in horrific ways.
 

Interestingly, though, a few points came to light in the hearing that could have given pause to backdoor supporters.
 

Apple’s manager of user privacy Erik Neuenschwander explained that the only two options to give the Committee what they want are to roll back encryption or create a master key. As he explained, Apple implemented encryption on the heels of threats by bad actors and has never held a key—the implications of which would pose a troubling security quandary. It would be undoing the work of the past few years only to leave us exposed to even more sophisticated threats today.
 

What’s a social media company to do? Essentially, it may be “run the same play as last time.” If Senator Graham gets his way should this come to legal blows (“You’re going to find a way to do this, or we’re going to do this for you”), it would be fair to assume that Apple, Facebook or whoever else could always parlay the court mandate like last time. However, chances are slim that it would receive a similarly innocuous dismissal.
 


A Complicated Conclusion

It’s a murky task to separate narratives or parse out motives completely. The Department of Justice means well and wants to catch bad guys. Opponents suspect government data collection and statewide surveillance. Facebook wants to rebrand as a trusted encrypted haven and provide open and safe communication. Others point out Facebook’s utility as an unwilling accomplice to some underground crimes. The fact that these questions weren’t answered in-play, when a suitable use case came up five years ago, has only delayed an inevitable decision.

And this is the decision that could determine the future of our information, economies and policy for the foreseeable future. While there are undeniable tradeoffs to both sides, the tech industry, security analysts and privacy activists all tend to coalesce behind the Bruce Schneier axiom that, in general, “weakening encryption does more harm than good.”




About the author

Katrina Dobieski

Katrina writes for Venafi's blog and helps optimize Venafi's online presence to advance awareness of Machine Identity Protection.
