End-to-end encryption (E2EE) is the gold standard in secure communications. The method takes a message and uses a unique algorithm to convert it into a seemingly random sequence of numbers, letters and symbols. The message cannot be decrypted without a special encryption ‘key,’ which is only contained on the sending and receiving device(s). While hackers can still read the content of messages if they hack into the devices themselves, keeping the keys on the phones or computers means that it is nearly impossible to decrypt them while in transit.
In recent years, the incorporation of E2EE into popular messaging apps including WhatsApp has vastly improved the security and the privacy of communications for billions of people. That includes criminals. The use of E2EE prevents law enforcement agencies from using the kinds of wiretaps that allowed them to monitor the communications of organised criminal networks at scale.
While it remains possible to use search warrants and metadata to hack into individual devices and map criminal messaging networks to a certain extent, multiple Western governments have begun to loudly complain that E2EE provides criminals with a shield behind which they can more effectively plan their lawbreaking activities.
Nowhere has this trend been more pronounced than in the UK, where the government has proposed in its forthcoming Online Safety Bill to force messaging platforms to weaken encryption standards to allow police to more effectively prosecute those trafficking in illegal content.
Encryption of Meta’s platforms is especially troubling, said ministers. According to NSPCC research, these platforms were used in some 43% of all child sexual abuse material (CSAM) offences recorded by police last year. But the company nonetheless intends to apply E2EE to all of its private messaging services by next year.
“Social media companies need to understand they share responsibility for keeping people safe,” UK Home Secretary Priti Patel wrote in an op-ed for The Telegraph. “They cannot be passive or indifferent about what their products enable, or how they might inadvertently blind themselves and law enforcement from protecting children.”
Platforms including Meta have been responsive to these criticisms. While the social media giant claims that E2EE will further protect the human rights of billions of its users, it has committed to implementing additional safeguards for children, including investing in ‘proactive detection technology’ that analyses metadata that might indicate the trafficking of illegal imagery. Other technologies, such as Apple’s AI scanning tool that locates the presence of illegal imagery to the user, has been embraced by critics of E2EE as a middle ground between protecting children and users’ privacy at scale.
Many privacy activists and IT professionals, however, feel that efforts to undermine encryption will do vastly more harm than good. “Much as [CSAM] is a vile thing and everyone agrees it should stop, be tackled and enforced against, the fact is that these attacks on encryption are much wider than that particular concern,” says Jim Killock, executive director of the Open Rights Group.
Far from protecting criminals from the prying eyes of the police, he argues, weakening encryption standards would likely spell a return to the pre-Snowden era where communications were vulnerable to hacking and mass surveillance. This is all in spite of the fact that law enforcement has tools and powers at its disposal to map how and when criminals use E2EE messaging– and thereby unravel their networks once and for all.
The rise of end-to-end encryption
The opposition of Western governments to encrypted messaging is nothing new. “There’s been a long history of [UK signals intelligence agency] GCHQ and others either arguing for weaker standards in encryption or finding ways to break it,” says Killock, a record that dates back to the 1990s. During these so-called ‘Crypto Wars,’ intelligence agencies argued that making encryption publicly available would allow terrorists and criminal gangs new places to hide online, just as their mass collection of SMS, phone calls and email data reached its apotheosis.
Then, WhatsApp arrived. Millions of users flocked to the free platform. Their messages and images were encrypted end-to-end in 2016, when WhatsApp incorporated the Signal protocol. “That was perhaps the biggest single advance for privacy ever in terms of the billions of messages that were suddenly end-to-end encrypted,” says Ross Anderson, a professor of security engineering at the University of Cambridge. Within a few years, the ability of GCHQ and the NSA to scoop up text and email messages disappeared. “These spooks have been smarting about it ever since,” says Anderson.
Even so, the UK government and others still retain extraordinary legal powers to intercept private communications if they believe a crime has occurred. Under the Investigatory Powers Act 2016, the government can also issue Technical Capability Notices compelling messaging platforms to turn off encryption entirely, albeit with the consent of a judge.
On a smaller scale, police can order individuals to hand over device passwords on pain of imprisonment if they are suspected of terrorist or child protection offences. Law enforcement can also employ techniques such as cell site location to ascertain whether a phone used by a known criminal is near possible associates.
Platforms have also played their part in ensuring E2EE isn’t a shield for criminal networks. While some critics argue that the social media giants embrace encryption to shy away from their content moderation responsibilities, in truth they are under vast pressure to prevent illegal material from flourishing on their platforms. “It just requires different techniques, because these are not public messages anymore,” says Dhanaraj Thakur, research director at the Center for Democracy & Technology.
WhatsApp, for example, claims that metadata analysis – the act of sifting through masses of message timestamps, account details, file sizes and other data to undercover suspicious patterns – has resulted in the unearthing of 300,000 accounts distributing CSAM content a month. Other methods include hashing known offensive images so that they can be automatically detected by machine algorithms at scale, and even predictive models, like computer vision software, that can flag illegal imagery.
Detectives can also sidestep encrypted messaging entirely by investigating the payments involved in CSAM distribution. The FBI recently broke one such ring based in South Korea by tracing Bitcoin transactions. “That got taken down not by blocking people’s use of chat apps, but by using a company called Chainalysis,” says Anderson. “If you want to stop that kind of operation, then the sort of thing that you would do would be to regulate the cryptocurrency exchanges an awful lot more carefully than is done at the moment.”
Unravelling networks
Another tool in the fight against CSAM distribution is automated scanning technology. Last month, Apple rolled out a new feature for iPhone users in the UK that uses AI to scan all images received in E2EE messages on their device for nudity. If found, the photo will be blurred and the user will be issued a warning. This was a retreat from Apple’s original proposal that nude images sent to children would be flagged to their parents, which was strongly criticised by privacy campaigners.
Even pared back, Apple’s new system was praised by the UK government as the kind of middle ground it sought for the roll-out of E2EE en-masse: one that safeguarded users’ privacy without raising the risk of criminal activity.
For Killock, however, the mere presence of bots sifting through image data on millions of phones is still worrying. “The more you do this, the more there will be an attraction for AI and other things to do this kind of self-censorship, or censorship, or detection,” he says.
As well as potentially creating new vulnerabilities for E2EE messaging platforms, “you’re advertising that there’s a facility for governments and others to start looking for things” that it finds objectionable. Right now, says Killock, that definition would probably include terrorist content, but in a world where extreme nationalism constitutes a subversive threat to Western democracy, it could also expand to acts of political protest and modes of free expression.
There’s also the fact that any future legislation weakening E2EE is unlikely to shove the genie back into the bottle as far as hardened criminals are concerned. Recent years have seen a flowering of alternative messaging platforms specifically catering to underworld figures. One of these apps, known as EncroChat, boasted some tens of thousands of subscribers across Europe at its height. While this “Signal for drug dealers,” as Anderson describes it, was taken down by a coalition of national law enforcement agencies in 2020 and resulted in the arrest of countless gangsters, hitmen and drug dealers, new versions of this type of app keep appearing.
“About one of them gets taken down every year, because whenever one of them gets taken down, the drug dealers all go to the next one, that gets taken down, and so on, and so forth,” explains Anderson. “It’s just network effects. All the drug dealers want to be on the same network. And the reason that they go to custom criminal solutions rather than just using Signal is that the EncroChat phones and similar phones in other such networks are hardened against forensics.”
Meanwhile, the UK government continues to press ahead with reforms aiming to create a ‘backdoor’ for law enforcement into mainstream E2EE messaging platforms. It is not alone. In October 2020, it was joined by New Zealand, Canada, Australia and the United States in a statement condemning platforms such as Apple and WhatsApp for effectively blocking investigations into criminal networks by adopting end-to-end encryption. The EU’s new Digital Markets Act, meanwhile, calls on messaging platforms to become ‘interoperable’ with other like services, which critics argue could lead to them adopting the lowest common denominator of encryption.
If encryption were to be compromised in this way, explains Thakur, life online would be impacted far beyond messaging friends and colleagues. “I think we should recognise that it’s very central and important, not just for privacy… but also for just regular day-to-day commerce,” he says. “This is crucial. We’re talking billions and billions of dollars’ worth of commerce that rely on encryption, and encrypted services.”
Weakening standards through the imposition of backdoors, argues Thakur, will increase the risk of vulnerabilities emerging throughout encrypted services – which will, inevitably, play into the hands of the criminal networks such laws are designed to thwart. Should this occur, it is hard not to imagine some form of public outcry. Killock is more circumspect.
“I don’t think it’s so easy to say the public is simply settled on end-to-end encryption no matter what,” he says. Those fearful of state surveillance in Russia and China, for example, still use domestic social networks, despite the fact that such platforms are deeply compromised by the country’s intelligence services. All in all, says Killock, people “have to live in the world that they’re given”.