Euro Security Watch with Mathew J. Schwartz

Encryption & Key Management , Fraud Management & Cybercrime , Messaging

Crypto Wars Continue, as Feds Seek Messenger Backdoor

FBI's Latest Backdoor Push Involves Facebook Messenger, Reuters Reports
Crypto Wars Continue, as Feds Seek Messenger Backdoor
Facebook Messenger

"The road to hell starts with a backdoor."

See Also: Live Webinar | Cybercrime 2.0: A New Era for the Identity and Authentication Challenge

So said Brad Smith, president and chief legal officer of Microsoft, in a keynote speech at the RSA Conference in March 2016. And later that same day, five out of five of the world's leading cryptographers agreed: Backdoors are bad (see RSA Conference Debates Apple vs. FBI).

"No one ever said that police work was supposed to be easy. Weakening the security of hundreds of millions of users to address these few cases is ludicrous." 

All were referencing a Justice Department suit against Apple that sought to compel the technology giant to build a backdoored version of its iOS mobile operating system, to aid the FBI's investigation into the San Bernardino shootings.

Not long after, the FBI dropped the case, after a third-party contractor helped it unlock an iPhone 5c used by one of the deceased shooters.

Since, then, the legal battle and underlying questions have remained unresolved.

New evidence, however, suggests that the Justice Department has continued to attempt to compel technology providers to build insecure backdoors into their products and services.

The latest such move, Reuters reports, comes via a case filed by the Justice Department against Facebook in California federal court, seeking to create a version of its Messenger app that the FBI can use to listen in on a suspect's voice conversations.

The Department of Justice declined to comment. Facebook couldn't be immediately reached for comment.

While the documents in the case remain sealed, three sources told Reuters that Facebook has gone to court to block the government's request. On Tuesday, Reuters reported, the government argued in court that Facebook should be held in contempt for not complying with the FBI's surveillance request.

One source told Reuters that the case centers on an investigation into Mara Salvatrucha, aka MS-13.

The violent international street gang has an estimated 10,000 members in the U.S., where it's become a political football. President Donald Trump and Attorney General Jeff Sessions regularly reference the group as they seek to advance more restrictive immigration policies.

New Backdoor Push, Same Old Problems

In the bigger picture, the new case shows that the Justice Department is continuing to seek backdoors in encrypted end-to-end messaging products. Of course, any decision against Facebook in this case could be used in future cases to try and compel the likes of Apple, Google, Microsoft and Signal to weaken their encrypted end-to-end messaging systems' security.

In other words, the legal questions at the heart of the "FBI vs. Apple" case remain unresolved.

Meanwhile, the FBI continues to argue that it should be able to obtain access to any device, with a court order. In January, for example, FBI Director Christopher Wray argued that device makers should provide backdoors for law enforcement, while suggesting that what he was asking for shouldn't be called a backdoor (see FBI: Encryption Blocked Access to 7,800 Devices).

"We're not looking for a 'backdoor' - which I understand to mean some type of secret, insecure means of access," Wray said at the time. "What we're asking for is the ability to access the device once we've obtained a warrant from an independent judge, who has said we have probable cause."

Information security veteran William H. Murray has accused the FBI of being disingenuous. "This is a source of evidence that did not even exist 10 years ago," he says of smartphones. "Instead of just saying 'thank you,' the FBI continues to whine that it is not better than it is. No one ever said that police work was supposed to be easy. Weakening the security of hundreds of millions of users to address these few cases is ludicrous."

Indeed, cryptography and information security experts say that while backdoors designed exclusively for government or law enforcement use might sound fine in theory, in practice a backdoor makes any system weaker. Thus backdoors put everyone at risk - not least from criminals, but also unfriendly nation states, bored teenagers or anyone else with the wherewithal to target computing systems (see Why 'Cryptophobia' Is Unjustified).

Life After Snowden

Reminder: The push for secure messaging systems - encrypted from end to end, without service providers being able to monitor the communications - arose in part because of unchecked U.S. government surveillance.

Edward Snowden's leaks, in particular, showed that the National Security Agency was engaged in systemic mass surveillance, including tapping into technology giants' data centers to intercept communications, as well as monitoring domestic phone call records.

People's privacy concerns were compounded by the realization that the U.S. Foreign Intelligence Surveillance Court appeared to be rubberstamping surveillance requests from intelligence and law enforcement agencies, including the FBI.

In response, Signal, as well as Apple, Google, Facebook and Skype - respectively for FaceTime, Hangouts, Messenger and Skype - upgraded their communications services to use encryption to protect calls from end to end, thus preventing them or anyone else from directly eavesdropping on the voice calls. But such calls could still be monitored if the device itself were to be hacked.



About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.