(C) Alec Muffett's DropSafe blog.
Author Name: Alec Muffett
This story was originally published on allecmuffett.com. [1]
License: CC-BY-SA 3.0.[2]


“Mutually Assured Surveillance” (MAS) — what will be the National Security playbook towards platform adoption of End-to-End Encryption for the next 5 years?

2021-11-11 10:19:46+00:00

There is a lot of end-to-end encrypted messenger tooling available to the general public:

iMessage (Q: why does everyone forget iMessage? A: because it’s a fabric.)

WhatsApp

Signal

FB Messenger (parts of)

Telegram (parts of)

Google (parts of)

Wire

Threema

Matrix

…

It might be tempting to presume from this that end-to-end encryption is inevitable, but clearly it is not because otherwise the UK Home Office would not be dropping half a million quid on MC Saatchi in an attempt to reshape public opinion and thereby armtwist Facebook out of using E2EE.

But it won’t work. End-to-end encryption is too useful, and Facebook seems to be launching Messenger E2E in salami slices, which is a clever strategy for PR management.

So what will the Governments want, next?

This is my guess for the next 5 years or so:

1. More of the “Shame” Strategy

(ongoing) We will see further attempts to dissuade broader adoption of E2EE by shaming it in the public sphere — ideally getting FB to stand down from deploying E2EE in order to make a really big splash; this will not work — see above, re: the wisdom of releasing E2EE in incremental “salami-slices” of functionality. If anything, one of the biggest challenges that Governments will have re: this strategy is making this story heard above all of the other vitriol that they are throwing at Facebook.

2. Top-Secret Demands upon Communications Providers for Backdoors

The next step will happen in secret: countries will start throwing Technical Capability Notices (or their local equivalent) at Facebook (and other platforms) in order to legally demand the installation of a “back door” into the communications path.

There’s a slight problem here: this will not scale, because (e.g.) Facebook is a global company. A backdoor built for the UK would likely also serve the “Five Eyes” (US/UK/CAN/AUS/NZ) — but what about Indian, Pakistani, Russian, and Indonesian backdoors, not to mention China?

These are all huge markets for the platforms (Apple China: $17bn per quarter) so the legal-economic pressure to comply will be immense, but the presence of a single backdoor for one country permits, even obliges many and the net result will be a “leaky colander” of communications security rather than proper end-to-end security.

This would be self-defeating. It’s a “Mutually Assured Surveillance” (MAS) problem – once one nation has a backdoor, all of them will demand one, and then how on earth will Facebook (a private company) reconcile whether to allow country A to surveil the communications of User Z who is a national of countries A, B and C? And all this reconciliation would have to happen under separate forms of national-security clearance for each of A, B, and C?

The result would be an unsolvable massive “surveillance compliance” problem, as well as a global weakening of everyone’s security, for a tiny amount of concrete benefit. Governments, too, profit from the wide available of secure and private communication, and MAS would require them to stop using “nice” tools like Signal and WhatsApp.

3. Top-Secret Demands upon Device Manufacturers for Backdoors

Let’s assume that the Governments of the world gradually come to the realisation that MAS will actually hurt themselves and will actually be self-defeating.

What next?

The rational next step will be to give up on attempting to wiretap the data in flight, and instead seek easier access to on-device snooping. This suffers exactly the same “globalisation” issue that MAS does, however devices are tangible assets which can be differentiated by market — e.g. “British”-sold iPhones will be subject to “British” backdoors.

Of course we’ve already seen what disasters happens to globalised hardware market differentiation enforced by cryptography, but Governments don’t realise that — we live in a world where politicians believe that social problems (crime, terrorism, exploitation) can be solved by technology rather than social change — so I am pretty sure that drilling holes in Android or iOS, rather than in the communications tools, is what they will next reach for.

Conclusion

The “War on End-to-End Encryption” is not over, and it will never be over — this is a war of attrition against all forms of digital privacy and integrity which can gift “the user” with better security.

However: if you are going to be part of this debate for the next 5+ years, don’t be trapped into thinking that E2EE is the be-all and end-all of security. We are already seeing the first skirmishes of the “on-device wars”, and if I strongly recommend all readers to familiarise themselves with the concepts of the “Trusted Computing Base” (TCB) and learn to ask, for each feature in a TCB, whose interests does it serve?
[END]

[1] URL: https://alecmuffett.com/article/15393
[2] URL: https://creativecommons.org/licenses/by-sa/3.0/

DropSafe Blog via Magical.Fish Gopher News Feeds:
gopher://magical.fish/1/feeds/news/alecmuffett/

You are viewing proxied material from magical.fish. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.