WhatsApp's encryption news raises the stakes for Apple vs the FBI

Jon Reed Profile picture for user jreed April 6, 2016
WhatsApp set off another encryption debate with its latest news. One prominent headline said "Forget Apple vs. the FBI: WhatsApp Just Switched on Encryption for a Billion People," but it's not that simple - especially for enterprises.

Update, 4/7/2016 - Since this story was published, the FBI has confirmed that the hack into the San Bernandino iPhone provided by a third party has indeed been successful (it's an approach that works on a "narrow slice" of iPhone models, the specifics of which have not been revealed. Nor has the FBI indicated whether any useful information was pulled from the phone). That means instead of postponing legal proceedings against Apple, those proceedings are now cancelled.

However, while this changes the ultimate confrontation that was brewing over this particular device, the government has other iPhones it wants to unlock. As of now, what we know is that the FBI is still contemplating legal options against Apple in an attempt to avoid "perfect encryption" of iPhones. These developments don't change the analysis in this story or the import of this debate, but they are worth noting. Onward.

I have argued that the Apple-FBI encryption dispute is far too narrow. Now, with WhatsApp's announcement that it now supports end-to-end encryption for its 1 billion users, we are reminded that encryption technology is not going to be held in check by regulatory desperation, however well-intended.

Yesterday, WhatsApp founders Brian Acton and Jan Koum announced that via the code of cryptographer "Moxie Marlinspike" (a pseudonym), Whats App was now providing end-to-end encryption for every form of Whats App communication, including text, video, and phone calls. Via Wired's Cade Metz:

With end-to-end encryption in place, not even WhatsApp’s employees can read the data that’s sent across its network. In other words, WhatsApp has no way of complying with a court order demanding access to the content of any message, phone call, photo, or video traveling through its service. Like Apple, WhatsApp is, in practice, stonewalling the federal government, but it’s doing so on a larger front—one that spans roughly a billion devices.

Wired's reader reaction was largely positive, though some readers expressed a paranoia that because WhatsApp is owned by Facebook, that you can never trust that your data is completely secure. A more reasoned position is that metadata is not part of this "end-to-end" encryption. As per a widely-circulated tweet by security engineer Micah Lee:

The U.S. government has yet to respond to this announcement, but they are watching WhatsApp closely. Even those who support encryption and oppose government-access backdoors have to reckon with the reality of how these systems can be used. As per Wired:

In late 2014, WhatsApp encrypted a portion of its network. In the months since, its service has apparently been used to facilitate criminal acts, including the terrorist attacks in Paris last year. According to The New York Times, as recently as this month, the Justice Department was considering a court case against the company after a wiretap order (still under seal) ran into WhatsApp’s end-to-end encryption.

Late in 2015, investigators revealed that some of the terrorists involved in the Paris attacks had used encrypted communications on apps such as WhatsApp and Telegram leading up to the attacks, though the contents of those messages are not known.

Those who advocate for backdoors - or at least the ability to comply with court orders - are faced with two difficult questions:

  • How would backdoors be regulated? (e.g. if the U.S. has a backdoor into a phone or app, would other governments demand, and get access?
  • How can citizens of repressive governments be assured that backdoor privileges won't be abused in their countries?

But the backdoor software debate is fundamentally flawed. If one app is compelled to open a backdoor, another app - or form of encryption - will be used. Wired:

A backdoor would just open the service to abuse by both government and hackers. Besides, if you did add a backdoor, or remove encryption from WhatsApp entirely, that wouldn’t stop bad actors. They’d just go elsewhere. In the age of open source software, encryption tools are freely available to everyone. “The encryption genie is out of the bottle,” Koum says.

During a backchannel Slack chat, SAP Mentor and analytics expert Ethan Jewett pointed out that the Wired headline saying "Forget Apple versus the FBI" was misleading. He argued that the WhatsApp news will only intensify the FBI-Apple dispute, because with end-to-end app encryption, the only way to get any incriminating information is to get access to the device itself. Jewett:

IMO, this will make the FBI more desperate. Good E2E encryption means that they need to control one of the end-points in order to get at the information. In this case, that means they need access to one of the phones. This is a good thing, but it makes Apple’s stand all the more important.

Of course, if users have 11 digit randomized passcodes set up on their iPhones, then even a backdoor won't help agencies crack an iPhone, as it would take up to 253 years to go through the number of "brute force" combinations.

My take - and enterprisey thoughts

Intelligence agencies will fondly look back at a time when they had free reign on tech surveillance and their adversaries were still naive about such tools. That time has passed. We are now "After Snowden."

I've long maintained that the truly diabolical types are way too careful to risk their electronic communications being compromised until it's far too late. The problem, however, is that we all need some form of communication with the outside world. Osama bin Laden was able to elude capture due to his reliance on his network of human couriers.

It was only when U.S. intelligence discovered and traced bin Laden's courier that his compound was found. It was the combination of human intelligence (including an embedded human "asset") and surveillance tech that got a result.

The same is true for enterprises, where the human element has a way of undermining security protocols. In Apple, FBI and encryption – four issues enterprises should care about, I delved into security lessons that companies can take from this debate. But we can't expect total diligence from all employees.

That means an enterprise encryption plan must take into account human sloppiness, the potential for bad intentions, and the danger of compromised credentials exploited by third parties. Each device and wearable brings another data protection project. And if that wasn't hard enough: we can't make the user experience so terrible that our own employees will resent using our systems and managing hopelessly complicated passwords.

In Seven Key Elements of a Successful Encryption Strategy, the authors argue that an encryption program is worth the effort, with a potential 20 percent ROI on top of data security. But for an encryption program to be successful, it must be applied across three states of data:

  • data in motion (data being transmitted over a network)
  • data at rest (in your data storage area or on desktops, laptops, mobile phones or tablets)
  • data in use (in the process of being generated, updated, erased, or viewed).

The authors cite encryption steps for each, before concluding:

Encryption can add nearly 20 percent to an organization’s ROI in security and render data useless in the event of a breach, but only if it is part of a comprehensive strategy that incorporates encryption with key management, access control and SSL decryption. With careful planning and equal investments in people, process and technology, you can navigate the variety of enterprise encryption options at your disposal and stay ahead of threats while reducing complexity and compliance costs.

However the legal rulings on encryption play out, the pattern is clear: the tools are sophisticated, but we may not be. Though the CNBC password breach was almost comical, what should keep IT managers up at night was the recent example of an HR employee emailing 1,000+ employee records - including social security numbers - to a hacker impersonating a manager in a "phishing" scam. We now know enough about encryption to put together a "good enough" plan - and grapple with contingencies.

A grey colored placeholder image