Meta Tries to Break the End-to-End Encryption Deadlock

Credit to Author: Lily Hay Newman| Date: Wed, 06 Apr 2022 11:00:00 +0000

To revist this article, visit My Profile, then View saved stories.

To revist this article, visit My Profile, then View saved stories.

After years of tech companies and police fumbling and clashing over end-to-end encryption, Meta this week brandished a new tool in its arsenal that may help the social media giant resist government pressure to change course or weaken its plan to implement end-to-end encryption across its private communication services.

On Monday, Meta published a report about the human rights impacts of end-to-end encryption produced by Business for Social Responsibility, a nonprofit focused on corporate impacts. Meta, which commissioned the independent BSR report, also published its response. In a study that took more than two years to complete, BSR found that end-to-end encryption is overwhelmingly positive and crucial for protecting human rights, but it also delved into the criminal activity and violent extremism that can find safe haven on end-to-end encrypted platforms. Crucially, the report also offers recommendations for how to potentially mitigate these negative impacts. 

Since 2019, Meta has said that it will eventually bring end-to-end encryption to all of its messaging platforms. The security measure, designed to box services out of accessing their users' communications, has already long been deployed on the Meta-owned platform WhatsApp, but the initiative would bring the protection to Facebook Messenger and Instagram Direct Messenger as well. Meta has said that its delay in fully deploying end-to-end encryption on these other services largely has to do with technical challenges and interoperability issues, but the company has also faced criticism about the plan from the United States government and other countries around the world over concerns that adding the feature would make it more difficult for the company and law enforcement to counter a range of threats, like child abuse and distribution of child sexual abuse material, coordinated disinformation campaigns, viral hate speech, terrorism, and violent extremism. The US government, and the FBI specifically, has long argued that comprehensive encryption that protects user data equally protects suspects from criminal investigations, thus endangering the public and national security.

“I am glad to see BSR’s report affirm the crucial role that encryption plays in protecting human rights,” says Riana Pfefferkorn, a research scholar at the Stanford Internet Observatory who was not involved in the study. “While it’s true that undesirable conduct occurs in encrypted contexts, most people aren’t criminals, whereas everyone needs privacy and security. Weakening encryption is not the answer.”

The question for Meta and privacy advocates around the world has been how to develop mechanisms for stopping digital abuse before it starts, flagging potentially suspicious behavior without gaining access to users' actual communications, and creating mechanisms that allow users to effectively report potentially abusive behavior. Even very recent efforts to strike a balance have been met with intense criticism by privacy and encryption advocates. 

For example, Apple announced plans in August to debut a feature that would scan user's data locally on their devices for child sexual abuse material. That way, the reasoning went, Apple wouldn't need to access the data directly or compile it in the cloud to check for abusive material. Researchers raised a host of concerns, though, about the potential for such a mechanism to be manipulated and abused and the risk that it wouldn't even accomplish its goal if the system produced a slew of false positives and false negatives. Within a month, Apple backed down, saying it needed time to reassess the scheme.

In its report to Meta, BSR did not endorse such “client-side scanning” mechanisms, saying that the approach ultimately produces an untenable slippery slope. Instead, BSR recommended that Meta pursue other mechanisms like safe and responsive reporting channels for users and analysis of unencrypted metadata to catch potentially problematic activity without direct communication scanning or access.

“Contrary to popular belief, there actually is a lot that can be done even without access to messages,” says Lindsey Andersen, BSR's associate director for human rights. “And what is essential to understand is that encryption isn’t just any old technology, it’s a really important means to advance human rights, and it's unique in that way. I'm not sure we’ve seen anything that has so many clear human rights benefits as end-to-end encryption.”

The BSR report includes 45 recommendations, 34 of which Meta has committed to implementing. The company says it will partly implement another four and that it is doing further research about six of the remaining recommendations. The company declined to adopt one recommendation related to exploring a special type of math known as homomorphic encryption as a means to potentially develop more secure client-side scanning. Meta says this recommendation is not worth pursuing because, it concluded, it is not technically feasible.

Meta says that throughout BSR's research process the company has been guided by the findings and that its direction is already largely aligned with BSR's proposals. And at the beginning of March, the company rolled out end-to-end encryption for Instagram Direct Messaging in Ukraine and Russia in response to Russia's invasion of Ukraine. The company told WIRED on Monday that it will not deploy the protection across its messaging services in 2022, but that it is planning to move forward in 2023.

“From a human rights perspective you realize there are tensions, but it isn’t an either-or,” says Gail Kent, Meta's Messenger global policy director. “That's something we are hoping that we can show in our product—you don’t need to choose between privacy and safety, you can have both. And we clearly know from speaking to users that users expect us to provide both. On Messenger or Instagram DMs they expect to have a trusted space where they can communicate freely without interactions they don't want.”

After decades of going in circles on the problem, the debate won't be resolved by one report. But it doesn't hurt to have the biggest social media company on the planet pushing and investing to find a solution.

https://www.wired.com/category/security/feed/