February 14, 2020 · Encryption Technology Law Enforcement Politics Intelligence

The Future of Signal and Other Stories in Encryption

WhatsApp co-founder Brian Acton injected $50 million into Signal and they're putting the money to good use:

Marlinspike's nonprofit has put Acton's millions—and his experience building an app with billions of users—to work. After years of scraping by with just three overworked full-time staffers, the Signal Foundation now has 20 employees. For years a bare-bones texting and calling app, Signal has increasingly become a fully featured, mainstream communications platform. With its new coding muscle, it has rolled out features at a breakneck speed: In just the last three months, Signal has added support for iPad, ephemeral images and video designed to disappear after a single viewing, downloadable customizable "stickers," and emoji reactions. More significantly, it announced plans to roll out a new system for group messaging, and an experimental method for storing  encrypted contacts in the cloud.

I've used Signal for pretty much as long as it has been around. You can find it, and other security apps, on my recommended resources page.

Always remember that no app will protect you if you're careless and have poor security hygiene (reusing passwords, opening every attachment and clicking on every link that comes your way, not using 2FA (or stronger) authentication, etc). Once information leaves your head it is at risk. There is always some level of risk when traversing someone else's hardware, software, or network. Always. And then, of course, there is this:

Meanwhile, WhatsApp is still signalling (no pun intended) that they're ready to scrap with governments on encryption:

"For all of human history, people have been able to communicate  privately with each other," Cathcart told The Journal, adding: "And we  don't think that should go away in a modern society."

Over at Lawfare, Alan Z. Rozenshtein, argues that Congress, Not the Attorney General, Should Decide the Future of Encryption:

As a threshold matter, the attorney general is not the right person to make this decision. Encryption is an issue that implicates many competing values, but the attorney general’s natural focus will be on the subset for which he is responsible: fighting crime. His decision-making will reflect this priority, potentially at the cost of other values. This is not meant to single out the attorney general. It wouldn’t make sense to put sole authority to determine best practices in  the hands of the secretary of commerce, whose primary responsibility is  the economic competitiveness of U.S. industry, not law enforcement effectiveness. Decisions about encryption should not be delegated to one agency alone.
More fundamentally, the question of whether to permit ubiquitous encryption is the sort of high-level policy decision that is best handled not by the executive branch but by Congress,  which best represents the public and its different constituencies and interests. Congress doesn’t have to do the technical heavy lifting; it could, for example, organize an expert committee to offer proposals or  even outsource that job to various executive agencies, which could then return competing recommendations.

I'm not sure I have much faith in Congress' ability to parse this effectively, actually I'm sure that I don't, but Rozenshtein's model is the correct one. In the end governments can target companies and networks in their domains but developers and opensource code will continue to present users with alternatives.

Don't tell that to the Indian government though. Casey Newton has the latest on their approach over at The Interface. It is aggressive:

Now a set of rules proposed a little over a year ago would force tech platforms to cooperate continuously with government requests, without requiring so much as a warrant or court order. Among the requirements is  that any post be “traceable” to its origin. And in what is believed to be a world first, the rules would require tech companies to do the investigating — to deploy their sophisticated tools to track a post’s  spread on their network back to its point of origin, and then turn that  information over to law enforcement.

That almost certainly means breaking encryption — how else could tech companies be expected to trace the source of a message? Imagine Clearview AI, but as a service tech companies are required to provide to law enforcement for free, and you start to understand what the Indian government is asking for here.

I've spent too many years following this battle and it is sure to outlive me. In its current form it's sort of the tech equivilant of the struggle between the Israelis and the Palestinians and it's just as likely to get resolved. There's an underlying tension here, to keep secrets and to know them, that will take on new forms as technology evolves but will ultimately stay with us - forever.


Previous Post: The Lincoln Project: Telling the Truth
Next Post: Red Team: How to Succeed By Thinking Like the Enemy