SECURITY vs. FREEDOM: THE FIGHT OVER ENCRYPTION
The Curious Case of end-to-end encryption regarding public security and personal freedoms
The Joy of Achieving 100% Data Protection
Everybody wants your data, and that “everybody” list is not restricted to some black hat guys hacking accounts from an unknown location. The list also includes many civil servants who get paid by your taxes. The only difference might be that the latter claim to access your data in the name of public security and the fight against crime.
Governments, since they are also commissioned to protect you from some bad-ass digital perpetrators, want to protect your data on the one hand and, on the other, want to access your data freely whenever it suits them.
The General Data Protection Regulation (GDPR) expects organizations of any size to implement some costly data protection technologies. GDPR names some of these technologies, and encryption is among the few. It is a magical word when it comes to compliance with the law since encrypted data loses its definition as personal data and thus releases the data controller from its other duties as long as the data is encrypted.
Since #GDPR compliance hit the sectors as a leading concern, many data processors are jumping on the bandwagon to provide a high level of encryption to their customers. Speaking of instant messaging services, Signal and WhatsApp come to mind, both of which provide a high level of encryption to their customers.
They are among the service providers that adopted the most advanced level of protecting your data, which is end-to-end encryption (E2EE). #E2EE prevents any third party, other than the sender and the receiver, from accessing the data. The word “any” literally means “any” in the E2EE case since even the service provider cannot decipher your data in a meaningful way. And that “any” also includes government agencies that want to sneak a sip from your data themselves.
The Dilemma
The United Kingdom is still within the GDPR zone as an ex-member of the EU and is accepted as an “adequate” foreign country by the European Commission. Its own data protection law, #UKGDPR (32), introduces encryption as an appropriate technical measure. But in a hypocritical way, as some may say, the UK government seems to badly want to break the high-level data protection scheme. This is the reason we now have a war between E2EE service providers and the UK government, with the UK government waging a war with WhatsApp.
On January 17th, the UK government put its new “Online Safety Bill” up for debate in the UK Parliament. As Dan Milmo summarizes in his article (1), the bill also aims to protect children and it “requires all tech firms within its scope – services that publish user-generated content from Facebook to TikTok, plus search engines – to protect children from harmful content and activity that causes harm (such as child sexual abuse material).”
This pushes many giant service providers right to the front line in the war against crime, and that is understandable to some extent. But it is also very unsettling for them since this means that service providers will have to break their high-end E2EE schemes and begin accessing user data (all talks, messages, voice messages, pictures, and files that you have shared).
Once the E2EE walls are breached, this whole technical measure will be rendered useless: where “any” third party was previously unable to access the data, “many” third parties, including governments and the service providers themselves, will now have access.
And this is not the first time UK Government agencies have demanded access to WhatsApp’s encrypted database. Legally, they can claim access to any service provider’s data with a legal instrument known as a Technical Capability Notice (TCN). In 2020, it was rumored that they had done so, but later, these rumors were falsified (2). It is not that government agencies wanted to access the data with a TCN, but it was technically impossible for them to break into E2EE data back then.
Corporates Fight Back
Unsurprisingly, both Signal and Meta (#WhatsApp) – and possibly other E2EE-integrated businesses – are rigorously opposing the new Bill since, once the E2EE walls are breached, E2EE will be rendered useless for protecting personal data.
On the other hand, while the companies will begin combing through their user data to find illegal and potentially hazardous content for minors, once the walls are down, the same UK Government agencies who were previously unable to access user data will be happily issuing TCNs for other “blessed” purposes.
The Head of Meta WhatsApp, Will Cathcart, recently traveled to the UK to discuss the E2EE subject with the government. As Morgan Meaker reported in his article at WIRED (3), Cathcart later told journalists that he was concerned that the bill could make it harder for WhatsApp and other messaging platforms to provide end-to-end encryption, and said,
“It’s hard to imagine we’re having this conversation about a liberal democracy that might go around people’s ability to communicate privately.”
According to Meaker, Signal also refused to break its E2EE and told the UK government that it would rather leave the UK market for good than weaken its encryption. The Signal app is one of the most secure instant messaging platforms, with its own state-of-the-art E2EE framework, which was also later adopted by WhatsApp.
Conclusion and Advice
As both a data protection specialist and an attorney at law living in Turkey, I would strongly suggest that UK citizens listen to what Mr. Cathcart says about the rules of liberal democracy that are also expected to bind the government.
A horrendous example of what might go wrong in such a case is the infamous “Bylock Case” in Turkey, where government intelligence services broke into the servers of an instant messaging service named Bylock in Estonia. Although the data collected would be rendered as illegal evidence since it was a covert operation and there was no warrant, 1.5 years later, after the data was collected.
Interestingly, Bylock was also claimed to be encrypted, and that feature of encryption was used as evidence that those hundreds of thousands of “terrorists” were trying to hide their personal messages since their motive was “evil”. Downloading and using the application was accepted as direct evidence of being a member of the “terror organization”.
The encrypted Bylock application was just a part of the witch hunt, which affected up to 2 million Turkish citizens (1/40th of the total population) at various levels.
In the end, the whole thing turned into a humanitarian crisis, where more than a hundred thousand citizens were found guilty, most of them with the key evidence that they somehow downloaded the application, created accounts, or messaged using that famous instant messaging service, and served at least 5 years in prison. The lesson here would be that although it is understandable that public security is important to any society, in a democratic society, it shall not come at the cost of personal freedoms.
References
(1) Guardian Article
(2) Sky Article
(3) Wired Article