
Brazil, Apple, and WhatsApp: Missing Encryption’s Forest for the Trees

April 26, 2016

Author:

Dan Arnaudo

Apple has been in the news a lot recently. As discussed in Alexander Kegel’s post contextualizing the iPhone encryption debate, the San Bernardino terrorists used an iPhone and the FBI tried to crack it, unsuccessfully. The phone’s encryption system works in such a way that it locks up and erases all the data after ten unsuccessful login attempts. The Feds challenged Apple to write a new system that wouldn’t lock up, a special script they said would be only for this phone, to be completed by Apple on their company grounds in California, deleted, and not set a legal precedent. The FBI’s claim wasn’t true, because there are hundreds of other cases and judges that would demand access to the same system. In the end, the government found another, secret backdoor into the phone (rumored to be a zero day vulnerability they bought from gray hat hackers) and promptly dropped the case. They still haven’t given Apple the details of what they did, so the vulnerability is likely still in everybody’s iPhone.

But the Apple case is just a single, blighted tree in a diseased terrorist grove that the Feds want to point to as an example to gain access to more locked systems. However, there’s a forest of encryption out there that runs much deeper.

Thousands of miles away, a Brazilian judge faced a similar conundrum in a drug trafficking case where a suspect used WhatsApp to exchange information with contacts, and investigators tried and were unable to get access to the messages or log files from WhatsApp or its parent company, Facebook. The judge ordered Facebook’s Vice President for Latin American operations, Diego Dzodan, imprisoned for refusing to supply WhatsApp’s data for a day, although this was later reversed.

In an interesting contrast, as the Facebook VP was being led into jail, Apple won a victory in a New York court that wanted similar access to the iPhone that the FBI was attempting to access in the San Bernardino case.

In the Brazilian case, the judges targeted corporate leadership with threats of imprisonment. In the American case, the government and the FBI were trying to get Apple to design technological solutions that would act as backdoors into their operating system. Such a request, arguably, threatens the core of their business.

Another judge in Brazil just last year tried another kind of technical solution as a similar kind of threat: He ordered telecoms to shut down WhatsApp on their networks throughout the country for refusing to give up information for another trafficking investigation. The telecoms, often at loggerheads with a service that rides on their infrastructure while paying nothing, did not appeal. The shutdown lasted only 12 hours after an appeals judge ruled it a little extreme, but shocked one of the largest WhatsApp user bases in the world, 93 million strong. The showdown showed the power of the social network but also that of a young democracy to shut it down.

The trials of Apple in the United States were a portent of the larger issues with WhatsApp globally, and WhatsApp could prove to be a much bigger challenge. Apple represents just a fraction of the mobile phone market, mostly upscale users, and while it has sold around a billion iPhones, the most current, better-encrypted phones are still priced out of the reach of most. WhatsApp’s user base is now over a billion people, and anyone using the free app has the same strong encryption. A user’s data resides only on their phone, and that of their correspondents.

In both cases, Edward Snowden’s revelations about the US National Security Agency’s surveillance activities in 2013 are now bearing fruit, changing the shape of international networks and the strength of encryption for ordinary users.

WhatsApp has built up its reputation for strong encryption, end to end, and also for the strength of its user base and the speed and efficiency of its software. These factors led to its acquisition by Facebook in 2014. It remains a boutique, startup kind of corporate structure with less than 200 employees. As a result, Facebook is now its primary policy and legal counsel, particularly outside of the US where it has little to no representation. In all of Latin America, the company has only recently acquired a person responsible for examining the country’s legal position in the region, not yet directly responding to cases.

Another partnership WhatsApp made in 2014 is bearing even more crucial fruit for its encryption plans. It engaged Open Whisper Systems, which builds communication apps that ensure complete or “end to end” encryption, including Red Phone and TextSecure, now merged into Signal, Snowden’s preferred messenger. Last week, this partnership came to full fruition with the introduction of end to end encryption in all WhatsApp communications. Now any time someone sends a message using WhatsApp to another user it is fully encrypted using OWS’s software.

Ironically, OWS is partly funded by the US government to support encryption systems for democracy activists in places such as Cuba and Iran. This is the same US government that is trying to break phones such as the iPhone in San Bernardino or outlaw encryption without government access through legislation stewing in Congress.

Neither the Apple nor the WhatsApp case is without precedent. In 2012, a judge briefly had the head of Google Brazil imprisoned for refusing to take down a libelous YouTube video against a regional candidate. In both cases of executive imprisonment, despite one being motivated by the urge to censor public content, the other by the need to secure private data, judges used the threat of jail to compel responses from the parent organizations. Politicians in the US have been looking for ways of getting companies to give law enforcement “backdoor” access to telecoms since before the commercial Internet, most notably during the Clipper Chip debates in the 90s. They are still pushing this line, most recently in a proposed Compliance with Court Orders Act of 2016 sponsored by Senators Dianne Feinstein and Richard Burr, which would require tech companies to provide police essentially any data they want, regardless of encryption. Companies would be legally obligated to build backdoors.

Brazilian lawmakers have made similarly misguided attempts to gain access in this way. During the debate around a Brazilian Internet Bill of Rights (Marco Civil da Internet in Portuguese), passed in 2014 in the wake of Snowden’s revelations, the Congress considered inserting a provision to compel any company with Brazilian users to colocate their servers domestically for police access. New laws, nicknamed the Big Spy Bill (PL Espião), and a parliamentary commission have made recommendations to force Internet companies to register users through their national ID numbers and other personal info. Other recommendations by the commission would negate privacy aspects of the Marco Civil, including getting user data without a court order, making it easier for politicians or other public figures to get content taken down, and sanctioning judges’ ability to shut down or block apps like WhatsApp.

There is a final concern in all this: A person’s data is often more at risk in the servers of publicly held companies than it is in the hands of governments, and the security of it is only important so long as it is commercially viable for these companies to pursue security. That they put more emphasis on it today than ten or 20 years ago is a great thing, but security comes at a price, and individuals’ data often constitutes the fee.

WhatsApp also differs in that it is not storing data on central servers as Facebook or Google do. You’ll notice if you use WhatsApp Web on your browser, the service only works if your phone is connected to the Internet. That is because both your phone and computer are acting as servers; there is no centralized system that has copies of your messages, only information about your number, contacts, name and any other information you wish to put in a part of your profile. This is metadata, which has a value all of its own.

The US is much more central to the picture because it is the home of companies like WhatsApp, Google, Facebook, and Apple, but it is equally powerless to prevent companies outside of its borders from building better encryption apps without backdoors, or to prohibit American users from building them. Brazil is just one example of a country grappling, largely unsuccessfully, to claw back the same access police had when they only had to deal with telephone wiretaps. As WhatsApp’s founder put it in an interview with Wired: “There was a middle period where the government had a broad ability to surveil, but if you look at human history in total, people evolved and civilizations evolved with private conversations and private speech. If anything, we’re bringing that back to individuals.”

A recent report: “Don’t Panic: Making Progress on the Going Dark Debate” organized by Harvard University’s Berkman Center for Internet and Society backs up this quote, and posits that the value of data to companies such as Google and Facebook will ensure that much of it remains unencrypted, while the growing Internet of Things will provide much more for intelligence and police consumption. Not only academics, but active officials in the US government and intelligence services contributed to the report. They noted that other than ongoing surveillance using traditional techniques, metadata would continue to be unencrypted: “This is data that needs to stay unencrypted in order for the systems to operate: location data from cell phones and other devices, telephone calling records, header information in e-mail, and so on. This information provides an enormous amount of surveillance data that widespread.”

However, WhatsApp’s new end to end system makes an argument for a certain kind of dark reality that governments will simply have to deal with, not only in terms of encrypted messengers, but operating systems like Apple’s iOS and Tails, an open source operating system designed by the same people who make Tor, an encrypted network that helps hide the Silk Road and other parts of the darknet.

In the Wired article where WhatsApp’s founder spoke, it’s also noted that Apple has hired OWS’ security expert as an intern. Interesting to see how that will bear fruit. It comes as one of many signals the days of open networks, operating systems and protocols in Silicon Valley are long gone.

 

This post first appeared on Dan Arnaudo’s website on April 12, 2016 under the title, “Missing Encryption’s Forest for the Trees.”

 

This publication was made possible in part by a grant from Carnegie Corporation of New York. The statements made and views expressed are solely the responsibility of the author.