In Saturday's edition of the New York Times, Matt Apuzzo reports that the Department of Justice is locked in a prolonged standoff with WhatsApp. The government is frustrated by its lack of real-time access to messages protected by the
company's end-to-end encryption . The story may represent a disturbing preview of the next front in the FBI's war against encryption.
It appears that the Department of Justice is considering pursuing another, similarly dangerous legal attack on encryption. The fact that the government is even considering such an action proves that our worst fears were right.
This time they're targeting WhatsApp, the Facebook-owned messaging app which started adding strong end-to-end encryption in 2014 . According to the New York Times, the government has obtained a wiretap order, authorizing real time acquisition of
the WhatsApp messages (probably text chats rather than voice calls, but that's unclear at this stage) in an ongoing criminal investigation. WhatsApp is, of course, unable to provide decrypted text in response to the wiretap order, just as it was
unable to comply with a similar order by a Brazilian court earlier this month. The whole point of end-to-end encryption is that no one but the intended recipient of a message is able to decipher it.
From the New York Times' reporting, it looks like the government has so far only obtained an initial wiretap order--demanding WhatsApp to turn over message content it can't access. The Department of Justice has not yet decided whether to ask the
court for a follow-on order that would compel WhatsApp to decrypt the messages. Presumably, that second order would look similar to the San Bernardino order and direct WhatsApp to write code that would break its own encryption and allow it to
provide plain text in response to the wiretap order.
If the government decides to seek that second order against WhatsApp, it would almost certainly be grounded, not in the All Writs Act but in the technical assistance provision of the Wiretap Act . So while the result of the All Writs Act
litigation in San Bernardino wouldn't directly control the outcome of any Wiretap Act case against WhatsApp, courts apply similar tests in the two contexts. In both All Writs and Wiretap Act cases, courts evaluate whether compliance with an order
would constitute an undue burden. Therefore all the rather convincing arguments Apple has made in San Bernardino would be available to WhatsApp as well.
As of now, we're unable to find any additional publicly available information regarding the order against WhatsApp. The New York Times reports that, unlike in the San Bernardino case, the WhatsApp litigation is being kept under seal. We'll keep
an eye out for any additional documents, and will continue to blog as more becomes public. For now however, we applaud WhatsApp (and Facebook) for standing strong in the face of orders, whether Brazilian or American, to do the impossible or to
compromise our security for the sake of enabling click-of-the-mouse surveillance.
Last week, US Attorney General William Barr and FBI Director Christopher Wray chose to spend some of their time giving speeches demonizing encryption and calling for the creation of backdoors to allow the government access to encrypted data.
You should not spend any of your time listening to them.
Don't be mistaken; the threat to encryption remains high . Australia and the United Kingdom already have laws in place that can enable those governments to undermine encryption, while other countries may follow. And it's definitely dangerous when
senior U.S. law enforcement officials talk about encryption the way Barr and Wray did.
The reason to ignore these speeches is that DOJ and FBI have not proven themselves credible on this issue. Instead, they have a long track record of exaggeration and even false statements in support of their position. That should be a bar to
convincing anyone--especially Congress--that government backdoors are a good idea.
Barr expressed confidence in the tech sector's ingenuity to design a backdoor for law enforcement that will stand up to any unauthorized access, paying no mind to the broad technical and academic consensus in the field that this risk is
unavoidable. As the prominent cryptographer and Johns Hopkins University computer science professor Matt Green pointed out on Twitter , the Attorney General made sweeping, impossible-to-support claims that digital security would be largely
unaffected by introducing new backdoors. Although Barr paid the barest lip service to the benefits of encryption--two sentences in a 4,000 word speech--he ignored numerous ways encryption protects us all, including preserving not just digital but
physical security for the most vulnerable users.
For all of Barr and Wray's insistence that encryption poses a challenge to law enforcement, you might expect that that would be the one area where they'd have hard facts and statistics to back up their claims, but you'd be wrong. Both officials
asserted it's a massive problem, but they largely relied on impossible-to-fact-check stories and counterfactuals. If the problem is truly as big as they say, why can't they provide more evidence? One answer is that prior attempts at proof just
haven't held up.
Some prime examples of the government's false claims about encryption arose out of the 2016 legal confrontation between Apple and the FBI following the San Bernardino attack. Then-FBI Director James Comey and others portrayed the encryption on
Apple devices as an unbreakable lock that stood in the way of public safety and national security. In court and in Congress, these officials said they had no means of accessing an encrypted iPhone short of compelling Apple to reengineer its
operating system to bypass key security features. But a later special inquiry by the DOJ Office of the Inspector General revealed that technical divisions within the FBI were already working with an outside vendor to unlock the phone even as the
government pursued its legal battle with Apple. In other words, Comey's statements to Congress and the press about the case--as well as sworn court declarations by other FBI officials--were untrue at the time they were made .
Wray, Comey's successor as FBI Director, has also engaged in considerable overstatement about law enforcement's troubles with encryption. In congressional testimony and public speeches, Wray repeatedly pointed to almost 8,000 encrypted phones
that he said were inaccessible to the FBI in 2017 alone. Last year, the Washington Post reported that this number was inflated due to a programming error. EFF filed a Freedom of Information Act request, seeking to understand the true nature of
the hindrance encryption posed in these cases, but the government refused to produce any records.
But in their speeches last week, neither Barr nor Wray acknowledged the government's failure of candor during the Apple case or its aftermath. They didn't mention the case at all. Instead, they ask us to turn the page and trust anew. You should
refuse. Let's hope Congress does too.