This is possibly the longest and politest thread I’ve had on Twitter; it’s required some unpicking to make it into a linear narrative but I’ve done my best, below.
PART 1
THREAD: That’s a great question, and there are benefits to end-to-end technologies in several dimensions – to the people who use it, to the businesses which leverage it, and to the platforms which provide it; and then there are the additional civil rights questions.
To the people who use it: communications are nowhere other than where they need to be; technically this is “reduction of attack surface” which, especially combined with message management such as timed deletion, greatly reduces digital “exhaust trail” and improves privacy.
Notably: if you’ve ever had to burn printed receipts or bank statements, I hope that in the digital age you’re erasing your hard disks when you throw away or sell laptops, phones, etc? Not to mention erasing your old backups?
Use of E2EE minimises, even obviates these risks.
Aside1: recent news stories sourced from e.g. Cummings et al, demonstrate that E2EE is no defense against “leaky” users or “turned” informants; I aver that this is the space upon which the security services should be focusing.
To the businesses which leverage it: stronger, better-authenticated communications than those afforded by untrusted means such as SMS – text messages may be tampered with, spoofed, and entire phone handset numbers may be hijacked by social engineering… however:
However a cryptographic key is (should be) globally unique, so if your bank is communicating with you over Signal or WhatsApp (etc) they can be certain that they are (still) communicating with the same person whom they did, last week.
Worst case: your unlocked phone was stolen.
This is a much reduced risk to communication than (as explained above) SMS, or something like Email where the username and password one uses may be the same as those exfiltrated from some hacked gardening forum which one inadvisably signed-up for.
Aside2: any proposition that E2EE can/should be restricted to fit and proper uses by fit and proper people, is predicated upon an expectation that the internet inherently supports notions of identity for/of all traffic. It does not, and such a proposition WillNotWork™.
To the businesses and civil rights issues: I have written about these at length:
– but even that does not touch upon the cost reductions which E2EE enables.
For the latter: if messages are primarily expected to be stored with the user, then there is reduced, perhaps near zero requirement for central storage; and if only the participants have access, then there is greatly reduced risk, and equally reduced cost of data protection.
This is just a thumbnail; I would be delighted to expand at length, not least because I have just last week welcomed my daughter to the world, and I am particularly exercised to work so that she grows up in a world where she has the privacy she deserves.
<end, for the moment.>
Originally tweeted by Alec Muffett (@AlecMuffett) on 2021/07/08.
PART 2
I would be delighted to, but before I do I would like to pick you up on a point you made, and ask you to clarify:
“they would be arguments against money-laundering controls”
I aver this is not a proportionate, nor liberal, comparison for the following reasons:
Firstly: we haven’t yet banned cash, although there have been considerable attempts to attempt to restrict/track its digital equivalents. Nor is it necessary for all cash transactions to be reported, although above a certain limit there are (again) attempts.
But (secondly) we are not discussing *cash*, we are discussing *speech*, and restricting the ability for two people to have a conversation free from the oversight of a platform, its employees, or even one-or-more Governments, internationally.
Elsewhere I’ve outlined just some of the social impacts of requiring speech to have oversight:
And also:
So I am wondering where you draw the line of necessity to oversee the sensitive and private speech of all 2.7 billion (or more) global internet users, compared to the money-laundering “cap” of 10,000 Euros, below which the law apparently stops caring, except in aggregate?
<end>
PART 3
<BEGIN> Please pardon the delay getting back to you, today has been full of house-husbandry & childcare excitement; also please excuse if I quote-tweet you a bit in order to re-establish a nice linear flow:
https://twitter.com/terrorwatchdog/status/1413403634902110210 [SCREENSHOT]
To your first point, tech *is* exceptional, or at least digital data is a form of matter sui generis; & although it’s often stored in banks (“databanks” ha-ha), the Banking industry is a poor metaphor for online messaging; instead Telephony is better.
A little history:
The automated telephone switch was invented by Strowger (qv) circa 1888 apparently because observation, tampering, & interference by manual “Telephone Operators” were directing business away from his work/funeral home.
https://en.wikipedia.org/wiki/Strowger_switch#History
Strowger’s goal was to take human beings out of the loop, to disintermediate the communications, in order to add privacy & integrity to the telephone system; this/similar is still the same goal of communications security engineers & wonks (like me) today.
Law Enforcement subsequently demanded a “wiretap capability” because the intangible, ephemeral, & fleeting nature of speech-over-the-wire, is harder to (again) observe, tamper, & interfere-with, than tangible telegrams and/or post/mail; hence the metaphorical value.
Notably: Wiretap Capability required transcription or recording; more on that, in a moment.
Neither Telephony nor InternetMessaging have inherent need for the provider to retain a searchable, accessible “data bank” of old messages that have passed through them. That to-date they often have done so is an architectural aberration, largely due to weak client capability.
(rephrase: web browsers & old mobile phones lacked the resource & technical nouse to deliver InternetMessaging without central help “in the cloud”)
But also: InternetMessaging is NOT QUITE like “voice”; being digital data it already exists in a “transcribed” state, and the most important challenge of data security is to *prevent* this data from proliferating.
This is the essence of data protection, and E2EE greatly helps.
Regards “anti-proliferation”, if Telephony providers in their early years were required to cut a vinyl disk of every conversation that was carried, “just in case” the state needed to re-hear it later, we would have no modern telephony providers; or we’d live in a Stasi state.
Aside: Yes I’m aware of compliance obligations upon trading floors to record conversations inbound/outbound because of insider trading risk, etc; but those are the communications of people doing a narrowly constrained *job*, rather than Clapham Omnibus users.
Also: 5+ years of retention for all the world’s video streams, food pictures, whispered sweet nothings, political planning, wanted and unwanted nudes, and dubious jokes[1], would be a vast farm of “spinning rust” not justifying[2] its cost of collection, storage & protection.
Re: [1] [the following tweet is relevant]
Re: [2] personal perspective: there is a gulf between information and knowledge. [exemplified by this google search]
Again: InternetMessaging platforms are transporting *speech* of the public (https://twitter.com/AlecMuffett/status/1413189527619919876) – 2.7 billion people, or more – and the safest thing to do with that is get the data from A to B authentically, without proliferation, interception or tampering.
The goal is to build a communications system that Almon Strowger would be proud of; one which is lightweight, authentic, private, with high integrity, resistant to all who would subvert those qualities upon our truly *global* internet.
E2EE enables this.
Afterword: Whitfield Diffie, inventor of public-key encryption with signatures, notes:
“All that was necessary in the past for two people to have a private conversation, was for them to walk into a field, and talk”
– yet somehow Government has survived to this day. <END>
ps: re: arguments that “authorities today are not necessarily seeking *retention*, merely *access*” — e.g. the @GCHQ “Ghost” proposal — the many issues of implementing even mechanisms such as those are well rebutted in:
1. https://mitpress.mit.edu/blog/keys-under-doormats-security-report
2. https://www.lawfareblog.com/open-letter-gchq-threats-posed-ghost-proposal
Originally tweeted by Alec Muffett (@AlecMuffett) on 2021/07/08.
Part 4
You’re welcome! I have appointments this morning, but would be interested in clarification of your use & scope of the word “detect”? And if possible also, re: my question regarding proportionality? More this afternoon ?
[ps:] For clarity there is a gulf between police usage of the word detect meaning “solve” or “attribute”, vs common or political usage of the word detect as in “smoke detector”
[BEGIN] Excellent!
Tell you what, let’s do both at the same time, because the difference is germane:
In your role I’m sure that you’re aware of the “signals intelligence” tale re: how IRA cells were discovered in the 90s by pulling mobile phone billing records to look for “cliques” (or: “sub-graphs”) of up to five phone numbers which basically only-ever called each other?
Apparently IRA leadership had distributed phones but had a poor grasp of operational security, viz: that functional constraints yield behavioural fingerprints; and that once law enforcement identified/turned a suspect’s number, “fanning out” cliques can find others.
Precisely the same “graph analysis” mechanism is in use today at WhatsApp to combat spam; instead of tipoffs/turning, the WhatsApp system relies upon user reports to spark “fanout”:
So back to the question of “detection”: our grammatical choice is between proactive “discernment” of terrorism (“smoke detection”) vs: “investigation” (attribution, discovery, and arrest) [SCREENSHOT]
“Investigation” is a good fit for end-to-end encryption; just as it wasn’t feasible for MI6 to listen to all Irish phone calls (though they tried: https://www.duncancampbell.org/PDF/Bugging%20ring%20around%20Ireland.pdf) it’s likewise not feasible/ necessary to read WhatsApp messages in order to extract “investigation” value.
But for “discernment” of terrorism amongst all the world’s online conversation one must first “surveil” all the world’s online conversations for “intent” (cf: Capenhurst Tower, qv) AND THEN one must subject “interesting” or “suspicious” content to “review”.
My view is that this is all of: illiberal, disproportionate, misconceived / open to abuse, and (perhaps worst of all) ultimately self-defeating, given the trajectory of technical innovation. In specific:
Illiberal: it requires a fairly narrowly-drawn warrant to emplace a microphone into British homes, and yet those who decry end-to-end encryption would have live-surveillance microphones into all British communications, which are increasingly online-by-default.
Per my earlier tweet (https://twitter.com/AlecMuffett/status/1406319821587947520) this would certainly include “review” of (e.g.) perfectly innocent family activity that happened somehow to trigger the “intent” detector.
In passing, you are doubtless also familiar with @GCHQ‘s “OPTIC NERVE” programme, and the “surprising amount of nudity” that GCHQ staff learned about? [SCREENSHOT]
https://en.wikipedia.org/wiki/Optic_Nerve_(GCHQ)
Disproportionate:
~66 million people in the UK
~2.7 billion WhatsApp users in the world.
What percentage are non-terrorist innocents?
The “backdoor” / hole drilled in end-to-end encryption to permit such surveillance would be a massive “opportunity cost” to their privacy.
Misconceived & open to abuse: these “backdoors” would have to be operated & serviced by the private sector – even the ones who DO NOT WANT THEM – to support a disproportionate minority of cases.
Abuses will occur, either by bent platform employees or bent security services.
Ref: “LOVEINT” – it happened in the USA and Germany, I hardly believe that the UK is any different.
https://en.wikipedia.org/wiki/LOVEINT
Ultimately self-defeating: for me, this is the kicker; there are a growing number of end-to-end encrypted distributed/decentralised apps, where NO CENTRAL PLATFORM exists. e.g. @BriarApp, @r2refresh, @cwtch_im.
It will not be possible to surveil nor ban these.
We saw with the @Snowden revelations the acceleration of adoption of better, stronger encryption & key management.
If governments pursue weakening of end-to-end encryption, the cliques will move to “decentralised e2e” tools, and security services will be blind to them.
Tech companies are rearchitecting how they enable people to communicate, so that deployments are lighter, less expensive, more robust & more private, with less (e.g. GDPR) compliance risk.
Wise governments will encourage this for what innovation it enables, and…
…and further: wise security services will also encourage both this *and* cordial relationships with the platforms, to assure ongoing access to “investigative” clique analysis at the cost of (inevitably doomed) “discernment” content analysis, lest they lose EVERYTHING.
So: “fish, or cut bait?” – access to content is doomed because (e.g. GDPR) makes such expensive to maintain/protect. Mandated law-enforcement access mechanisms will undo the value of end-to-end encryption and drive ACTUAL terrorists from WhatsApp (etc) towards decentralisation.
Thus the answer to your question: the least bad, most strategic, most business- and innovation-enabling means to “detect-investigate” online terrorism, is the selfsame signals-intelligence (SIGINT) who-called-who mechanism that has worked for 100s of years. [FIN]
Originally tweeted by Alec Muffett (@AlecMuffett) on 2021/07/13.
Response!
I am grateful to Mr Hall for the following summary, which can be found hung off this tweet:
Leave a Reply