The odds are stacked against Facebook in the latest encryption fight

Unlike with Apple, the DOJ has a very good chance in its case against Facebook

The US Department of Justice wants to wiretap Facebook Messenger. That would involve the social media giant breaking the encryption on its Messenger application so that the feds could listen to the voice conversations of an MS-13 suspect. MS-13 is a Mexican and Republican bogeyman.

Currently, in California, a case between the DOJ and Facebook is proceeding under seal, reports Reuters.

The judge in the Messenger case heard arguments [last] Tuesday on a government motion to hold Facebook in contempt of court for refusing to carry out the surveillance request, according to the sources, who spoke on condition of anonymity.

Both the DOJ and Facebook refused to give Reuters a comment, but the issue originally arose in Fresno, California, as a result of an investigation into the MS-13 gang. If this smacks of a similar case that occurred several hours south in San Bernardino, that’s because that case was the catalyst for a heated dispute between Apple and the feds over encryption on iPhones. That case was later vacated after a third-party company was able to crack the shooter’s phone.

But while there are some superficial similarities between the two cases, there are some pretty big differences between the two situations, too. While Apple had a strong case not to decrypt the shooter’s device, Facebook’s legal standing in this case is much more tenuous.

Why is the Facebook case not like the Apple case?

Well, to begin with (and please, dear reader, forgive me for this pun), you’re kind of comparing apples to oranges. Apple’s encryption secured the device itself. And while Apple had already handed over the contents of the shooter’s iCloud, it was never in control of the device’s data. Nor could it access the device, because it had neither the shooter’s password nor his private key. The FBI’s answer was for Apple to design a workaround that would have created far more risk than was warranted to unlock a single iPhone. From a utilitarian standpoint, it was a really bad ask. There were other legal distinctions, too. The FBI was trying to derive its authority from the All Writs Act, which authorizes federal courts to “issue all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law.”

Here’s all you need to know about why that was silly. The All Writs Act was passed in 1789, literally in the very first session of the very first Congress. The updated version we use today was passed in 1911. Computers were not a thing when this was conceived of. It doesn’t apply well to modern cases about encryption.

Facebook is not so lucky, because in its case the DOJ is going with the Wiretap Act. And unlike the nearly 250-year-old law the FBI decided to try and argue, the Wiretap Act does apply to this case, and there is even some precedent on the feds’ side. The Wiretap Act is actually Title I of the Electronic Communications Privacy Act, and it’s pretty clear about phone companies’ obligation to comply with wiretap orders given by law enforcement. Further complicating matters is that Microsoft started providing access to Skype in 2012, though at the time providing access to voice calling was not technically feasible.

There are technical differences, too. While Apple’s case was in relation to a locked physical hard drive, in the Facebook case the feds want a wiretap on all Facebook Messenger calls sent and received by one suspect. And unlike with device encryption, here the data is being encrypted in transit, which means the devices generate less secure symmetric session keys to communicate, in order to avoid degrading performance.

These session keys are generated by the devices, locally, and security is not as emphasized as with Apple’s passcodes. In fact, in 2015 Philipp Hancke discovered that the session keys were being shared with Facebook’s servers. And while Facebook is typically tight-lipped about its configurations and could have changed things in the past few years, that still doesn’t bode well.

Will Facebook have to comply with the DOJ?

The question is probably less, “will they have to” and more “can they?”

Former Facebook engineer Alec Muffett told The Verge he believes Facebook “probably does not currently have the necessary keys and means to comply with a wiretap order.” That’s owing to the fact that holding on to other people’s keys is not a good decision (eh, Mr. Trustico?).

The most challenging part of the order has nothing to do with encryption at all. Even with the session key, wiretappers would still need to collect a full copy of the encrypted call, which can be a significant challenge. Most online calling services send data directly from client to client for simple performance reasons, which has given the services a troubled history with wiretap requests.

Apparently, the NSA has found a workaround for this (of course they have), but whether or not it would work for the Facebook situation is another story.

There’s frankly a lot we don’t know, and likely won’t know about this case until more news leaks about it or a resolution is reached.

As we’ve done with the encryption debate up until this point, we will keep you posted.

Feel free to leave any comments or questions below.


Patrick Nohe

Patrick started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. Patrick covers encryption, hashing, browser UI/UX and general cyber security in a way that’s relatable for everyone.