Encrypted messaging services have always presented a tough challenge for government agencies all over the world. On one hand, they allow for freedom of speech, but on the other, they enable miscreants and bad actors to facilitate nefarious deeds. In this regard, on July 2, European law enforcement authorities arrested over 800 individuals who were allegedly partaking in shady activities through the use of an encrypted chat service called EncroChat.
The messaging platform has servers based out of France and claims to provide users with “worry-free secure communications.” According to the BBC, EncroChat has a customer base of more than 60,000 people, more than 10,000 of whom are based in Britain. Immediately after the incident came to light, EncroChat’s official website and messaging service were put on temporary hold. To gain a better overview of the matter, Cryptox reached out to Tim Mackey, principal security strategist for design automation company Synopsys, who said:
“Authorities likely balanced the future value associated with identifying additional criminals against the already identified criminal activity. In effect, they may have determined that stopping a specific impending crime outweighed any potential returns from keeping EncroChat operational.”
A similar outlook is also shared by Brian Kerr, CEO at Kava, a multi-chain DeFi lending platform, who said that the government was right in accessing EncroChat’s servers to put an end to the criminal activities happening on the network.
Encryption still on the menu?
As issues related to data leakages — especially those in regard to various mainstream messaging services (such as WhatsApp, TrueDialog and Telegram) — continue to surface on a regular basis, many experts believe that it is worth exploring the subject of whether or not most encryption platforms today place enough importance on privacy and customer security.
On the subject, John Jefferies, CEO of CipherTrace, a crypto forensics firm, told Cryptox that customer privacy should always be taken into prime consideration by platform developers of such end-to-end encryption messengers. He further emphasized the point by saying that it was especially important to focus on privacy during times like these (i.e., the COVID-19 pandemic), where increased usage of digital platforms could lead to more instances of hacks, privacy invasions and data leaks. Jefferies further added:
“Encrypted communication is nuanced so platforms must ensure they have effective implementation of SSL with certificates issued from a known root of trust utilizing strong cipher suites. To further improve security, multi-factor authentication should be available for users joining conferences and the system should double-check users on unknown devices.”
Similarly, Jonathan Zerah, head of marketing for Status Network, an encrypted messenger, told Cryptox that despite there being many “so-called privacy and security-oriented” communication tools available in the market today, most of the security features being offered were built atop protocols that place a large amount of ownership and responsibility on centralized companies.
He further added that more often than not, these centralized communication tools employ a client-server model to transport and route messages throughout the world as well as require users to input their phone numbers or email addresses to set up and create an account — sensitive data that most firms usually store and manage using lax security protocols. Zerah added: “This places a massive responsibility on the companies managing these platforms to protect that data and the servers that store it.”
Lastly, to mitigate privacy issues related to popular messaging apps, experts like Zerah agree that it is time to establish newer safety protocols that return ownership of data to the individual and seamlessly remove centralized chokepoints and attack vectors.
Governments purging encryption-based tech?
Recently, a bill was introduced into the United States Senate that effectively seeks to put an end to using end-to-end encryption in messaging services. A similar issue was also raised in the ministerial meeting of the nations that make up the “Five Eyes” intelligence community comprising Australia, Canada, New Zealand, the United Kingdom and the United States. These developments seem to suggest that law enforcement agencies all over the world are making a concerted effort to eliminate encryption-based privacy technologies.
In Mackey’s view, due to the growing number of data breaches in the world today, there is a steady increase in the volume of data protection legislation being set into motion. These legislative efforts aim to limit the range of data that businesses can collect while increasing the security of any sensitive information that businesses process and retain.
However, even though it may be appealing for governments to attempt to limit the use of encryption technologies under the auspices of reducing criminal activity, the situation around EncroChat clearly shows that criminal groups can easily create their own workarounds if the need arises. In this regard, the recently tabled Lawful Access to Encrypted Data Act — which would require companies to implement ways to decrypt data upon court order — could become a viable way through which a fine balance between regulation and encryption could be established.
That being said, Chris Hauk, a consumer privacy advocate as well as author for Pixel Privacy, an online privacy and security blog, believes that no government agency should ever have the legal right to outlaw encrypted messaging platforms. Furthermore, he believes that providing any sort of backdoor access to law enforcement agencies could end up opening new avenues for bad actors to exploit, thus defeating the primary goal of any encrypted messaging platform.
Collaboration between governments and service providers possible?
While the idea of encryption service providers and government agencies coming to a common consensus on handling privacy-related matters sounds like a perfect outcome on paper, in actuality, such a vision seems far-fetched because any review of “harmful content,” by default, requires platform operators themselves to have direct access to their customer information.
Moreover, once such a backdoor is opened, there will be nothing stopping governments from having the ability to go through everyone’s personal correspondence under the guise of public safety — something that has already been suggested by whistleblower Edward Snowden and his team. Leaks in recent years have showcased how governments all over the world, particularly the United States, have been proactively working with tech companies to harvest data in a totally indiscriminate manner.
It’s also worth mentioning that implementing a blanket ban on end-to-end encryption isn’t really possible. While certain legal roadblocks can definitely be deployed, if developers continue to use and devise apps using the technology, there’s not much that anyone can really do. Thus, in essence, government agencies should try and come to an agreement with businesses running such services in order to curb illegal activities on their platforms.
Lastly, providing his point of view on this situation, Chris Howell, co-founder and chief technology officer of Wickr, a messenger with end-to-end encryption, told Cryptox that any encryption service can be used for good or bad.
Although it is disappointing every time that criminals exploit privacy-oriented messengers for their personal gains, he does believe the answer is not to ban such services or destroy encryption, privacy and security for everyone through the use of backdoor gateways. He said, “Our ability to protect data and intellectual property from these same bad actors via strong encryption, solid security products, etc. does far more good for mankind than harm,” adding that:
“I think when a service has privacy and security issues, its legitimate users suffer far more than its bad actors. Of course, no legitimate service wishes to be a haven for bad actors. Most of us expend significant resources honoring law enforcement information requests and believe it is our responsibility to do so. But the reason we build things is for customers and their needs, and I’m not hearing a lot of them ask us to weaken our security so that bad actors might suffer.”