What the FBI wants you to know
Preview: RightsCon 2025, Taipei and online (February 24-27, 2025). I'll be hosting two sessions:
- Roundtable with Privacy Regulators (from the Five Eyes!)
- CEOs of the NEW social media.
I'm really looking forward to connecting with the human rights community in the new year. If you're planning to go, please get in touch about encryption, social web and delicious eating adventures.
Please subscribe to the weekly IXP newsletter!
What I want you to know
- W3C publishes a blog post about their Ethical Web Principles. https://www.w3.org/blog/2024/ethical-web-principles-building-a-better-web
- What happened to #chatcontrol and will your encrypted messages remain private? https://www.project-syndicate.org/commentary/eu-encryption-privacy-protections-csar-debate-by-marketa-gregorova-2024-12?h=iWke6VetNUFog9hr7Dv119M%2fKZ%2bguQ%2fBtxrsoPCFXuI%3d&
- From CDT: "Victims of Non-Consensual Intimate Image Sharing Deserve Help. Let's Build an Effective Takedown System (That Doesn't Break Encryption)": https://cdt.org/insights/ndii-victims-deserve-help-lets-build-an-effective-takedown-system/
- Jigsaw research on 4 applications of LLMs for digital public squares: collective dialogue systems, bridging systems, community moderation, and proof-of-humanity systems, both the promises and perils: https://arxiv.org/abs/2412.09988
- "Digital Governance Needs the IGF More Than It Needs a New UN Office for Digital and Emerging Technologies." https://www.techpolicy.press/digital-governance-needs-the-igf-more-than-it-needs-a-new-un-office-for-digital-and-emerging-technologies
- David Kaye's excellent take on the Cybercrime Treaty and transnational repression: https://www.techdirt.com/2024/12/16/un-cybercrime-treaty-a-trojan-horse-for-transnational-repression
- The Open Tech Fund is supporting a cross-platform implementation of MASQUE (Multiplexed Application Substrate over QUIC Encryption), an IETF standard. https://www.opentech.fund/projects-we-support/supported-projects/invisv-masque-a-fast-cross-platform-transport-method-to-obscure-traffic
- With Iran in an energy crisis, read about their internet access crisis, too: https://www.forbes.com/sites/cyrusfarivar/2024/12/18/inside-irans-thriving-black-market-for-starlink-terminals
- Russia Tests Nationwide Internet Isolation With RuNet https://evrimagaci.org/tpg/russia-tests-nationwide-internet-isolation-with-runet-89574
- There is legal pushback against the £330 million Palantir NHS Federated Data Platform. https://www.foxglove.org.uk/2023/11/30/legal-action-palantir-nhs-federated-data-platform
- US considers banning TP-Link routers over cybersecurity risks. https://www.bleepingcomputer.com/news/security/us-considers-banning-tp-link-routers-over-cybersecurity-risks
- French court refuses to expedite trial of Sky ECC cryptophone distributor. https://www.computerweekly.com/news/366617360/French-court-refuses-to-expedite-trial-of-Sky-ECC-cryptophone-distributor-Thomas-Herdman
- Human Rights Watch is hiring an Operational Security Advisor. https://job-boards.greenhouse.io/humanrightswatch/jobs/7766196002
- Measurement Lab is hiring a contractor to develop a measurement tool, the Internet Quality Barometer (IQB). https://job-boards.greenhouse.io/codeforsciencesociety/jobs/4608977007?gh_jid=4608977007
- ICYMI (2023): Snowflake, a censorship circumvention system using temporary WebRTC proxies. https://www.usenix.org/system/files/sec24fall-prepub-1998-bocovich.pdf
The FBI Wants You to Know it Has Not Changed its Position on Encryption. And That’s a Problem.
Following my panel at the IGF this week, I wrote for Tech Policy Press.
The debate over encryption is at an important juncture. Yesterday, the US Cybersecurity and Infrastructure Security Agency (CISA) delivered unambiguous guidance to users, stating that the best practice for your devices and online accounts is to “use only end-to-end encrypted communications.” This reinforces the guidance given to companies by the US government (including CISA, the FBI, and the NSA) and Australia, Canada, and New Zealand on Dec. 3, 2024, on how to better secure communications across services that don’t yet interoperate like iMessage and Android Messages. This was so shocking to so many people that Snopes wrote a fact check on it.
But at an important meeting of experts this week in Saudi Arabia, an FBI official appeared to take a different view, one that suggests the FBI’s perspective on encryption has shifted very little. The annual UN Internet Governance Forum happening in Riyadh this week was a crucial moment to talk about encryption, and the FBI convened a panel to discuss encryption in the context of child safety, on which I spoke alongside other experts from the UK, Australia, New Zealand, and the US. During the session, FBI section chief Katie Noyes said, “We are very supportive of encryption technologies. We just want them to be managed in a way, much like in telecommunications.”
Similarly, in a video posted by the agency two weeks ago, FBI Assistant Director Bryan Vorndran said, “The FBI has been really, really consistent about our stance on lawful access encryption. We're actually big, big supporters of it, but it has to be reasonably responsibly managed so that we can get what we need on the other side.”
These views are not just held by American officials. Dan Suter, a civil servant who has worked for the UK, Australian, and New Zealand governments, used yesterday’s IGF panel to say, loud and clear, “We need the content!” Presumably, that’s because you can’t put people in jail based on metadata. Despite massive gains in the field of trust and safety, Suter also made it clear he rejects user reporting as a viable measure to combat online abuse. With little time for solutions, fully homomorphic encryption might have been suggested but wasn’t explained or defined for the purposes of common sense policy-making. There has been solid technical progress, but it’s from more than two years ago.
Given everything that happened in 2024, the fact that these perspectives seem so firmly held is disappointing. The FBI, and the other Five Eyes agencies, should have reconsidered their position on the basis of events from the last quarter alone:
- October: The Salt Typhoon hack put the risk of encryption backdoors in lights. Chinese hackers exploited the backdoors in the telecommunications network Noyes referred to, provisioned by the Communications Assistance for Law Enforcement Act (CALEA). Though it is unclear whether lawful intercept capabilities were the main vector or main target of the hack, they were certainly leveraged in the attack, which is still ongoing. At the very least, it shows that if you build these backdoors, they become the first place adversaries will start looking for ways to exploit a communications system. As my former colleague, Freedom of the Press Foundation senior advisor Caitlin Vogus, so eloquently wrote, “Perhaps if senators and representatives were less worried about grandstanding and more worried about confronting the actual national security threats that China poses to our country, they would have taken a serious look at the backdoors that are threatening Americans’ private data.”
- November: Also this year, the end-to-end encrypted application Session left Australia’s legal jurisdiction over fears that law enforcement would ask it to backdoor its software. This would seem very counterproductive to Australia’s investigations, since authorities now do not have jurisdiction to get access even to the metadata that Session might have been able to give them. Other operators of encrypted platforms may similarly choose to leave markets where they believe they must make tradeoffs over users’ privacy.
- December: As if these weren’t enough reasons to put backdoors behind us, the proposed #chatcontrol legislation in Europe was halted, potentially for the third and hopefully the last time in 2024 alone. In total, it will be nearly three years that the EU Home Office has been stalling common-sense protections for children's rights because of the provision to mandate backdoors. European Digital Rights head of policy Ella Jakubowska wrote, “Surveillance extremists have been the reason child protection regulations have stalled for years.” Law enforcement and the intelligence community have been “using” children as an excuse to break encryption for the past several years (dubbed Cryptowars 3.0), which has done a disservice to children. The E2EE backdoor mandate and other issues like age verification have been extremely unpopular. In 2024, we saw innumerable statements against mandated encryption backdoors from the Internet Architecture Board, the scientific community, and human rights groups.
The FBI’s own IGF session, billed as a chance for dialogue on encryption to move forward work on child safety, would have been a perfect occasion for them to introduce an evolved position. But that would require the conversation to have evolved. This is not the first time the FBI has invited an open and platformed dialogue on encryption: in 2022, I joined Darrin Jones, the FBI’s Executive Assistant Director for its Science and Technology Branch, at an IGF session hosted in the US to talk about the exact same thing, child safety. Two years on, and after many changes to the political and technical world, the FBI hosted a version of the same tedious conversation in Riyadh.
Clearly, the FBI isn’t afraid of a public dialogue on encryption. In fact, it’s a core tactic. And yet it would appear that officials saw this week’s panel as a chance to set the record straight: they made sure that everyone knows that their position on end-to-end encryption, in no uncertain terms, has not changed whatsoever. And that’s a huge problem.
The FBI should consider changing its stance so we can actually move forward to protect children, protect privacy, and protect communications with ubiquitous, strong encryption. In the meantime, trusted public interest and industry providers of E2EE are going to get back to work providing strong encryption to everyone, interoperably across all services, using open standards. That, at least, is helpful and unambiguous advice from the US government, even if everyone already knew it.