The FBI Says Warrant-Proof Encryption Is A Public Safety Problem - Here's What It Means

The FBI is vocally upset that tech companies won't make it easier to seize your private messages and data. That's made clear in a blog post from the agency decrying what it refers to as "warrant-proof encryption." You may know this technology better as end-to-end encryption, or E2EE. It's the reason your texts on iMessage or Google Messages can't be stolen by attackers if Apple or Google get hacked. It's a tool that allows journalists to report on those in power while keeping sources protected, and it allows political dissidents living under oppressive regimes to organize. But according to the FBI, it's stopping the agency from prosecuting "child molestation, human trafficking, and murder." The agency also appears to apply the term to on-device encryption that prevents phone thieves from getting past your lock screen.

End-to-end encryption protects your data as it travels between devices. For example, if you send a text on iMessage, only you and the recipient can see that message. If a rogue Apple employee or a sophisticated hacker breaching Apple's servers were to capture it, they would only see a bunch of gobbledygook. Or, as the FBI succinctly puts it, "Warrant-proof encryption prevents anyone other than end-users or device owners from seeing readable, decrypted digital content." For users, end-to-end encryption is a crucial component of digital security and safety. For the FBI and other law enforcement agencies, it's the reason they can't make Apple turn over the contents of your iPhone when they investigate you. Even if the feds have a warrant, all Apple (or any encrypted provider) can do is shrug because they don't have the data being requested. As you may imagine, the FBI dislikes this state of affairs.

What the FBI doesn't mention: when they're frustrated, so are hackers

The clearest-cut example of the encryption dilemma in action remains a mass shooting case from 2015. A gunman in San Bernardino, California, opened fire at a social services facility, killing 14. The FBI swooped in to investigate, but could not gain access to the shooter's encrypted iPhone. The FBI then publicly demanded that Apple create a tool to break its own encryption so agents could search the smartphone.

Apple refused the FBI's request, and for good reason. Any backdoor created in popular encrypted messaging apps, even if intended only for use by law enforcement, would be a deliberate hole in that encryption. The FBI might be the only entity with knowledge of that vulnerability, but someone else would eventually find it – and that someone could be anybody, from an identity thief or a pervert to a state-sponsored threat actor from a hostile power like China or Iran. Had it given the FBI a backdoor to the iPhone, Apple would likely have been inundated with similar requests from governments around the globe.

The FBI claims it doesn't want to harm encryption standards. However, it is either confused or disingenuous. In its own words, the agency says, "The FBI is a strong advocate for the wide and consistent use of responsibly managed encryption — encryption that providers can decrypt and provide to law enforcement when served with a legal order." That's an oxymoron. If a provider can decrypt the data, then it is not truly encrypted. The FBI's position is analogous to demanding that every front door have a master key, which the lock manufacturer can hand out when served with a warrant. In either scenario, you're creating a centralized point of failure for everyone who relies on that security.
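The single-point-of-failure argument above, sketched as an added example that is not part of the original article or any vendor's code: one message sent end-to-end, then the same scheme with a second copy of the message key wrapped for the provider. The group parameters, the HMAC-based cipher and the names `send`, `read` and `provider_breach` are constructed for illustration only.

```python
import hashlib, hmac, secrets

# Illustration-only Diffie-Hellman group and cipher, constructed for this
# example; real messengers use audited libraries (e.g. X25519 with an AEAD).
P, G = 2**255 - 19, 2

def prf(key, label, data):
    return hmac.new(key, label + data, hashlib.sha256).digest()

def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def shared_key(my_priv, their_pub):
    return hashlib.sha256(pow(their_pub, my_priv, P).to_bytes(32, "big")).digest()

def xor_stream(key, nonce, data):
    blocks = (len(data) + 31) // 32
    stream = b"".join(prf(key, b"S", nonce + i.to_bytes(4, "big")) for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = xor_stream(key, nonce, plaintext)
    return nonce + ct + prf(key, b"T", nonce + ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, prf(key, b"T", nonce + ct)):
        raise ValueError("wrong key or tampered ciphertext")
    return xor_stream(key, nonce, ct)

def send(msg, recipient_pub, escrow_pub=None):
    """Build the record the provider stores and relays for one message."""
    eph_priv, eph_pub = keypair()
    msg_key = secrets.token_bytes(32)
    record = {"eph_pub": eph_pub, "body": seal(msg_key, msg),
              "for_recipient": seal(shared_key(eph_priv, recipient_pub), msg_key)}
    if escrow_pub is not None:  # provider-decryptable design: second key copy
        record["for_escrow"] = seal(shared_key(eph_priv, escrow_pub), msg_key)
    return record

def read(record, priv, slot="for_recipient"):
    msg_key = unseal(shared_key(priv, record["eph_pub"]), record[slot])
    return unseal(msg_key, record["body"])

def provider_breach(records, stolen_priv):
    """What an intruder holding the provider's stored key can read."""
    return [read(r, stolen_priv, "for_escrow") for r in records if "for_escrow" in r]
```

In the end-to-end case the provider's records contain nothing its own key can open; in the escrow case one stolen key opens every user's messages, whoever they were addressed to.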

Law enforcement agencies are finding clever ways to get around encryption

While the FBI and other law enforcement entities publicly balk at end-to-end and on-device encryption, they're quietly developing ways to circumvent it, and privacy advocates are sounding the alarm.

Currently, the most effective workaround appears to be dredging up a device's push notification data. When you receive an encrypted message, you receive a notification from your device. Oftentimes, that notification contains the text of the message along with a preview of any media attached. While the app itself and communications therein may be encrypted, law enforcement has figured out that the notification data is a separate and substantially less secure attack surface. The only way to protect against notification scraping is to turn off content previews in your device's notification settings, which means you'll have to tap into each notification to see what's happening in the group chat.

Meanwhile, the FBI has acquired third-party tools to crack a phone's encryption, as have other agencies – including the Department of Homeland Security. Once a state-level actor has obtained your smartphone, laptop, or other device, you should assume it's been breached. It's one reason why you should never voluntarily hand your phone to a law enforcement officer. And the FBI itself has warned that Russian agents are compromising devices by sending messages containing encryption-breaking malware over applications such as Signal.

The hard truth is that the cost of reduced privacy for even the most dangerous criminals is reduced privacy for everyone. In a twist of irony, breaking encryption for criminals only provides more opportunities for crime.
