By Gail Kent, Facebook Global Public Policy Lead on Security
Hard Questions is a series from Facebook that addresses the impact of our products on society.
End-to-end encryption is a powerful tool for security and safety. It lets patients talk to their doctors in complete confidence. It helps journalists communicate with sources without governments listening in. It gives citizens in repressive regimes a lifeline to human rights advocates. And when sensitive information is end-to-end encrypted, a cyber attack aimed at revealing private conversations is far less likely to succeed. But like most technologies, it also has drawbacks: it can make it harder for companies to catch bad actors abusing their services or for law enforcement to investigate some crimes.
I joined Facebook after two decades with the British National Crime Agency working on international investigations. My job was to work with law enforcement agencies around the world — including Interpol and Europol — to study how criminals communicate with each other.
We used encryption on a daily basis. It made it possible to communicate securely within our own organization as well as with other agencies and sources in the field. But it could also create challenges in obtaining evidence. So I have experienced the trade-offs of encryption firsthand. Yet I feel strongly that society is better off with it.
How It Works
End-to-end encryption is used in all WhatsApp conversations and can be opted into in Messenger. End-to-end encrypted messages are secured with a lock, and only the sender and recipient have the special key needed to unlock and read them. For added protection, every message you send has its own unique lock and key. No one can intercept the communications.
From my law enforcement days, I understand the frustration of this technology, especially when a threat may be imminent. And now that I’m at Facebook, which owns WhatsApp, I hear from government officials who question why we continue to enable end-to-end encryption when we know it’s being used by bad people to do bad things. That’s a fair question. But there would be a clear trade-off without it: it would remove an important layer of security for the hundreds of millions of law-abiding people that rely on end-to-end encryption. In addition, changing our encryption practices would not stop bad actors from using end-to-end encryption since other, less responsible services are available.
While some officials publicly acknowledge the benefits of end-to-end encryption, they simultaneously push for work-arounds that would allow them access to at least some information. A report by the Electronic Frontier Foundation earlier this year identified an effort, likely by a foreign nation, to trick people into installing spoof versions of messaging apps for intelligence purposes. And proponents of so-called “backdoors” imagine a hidden way of bypassing encryption, somehow accessing only the conversations of suspected criminals or terrorists while continuing to protect everyone else.
But cybersecurity experts have repeatedly proven that it’s impossible to create any backdoor that couldn’t be discovered — and exploited — by bad actors. It’s why weakening any part of encryption weakens the whole security ecosystem. And we rely on open source encryption protocols, encouraging people — and governments — to test the security of our systems. This constant auditing is another reason why decrypting certain conversations on behalf of governments, even if legal under local law, would not go unnoticed.
Working With Governments to Keep People Safe
My work involves working with government and law enforcement agencies to help keep people safe.
While we can’t access encrypted conversations, WhatsApp does have some limited personal information about users that it collects in order to provide its service. When we get valid legal requests, WhatsApp has shared these details to help law enforcement close in on a suspect. To help them understand, WhatsApp has hosted a number of training sessions around the world, including in Europe and Brazil, for the police, judges and others. And we plan to host more sessions in the coming months.
WhatsApp’s response to an emergency request from law enforcement in Brazil helped rescue a kidnapping victim — and in Indonesia, it helped law enforcement prosecute a group spreading child exploitive imagery.
When it comes to encryption services, we know that working with governments can be controversial. But we believe it’s part of our broad responsibility to the communities we serve, so long as it’s consistent with the law and does not undermine the security of our products. Twice a year, we release a Transparency Report laying out every government request we get across Facebook, WhatsApp, Instagram and Messenger. We scrutinize each request for legal sufficiency and challenge those that are deficient or overly broad.
We’re constantly working to make sure that people understand how they can control their privacy and security. This means explaining both the strengths and limitations of end-to-end encryption so people can make the choices best for them.
For example, if someone gains access to your device they will be able to see your messages. End-to-end encryption does not provide protection should you decide to download a chat to your computer or back it up to a cloud provider. Businesses you communicate with also may use other companies to store, read or respond to messages. Some technologies are better than others in supporting your privacy in these scenarios.
The debate around end-to-end encryption won’t and shouldn’t end anytime soon. People need secure ways to communicate and strong safeguards against everyday threats. We believe both of these goals can be achieved, and that end-to-end encryption need not be compromised in the process.