
Facebook, WhatsApp Will Have to Share Messages With U.K.? - phissk
https://www.bloomberg.com/news/articles/2019-09-28/facebook-whatsapp-will-have-to-share-messages-with-u-k-police
======
wcathcart
We were surprised to read this story and are not aware of discussions that
would force us to change our product.

We believe people have a fundamental right to have private conversations.
End-to-end encryption protects that right for over a billion people every day.

We will always oppose government attempts to build backdoors because they
would weaken the security of everyone who uses WhatsApp including governments
themselves. In times like these we must stand up both for the security and the
privacy of our users everywhere. We will continue to do so.

Will, Head of WhatsApp

~~~
rdl
If so, sounds like someone from FB Legal and the SEC should have Words with
Bloomberg. Wouldn't be the first time they've intentionally maliciously
misrepresented/lied about an infosec issue to the detriment of a company in
order to move the market (Supermicro "grain of rice"...)

~~~
2arrs2ells
Looks like more crappy security reporting from Bloomberg:
[https://twitter.com/alexstamos/status/1178308065268920320](https://twitter.com/alexstamos/status/1178308065268920320)

------
brenden2
If the source code isn't available for audit by 3rd parties (or yourself), and
you can't build it from source, then it was never really "secure" anyway. What
lawmakers do or don't say is just noise.

Platforms that rely on trust (in this case, trusting that FB isn't doing bad
things) provide very weak guarantees about privacy/security. They could easily
include a keylogger in WhatsApp and bypass the e2e encryption, for example,
and us regular folk have no way of knowing.

~~~
londons_explore
The Whatsapp binary is sufficiently transparent to enable someone determined
to write their own client. That's enough info for an expert to verify their
"messages are end to end encrypted and we don't know the key" claim.

The fly in the ointment is the client might have additional functionality to
leak the e2e encryption key. That is far harder to find, but if its use were
widespread, it would be found by researchers.

The whole point is moot though - whatsapp is designed to (by default) upload
cleartext chat logs to google/apple servers. Since all chats have 2+
recipients, the conversation is only safe from snooping if _nobody_ in the
chat has backup enabled, which is unlikely.

~~~
brenden2
Yep, the chat log backup basically renders WhatsApp completely insecure. They
also constantly nag you inside the app to enable it. This is how they caught
Michael Cohen (and presumably others). Unfortunately Signal does it, too.

~~~
gsich
Signal's backups are encrypted.

~~~
vbezhenar
How are they restored? Is it password-encrypted?

~~~
henryaj
Yes, you're given a random password when you enable backups that you need to
use when restoring. They don't get uploaded to the cloud. On iOS there's no
backup feature at all AFAIK.

------
nindalf
Yes, this is something that literally everyone who reads HN will oppose.
Meanwhile do you hear the deafening silence from the average Joe who thinks he
has "nothing to hide"?

Don't hate the politicians who keep pushing this. They're just trying not to
get fired. And the surest way to get fired in a western country right now is
to be _seen_ doing nothing about the terrorism problem and then having
terrorist acts committed under your watch. So the politician asks the security
forces "what can we do to stop terrorism?" Security says "get us access to
messages of terrorism suspects". Seems reasonable, let's go ahead with it.

Yes, we know that it doesn't stop with terrorism suspects. Then law
enforcement wants to read the messages of drug kingpins, then drug suspects,
then shoplifters, then jaywalkers, then _everyone_ , just to be on the safe
side.

But as long as people are told that they need to give up some privacy in
exchange for security, they'll take the latter every time.

~~~
spo81rty
You are absolutely right. I also already assume the government can access
virtually anything I am doing anyways. I think we are all naive to believe
otherwise.

I also have nothing to hide :-)

~~~
Lutzb
My questions to people who say they have nothing to hide:

- what are the things you and your significant other are doing in the privacy
of your house?

- which co-worker do you fantasize about, be specific in what you like to do.

- As teenager what legal/illegal drugs did you consume. How often did you
pass out, who were the people you consumed these drugs with?

- What are your political leanings?

- How much do you earn, where are your savings invested in.

- Which illnesses do you currently have, which exist in your social circle.

- what private information was shared with you by other parties. Are you
aware of any wrongdoings/illegal activity by other people? Be specific esp.
friends and family.

Be aware that I will share this information with anyone in your social
group/work/volunteering work whenever I feel like it. I may also share this
data with extremist groups on the other side of the spectrum, if helpful.
Lastly I can use this data to fabricate "helpful" information about you if
necessary. Thank you.

~~~
Yajirobe
> Be aware that I will share this information with anyone in your social
> group/work/volunteering work whenever I feel like it. I may also share this
> data with extremist groups on the other side of the spectrum, if helpful.
> Lastly I can use this data to fabricate "helpful" information about you if
> necessary

Citation needed

~~~
Lutzb
East Germany pre unification.

Edit: upvoted you. Asking the question, if and when this happened is important
for further generations.

------
Gys
> Social media platforms based in the U.S. including Facebook and WhatsApp
> will be forced to share users’ encrypted messages with British police under
> a new treaty between the two countries, according to a person familiar with
> the matter.

This sounds as if the platforms are already sharing with the US authorities.
So this being about them sharing it now with UK authorities.

~~~
tiernano
If I'm reading that right, they are getting the encrypted messages, not the
decrypted ones. Either whoever wrote the article doesn't know the difference or
the uk police have been fucked over by the us...

~~~
semi-extrinsic
It's been true for a long time that since intelligence agencies aren't
supposed to spy on their own citizens, they agree to spy on each other's
citizens instead and subsequently share the data.

[https://en.wikipedia.org/wiki/Five_Eyes](https://en.wikipedia.org/wiki/Five_Eyes)

------
bobthepanda
The title is editorialized - it's not _just_ Whatsapp, it's all social media
platforms.

~~~
cwyers
And it's misleading -- the article and the article's headline say nothing
about adding a backdoor. There's not enough detail in the article to say
exactly how this decision will affect WhatsApp.

(The headline on Bloomberg, "Facebook, WhatsApp Will Have to Share Messages
With U.K. Police" is more restrained.)

~~~
smudgymcscmudge
On re-reading the short article, I realize it only says they will be compelled
to share "encrypted messages" and "information to support investigations". It
never says anything about decrypting the messages. If that is literally all it
is, then it is quite misleading.

~~~
ryeights
What use would ciphertext be to GCHQ? I’m fairly certain that “encrypted
messages” describes which messages they will have to provide in plaintext, not
the format they will come in.

~~~
Buge
Your interpretation is likely right. But it's interesting to consider the
other. Maybe they can get metadata from the ciphertext, such as size. Or maybe
they are just interested in other metadata such as time. Or maybe they have
some cryptographic attacks, maybe involving extracting a shared key from the
peer's phone, or key injection via sim spoofing.

------
Barrin92
From WhatsApp's official homepage, respectively
([https://faq.whatsapp.com/en/android/28030015](https://faq.whatsapp.com/en/android/28030015),
[https://faq.whatsapp.com/en/general/26000050](https://faq.whatsapp.com/en/general/26000050))

> WhatsApp has no ability to see the content of messages or listen to calls
> on WhatsApp. That’s because the encryption and decryption of messages sent on
> WhatsApp occurs entirely on your device. Before a message ever leaves your
> device, it's secured with a cryptographic lock, and only the recipient has the
> keys.[...]

> A search warrant issued under the procedures described in the Federal
> Rules of Criminal Procedure or equivalent state warrant procedures upon a
> showing of probable cause is required to compel the disclosure of the stored
> contents of any account, which may include "about" information, profile
> photos, group information and address book, if available. In the ordinary
> course of providing our service, WhatsApp does not store messages once they
> are delivered or transaction logs of such delivered messages, and undelivered
> messages are deleted from our servers after 30 days. WhatsApp offers
> end-to-end encryption for our services, which is always activated

Very interested to see what their response is and if their promise holds that
they do not have technical access to content but merely to account
information.

~~~
ComputerGuru
I’m _much_ more interested in the wording of “in the ordinary course,” which I
don’t think is just a quirk of the language and I believe it is an indication
that certain differing measures can take place after being compelled to
provide information.

~~~
likpok
The case law references records kept “in the ordinary course of business”.
Such records are admissible, other records are not (being hearsay).

[https://en.m.wikipedia.org/wiki/Business_records_exception](https://en.m.wikipedia.org/wiki/Business_records_exception)

------
GordonS
The idea that moves like this will "keep us safe" is utterly preposterous;
there are a multitude of other ways in which terrorists (or the boogeyman _de
jour_ ) could communicate - are the UK and US governments going to insist on
backdooring IRC, Slack and face-to-face conversations? Are they going to
outlaw encryption libraries?

I truly fear for the future that western governments, in particular the 5
eyes members, are hell-bent on creating. They denounce China and Russia for
their human rights records in one breath, and seek to strip us of privacy and
personal rights in the next - the hypocrisy is simply staggering.

What's perhaps even more frightening is that so many people believe that moves
like this are to keep us safe, _will_ keep us safe.

This can not end well...

~~~
blobs
The keeping safe argument from government is indeed preposterous. As if that
was their mission to keep us safe. Why are they allowing our nature to be
destroyed in favor of money/economy? This year's heatwaves killed many
thousands of people in Europe only, some estimates are in the tens of
thousands. This is real deaths in 1 year, not because of terrorist attacks, no
fucking backdoor will stop this. And what are they doing? Measures that won't
make any difference. The cars will keep driving, the factories continue to
produce poisons. Pesticides will still be allowed for better economy at the
cost of entire insect species being wiped from this planet in just a few
decades. The list goes on and on. It is so sad that I don't really want to
listen to politicians anymore. They are the only ones who can change things by
law, not me. And what law are they coming with for my safety? A backdoor for
Whatsapp and Facebook.. We better ignore all this shit and try to enjoy our
little lives for as long as it will last.

~~~
grawprog
>They are the only ones who can change things by law, not me.

I had this thought yesterday as I read about several prominent politicians in
Canada, including the prime minister, actively participating in the climate
'protests' that occurred yesterday. Who were they out there protesting?
Themselves? They're the ones with the power to change things. Why were they
outside with signs instead of in their offices doing something about it?

~~~
qroshan
Not all politicians have equal power. In the US, the nominations of important
positions, the laws and policies are determined by 20 Senators in GOP.

Those 20 senators (from Alaska, Missouri, Arkansas) are answerable to the
demands of their constituents. Those people are not asking for Climate Change
Policies. It has nothing to do with money, but the values and culture of the
constituents.

It is incredible how HN and majority of the supposedly 'smart' crowd
completely fail to understand the dynamics of how policies and laws are passed
or made in this country or anywhere else.

It is also incredibly stupid to paint all politicians with the same brush,
because if you are an immoral, evil politician you'd exactly want that
situation. "All politicians are the same", "All media is the same" is the
foundational strategy of bad actors.

~~~
alexilliamson
It has nothing to do with money? How are the values and culture of those
constituents determined, if not through vast sums of money spent on
propaganda? Protecting the earth - not shitting where you eat - is an
inherently sensical idea. The only way that people can align themselves
against such an idea is when they are manipulated to believe it is part of a
broader conspiracy to ruin their lives. It takes a lot of money.

Also, so what if the bad actors want us to believe that all politicians are
the same? What if it were true that they're all the same and evil? Would it
still be "incredibly stupid" to accurately assess the state of affairs?

------
sandworm101
>> while the U.S. won’t be able to use information obtained from British firms
in any cases carrying the death penalty.

Lol. So I guess it cannot be used for actual terrorism. They can use it up
until an act of terrorism occurs. Then, now that murder charges are on the
table, they cannot use the same data source to catch the perpetrators? The US
isn't going to waive the death penalty on every terror case. That isn't
politically possible.

We have to just admit that US laws are increasingly incompatible with those of
the rest of the world. Treaties are getting harder and harder to reconcile.
The US needs to back off its departure from international norms.

~~~
tboughen
But it can facilitate parallel construction in cases mandating the death
penalty.
[https://en.m.wikipedia.org/wiki/Parallel_construction](https://en.m.wikipedia.org/wiki/Parallel_construction)

------
nabla9
Nowhere in the article is backdoor mentioned. Only sharing data that is
encrypted.

US and UK governments can't just force FB to add backdoor. It would require new
legislation. FB must play ball for that to happen.

Since WhatsApp has forward secrecy and end-to-end encryption, giving access to
encrypted data is not easy to use. There might be some useful metadata that
helps though.

~~~
shostack
There's also value in storing and archiving encrypted data because at some
point in the future technology may enable them to decrypt it. Certain
communications could prove quite valuable, even if old.

~~~
Nasrudith
Having a large base of encrypted messages to work from is essentially a
prerequisite for pattern analysis related attacks and finding weaknesses.

------
A4ET8a8uTh0
I am weirdly.. giddy about this development. The more governments try so hard
to publicly force companies to, effectively, mandate backdoors, the more
public will be aware of it. Added benefit is that FB will lose some market
share.

The sucky part is.. my mom loves Whatsapp. She was able to use it wo any
issues. There are few alternatives that she was able to use so easily.

All that said, I wonder. What is the breaking point for people surveillance-
wise? I was so wrong a lot about the tolerance already..

~~~
fsloth
Unless your mom is planning to involve herself in illegal activities I don't
see a problem. Most electronic communication channels are compromised anyway.
If you don't want eavesdroppers, don't use electronics.

~~~
jedberg
> Unless your mom is planning to involve herself in illegal activities I don't
> see a problem.

I assume you'd be happy to post all your credit card receipts and emails for
all of us to see then. You're not doing anything illegal, right? That would be
the only reason you don't want those things to be visible.

~~~
hnthrow0693
What exactly leads you to believe that posting your credit card number on
hacker news is somehow equivalent to not being outraged by the U.S. sharing
_encrypted_ messages of suspected terrorists with the UK? Let’s not pretend
the world is so black and white.

~~~
jedberg
I was arguing against the idea of "if you're not doing anything wrong you have
nothing to hide".

It's a bad attitude to have because allowing the government to have that power
at all is a problem, even for terrorists and murderers and pedophiles. Because
we don't know if people are those things until we investigate them, which
means the government gets broad powers to investigate people to look for those
kinds of crimes, and maybe find other people they want to get for other
reasons.

I used to investigate computer crime. Yeah, my job would have been a lot
easier if I had unlimited access to anyone's email. But instead I had to
investigate and build a case without privileged access. It was harder, but I
was glad that the system couldn't be abused.

Why should governments or law enforcement have privileged access?

~~~
Sammi
Also because "good" democratic governments that respect human rights and
personal freedoms deteriorate to oppressive tyrannies all the time. What's to
say that your country won't?

Who'll protect you when they come knocking on your door to talk about that
thing you posted about somewhere online, which used to be quite legal and no
problem, but now is super illegal for some oppressive reason or another?

    
    
        First they came for the socialists, and I did not speak out—
    
             Because I was not a socialist.
    
        Then they came for the trade unionists, and I did not speak out—
             Because I was not a trade unionist.
    
        Then they came for the Jews, and I did not speak out—
             Because I was not a Jew.
    
        Then they came for me—and there was no one left to speak for me.

------
fossuser
Without more details I’m pretty skeptical, currently WhatsApp metadata gets
turned over in warrant requests but no message content (metadata includes the
times messages were sent and who they were sent from/to).

It’d be a big deal to force FB to modify WhatsApp for message content
interception and I think it’d be challenged in court.

------
AnssiH
Is there any more detailed info out there?

I would expect such an accord between countries to enable data sharing, not
force companies to record more data. So I'm sceptical of the article's claim
for now.

~~~
Pete_D
(disclaimer, speculation) The Times article says this has been in progress for
four years, so I suspect that this is the culmination of
[https://wiki.openrightsgroup.org/wiki/UK-US_Bilateral_Agreem...](https://wiki.openrightsgroup.org/wiki/UK-US_Bilateral_Agreement_on_Data_Access).
Which was originally planned to be
encryption-neutral, but maybe things have changed in the past two years.

------
jarjoura
Why is this article Facebook focused? Is this click-bait? Telegraph and
iMessage also support unbreakable end to end encryption.

Also, if we're talking backdoors, why not just force Apple to unlock devices
so that police can just read the messages in WhatsApp directly? That's
something I could get behind as it means the intelligence community has to at
least have the physical device on hand.

Do people have actual links to this treaty they're about to sign and what the
exact wording is? I remember there being this 5-nation meeting in the summer
with Canada and Australia that was specifically looking to lobby Facebook to
open WhatsApp. Haven't seen anything new since.

~~~
OrgNet
> [...] has to at least have the physical device on hand.

not really since most of them are connected 24/7

------
burtonator
Here is what is most frightening.

So let's say this law passes BUT someone builds a really good open-source
messenger.

You can't install it now because you can't side-load apps on devices.

You alpha geeks can but the other consumers can't.

What we need is a law requiring some type of side loading.

It needs to be possible to go to a website, and install an app there directly
and have it support all of the native platform features.

~~~
Erlich_Bachman
> You alpha geeks can but the other consumers can't.

Isn't it literally enabled by 1 simple setting in developer options on an
Android device?

------
markstos
When the article says "share users’ encrypted messages", it's not clear if
it's referring to the messages in their encrypted state, or is referring to
messages that have been decrypted before sharing.

------
jchw
Does anyone have any advice for what platform might be best to migrate to? I'm
not overly concerned with group E2E, but it is a nice-to-have. Telegram and
Discord seem like two of the most practical options, Keybase and Matrix seem
like two of the most ideal from a security standpoint. I wonder what offers
the best cross-section of features and user experience.

~~~
coolspot
Telegram is not EtE encrypted by default. Only special “private chats” are and
they are unavailable on desktop.

~~~
jchw
Yeah, I am aware of that. E2E isn't necessarily a hard concern, but E2E with
backdoors actually feels worse to me than just not having E2E to begin with (I
_do_ wish Telegram were less misleading about this issue, however.)

------
jka
Going by the original Sunday Times (UK publication) article[0], it looks like
this headline relates to _upcoming_ data sharing legislation which UK Home
Secretary Priti Patel[1], who took that office this July, is expected to sign
in October 2019.

It's worth putting scrutiny both on the UK's desire to create these backdoors
in social media apps (a path that many would argue could lead to eventual
exploitation and abuse of that backdoor by unintended parties), and also
WhatsApp's ability to deny the existence of such backdoors, now or in future.

[0] [https://www.thetimes.co.uk/article/police-can-access-suspect...](https://www.thetimes.co.uk/article/police-can-access-suspects-facebook-and-whatsapp-messages-in-deal-with-us-q7lrfmchz)

[1]
[https://en.wikipedia.org/wiki/Priti_Patel](https://en.wikipedia.org/wiki/Priti_Patel)

------
_emacsomancer_
A backdoor that will be exploited by criminal third-parties. Even if you
(against all sense and reason) trust the US and UK governments, this is a move
that will expose your data to criminals.

~~~
vbezhenar
Not necessarily. Simplest implementation is to use government public key to
encrypt session key and include that encrypted session key into a message. You
can implement it with open source code, yet only government who possesses
corresponding private key can decrypt the message.

I think that it'll be secure enough. If private company can keep their CA key
in secret, government can do that too. Hardware Security Module stored in
defended military place and guarded by soldiers, available for use only by
authenticating of the few key politicians.

~~~
_emacsomancer_
> only government who possesses corresponding private key can decrypt the
> message

Yes, that sounds like a secure system. Surely no private keys would ever leak
out of a government through incompetence or corruption.

------
kd3
Looking forward to what the people at Signal have to say about this.

------
Lordarminius
At what point did the world adopt the standard that all private communication
is government business ?

~~~
rocgf
As a lot of other things, it happened step by step, with the main catalyst
being 9/11. We somehow accepted that it's an acceptable trade-off to have no
privacy in the name of stopping "the terrorists".

"You're either with us, or a terrorist" Bush once said. And now we're at a
stage where it's acceptable to say things like "if you've got nothing to hide,
why are you so worried about this stuff?".

------
jarjoura
Ok, I'm starting to think this article is click-bait. There is no need for a
backdoor with WhatsApp because messages are stored on the device. If police
have the device on hand, they should be able to see the messages (assuming
they can unlock it.)

[https://www.facebook.com/safety/groups/law/guidelines/](https://www.facebook.com/safety/groups/law/guidelines/)

> International Legal Process Requirements

> We disclose account records solely in accordance with our terms of service
> and applicable law. A Mutual Legal Assistance Treaty request or letter
> rogatory may be required to compel the disclosure of the contents of an
> account. Further information can be found here.

~~~
DanBC
That would be overt surveillance, and the security services are claiming they
need the backdoor for covert surveillance.

------
formatkaka
Off the topic, how much can we trust the keyboard we are typing on (on
mobile). They probably collect everything we type.

Wow !! Just realized that.

~~~
stordoff
As Gboard used to demonstrate:

> Share snippets: Automatically share snippets of what and how you type in
> Google apps to improve Gboard [enabled by default]

------
johnisgood
Yes, this is exactly what I meant when I said that you either do what the
Government says, or you go down. This is why I do not believe statements of
privacy from Apple (such as we keep your data safe, 100% secure, etc.), for
example. If they really have no backdoors or any other ways for the Government
to access your data, then the Government would go after Apple. If the
Government were to request your data, they would hand it over, right? Is this
incorrect? If yes, why?

~~~
chillacy
Apple fought a court battle over this and won. If the government just beat the
CEO over with a rubber hose until they built in backdoors, why would they
bother publishing a public treaty or trying to amend the laws?

------
usgroup
I think the implication is just that Whatsapp has to hand over encrypted
messages ...

I'd imagine if the police are then in control of the target mobile they can
decrypt those messages.

Tbh, if my understanding is correct, I'm not sure I see any problem there.
It's targeted at specific individuals for good reason (presumably following a
warrant process) and requires both the messages (from Whatsapp) and the keys
(from the individual's device). What's the problem?

------
rvz
This is essentially a worrying prospect if these developments are actually
implemented or advance further. The users' trust in the social media service is
breached if a backdoor were to be placed in their products (It also defeats
the purpose of the end-to-end encryption argument). If you reside in the UK
and especially in London, things have just become 500% more Orwellian.

>Priti Patel, the U.K.’s home secretary, has previously warned that Facebook’s
plan to enable users to send end-to-end encrypted messages would benefit
criminals...

In London alone, it is not possible to pay for public transport with cash. A
debit card/oyster is required but for anonymous travel, an oyster can be
topped up via cash and reduces transport surveillance, unlike using credit /
debit cards. Their reasons for doing this because it "benefits criminals" is
echoing the "ban encryption" nonsense.

> The U.K. and the U.S. have agreed not to investigate each other’s citizens
> as part of the deal...

This I don't believe.

EDIT: Use an oyster card for public anonymous transport, refrain from using a
credit / debit card for this.

~~~
cosmodisk
I live in London. It has already gone way beyond of what Orwell could have ever
imagined. However, despite of all the surveillance, London is the crime capital
of the world. This is probably the best place for criminals, as unless you pull
a machine gun on a crowd, not much will be investigated.

~~~
gambiting
>>not much will be investigated.

I live in the UK and I feel like this is the crux of the issue. I am an active
member of a sports car forum in the UK and it's terrifying how little police
does in case of theft, even when the house was broken into to get the keys. If
you get someone to come out and write down a report that is a miracle in
itself - in 90% of cases you are just given a case number and told to speak
with your insurer, nothing is ever done. I know a guy whose Range Rover was
stolen, he reported it, no one came out - then few days later found it parked
in a car park nearby, he rang the police to tell them that he found his stolen
car, where it is, and asked if they want to come over and maybe catch whoever
comes for it (or you know, maybe take fingerprints and such)? Nah, he was told
that if he still has the key he can just take it, they don't have any officers
to actually come out anyway. I have friends who were robbed, burgled, and
literally nothing is ever done. There is zero police on the roads around where
I live, I'm actually surprised people still follow the rules of the road
because realistically, the chances of ever running into a police car are
somewhere around zero.

It just feels like police in the UK has been gutted to the point that unless
you are literally being shot/stabbed, there is not enough resources to
actually help or investigate anything. It's a shell of a functional service.

~~~
poooogles
>It's a shell of a functional service.

I can't say this in any less of a politically charged way but 10 years of
austerity will do that.

------
Nextgrid
Curious what this means for other end-to-end encrypted services such as
iMessage.

~~~
i_am_proteus
I'm equally curious what this means for Signal and any other open-source
encrypted services.

In the US, ITAR could hypothetically be used to make open-sourcing of
cryptographic algorithms illegal. This technique is used for robotics software
that could be dual-purposed for weapons guidance.

~~~
colejohnson66
> In the US, ITAR could hypothetically be used to make open-sourcing of
> cryptographic algorithms illegal.

Wikipedia has some good info re: export of cryptography[0].

In addition, two circuits (Ninth[1] and Sixth[2]) have ruled that source code
is protected by the First Amendment.

[0]:
[https://en.wikipedia.org/wiki/Export_of_cryptography_from_th...](https://en.wikipedia.org/wiki/Export_of_cryptography_from_the_United_States)

[1]:
[https://en.wikipedia.org/wiki/Bernstein_v._United_States](https://en.wikipedia.org/wiki/Bernstein_v._United_States)

[2]:
[https://en.wikipedia.org/wiki/Junger_v._Daley](https://en.wikipedia.org/wiki/Junger_v._Daley)

~~~
i_am_proteus
This case law only applies as long as the algorithm is not classified. As soon
as any Original Classification Authority classifies the algorithm, it falls
under a new category on the U.S. Munitions List and the government could then
restrict its distribution.

Obviously, classifying something that has already been open source just makes
it more difficult to use and numerous local copies will be retained, but it
does make further distribution illegal.

This is the only mechanism I can think of by which the US government could
kill Signal in its existing open-source form. It's ugly, but not unthinkable.

~~~
floatboth
Signal doesn't _have_ to be distributed from the US though (well, apk for
sideloading at least, app stores are US based..)

OpenBSD in the 90s used to emphasize that they're from Canada and have strong
crypto because of that.

------
cfv
> "The U.K. and the U.S. have agreed not to investigate each other’s citizens
> as part of the deal"

Sweet Jesus these people are insane

------
HashThis
US Citizens don't need to worry. All of your private information will be
turned over to the NSA / US Gov. If the US wants a US citizen's private info,
they just request it of the UK's intel services. The UK Intel services get it
from Facebook, and they then hand it to the US Gov. For your convenience.

------
cyphar
It's interesting this is even necessary -- Australia's legislation to this
effect passed last year could've been used just as easily (in combination with
the 5-EYES pact).

(As an aside, there was meant to be a parliamentary review of the Assistance
and Access Act earlier this year -- but I haven't heard anything about it.)

------
lttlrck
IMHO editorializing this as a ‘back door’ is inflammatory.

Users need to learn to not have any expectation of privacy when using social
networks. It extends far beyond PII leaks.

Perhaps complaints should be directed at the root of corruption/abuse of such
systems, at least as much as the capability itself. The capability is inherent
to the technology just as tapping a phone line is.

Telcos have to provide interception capabilities (CALEA in the US) or they are
not allowed to operate. This has been true for decades, most people do not
know how that works but they do know it is possible. As these social media
communications services become more entangled in our lives perhaps they too
could be deemed essential infrastructure and treated as utilities.

~~~
DanBC
I agree. The proposed law is a bit confusing. The UK already has forced key
disclosure under RIPA.

[https://www.legislation.gov.uk/ukpga/2000/23/part/III](https://www.legislation.gov.uk/ukpga/2000/23/part/III)

------
concordDance
> serious criminal offenses including terrorism and pedophilia

 _sigh_

"Pedophilia" is not a crime, child rape is.

------
zaro
I see some comments are raising this topic with nothing to hide.

But people on both sides, do you think it's OK for you to have nothing to
hide, but the government that rules you has something to hide?

For me it's not so much whether I hide something or not, but rather that if
I'll be living under nothing to hide paradigm then the people controlling that
should also live under the same. And actually not only the people but rather
the institutions. So if an institution is having access to all citizens data
that is being collected then the citizens should also have transparency on
each decision made and each cent spent by this institution at any time.

------
einpoklum
In other news: US, UK subjects agree to stop using WhatsApp in favor of
Telegram and Signal:

[https://telegram.org/](https://telegram.org/)

[https://www.signal.org/](https://www.signal.org/)

These are free software, not controlled by a giant corporation (although both
are limited liability companies; Telegram in London/Dubai, Signal in San
Francisco IIANM); with the developer/company not having unencrypted access to
your data.

~~~
damnyou
Telegram group chats are not e2e encrypted, while Signal is notorious for
being unreliable at actually delivering messages. Also, if you change your
phone number the official Signal recommendation is to manually tell all your
friends about the new number. WhatsApp just lets you do it.

I use both apps regularly but neither of them is perfect.

~~~
smcleod
Out of interest what is your citation for Signal being notorious or having
messages going missing?

Anecdotally speaking, neither I nor my friends that have been using Signal for
years have ever had any messages go missing, so I’m just interested as to why
you might be experiencing this.

~~~
damnyou
Every single person I know who uses Signal has complained about this. I'm glad
Signal is reliable for you but that is not our experience.

~~~
smcleod
Interesting! I just took a sample (be it small) of 5 people I speak with -
none of them have noticed this as a problem.

I wonder if it’s something like geography based? By chance are your contacts
mostly in the same country - if so which country?

Everyone I speak to on Signal is based in Australia, mostly in Melbourne but a
few in Brisbane and Sydney.

------
theobeers
Another reminder that there are no secure platforms; there are _protocols_
with (one hopes) the potential to be secure. The difference becomes more
important by the day.

~~~
Erlich_Bachman
There are more-or-less secure platforms (which are secure up until the point
where you literally try to blow up a whole country or something). It's just
that (oh shocker!) a closed-source platform held by a US corporate entity,
with a privacy history of Facebook no less - no that's not a good platform to
assume it will be secure. There are plenty of other much more secure options.

------
cosmodisk
There's a funny, rag-level newspaper in the UK, called DailyMail. I suggest
reading comments under the article about this, gives a good idea of how naive
people can be.
[https://www.dailymail.co.uk/news/article-7514787/Facebook-fo...](https://www.dailymail.co.uk/news/article-7514787/Facebook-forced-reveal-encrypted-messages-terror-suspects-paedophiles.html#comments-7514787)

~~~
noir_lord
Nothing funny about the Daily Mail, it's the mouthpiece of the reactionary
idiots on the right (there are just as many on the left before I get tagged as
a liberal) and has been for a century give or take.

This is the newspaper that had an editorial starting with "Hurrah the
Blackshirts".

[https://www.globaljustice.org.uk/blog/2017/oct/31/horrible-h...](https://www.globaljustice.org.uk/blog/2017/oct/31/horrible-history-daily-mail)

Other than using it as a way of keeping an eye on what some people in my
society will believe (because the Mail told them to) I see zero merit in its
continued existence.

It's a cancer with a masthead.

~~~
NeedMoreTea
The rest aren't much better.

The Express and Telegraph were right facing, honest but partisan newspapers
forty or fifty years ago. Now the Express is a racist comic, and since the
famously and comically reclusive Barclay brothers bought it, the Telegraph is
working on getting down to the Mail's level. The Mail are currently working on
buying the i.

There really isn't much left on the right that you can rely on. Which is
depressing considering most of our press is right leaning.

~~~
cosmodisk
That's why I read Financial Times, however even they started leaning towards
extreme left, instead of simply being a newspaper of facts with no political
bias.

------
tehjoker
Just a reminder that anytime they breach communications like this, it's
because they want to be able to spy on their own citizens in order to subvert
and control opposition political movements. For example, climate activism,
whistle blowers (e.g. Snowden, Reality Winner, the guy that talked about the
Ukraine deal if it wasn't an official CIA leak), animal rights, anti-
imperialists, etc.

------
pier25
Why would anyone wanting to exchange incriminating information use Whatsapp or
Facebook?

It seems this would only serve to catch the most stupid small-time criminals.

~~~
classified
In every comment thread where quitting Facebook is discussed I find commenters
saying they can't because Facebook is so indispensable for them. Maybe the
same is assumed for criminals?

------
johnisgood
Feels like the perfect time to read the "Anatomy of the State" by Murray
Rothbard. It is only 62 pages long.

You can find the book here:
[https://upload.wikimedia.org/wikipedia/commons/4/45/Anatomy_...](https://upload.wikimedia.org/wikipedia/commons/4/45/Anatomy_of_the_State.pdf)

------
lordnacho
Not my area of expertise but would it not be relatively easy for someone to
make their own app using open source and put it in an apk for ordinary phones?

I've messed around with the open source cryptography libs before and I don't
see why someone could not do that.

There's even a fair bit of advice about how not to misuse such libs.

------
mayop100
The title is inaccurate. This does not require a backdoor. The agreement
changes nothing about the use of encryption.

[https://twitter.com/mmasnick/status/1177979730932297728?s=21](https://twitter.com/mmasnick/status/1177979730932297728?s=21)

------
nairboon
So to which messenger should we finally switch to? Telegram, Signal, Threema,
Wire or some other newcomer?

~~~
OrgNet
matrix seems pretty good, but it is still young and buggy (at least with the
client that I use, riot.im)

~~~
ptman
What's buggy?

~~~
OrgNet
One example is that voice calls only ring on one side, sometimes (on the
calling side).

Another is that when some rooms get updated, you can get unread notices from
the old room and your client keeps telling you that you have new messages even
if you don't.

Another thing that I think should be considered a bug, is that when you enable
encryption in a room and you have multiple devices on the same account, you
have to approve all your devices separately so that they will be able to
decrypt the messages...

There are more bugs related to how the encryption process works and I stopped
using encryption because of it (some might have been fixed by now...)

~~~
ptman
The encryption things are being worked on. Encryption is still in beta. I
think riot fixed that problem with the unread notices. Have you reported the
bug about calls only ringing on one side?

------
ISL
Congress shall make no law respecting an establishment of religion, or
prohibiting the free exercise thereof; or abridging the freedom of speech, or
of the press; or the right of the people peaceably to assemble, and to
petition the Government for a redress of grievances.

~~~
jedberg
I believe the courts have ruled previously that your speech is not limited
just because the government has access to it. Otherwise wiretaps would be
illegal already. This is just an extension of wiretap law.

In both cases they need to be fought from another angle than freedom of
speech, because we've already lost that battle.

~~~
ISL
If I wish to send you, jedberg, a message that looks like:

C8hWgwo5YeC5ojiOaDe3JVaLev+3zaZDfRVTAjvqNCA=

("Jedberg is thoughtful.", encrypted with AES key jedberg).

I must be able to do so. To compel a backdoor is to make some speech illegal.

~~~
jedberg
The courts have already ruled that it’s ok to make speech illegal in the name
of public safety.

~~~
ISL
To me, C8hWgwo5YeC5ojiOaDe3JVaLev+3zaZDfRVTAjvqNCA= is a lot less harmful than
shouting "Fire!" in a crowded theater.

Banning C8hWgwo5YeC5ojiOaDe3JVaLev+3zaZDfRVTAjvqNCA= is akin to banning
shouting in a theater, for any purpose. In particular, the banning of
political speech is highly protected. One cannot readily show that
C8hWgwo5YeC5ojiOaDe3JVaLev+3zaZDfRVTAjvqNCA= is not political speech (and
indeed, here, it is).

------
ac2u
Mods: Is this title accurate? It makes it sound like an encryption back door,
but from reading it sounds more like social media companies being forced to
provide the cyphertext.

(with the authorities then being in a position to compel the end users to give
access to devices).

~~~
rahuldottech
> Social media platforms based in the U.S. including Facebook and WhatsApp
> will be forced to share users’ encrypted messages with British police under
> a new treaty between the two countries, according to a person familiar with
> the matter.

This might mean "...must share messages that are otherwise encrypted", it's
not completely clear from the language used.

------
m0dest
Mods, please fix the post title. The idea of a backdoor is speculation that is
not substantiated by the article.

"will be forced to share users’ encrypted messages with British police"

So far, all the article is saying is that _ciphertext_ will have to be shared.

------
jimnotgym
So we are back to using code words, one time pads etc?

This will do nothing except intrude on civil rights.

------
nradov
Is this literally a _treaty_ that will be submitted to the US Senate for
ratification and thus carry the force of law, or is it merely an executive
branch agreement on cooperation? Does anyone have a link to the actual treaty
text?

------
fortran77
Encryption is "munitions", right? I wonder if there's an argument in the U.S.
that this violates our right to "bear arms".

It's also interesting how the Left and Right flip positions when arms are
digital.

------
corndoge
"Social media platforms based in the U.S. including Facebook and WhatsApp will
be forced to share users’ encrypted messages with British police"

Does this mean they're sharing ciphertext or plaintext? Anyone know?

------
whycombagator
> Social media platforms based in the U.S. including Facebook and WhatsApp
> will be forced to share users’ encrypted messages with British police

If true, I wonder if this includes other US based apps like Signal

------
verizonuser
One can infer that the NSA cannot break strong encryption used in WhatsApp.

~~~
stordoff
Or they want political cover to avoid revealing their capabilities, or to
enable that data to be used more easily in court or for a wider range of
offences.

------
natch
I am not one to believe what I read on Bloomberg but the story does say "will
be forced to share _encrypted_ messages..."

If that's all this is, good luck to them doing anything with those.

------
lone_haxx0r
If you're logically consistent, then outlawing encryption implies outlawing
computers and mathematics.

We are venturing straight into a totalitarian nightmare, and are totally fine
with it.

------
jonplackett
I agree it would be good for police to be able to look into a criminal’s
phone, but how will they actually achieve this without wrecking the encryption
for everyone?

------
andrerm
There are really smart and empowered people just waiting for really dumb but
empowered people to make the move that opens the path to constant mass
surveillance.

------
phkamp
Sounds familiar...

Ohh, right:
[https://queue.acm.org/detail.cfm?id=2508864](https://queue.acm.org/detail.cfm?id=2508864)

------
angel_j
Police can only search what belongs to the company. If the data is yours,
and the keys are yours, then the company can only provide it by theft (if at
all).

------
Havoc
UK seems to be doing all sorts of crazy shit right now so not all that
surprised that people are finding out about this via news

------
guiomie
What are the alternatives to facebook and whatsapp? Is there anything open
source and p2p that can be used to replace facebook?

~~~
XCSme
Depends on what you use Facebook for.

------
neonate
[https://outline.com/9LpW2E](https://outline.com/9LpW2E)

------
eitland
Aren't there any laws against this?

I would think this should at least be against one or another amendment for
Americans?

~~~
UncleEntity
Most of what the federal government does is against one or another amendment
(the 10th mostly) but gets slipped by under the commerce clause as that's how
the system turned out.

------
Fakira
I have long stopped using American social media for anything. I think everyone
else should do the same.

------
daodedickinson
In before a gov't forces someone into pregnancy through the "front door" just
cuz

------
andrerm
Is this treaty public? Where is it?

------
tinus_hn
Not sure what they’re planning to do with these encrypted messages though.

------
villgax
I think everyone needs to focus on protocol more than apps per se.

------
decafbad
I thought there are backdoors already. This must be a diversion.

------
johnflan
I wonder does this also apply to services like Apple iMessage

------
akerro
Ok, so next year's WhatsApp will have backdoor and ads.

------
jcriddle4
I suspect Facebook has wanted an excuse to remove the end to end encryption
and avoid the negative publicity at the same time. Done.

------
newman314
NOBUS is going to work well. Not.

------
chooseaname
> Social media platforms based in the U.S. including Facebook and WhatsApp
> will be forced to share users’ encrypted messages with British police under
> a new treaty between the two countries, according to a person familiar with
> the matter.

Would Apple's iMessage qualify? (I can't read the whole article because of the
paywall).

------
avip
@mods pls change title

------
louwrentius
In The Netherlands a government VPN solution was left unpatched for many
months, exposing critical infrastructure to any third-party hacking nation
state.

I'm not a right-wing anti-government nutcase. I do believe that the government
will not be able to keep such a back door secure.

------
JohnJamesRambo
Is Signal still safe?

~~~
rurban
Signal was never safe:
[https://web.archive.org/web/20180914145702/https://sanderven...](https://web.archive.org/web/20180914145702/https://sandervenema.ch/2016/11/why-i-wont-recommend-signal-anymore/)
[https://news.ycombinator.com/item?id=12880520](https://news.ycombinator.com/item?id=12880520)

The safe variant LibreSignal was killed by Signal.
[https://github.com/LibreSignal/LibreSignal/wiki/What-to-do-a...](https://github.com/LibreSignal/LibreSignal/wiki/What-to-do-after-LibreSignal-was-abandoned%3F)

~~~
move-on-by
This comment is absurd. Your linked article even says:

> To be clear: the reason for this is not security. To the best of my
> knowledge, the Signal protocol is cryptographically sound, and your
> communications should still be secure. The reason has much more to do with
> the way the project is run, the focus and certain dependencies of the
> official (Android) Signal app, as well as the future of the Internet, and
> what future we would like to build and live in.

Beyond the author flat out saying that it’s secure- the title of the article
is why they will not recommend it. It has nothing to do with it being
compromised.

~~~
rurban
We are not talking about the protocol and simple one to one chats, we are
talking about the app. There are several major weaknesses in Signal which have
nothing to do with the protocol.

------
ga-vu
TFA says just UK...

~~~
bobthepanda
> Social media platforms based in the U.S. including Facebook and WhatsApp
> will be forced to share users’ encrypted messages with British police _under
> a new treaty between the two countries_ , according to a person familiar
> with the matter.

------
perfectstorm
why are they exempting Apple's iMessage then?

------
nicky0
If WhatsApp is end to end encrypted, how can they share the messages?

~~~
blocked_again
End to end encryption does not exist.

~~~
kd3
Please elaborate?

~~~
packet_nerd
Not the parent, but true in a sense. Communication is the act of conveying
information from one person's consciousness to another. In the usual encrypted
chat scenario, that path is unencrypted at two points (plaintext input, and
plaintext output at the far end).

It is entirely possible though to have a true end-to-end encrypted channel if
both parties are able to do the encryption in their heads without the plain
text message ever being visible. A trivial practical example would be a single
bit message with a single bit one time pad (agree ahead of time that if I say
yes on the phone, it means no and vice versa).

------
dehrmann
Meanwhile, the US government (mostly Trump) is banning Huawei equipment over
spying concerns. Apparently the only concern is that we weren't the ones doing
the spying.

This really hurts our credibility on a government level outside the Five Eyes.

------
pmlnr
1) If someone wants to find something you are "hiding", they will anyway. It's
always been like this. Encryption is never a protection against this.

2) Personally I still think e2e encryption is not a secure solution on
operating systems that run godmode 3rd party, eg. google play services: it
relies on a key that can be stolen too many ways too easily. Signal included.

3) internet eons (20 years) ago we nearly all used plain text IRC, closed
source ICQ, AIM, etc, apart from a few. Recently I started to question the
usefulness of "encrypt everything": we do need a way to verify the content
from end to end, but is encryption really the way to do so? Are there any
other ways, signatures, hashes, etc?

4) All that said, I'm not surprised. Skype used to be p2p, until M$ moved it
to server-client, because "battery life". Everything is moving back to the
Eternal Mainframe in this cycle.
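On the question in point 3 above (verifying content end to end without encrypting it), an added example that is not part of the original comment: a bare hash sent with a message can be recomputed by any relay that alters the text, while a keyed MAC cannot, and neither hides the content. The key, message and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Constructed sample data: a key the two endpoints agreed on out of band,
# and one plaintext chat message.
SHARED_KEY = secrets.token_bytes(32)
MESSAGE = b"meet at 18:00 at the usual place"


def send_with_hash(msg: bytes) -> Tuple[bytes, bytes]:
    """Sender attaches an unkeyed SHA-256 digest to the plaintext."""
    return msg, hashlib.sha256(msg).digest()


def verify_hash(msg: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(hashlib.sha256(msg).digest(), digest)


def send_with_mac(key: bytes, msg: bytes) -> Tuple[bytes, bytes]:
    """Sender attaches an HMAC-SHA256 tag computed with the shared key."""
    return msg, hmac.new(key, msg, hashlib.sha256).digest()


def verify_mac(key: bytes, msg: bytes, tag: bytes) -> bool:
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def relay_rewrites(msg: bytes) -> Tuple[bytes, bytes]:
    """A relay that does not hold the key changes the text in transit.
    The only check value it can produce is an unkeyed digest."""
    altered = msg.replace(b"18:00", b"21:00")
    return altered, hashlib.sha256(altered).digest()


def run_demo() -> Dict[str, bool]:
    results = {}

    # Bare hash: the relay recomputes the digest, so the receiver's
    # check passes on the altered text.
    msg, _digest = send_with_hash(MESSAGE)
    altered, new_digest = relay_rewrites(msg)
    results["hash_accepts_altered"] = verify_hash(altered, new_digest)

    # Keyed MAC: without the key the relay cannot produce a valid tag,
    # so the altered text is rejected and the original is accepted.
    msg, tag = send_with_mac(SHARED_KEY, MESSAGE)
    altered, forged_tag = relay_rewrites(msg)
    results["mac_accepts_altered"] = verify_mac(SHARED_KEY, altered, forged_tag)
    results["mac_accepts_original"] = verify_mac(SHARED_KEY, msg, tag)

    # Integrity is not confidentiality: the relay still reads the plaintext.
    results["relay_can_read_plaintext"] = b"18:00" in msg
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```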

~~~
the8472
The landscape changed. More people use the internet, more spy agencies from
multiple countries siphon traffic en bulk, information of higher value is
exchanged over the internet, more untrusted parties are involved (e.g. wifi
hotspots).

I mean go ahead, do everything unencrypted. But I surely won't entrust data to
you if you're leaking like a sieve.

~~~
pmlnr
> I mean go ahead, do everything unencrypted.

That is not what I wrote. I wrote "encrypt everything". There is valuable and
useful use of encryption, I'm just not certain everything everywhere needs it
or benefits from it.

~~~
the8472
It's a sensible default since the developers don't know when users will need
it and users don't want to bother to choose for every single action they take.
And they may not even know in advance that they will need it. An innocent
conversation can quickly turn into something confidential or private.

That said, I do agree that p2p is preferable since it cuts out a central party
that can be strongarmed by government being in control

