Encrypted messaging services have always presented a difficult challenge for government agencies all over the world. On one hand, they enable freedom of speech, but on the other, they allow miscreants and bad actors to facilitate nefarious deeds. In this regard, on July 2, European police authorities arrested over 800 individuals who were allegedly partaking in shady activities using an encrypted chat service called EncroChat.
The messaging platform has servers based out of France and claims to provide users with “worry-free secure communications.” According to the BBC, EncroChat has a customer base of more than 60,000 people, more than 10,000 of whom are based in Britain. Immediately after the incident came to light, EncroChat’s official website and messaging service were put on temporary hold. To gain a better overview of the problem, Cointelegraph reached out to Tim Mackey, principal security strategist for design automation company Synopsys, who said:
“Authorities likely balanced the future value associated with identifying additional criminals against the already identified criminal activity. In effect, they may have determined that stopping a specific impending crime outweighed any potential returns from keeping EncroChat operational.”
A similar outlook is shared by Brian Kerr, CEO at Kava, a multi-chain DeFi lending platform, who said that the federal government was right in accessing EncroChat’s servers to put an end to the criminal activities happening on the network.
Encryption still on the menu?
As issues associated with data leakages — especially those regarding various mainstream messaging services (such as WhatsApp, TrueDialog and Telegram) — continue to surface frequently, many experts believe that it is worth exploring whether most encryption platforms today place enough importance on privacy and customer security.
On the subject, John Jefferies, CEO of CipherTrace, a crypto forensics firm, told Cointelegraph that customer privacy must always be taken into prime consideration by the developers of such end-to-end encryption messengers. He further emphasized that it is especially crucial to focus on privacy during times like these (i.e., the COVID-19 pandemic), when increased use of digital platforms could lead to more instances of hacks, privacy invasions and data leaks. Jefferies further added:
“Encrypted communication is nuanced so platforms must ensure they have effective implementation of SSL with certificates issued from the known reason behind trust utilizing strong cipher suites. To further improve security, multi-factor authentication ought to be available for users joining conferences and the machine should double-check users on unknown devices.”
Similarly, Jonathan Zerah, head of marketing for Status Network, an encrypted messenger, told Cointelegraph that despite there being many “so-called privacy and security-oriented” communication tools available in the market today, most of the security features on offer were built atop protocols that place a large amount of ownership and responsibility on centralized companies.
He further added that more often than not, these centralized communication tools use a client-server model to transport and route messages throughout the world and require users to input their cell phone numbers or email addresses to set up an account — sensitive data that most firms usually store and manage using lax security protocols. Zerah added: “This places a massive responsibility on the companies managing these platforms to protect that data and the servers that store it.”
Lastly, to mitigate privacy problems related to popular messaging apps, experts like Zerah concur that it is time to establish newer safety protocols that return ownership of data to the individual and seamlessly remove centralized chokepoints and attack vectors.
Governments purging encryption-based tech?
Recently, a bill was introduced into the United States Senate that effectively seeks to put an end to the use of end-to-end encryption in messaging services. A similar issue was also raised at the ministerial meeting of the nations that make up the “Five Eyes” intelligence community, comprising Australia, Canada, New Zealand, the United Kingdom and the United States. These developments appear to suggest that police agencies all around the globe are making a concerted effort to eliminate encryption-based privacy technologies.
In Mackey’s view, due to the growing number of data breaches these days, there is a steady increase in the quantity of data protection legislation being set into motion. These legislative efforts aim to limit the range of data that organizations can collect while increasing the security of any sensitive information that organizations process and retain.
However, though it may be appealing for governments to attempt to limit the use of encryption technologies under the auspices of reducing criminal activity, the situation around EncroChat plainly shows that criminal groups can simply create their own workarounds if the need arises. In this regard, the recently tabled Lawful Access to Encrypted Data Act — which will require organizations to implement ways to decrypt data upon court order — could become a viable way by which a fine balance between regulation and encryption could be established.
That being said, Chris Hauk, a consumer privacy advocate and author for Pixel Privacy, an online privacy and security blog, believes that no government agency should ever have the legal right to outlaw encrypted messaging platforms. Furthermore, he believes that providing any type of backdoor access to law enforcement agencies could end up opening new avenues for bad actors to exploit, thus defeating the primary goal of any encrypted messaging platform.
Collaboration between governments and service providers possible?
While the idea of encryption service providers and government agencies coming to a common consensus on handling privacy-related matters seems like a perfect outcome on paper, in most cases, such a vision seems far-fetched because any review of “harmful content,” by default, requires platform operators themselves to have direct access to their customers’ information.
Moreover, once this type of backdoor is opened, there will be nothing stopping governments from being able to go through everyone’s personal correspondence under the guise of public safety — something which has already been suggested by whistleblower Edward Snowden and his team. Leaks in recent years have showcased how governments all around the globe, particularly the United States, have been proactively working with tech organizations to harvest data in a totally indiscriminate manner.
It’s also worth mentioning that implementing a blanket ban on end-to-end encryption isn’t really possible. While certain legal roadblocks will surely be deployed, if developers continue to use and devise apps utilizing the technology, there’s not much that anyone can really do. Thus, in essence, government agencies should try to come to an agreement with businesses running such services in order to curb illegal activities on their platforms.
Lastly, providing his point of view on this situation, Chris Howell, co-founder and chief technology officer of Wickr, a messenger with end-to-end encryption, told Cointelegraph that any encryption service can be utilized for good or bad.
Although it is disappointing every time criminals exploit privacy-oriented messengers for their personal gains, he does believe the solution is not to ban such services or destroy encryption, privacy and security for all through the use of backdoor gateways. He said, “Our ability to protect data and intellectual property from these same bad actors via strong encryption, solid security products, etc. does far more good for mankind than harm,” adding that:
“I think when a service has privacy and security issues, its legitimate users suffer far more than its bad actors. Of course, no legitimate service wishes to be a haven for bad actors. Most of us expend significant resources honoring law enforcement information requests and believe it is our responsibility to do so. But the reason we build things is for customers and their needs, and I’m not hearing a lot of them ask us to weaken our security so that bad actors might suffer.”