The Next Front in the New Crypto Wars: WhatsApp
In Saturday’s edition of the New York Times, Matt Apuzzo reports that the Department of Justice is locked in a “prolonged standoff” with WhatsApp. The government is frustrated by its lack of real-time access to messages protected by the company’s end-to-end encryption. The story may represent a disturbing preview of the next front in the FBI’s war against encryption.
For the past month, we’ve been closely tracking Apple’s fight against a dangerous court order issued by a federal judge in the San Bernardino shooting case. In a brief filed last week, the Department of Justice repeated its claim that what it’s asking for is “modest.” Government lawyers accused Apple of trying to “alarm” the court by suggesting that this order could lead to a world where companies are routinely ordered to compromise the security of their products or break their crypto. But contrary to the government's claim that the case is about a single phone used by one of the perpetrators of the horrific attack in San Bernardino, a claim that FBI Director Comey has echoed, the court battle in San Bernardino is important specifically because it will have implications far beyond the one phone.
In an amicus brief—authored by EFF and joined by 46 computer scientists, security experts, and mathematicians including the inventors of modern cryptography—we told the court that forcing Apple to create and digitally sign a custom version of iOS that disables key security features would violate the First Amendment. Another argument we and our friends at Stanford made was that, if upheld, the San Bernardino order would set a legal precedent that could permit the U.S. government to compromise the security of hundreds of millions of people around the globe. The government’s theory, that the All Writs Act gives it the power to compel American companies to write code and design products to ensure law enforcement access to encrypted content, is virtually without limits. No devices, and indeed no encrypted messaging services, would be safe from such backdoor orders. If the government wins in San Bernardino, it could even force companies to give it access to software update systems, and send their users government surveillance software disguised as security patches.
Now, it appears that the Department of Justice is considering pursuing another, similarly dangerous legal attack on encryption. The fact that the government is even considering such an action proves that our worst fears were right.
This time they’re targeting WhatsApp, the Facebook-owned messaging app which started adding strong end-to-end encryption in 2014. According to the New York Times, the government has obtained a wiretap order, authorizing real time acquisition of the WhatsApp messages (probably text chats rather than voice calls, but that’s unclear at this stage) in an ongoing criminal investigation. WhatsApp is, of course, unable to provide decrypted text in response to the wiretap order, just as it was unable to comply with a similar order by a Brazilian court earlier this month. The whole point of end-to-end encryption is that no one but the intended recipient of a message is able to decipher it.
From the New York Times’ reporting, it looks like the government has so far only obtained an initial wiretap order—demanding WhatsApp to turn over message content it can't access. The Department of Justice has not yet decided whether to ask the court for a follow-on order that would compel WhatsApp to decrypt the messages. Presumably, that second order would look similar to the San Bernardino order and direct WhatsApp to write code that would break its own encryption and allow it to provide plain text in response to the wiretap order.
If the government decides to seek that second order against WhatsApp, it would almost certainly be grounded, not in the All Writs Act but in the “technical assistance” provision of the Wiretap Act. So while the result of the All Writs Act litigation in San Bernardino wouldn’t directly control the outcome of any Wiretap Act case against WhatsApp, courts apply similar tests in the two contexts. In both All Writs and Wiretap Act cases, courts evaluate whether compliance with an order would constitute an “undue burden.” Therefore all the rather convincing arguments Apple has made in San Bernardino would be available to WhatsApp as well.
As of now, we’re unable to find any additional publicly available information regarding the order against WhatsApp. The New York Times reports that, unlike in the San Bernardino case, the WhatsApp litigation is being kept under seal. We’ll keep an eye out for any additional documents, and will continue to blog as more becomes public. For now however, we applaud WhatsApp (and Facebook) for standing strong in the face of orders, whether Brazilian or American, to do the impossible or to compromise our security for the sake of enabling click-of-the-mouse surveillance.