If the spooks can’t hack it, the US might ban it – report

A worrying report emerging from the US concerns the future of end-to-end encryption and the on-going security of consumers; if the intelligence community can’t break it, tech firms won’t be allowed to use it.

Hypocrisy and contradiction seem to be languages on the syllabus for every politician in today’s society. This might have been the case for decades, but it seems to be very prevalent in the legislative halls around the globe currently. Today’s example concerns cybersecurity.

According to Politico, there has recently been a secret meeting with all the no.2’s from US intelligence agencies to discuss the possibility of banning end-to-end encryption. The logic is relatively simple; removing the end-to-end encryption barrier would help these agencies catch more terrorists. But then again, the contradiction is also glaringly obvious.

In the pursuit of increased security, the intelligence agencies are suggesting less security. The removal of end-to-end encryption might help these agencies catch more terrorists, but it would also expose the consumer to considerable risks such as fraud or blackmail, while also making it easier for foreign states or criminals to spy on anyone and everyone, including governments.

Fixing one problem by making several problems should not be considered a sensible or logical approach to managing national security. It’s incredibly ill-advised and quite frankly we are surprised this debate rages on.

What is worth noting is this is not a dispute which is limited to the shores of the US; there are short-sighted and dim-witted politicians trying to kill end-to-end encryption all around the world.

Australia passed a law in December to compel technology companies into creating backdoors for security services to make use of, while in the UK, GCHQ directors suggested a similar mechanism called ‘Ghost Protocol’ which received a scathing reception. During 2017, then Home Secretary Amber Rudd attempted to rid the UK of encryption, while the infamous ‘Snoopers Charter’ was a disaster waiting to happen. In France, Article L.871-1 of the Internal Security Code requires technology companies to provide access to data within 72 hours of a request.

There are other approaches as well, which pay a much-needed nod to the importance of end-to-end encryption. In Finland for example, Section 23 of Chapter 8 of the Law on Coercive Measures Act compels persons/companies other than suspects/accused persons to hand over passwords and decryption keys if it is necessary to conduct a search of data contained in a device. This approach is not perfect, but it maintains the integrity of security protocols and the resilience of end-to-end encryption.

Although these agencies might think creating backdoors and the accountability mechanisms to use them is a sensible strategy, it clearly isn’t. If there is a vulnerability created in the security perimeter, the dark web will find out about it and will go searching for it. It will only be a matter of time before someone finds it, either through perseverance or accident, and it will be monetized by nefarious characters.

What is an important factor of the digital economy is the desire and requirements of technology providers to build security into products and services. This desire to build in backdoors undermines any work which is being done. Governments are pressing for increased security, but then insisting it must be weakened. The technology industry is caught between a rock and a hard place.

Why encryption is still impacting mobile video quality of experience

Telecoms.com periodically invites third parties to share their views on the industry’s most pressing issues. In this article Santiago Bouzas, Director, Product Management at Openwave Mobility looks at some of the underlying issues surrounding video encryption.

At a time when data breaches occur on an almost daily basis, undermining consumer confidence in enterprise IT’s ability to secure and protect private data, it might seem like the best solution is to increase efforts to encrypt data.

While encryption is an important part of securing data, it’s easy to underestimate the amount of complexity it adds to any service or device, especially in terms of the processing power required. On a surface level, encryption transforms one block of data reversibly into another. However, below the surface, encryption requires mathematical computation on data that needs to be read, reread, rewritten, confirmed and hashed.

Encrypting a text message is relatively simple. Encrypting video, however, is quite complicated, as computations occur on massive megabytes of data that’s constantly stored and retrieved. Moreover, video traffic is growing, especially as operators begin deploying 5G networks.

For instance, by the end of 2019, streaming services are expected from Apple, WarnerMedia and Disney+. In fact, video is predicted to account for nearly four-fifths of mobile network traffic by 2022 and almost 90% of 5G traffic according to the Mobile Video Industry Council, underscoring the need for mobile operators to build networks that can effectively handle the massive increase of encrypted traffic their networks are expected to carry.

The growth of video encryption

The increase of encrypted traffic isn’t a new challenge for operators. 4G networks brought about a seismic shift in connectivity and mobility, spurring the launch of millions of disruptive application-based businesses, including Spotify, Uber and Waze. But the unbridled freedom these new players enjoyed was short lived.

In 2013, whistleblower Edward Snowden revealed how global intelligence agencies were accessing mobile data, often in collaboration with technology companies. Quick to react, Facebook, Google and others began encrypting data with secure protocols, and that encryption has remained in place ever since.

By the end of 2018, about 90 percent of mobile internet traffic was encrypted, and there was no single standard followed for encrypting that data. For instance, Google uses QUIC, an encryption protocol based on the user datagram protocol (UDP). By contrast, Facebook and Instagram use zero round trip time resumption (0-RTT).

The QUIC protocol already accounts for between 30 and 35 percent of the market, and it is considered one of the most popular and efficient delivery mechanisms for video streaming. However, both protocols make it extremely difficult for operators to profile or optimize data with conventional traffic management tools, hindering their ability to deliver consistent quality of experience (QoE).

Without question, dedicated streaming services like Netflix and Amazon Prime are contributing to the increase in encrypted video traffic. However, Facebook is quickly becoming the primary channel for sharing video content. Facebook’s strategy is based around sharing video and merging its platforms, including Instagram, WhatsApp and Messenger. And that strategy is clearly paying off.

While Facebook has been sharing video from its vast content delivery network (CDN) for some time, the volume of video data shared across its different properties is 10 percent higher than that shared across all of Google’s entities combined. This is especially true on mobile, where there is a strong demand for social media, for which Facebook and Instagram are the dominant platforms.

Additional advertising investment is further cementing Facebook’s position, so much so that Facebook could soon overtake Google as the key driver of both video consumption and encryption protocols. Interestingly, Facebook is moving away from using the 0-RTT protocol and is also beginning to embrace QUIC.

In time, Facebook is expected to change protocols again, likely to Transport Layer Security (TLS) 1.3, a more robust and secure cryptographic protocol. Those plans have significant implications for mobile operators looking to deliver the best possible QoE.

Additional complications for video

Not only must operators contend with different encryption protocols, they also face challenges from the quality (resolution) of video that traverses the network. For instance, more than half of video traffic is expected to be high definition (HD) by the end of 2019. HD video consumes three times the amount of data as standard definition (SD) and requires three times the bandwidth.

As we near deployment of 5G networks, operators likely will have to contend with ultra-high definition (UHD) video, which will consume three or four times the data as HD video. Moreover, operators won’t just grapple with the need to monitor and manage video data. They’ll need new and different capabilities to detect and manage demand created by the obfuscation of encrypted video traffic.

The deep packet inspection (DPI) method that operators employ to analyze and optimize network usage will need to be sufficiently agile to handle the change in encryption protocols. Heuristic evaluation models and reporting structures will need to adapt, as well. Without these improved capabilities, operators will find it increasingly challenging to deliver the QoE expected for video content.

Failure to adequately address the increasing complexity of video traffic will result in increased buffering times, which is the death knell for consumers of mobile video. In an increasingly competitive ecosystem, customers that aren’t happy with network quality for video will have a myriad of competitors to churn to.

 

Santiago Bouzas is the Director of Product Management at Openwave Mobility and is an expert on mobile internet connectivity. Santiago has 12+ years of experience in telecoms, holding product management, sales/pre-sales and professional services roles in both global companies and start-ups.

Tech giants hit back against GCHQ’s ‘Ghost Protocol’

GCHQ’s new proposal to supposedly increase the security and police force’s ability to keep us safe has been slammed by the technology industry, suggesting the argument contradicts itself.

In an article for Lawfare, GCHQ’s Technical Director Ian Levy and Head of Cryptanalysis Crispin Robinson presented six principles to guide ethical and transparent eavesdropping, while also suggesting intelligence officers can be ‘cc’d’ into group chats without compromising security or violating the privacy rights of the individuals involved.

The ‘Exceptional Access Debate’ is one way in which GCHQ is attempting to undermine the security and privacy rights offered to consumers by some of the world’s most popular messaging services.

Responding in an open letter, the likes of the Electronic Frontier Foundation, the Center for Democracy & Technology, the Government Accountability Project, Privacy International, Apple, Google, Microsoft and WhatsApp have condemned the proposal.

“We welcome Levy and Robinson’s invitation for an open discussion, and we support the six principles outlined in the piece,” the letter states. “However, we write to express our shared concerns that this particular proposal poses serious threats to cybersecurity and fundamental human rights including privacy and free expression.”

Levy and Robinson suggest that instead of breaking the encryption software which is placed on some of these messaging platforms, the likes of Signal and WhatsApp should place virtual “crocodile clips” onto the conversation, effectively adding a ‘ghost’ spook into the loop. The encryption protections would remain intact and the users would not be made aware of the slippery eavesdropper.

In justifying this proposal, Levy and Robinson claim this is effectively the same practice undertaken by the telco industry for years. During the early days, physical crocodile clips were placed on telephone wires to intercept conversations, which later evolved to simply copying call data. As this is an accepted practice, Levy and Robinson see no issue with the encrypted messaging platforms offering a similar service to the spooks.

However, the coalition of signatories argues there are numerous faults in the argument, firstly from a technical perspective and secondly from an ethical one.

On the technical side, the way in which keys are delivered to authenticate the security of a conversation would have to be altered. As it stands, public and private keys are delivered to the initiator and recipients of the conversation. Both of these keys match, are assigned to specific individuals and only change when new participants are added to the conversation. To add a government snooper into the conversation covertly, all the keys would have to be changed without notifying the participants.

Not only would this require changes to the way encryption technologies are designed and implemented, but also it would undermine the trust users place in the messaging platform. Levy and Robinson are asking the messaging platforms to suppress any notifications to the participants of the conversation, effectively breaking the trust between the user and the brand.

While GCHQ may think it is presenting a logical and transparent case, prioritising responsible and ethical use of technology, the coalition also argues it is contradicting its own principles laid out in its initial article. Those principles are as follows:

  1. Privacy and security protections are critical to public confidence, therefore authorities would only request access to data in exceptional cases
  2. Law enforcement and intelligence agencies should evolve with technologies and the technology industry should offer these agencies greater insight into product development to help aid this evolution
  3. Law enforcement and intelligence agencies should not expect to be able to gain access to sensitive data every time a request is made
  4. Targeted exceptional access capabilities should not give governments unfettered access to user data
  5. Any exceptional access solution should not fundamentally change the trust relationship between a service provider and its users
  6. Transparency is essential

Although the coalition of signatories are taking issue with all six points, for us, it’s the last two which are the most difficult to grasp.

Firstly, if ‘Ghost Protocol’ is accepted by the industry and implemented, there is no way not to undermine or fundamentally change the trust relationship between the platform and the user. The platform promises a private conversation, without exception, and the GCHQ proposal requires data interception without knowledge of the participants. These are two contradictory ideas.

“…if users were to learn that their encrypted messaging service intentionally built a functionality to allow for third-party surveillance of their communications, that loss of trust would understandably be widespread and permanent,” the letter states.

The sixth principle is another one which is difficult to stomach, as there is absolutely nothing transparent about this proposal. In fact, the open letter points out that under the Investigatory Powers Act, passed in 2016, the UK Government can force technology service providers to hold their tongue through non-disclosure agreements (NDA). These NDAs could bury any intrusion or interception for decades.

It’s all very cloak and dagger.

Another big issue for the coalition is that of creating intentional vulnerabilities in the encryption software. To meet these demands, providers would have to rewrite software to create the opportunity for snooping. This creates two problems.

Firstly, there are nefarious individuals everywhere. Not only in the deep, dark corners of the internet, but also working for law enforcement and intelligence agencies. Introducing such a vulnerability into the software opens the door for abuse. Secondly, there are individuals who are capable of hacking into the platforms that developed said vulnerability.

At the moment, encryption techniques are incredibly secure because not even those who designed the encryption software can crack it. If you create a vulnerability, the platforms themselves become a hacker target because of said vulnerability. Finding the backdoor would be the biggest prize in the criminal community, the Holy Grail of the dark web, and considerable rewards would be offered to those who find it. The encrypted messaging platforms could potentially become the biggest hacking target on the planet. No person or organization is 100% secure, therefore this is a very real risk.

After all these considerations to security vulnerabilities and breach of user trust, another massive consideration which cannot be ignored is the human right to privacy and freedom of expression.

Will these rights be infringed if users are worried there might be someone snooping on their conversation? The idea creates the fear of a surveillance state, though we will leave it up to the readers as to whether GCHQ has satisfied the requirements to protect user security, freedom of expression and privacy.

For us, if any communications provider is to add law enforcement and intelligence agencies in such an intrusive manner, there need to be deep and comprehensive obligations that these principles will be maintained. Here, we do not think they have.

Aussies determined to undermine security with anti-encryption law

Ten of the world’s largest tech brands have banded together to denounce a recent law passed by the Australian government which could be viewed as the first step towards a Big Brother government.

With the world turning against China and Chinese companies due to the threat of espionage, you have to question whether the Australians have a leg to stand on anymore, as personal privacy takes a heavy blow with this legislation.

The signs have certainly been worrying over the last 18 months. Australia might well be one of the first to pass such controversial legislation, but it is certainly not alone. France, Germany, the UK and the US have all made it clear they have ambitions to make our world less secure and less private with their own attempts. The privacy dam was set to burst, and the Aussies caved. Privacy has taken a backwards step down-under.

The statement below, signed by Apple, Evernote, Dropbox, Facebook, Google, LinkedIn, Microsoft, Oath, Snap and Twitter, signals the opposition from the technology industry.

“One of the core principles of the Reform Government Surveillance coalition (RGS) is that strong encryption of devices and services protects the privacy and data security of our users, while also promoting free expression and the free flow of information around the world,” a joint statement declares.

“RGS has consistently opposed any government action that would undermine the cybersecurity, human rights, or the right to privacy of our users – unfortunately, the Assistance and Access Bill that was just passed through the Australian Parliament will do just that. The new Australian law is deeply flawed, overly broad, and lacking in adequate independent oversight over the new authorities. RGS urges the Australian Parliament to promptly address these flaws when it reconvenes.”

The law itself will allow the Australian police to issue technical notices, compelling technology companies to assist the government to hack, implant malware, undermine encryption and even insert backdoors into security software. Those who resist would face financial penalties. The justified concerns with the legislation are two-fold.

Firstly, the idea of a backdoor or writing algorithms which allow encryption software to be undermined completely defeats the purpose. The presence of such features should be seen as nothing more than a weakness in the software, a weak link in the chain. Whenever there is a vulnerability, nefarious individuals always expose it. It is just a matter of time before cyber criminals identify these vulnerabilities and it doesn’t matter how well they are hidden. It might happen after months of searching, or it might happen by accident.

Secondly, the law is flawed in that it is full of loop-holes and contradictions which leave it open to abuse and mission creep.

The initial remit of the technical notices will be for serious crimes, such as sex offenders, terrorists, homicide and drug offenses, though critics have pointed towards weak and vague language which opens the door for mission creep. And when there is an opportunity to push the boundaries of acceptable, there are people who will do this.

Another example of the problematic rules is the difference between Technical Capability Notices (TCNs) and Technical Assistance Notices (TANs). Both are used to compel technology companies into assistance for pretty much the same exercises and violations of privacy, though TCNs require approval by the Attorney-General, a consultation period and can only be used by the agency which submitted the request. TANs do not but can wield almost exactly the same amount of power.

“As Government and Labor MPs work today to craft amendments to the Assistance and Access Bill, it appears that one of the biggest flaws in the proposed legislation will not be addressed,” said Communications Alliance CEO, John Stanton on the differences between TCNs and TANs.

These are only a couple of examples of the criticism which the bill has faced over the last couple of weeks, though even after public consultation (which attracted 15,000 comments) few amendments were made to the original draft before being passed into law.

“The Australian government has ignored the expertise of researchers, developers, major tech companies, and civil liberties organizations by charging forward with a disastrous proposal to undermine trust and security for technology users around the world,” the Electronic Frontier Foundation said in a statement.

“The issue isn’t whether the Australian government read the 15,000 comments and ignored them or refused to read them altogether. The issue is that the Australian government couldn’t have read the 15,000 comments in such a short time period. Indeed, the bill’s few revisions reflect this—no security recommendations are included.”

In the pursuit of making life easier for the Australian police force, the government has betrayed the consumer and made the digital landscape a haven for hackers. We are unable to think of any examples of genuine encryption software being hacked or compromised to date, but the Australian government has just made life a lot easier for nefarious actors by voluntarily introducing vulnerabilities.

And this is without addressing the opportunity for abuse and violation of individuals’ human right to privacy.

There have been countless examples from around the world of individuals, either in private organizations or government agencies, being unable to respect privacy rights when given the opportunity. Uber employees used the location tracking features of the app to stalk exes and celebrities, while Edward Snowden exposed how the CIA illegally undermined the privacy of thousands of its own citizens.

The Australian government has not done anywhere near enough to ensure the rights of citizens will be maintained, or that actions will be entirely justified. This is a very worrying sign for the world, especially with the likes of the US and UK watching very carefully.

Australia is part of the Five Eyes intelligence fraternity, which traces its origins back to the 50s. The members of this intelligence alliance, comprising Australia, Canada, New Zealand, the UK and the US, generally work hand-in-hand when it comes to intelligence and security, and tend to implement very similar legislation. With Australia setting the pace of making the world a less safe place, it would not be a surprise to see other nations follow suit.

International politics is generally like a dominoes set. All ‘Western’ governments have similar laws, and when one breaks rank usually it back-tracks or the rest get in line. In this case with governments around the world all showing Big Brother ambitions, we suspect it might not be too long before more of these bills are being discussed elsewhere.

Netflix dominates the internet, but keep an eye on gaming geeks – Sandvine

Netflix currently accounts for an incredible proportion of global internet traffic, though the gaming segment is starting to throw its weight around.

According to research unveiled by Sandvine, The Global Internet Phenomena Report, Netflix now accounts for 15% of the total downstream volume of traffic across the entire internet. This is an astronomical number when you consider the service only has 130 million subscribers, a large number but one some would perhaps have thought higher, while there are roughly 1.7 billion websites on the internet. Video on the whole accounted for 58% of the traffic meandering along the digital pavements.

Netflix, and video on the whole, dominating trends is not a new idea. This is something the telcos have been preparing for, though the gaming segment has been rarely discussed. Gaming has traditionally been reserved for very niche demographics, though with more content providers targeting mobile applications, the target audience has been increasing substantially, as has the depth and scale of the games themselves.

Looking at the contributions to the bottleneck, in Europe two of the top ten owners of downstream traffic volume relate to gaming: PlayStation and Steam (focused on PC-based gaming). PC games can be as much as 100 GB in size, owing to consumer demands for larger and more immersive environments, though telcos would be wary of the continuing momentum for mobile games. With data becoming cheaper for the consumer and devices becoming more powerful, content developers are being encouraged to introduce mobile games which are more on par with those on other platforms. The sheer breadth, depth and variety of these titles on the app stores is quite staggering.

This of course will stress networks, especially considering many users of these games will use them when out and about, not connected to home broadband or public wifi. Ensuring these mobile games meet the demands of the consumer will be critical, as it may well soon become another stick to hit connectivity providers with.

Another interesting statistic to emerge from the data is the level of encryption. Sandvine estimates 50% of internet traffic is now encrypted, though this might be a conservative guess. The estimate only accounts for sources which are encrypted consistently, so the number might well be higher, and it is certainly increasing. For consumers, this is a promising trend set against a backdrop of data privacy scandals and breaches, though it is an added complication for the telcos.

Encryption of course protects the consumer from wandering eyes with nefarious intentions, but it also prevents the telcos from keeping an eye on what is going on. Without visibility into what type of traffic is traversing the algorithmic piste, the telcos cannot tailor the delivery and enhance the experience for the consumer. The blame of poor experience might be thrown towards the telcos, but with encryption trends heading northwards, they are relatively helpless.

Limies, Yanks, Kiwis, Ozzies and Mounties have another crack at killing encryption

In a carefully worded statement, the governments of the US, UK, Canada, Australia and New Zealand have reiterated their desire to crack encryption and snoop on citizens.

The cryptic message to the technology industry seems to be a relatively familiar one; our spies can’t crack your encryption software, so we are going to legally force you to grant us access. What you can expect to see over the next couple of months are various statements in the press, PR campaigns and op-ed pieces building a picture as to why the technology giants are undermining the judiciary system of democratic nations, and how they are toying with the safety of your life, your partners and of your children. It’s a tactic we’ve seen before, and we suspect it is on the horizon once again.

This appears to be the important aspect of the statement:

“Privacy laws must prevent arbitrary or unlawful interference, but privacy is not absolute.  It is an established principle that appropriate government authorities should be able to seek access to otherwise private information when a court or independent authority has authorized such access based on established legal standards.  The same principles have long permitted government authorities to search homes, vehicles, and personal effects with valid legal authority.

“The increasing gap between the ability of law enforcement to lawfully access data and their ability to acquire and use the content of that data is a pressing international concern that requires urgent, sustained attention and informed discussion on the complexity of the issues and interests at stake. Otherwise, court decisions about legitimate access to data are increasingly rendered meaningless, threatening to undermine the systems of justice established in our democratic nations.”

In short, governments want to force technology companies to open up their security features because they are not able to crack them themselves. The encryption software is not only good enough to protect users from the nefarious characters on the dark web, but it is resilient enough to keep the spooks at bay as well.

Of course there are scenarios when privacy and freedom of expression should be sacrificed, in an instance of war or genuine threat to national security. And there are cases where homes or offices could be searched in years gone by because of a warrant signed by a judge. These warrants were critical in the pursuit and prosecution of criminals. The digital world does make it difficult to make these pursuits a reality, but that does not warrant the introduction of backdoors in the software.

If a police force entered your home in years gone by to seize information, they would enter through your front door. This is a barrier to protect your home and personal belongings, but allowing a backdoor in security features for intelligence agencies or police forces is also a welcome mat for hackers. The man on the street cannot protect himself from this threat, therefore these governments are compromising the safety of the vast majority to further their own ambitions.

As it stands, these governments have offered no explanation as to how intelligence agencies would be able to access the information while security remains robust against nefarious individuals on the dark web.

We contacted the UK Home Office which did not respond to our questions.

The Home Office did not respond on how it could justify weakening security in the name of security, or how it would actually work. Nor did it respond on how it would prevent abuses of any preferential treatment for intelligence agencies or police forces. Finally, it did not offer any explanation for the process of accountability or justification.

Whenever there is progress in the technology world, the government and its agencies are left behind. Industry is lightyears ahead of intelligence agencies and police forces, and the government is attempting to scare the population into agreeing it is necessary to weaken encryption in pursuit of national security. It is a game of PR to justify legally strong-arming the technology companies into compliance.

This statement from the government is simple; we don’t like encryption services. That much is clear. There are circumstances where the government has a right to suspend privacy, assuming there is enough justification, but we are yet to see any evidence the government can ensure the ongoing protections of users whilst also fulfilling its ambitions.

Destroying safety in the name of safety is a complete contradiction; such actions are not a service to citizens.

Tech giants reaffirm stance against government snooping

Reform Government Surveillance, a coalition of some of the world’s largest tech companies, has agreed on a sixth core principle to guide its advocacy efforts going forward.

The sixth principle reaffirms the group’s position on encryption and the worrying trend of short-sighted government officials’ efforts to force built-in vulnerabilities into software. This is not a new argument, though governments are still standing firm on ignorant foundations, arguing the ridiculous idea that reducing the effectiveness of security features is a good idea.

The principle is as follows:

“Strong encryption of devices and services protects the sensitive data of our users – including individuals, corporations, and governments. Strong encryption also promotes free expression and the free flow of information around the world. Requiring technology companies to engineer vulnerabilities into their products and services would undermine the security and privacy of our users, as well as the world’s information technology infrastructure. Governments should avoid any action that would require companies to create any security vulnerabilities in their products and services.”

While it is an argument which has died down in recent months, it is still bubbling away in the background as other scandals offer politicians the opportunity to get their superficial grins on the front pages. In the UK the tech giants might be glad to see the back of the forgetful former Home Secretary Amber Rudd, who has led a campaign against encryption, though her successor has not revealed his stance just yet; Sajid Javid might prove to be just as idiotic.

At Telecoms.com we appreciate there is a balance to strike between the physical protection of a nation and online security. Governments should be granted access to information when justified, however building vulnerabilities into security features is not the right answer. Should backdoors be built, it would only be a matter of time before hackers and other nefarious actors gain unrestricted access to personal information. The idea is quite frankly ridiculous.

The other principles are as follows:

  1. Limiting Governments’ Authority to Collect Users’ Information
  2. Oversight and Accountability
  3. Transparency About Government Demands
  4. Respecting the Free Flow of Information
  5. Avoiding Conflicts Among Governments

The group features some of the biggest names in the technology world, including Apple, Dropbox, Google, Facebook and Microsoft. Such resistance to ill-advised and ridiculous government ideas such as the weakening of encryption software should be encouraged. It is reassuring to see the tech companies are retaining their firm position against the foolhardy governments and intelligence agencies who have not proved they should be trusted.

WhatsApp boss exits, possibly over privacy concerns, but we’re not convinced

WhatsApp founder Jan Koum is exiting the Facebook family under the guise of privacy concerns, but he might just have gotten all of his bonus.

Using the social media platform to convey his message, Koum did not give any details, though sources close to the matter claim there was a disagreement with executives at parent-company Facebook over privacy, the use of personal information and the potential weakening of encryption software. This might be the reason, or it might just be a good way to justify exiting while maintaining an anti-capitalist image.

“I’m leaving at a time when people are using WhatsApp in more ways than I could have imagined,” said Koum. “The team is stronger than ever and it’ll continue to do amazing things. I’m taking some time off to do things I enjoy outside of technology, such as collecting rare air-cooled Porsches, working on my cars and playing ultimate frisbee. And I’ll still be cheering WhatsApp on – just from the outside. Thanks to everyone who has made this journey possible.”

The Facebook post followed a report in The Washington Post detailing the clash between executives and misaligned values between the two parties. The protection of users’ personal information is a core value at WhatsApp, and part of the reason so many have flocked to the service. Back in 2014 when Facebook bought the service, WhatsApp posted a blog promising nothing would change following the acquisition, though the WhatsApp values have certainly been eroded over the years.

Initially it was promised security would be maintained, personal information would not be used and advertising would not appear on the platform. In attempting to change terms and conditions in 2016, and introducing new opportunities for businesses to connect with customers in January, two of these promises have been compromised. Should the rumours about efforts to weaken encryption be true, all three values have been walked out the door.

As you can imagine, under-fire Facebook CEO Mark Zuckerberg has done his best to calm the waters in replying to the post:

Zuckerberg post

In complimenting the WhatsApp encryption advances, Zuckerberg is seemingly attempting to play down any concerns the protections might be diluted. Zuckerberg has not denied Facebook is weakening the encryption software, but is simply calming any potential euphoria. Right now is not a good time for news to leak to the press about weakening privacy protections at Facebook considering the scrutiny the platform is facing in light of the Cambridge Analytica scandal.

While it is very chivalrous for Koum to stand down over compromises and erosion of WhatsApp principles and core beliefs, we can’t believe he is that naïve. Facebook is an information business and will constantly be searching for new ways to improve the advertising platform. When the social media platform bought WhatsApp for a monstrous $19 billion, did Koum honestly believe it was as a philanthropic exercise? Of course Facebook wanted to access the user data.

We are not 100% convinced by these reports. Generally when a company is acquired, especially on this scale, the former management team are incentivised to stay to manage the transition and integration. These incentives are usually spread over a couple of years. Considering it has been 3.5 years since the acquisition was completed, we wonder whether Koum has realised all of his transition bonuses and now just wants out. Jumping on the ‘Facebook is a privacy monster’ train might just be a way to save face. He’s doing it for moral reasons, not because he’s got as much money as possible out of the situation.

In martyring himself, Koum has likely removed one of the final hurdles the Facebook advertising machine had in harvesting the personal information vaults of WhatsApp. Some might argue Facebook has destroyed the principles of the brand, but Koum and co-founder Brian Acton told us how much their values are worth; $19 billion. Considering the reasons for creating WhatsApp in the first place, privacy and a disdain for ads, Koum and Acton effectively did a deal with the devil.

Reports might claim he is making a moral stance against the company, but the high-horse is simply trotting Koum away from any responsibility while dragging the loot over the principles of WhatsApp which now lie tattered and tarnished in the dirt.

French messaging efforts show how selfish governments actually are

France is reportedly considering building its own encrypted messaging platform to protect itself from espionage, completing the full U-turn from last year’s efforts to limit the encryption powers of messaging services.

According to Reuters, a spokesperson from the Digital Ministry confirmed 20 civil servants are testing a new, encrypted messaging app which has been designed by a state-owned developer. The aim will be for every government employee to use the platform by the summer.

This is certainly a change in opinion compared to last year. During August, French Interior Minister Bernard Cazeneuve and German Federal Minister of the Interior Thomas de Maizière met to discuss how data protection laws could be altered to allow intelligence agencies greater insight into the lives of citizens. The idea would have been to build a back-door in the encryption software, which would allow spooks access and permanently weaken the security feature of the platforms.

It would appear that spying on its own citizens is perfectly acceptable, but the threat of President Emmanuel Macron’s lunch order leaking to the Daily Mail is one step too far. We understand and accept certain aspects of government need to be kept under the strictest of confidence, but privacy is a right to European citizens, even from elected officials.

The ‘do what I say, not what I do’ attitude of governments around the world is starting to taste very bitter.

The French government version of an encrypted platform is based on open source code found on the web, and could eventually be available for French citizens to use as well. What has not been confirmed is whether the encryption software has had a backdoor built into it, an objective for governments all around the world to improve snooping capabilities. If this was the case, it would surprise very few people, however it would also make the offering fundamentally flawed from the outset. A backdoor is a weakness in the security perimeter, which will eventually be found by hackers; nothing is 100% secure.

To date, French government employees have reportedly been using instant messaging applications from defence group and IT supplier Thales. The Citadel instant messaging smartphone app is one offering listed on the website, though President Macron is supposedly a fan of the currently under-fire Telegram platform, which is facing a ban in Russia for refusing to hand over encryption keys to security services.

This is one example of a government which doesn’t like an idea until it benefits the bureaucratic machine. A government owned application will be designed with its own parameters and objectives in mind; this might be another way for intelligence agencies to poke their noses into places they are not wanted.

These agencies and governments have already proved incapable of cracking the encryption software of the likes of WhatsApp and Telegram, therefore a work-around would be required. Considering the scandal Facebook, owner of WhatsApp, is facing, this might prove to be a very good time to pry loyal users onto a platform with zero commercial interests and the promise of never being on your own.

Government gets another weapon in the battle against privacy

Government intelligence agencies and police forces have been briefed on a new tool known as ‘GrayKey’ which promises to unlock iPhones running iOS 10 and 11.

The tool is brought to you by a low-key start-up called Grayshift, about which little is known, but Forbes believes the group is run by ex-US intelligence agency contractors and an ex-Apple security engineer. It’s only in the last couple of weeks Grayshift has been touting its services, and even gaining access to the website is strictly controlled (as you can see here), however Forbes has a friendly which granted it access. And it is as interesting as it is worrying.

How the tool actually works is unknown for the moment, though the vulnerability is likely to stay hidden. Considering the ease with which governments around the world seem to sweep aside data privacy rights of citizens, Grayshift could have quite a captive market. Governments have shown they are incapable of cracking encryption techniques or bending the will of the technology giants, so companies like Grayshift will certainly be of interest.

The tool itself, GrayKey, is available for $15,000 which permits 300 unlocks for the purchaser, but for $30,000 those nosey spooks can use the offline product. The more expensive version comes with unlimited use which will sound like a bargain for Prime Minister Theresa May and Home Secretary Amber Rudd, both of whom have tried their darndest impression of Big Brother (Rudd attacks data encryption and May’s Snoopers Charter). The ads claim to be able to unlock the latest version of the iPhone software, iOS 10 and 11, though an update has been promised to tackle iOS 9 before too long. A demo has also claimed to have cracked the iPhone X.

While details of how the tool works remain unknown, it is assumed ‘brute forcing’ is the favoured technique here. Cracking the encryption software doesn’t seem to be a viable option here (which is one of the few positive notes of this story) as the tool appears to make repeated guesses at passcodes.

The appearance of companies like Grayshift, similar to Cellebrite who offer similar services from Israel, is a thorn in the side of the industry which needs to ensure data privacy is top of the agenda. For the digital economy to flourish, there needs to be trust in it. Unfortunately, with companies exploiting vulnerabilities and refusing to report them, or governments trying to force others to programme backdoors into encryption techniques, the trust will be undermined. There will always be a worry about insecurities in the matrix, and therefore always a hindrance for complete acceptance and adoption of the connected world.

While there are circumstances where privacy will have to be sacrificed for the greater good of society, these instances should be considered incredibly rare. This does not seem to be the approach of governments around the world, who seem quite whimsical with the approach to personal rights. What baffles us is the way in which hacking is becoming legal. Instead of condemning and tackling the problem of vulnerabilities in our lives, governments seem to be encouraging them.

The last 18 months have seen governments act immaturely. The readiness to undermine the digital economy seems far too accessible.