The Whistleblower And Encryption: Everyone Has An Angle, And Not Everyone Is A Policy Expert

from the nuance, nuance, nuance dept

Over the weekend, the Telegraph (not the most trustworthy or reliable in a batch of UK news organizations that have long had issues with accuracy in reporting) claimed that the latest (and most high profile) Facebook whistleblower, Frances Haugen, was prepared to come out against encryption. This (quite rightly) raised the hackles of multiple encryption experts. As people were getting pretty worked up about it, the Telegraph (silently, and without notice) changed the headline of the piece (from “Facebook whistleblower warns ‘dangerous’ encryption will aid espionage by hostile nations” to “Facebook whistleblower warns company’s encryption will aid espionage by hostile nations”) as well as the actual text of the story, to suggest a slightly more nuanced (but still not great) view — effectively saying she supported encryption, but was concerned that Facebook would use encryption as a “see no evil” kind of blindfold to problems on its platform.

Ms Haugen said that she is generally pro-encryption, which enhances users’ privacy. However, she added that Facebook’s plan was also a way for the company to “sidestep” harmful content happening on its platform rather than address it.

She said: “End-to-end encryption definitely lets them sidestep and go ‘look we can’t see it, not our problem’.”

Of course, context and motives matter here, and the Telegraph, which tends to be quite supportive of the current UK government, seemed to be twisting Haugen’s (admittedly confused) statement in support of UK Home Secretary Priti Patel’s positively dangerous plan to get rid of end-to-end encryption in the UK. It sure looks like the Telegraph went looking for a way to support that argument, and used Haugen’s words to that effect.

A few hours later, Haugen actually testified before a UK Parliamentary committee and claimed her words were taken out of context. She said that she’s strongly pro-encryption… but then tried to claim that her comments to the Telegraph were more about how she doesn’t trust Facebook to actually implement encryption. Which is… a strange and almost nonsensical claim.

“I want to be very, very clear. I was mischaracterised in the Telegraph yesterday on my opinions around end-to-end encryption,” she said. “I am a strong supporter of access to open source end to end encryption software.

“I support access to end-to-end encryption and I use open source end-to-end encryption every day. My social support network is currently on an open source end-to-end encryption service.”

[….]

“Facebook’s plan for end-to-end encryption — I think — is concerning because we have no idea what they’re going to do. We don’t know what it means, we don’t know if people’s privacy is actually protected. It’s super nuanced and it’s also a different context. On the open source end-to-end encryption product that I like to use there is no directory where you can find 14 year olds, there is no directory where you can go and find the Uighur community in Bangkok. On Facebook it is trivially easy to access vulnerable populations and there are national state actors that are doing this.

“So I want to be clear, I am not against end-to-end encryption in Messenger but I do believe the public has a right to know what does that even mean? Are they really going to produce end-to-end encryption? Because if they say they’re doing end-to-end encryption and they don’t really do that people’s lives are in danger. And I personally don’t trust Facebook currently to tell the truth… I am concerned about them misconstruing the product that they’ve built — and they need regulatory oversight for that.”

But… here’s the thing: Haugen may be a wonderful data scientist. And, she may have done the world tremendous good by leaking tons of internal Facebook documents, giving the world some insight into what’s going on at the company. But that doesn’t make her an expert on encryption. And, it shows. As Alec Muffett, a security expert who actually used to work on encryption at Facebook, noted in a detailed thread, what Haugen is asking for here is dangerous and shows a real lack of understanding about encryption.

First, she claims that there should be a government review of any Facebook end-to-end encryption to make sure it’s legit. And, yes, there are many reasons to not trust Facebook, but introducing the idea that government needs to review and approve encryption is worse. Is she completely unaware of the government’s history of constantly trying to undermine and backdoor encryption? I mean, it’s not exactly secret. And the US government has been trying to undermine and backdoor encryption pretty aggressively lately. Suggesting that there needs to be some government entity blessing the encryption opens the door to all sorts of mischief.

The separate issue is claiming that end-to-end encryption for Facebook is somehow different because you can use Facebook for more than just messaging, and it’s bolted on to other services. Again, as Muffett explains, this kind of thinking is dangerous as well. It suggests that encrypted chat needs to be silo’d and kept distant from tons of internet services, when the reality is often that many more internet services should be embracing encryption much more widely to protect their users.

This is also why it’s difficult to understand Haugen’s claims — as they seem somewhat contradictory. Even if we take the Telegraph’s mission-driven editing with a grain of salt, Haugen doesn’t deny her claim that encryption makes it harder to protect Uighurs:

“A key part of [Chinese operatives’] strategy was to send malware to Uighurs who lived in places that weren’t China, as if they could compromise one phone they could compromise a whole community. We said we won’t be able to see the malware anymore [with encryption].”

But, that’s backwards. Do we think Uighurs will be more protected with encryption, or without it? As Riana Pfefferkorn pointed out just last week, encryption and security go hand in hand. It is not — as law enforcement would falsely have you believe — that encryption and security are at odds. Encryption provides security — especially against oppressive governments trying to genocide an entire culture. Uighurs need encryption much more than they “need” Facebook to be able to see what the Chinese are doing to protect the Uighurs.

Haugen’s statement on the Uighurs seems ridiculous when thought about: it’s basically arguing that without encryption Facebook can better protect the Uighurs from the Chinese government. Does anyone actually believe that? Or would they be better off with access to encryption? They shouldn’t necessarily rely on Facebook’s encryption, but arguing that it shouldn’t be there to better protect them is just silly.

Again, Haugen has likely done the world a great benefit in leaking a bunch of internal documents (I’ll have more on those soon). But it’s important to remember that just because she blew the whistle regarding Facebook research, it doesn’t make her an expert on everything else. She’s not an expert on content moderation, or antitrust, or encryption. She may be a useful source for exploring what Facebook’s research showed, or some of Facebook’s decision making, but it’s depressing how quickly eager politicians looking to gain support for their already existing plans are exploiting her to argue for their position on topics she’s really not qualified to comment on. Indeed, it’s also dismissing the hard work of tons of actual experts on these topics, from practitioners in the field to the academics who study these issues.

Companies: facebook


Comments on “The Whistleblower And Encryption: Everyone Has An Angle, And Not Everyone Is A Policy Expert”

12 Comments
Anonymous says:

When will people realize that encryption is working if only communicating parties can read the messages, and broken if anybody else, including governments, can also read the messages? It’s not possible to have working end to end encryption if some third party, including those providing messaging services, can read the messages; then that is encryption between users and the servers, and NOT end to end encryption; and selling it as such is false advertising.

Anonymous says:

As she said, there’s a problem with Facebook pushing harmful negative content to maximize user engagement. FB is rapidly losing young users.
She’s a data expert. The UK government has for years, with the 5 Eyes, been pushing to ban encryption and erase privacy from surveillance for the ordinary user.
Does she really think getting rid of encryption will help protect Uighurs from the Chinese government?
Wtf?
FB has problems, but we must remember every day millions of users use it for free to talk to friends and relatives, and it’s a major platform for business too.
Also, other tech websites have reported FB and Google have conspired to fix the ad market to keep prices high by not really competing with each other; see Project Jedi.

I think it’s been obvious for years that most of the time Facebook chooses profit over the mental health of users by displaying negative content like conspiracy theories, fake news, etc.

Anonymous says:

I think YOU may be confused

She says she wants to know the end-to-end encryption REALLY IS end-to-end encryption … considering the source. She’s saying that if Uighurs trust their encryption and it’s bollocks, they have trouble … though from what I’ve read, I’m not sure there is anything a Uighur can do to avoid trouble, apart from hanging himself to spare the government the inconvenience.

I don’t think a Facebook whistleblower is too likely to get a fair treatment in the mass media, given as they apparently are all, by virtue of still being in business, utterly abased servile worshippers of the company who would offer up their children on an altar for a modest degree of goodwill from the company.

From Crypto AG to the first https in Netscape to whatever that "secure encryption company" targeting the drug dealers last year was called, companies’ claims they offer "real crypto" are at least 90% false. The other 10% we just don’t KNOW are false yet. Why should Facebook get a pass?

James Burkhardt says:

Re: I think YOU may be confused

You might want to re-read the article:

First, she claims that there should be a government review of any Facebook end-to-end encryption to make sure it’s legit. And, yes, there are many reasons to not trust Facebook…

That right there is Mike stating your position, that she wants code review. Mike then continues to point out an issue with that plan, not just that she misunderstands the issue.

First, she claims that there should be a government review of any Facebook end-to-end encryption to make sure it’s legit. And, yes, there are many reasons to not trust Facebook, but introducing the idea that government needs to review and approve encryption is worse. Is she completely unaware of the government’s history of constantly trying to undermine and backdoor encryption? I mean, it’s not exactly secret. And the US government has been trying to undermine and backdoor encryption pretty aggressively lately. Suggesting that there needs to be some government entity blessing the encryption opens the door to all sorts of mischief.

The title and initial comments in your post completely ignore what was actually said in the article. Mike isn’t confused, he knows the request is for code review. You are because you didn’t read. The issue is can you trust a government who wants to undermine encryption (cough the US Government cough) to tell you encryption is safe? Do you really think if the CIA finds a backdoor the CIA will tell anyone it exists? No, they will exploit that discovery for themselves and tell everyone the encryption is safe. I don’t know why you think differently.

Anonymous says:

Additionally...

She is making the claim that if the encryption really is good, it will make it harder for … someone… "to detect malware". So if she holds both those positions, they are mutually contradictory.

No one should be scanning other people’s messages on the wire, anyway. And the history that we know, since so much involving the biggest scanners of communications is secret, is that no one has ever stopped anything by live signals intelligence / malware scanning. It just gives them a later excuse at some point in the future to get up in peoples’ private lives (including parties who are victimized), or simply use malware, exploits, and compromised endpoints to their own ends.

Now, if you wanted some open cryptographic org to review the crypto and implementation, that would be sensible. Haugen apparently wants it both ways, but with governments doing the crypto verification and spying on supposedly encrypted communications.

Maybe if governments didn’t hoard exploits, and demanded patching of all the things, including telecom vulnerabilities existing since time out of mind, and all the IoT bullshit, someone might have the slightest hint of an argument here.

Jono793 says:

I’m having some serious reservations about Ms Haugen, her objectives and motivations.

The fact she’s endorsing the lurching atrocity of the Online Harms Bill doesn’t inspire much confidence for a start! A bill that proposes everything from forcing sites to take down content that’s not illegal, to curtailing encryption, to mandating "politically neutral moderation" whatever that’s supposed to mean. (Presumably giving terfs and UKIP supporters an avenue to complain next time they get kicked off private websites).

Obviously it’s not finalized yet. But as the only mainstream pushback to the bill here in the UK, is that it doesn’t go far enough (!) I’m not expecting any last minute improvements!

Jono793 says:

Re: Not even a whistleblower

That’s a very good point, and one that’s getting the short shrift across most of the coverage. The Hoeg Law YouTube channel discusses that in some detail.

Don’t get me wrong, I think it’s a good thing that these documents are coming into public scrutiny. And I don’t think Facebook would want the bad PR of trying to sue or prosecute Ms Haugen, who’s largely being portrayed as a brave woman speaking up against an evil megacorp.

Still, what’s the underlying criminal activity? Being profitable isn’t illegal. Malleable concepts like ‘misinformation’ and ‘spreading hate’ aren’t illegal (at least under 1st Amendment jurisprudence). And Section 230 absolutely forecloses the argument that Facebook is legally liable for user generated content; the entire crux of Ms Haugen’s activism!

Take away any alleged legal wrongdoing, and you’re legally (if not morally) close to situations like Palmer Luckey or Anthony Levandowski: Disgruntled ex-employees walking out of their jobs with a sack of stolen documents and trade secrets.

That One Guy says:

Out of the frying pan into the forest fire

If Facebook doesn’t make use of working encryption, whether intentionally or simply due to getting something wrong, that’s bad, but once it’s been caught there’s a chance that it can be fixed with sufficient pressure.

If governments are the ones deciding what encryption is or is not ‘good enough’ then you might as well assume that any encryption that gets the go-ahead either already had a known vulnerability or had one added (in neither case should it be trusted), because with the multiple governments around the world showing open animosity towards encryption the odds that they will be vetting it in good faith are staggeringly low.

Facebook not properly implementing encryption is most certainly a potential problem worth keeping an eye on but the ‘solution’ presented is just so much worse it’s difficult to understand how she missed the glaring problems with it.
