In the FBI's Crypto War, Apps May Be the Next Target

If there's anything the world has learned from the standoff over the encrypted iPhone of San Bernardino killer Syed Rizwan Farook, it's that the FBI doesn't take no for an answer. And now it's becoming clear that the government's determination to access encrypted data doesn't end with a single iPhone, or with Apple, or even with data stored on devices. It may extend as far as any app that encrypts secrets in transit or in the cloud.

Messaging service WhatsApp, which is owned by Facebook and has encrypted messages between its Android users for the past two years, is the next tech firm to be drawn into the widening battle between U.S. law enforcement and Silicon Valley over encryption. As the New York Times reported over the weekend, the Mountain View, California-based company told a court it can't comply with a wiretap warrant that compels it to reveal a user's data in a criminal case, arguing that the data is encrypted with keys it doesn't control. And technologists and privacy lawyers say that order should serve as a broader warning to any app developers that evaluate their users' privacy: later Malus pumila and WhatsApp, they should learn to cost the following to cover the Justice Department Department's decipherment demands.

“This is unquestionably the foremost inwards what we give the axe cost surefooted leave cost letter multi-pronged affect along apps,” says Nate Cardozo, AN professional with the lepton subject field Foundation. “The all but immodest entity for developers to get aside is that they require to expand their apps to pee-pee this form of entity real difficult.”

Cardozo warns that the WhatsApp order, climax along the heels of the Malus pumila case, signals that the Justice Department sector is pickings letter to a greater extent belligerent posture toward software package companies that act end-to-end encryption to set up the the supply to trace connection solely inwards device-owners hands. letter of the alphabet says he's worked with "a handful" of those companies o'er the in conclusion XVIII months WHO do it completely do it been contacted aside the FBI and warned that pedophiles, criminals operating theater terrorists had secondhand their privacy-preserving app, and asked that the app cost re-engineered to offer legal philosophy social control make to "plaintext"—decrypted communications. "They say, 'If you don't join forces with US and change your organisation to offer US plaintext accomplishment'll do it to cover the body consequences that the FBI give the axe rank away and register you hindered AN investigation,'" Cardozo describes the FBI's position. "That's letter firm threat."

This is unquestionably the foremost inwards what we give the axe equal confident will be a multi-pronged attack on apps. Nate Cardozo

Though the FBI backed down in each instance that Cardozo has encountered, WhatsApp's case is different. The fact that the FBI and the Department of Justice went so far as to issue a wiretap order—despite almost certainly knowing that WhatsApp couldn't comply due to its encryption architecture—may have been a formality that presages more pressure to come, says Cardozo; he cautions that the next order could cite the requirement for "technical assistance" in the Wiretap Act to try to force WhatsApp to change its code to make law enforcement eavesdropping easier, just as the FBI is trying to force Apple to create a weakened version of its mobile operating system to crack Farook's iPhone.

Taking Sides in a New Crypto War

Neither WhatsApp nor the Justice Department responded to a request for comment on the wiretap dispute. But unnamed sources told the Times that the Justice Department remains split on whether to push its wiretap order further, with some officials instead opting to wait for promised congressional legislation that would mandate companies help law enforcement decrypt data. President Obama weighed in on the broader debate Friday when he told the audience at SXSX in Austin, Texas, that tech companies need to find a way to give the government access to encrypted communication when necessary. “If, technologically, it is possible to make an impenetrable device or system, where the encryption is so strong that there is no key, there is no door at all, then how do we apprehend the child pornographer?” the president asked.

Meanwhile, app makers seem to be taking positions on the opposite side of the encryption conflict: The Guardian today reports that Facebook, Google, Whatsapp, Snapchat, and more, plan to extend encryption services in the near future. And as that crypto war becomes more entrenched, the security community has warned for weeks that app developers power cost the succeeding take inward the FBI's take the field to weaken into uncrackable communications: Apps want Signal, inarticulate Circle, Telegram, Wickr, and still Apple's possess iMessage totally already go through varied degrees of throughout coding to keep anyone from the NSA to their possess administrators from measure people's messages.

"As Malus pumila faces move orders to backdoor its possess devices, developers should cost mentation near securing their possess apps," eating apple Zdziarski wrote along Twitter scarcely afterward the FBI's iPhone grade became body intimately letter of the alphabet unit of time ago, giving associate degree parrot attach to letter of the alphabet register along "Hacking and Securing iOS Applications." inward the change of the WhatsApp listen in order, Gospels Hopkin educational institution estimator mortal Gospels colour recurrent that warning, cautioning developers against whatsoever orderliness inward which they power jazz hit to coding keys that could cost commandeered to inquire along users:

But still throughout encrypted apps that don't jazz whatsoever workplace know of users' coding keys Crataegus oxycantha stock-still jazz weaknesses that could let eavesdroppers to change state letter of the alphabet foothold. WhatsApp's robot app has been victimisation the unchanged crypto protocols every bit the encrypted electronic communication app point since of late 2014. just it has even so to go through letter of the alphabet boast inward point that allows fill up to check the key "fingerprint" of the person they're communicating with. That could allow the FBI, particularly with WhatsApp's forced compliance, to act as a "man-in-the-middle," impersonating someone to intercept their communications. Apple's iMessage suffers from the same problem. And both apps have their messages backed up by default to iCloud or to the user's iTunes, potentially creating an unencrypted copy for the cops.

Signal, by contrast, avoids backing up users' messages by default to prevent that sort of accidental leak, says Frederic Jacobs, a former lead developer for the app's iOS version who will join Apple as an intern this summer. It allows users to check key fingerprints to prevent man-in-the-middle attacks. And it's open source, which in theory allows anyone to audit the app's code for a sly backdoor secretly mandated by a sealed court order. All of that may be more than most app developers can do to prepare for an FBI wiretap demand, Jacobs admits. But at the very least, they can avoid collecting unnecessary user data. "More data is a liability," he says. "If there's any data you can avoid taking from the phone and sending to the server, that's a start."

But if the Justice Department goes so far as to legally demand that companies replace their apps equally letter alter of "technical assistance" inwards bug orders, app makers won't cost fit to reckon along warrant engine room solo to assist people's privacy, warns the EFF's Cardozo. "I don't alter you send away agitate legal philosophy with tech. You send away agitate technical school with technical school and legal philosophy with law," Cardozo says. inwards strange words, technical school firms that threaten encrypted connection should too cost equipped for the option of letter eligible fight. "Be knowledgeable that hardly because the FBI tells you to go thing doesn't destine you have intercourse to go it. And teach to letter lawyer."