Facebook’s Encryption Fight Will Be Harder Than San Bernardino
Facebook is caught in a secret legal fight with the FBI. The fight, which centers on an alleged MS-13 gang member in Fresno, California, has been kept out of public court records, but Reuters broke the story on Friday citing sources familiar with the situation. According to Reuters, prosecutors are looking to listen in on all Messenger voice calls from the target, similar to a conventional phone wiretap. Facebook says it’s impossible to comply because of the service’s end-to-end encryption, and the company is risking contempt charges to prove it.
If this seems similar to the San Bernardino case, it should. In that case, the FBI tried to compel Apple to unlock an iPhone linked to a horrific workplace shooting, only to vacate the case when a third-party fix became available. It was a clear win for Apple and encryption more broadly — but there are crucial differences in this new case, and most of them are unfavorable to Facebook. While San Bernardino used a novel legal argument against a hardened device, Facebook’s case uses a well-tested legal procedure against a protocol that wasn’t built with this attack in mind. Not all encryption is the same, and every indication is that Facebook’s Messenger encryption simply wasn’t designed to maintain privacy in the face of a court-compelled wiretap. As a result, Facebook is facing a much tougher legal fight with a much less predictable result.
In broad strokes, comparisons to San Bernardino would seem like good news for Facebook — but Apple had a number of important advantages that Facebook won’t have. Most importantly, Apple simply didn’t have the information the FBI was looking for. The company had handed over the contents of the killer’s iCloud account, but it had no way to access his phone’s hard drive. Even with the physical phone in custody, the data was encrypted, and Apple didn’t know the password to decrypt it. Faced with that basic fact, the FBI demanded that Apple code together a poisoned version of iOS, a project that would have had significant security implications for everyone using Apple products. Even worse, the legal authority came from the rarely invoked All Writs Act, which has little precedent for a compelled software case. What seemed like a simple request — to unlock the phone — was far more complex than it looked.
Facebook’s case is different, and potentially much friendlier to the feds. Instead of a locally encrypted hard drive, prosecutors want a wiretap on all the Messenger voice calls to and from a single user. Those calls are encrypted with a session key, generated locally by each device — but crucially, the session key is much less closely guarded than Apple’s passcode. A 2015 analysis of the Messenger profile by researcher Philipp Hancke found that the keys were actually shared with Facebook’s servers as part of the encryption process, a result of Facebook’s implementation of a standard protocol called SDES. We don’t know the full details of Facebook’s SDES implementation or whether that implementation has changed in the three years since the report. (Facebook did not respond to a request for comment.) But if Hancke’s research is accurate, complying with the wiretap order might simply be a matter of catching the session keys in transit. Notably, the Reuters story doesn’t mention Facebook’s Secret Conversations feature, which runs on the more robust Signal protocol but doesn’t include VoIP service.
To be clear, experts still don’t think Facebook has a copy of the session keys it can simply hand over to the government. It’s a liability to hold onto the keys, and Hancke told me there are a number of ways Facebook “might protect that data on top of the protocol, whether it’s refusing to log the keys or encrypting the entire handshake.” Former Facebook engineer Alec Muffett told The Verge he believes Facebook “probably does not currently have the necessary keys and means to comply with a wiretap order,” blaming the confusion on conflicting definitions of end-to-end encryption. But if Facebook’s legal fight plays out the way San Bernardino did, the loose handling of the session keys could be a powerful tool for the government.
“They will be able to do a much more plausible denial if they have removed the old SDES stuff altogether,” Hancke says. “If they have not, they might argue that they do not log the keying material as it passes through their servers.”
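The technical point behind the SDES discussion above, and behind Hancke’s remark about logging keying material, is that SDES carries the call’s master key inside the signaling itself. The following is an added illustration, not code from Facebook, Messenger or Hancke’s analysis: it audits a constructed SDP body the way a service operator might audit its own signaling path, recovering the key from an `a=crypto` line (SDES, RFC 4568) and showing that a DTLS-SRTP `a=fingerprint` line exposes nothing comparable. The SDP fragments and the fingerprint are constructed placeholders.

```python
"""Why an SDES-keyed call is exposed to whoever relays its signaling.

Added illustration; not code from Facebook, Messenger or Hancke's analysis.
SDES (RFC 4568) puts the SRTP master key into the SDP offer/answer as an
a=crypto line, so a server that relays signaling can read it. DTLS-SRTP
(RFC 5763) only puts a certificate fingerprint into the SDP; the key is
negotiated end to end and the relay learns nothing it could hand over.
"""
import base64
import re

# Master key and salt sizes for the two common AES_CM_128 suites (RFC 4568).
SUITE_KEY_SALT_BYTES = {
    "AES_CM_128_HMAC_SHA1_80": (16, 14),
    "AES_CM_128_HMAC_SHA1_32": (16, 14),
}
CRYPTO_RE = re.compile(r"^a=crypto:(\d+) (\S+) inline:([A-Za-z0-9+/=]+)")
FINGERPRINT_RE = re.compile(r"^a=fingerprint:(\S+) ([0-9A-Fa-f:]+)$")


def keying_material_in_signaling(sdp: str) -> dict:
    """Report what an intermediary learns about SRTP keys from one SDP body."""
    seen = {"exposed_keys": [], "fingerprints": []}
    for line in sdp.splitlines():
        line = line.strip()
        m = CRYPTO_RE.match(line)
        if m and m.group(2) in SUITE_KEY_SALT_BYTES:
            key_len, salt_len = SUITE_KEY_SALT_BYTES[m.group(2)]
            raw = base64.b64decode(m.group(3))  # lifetime/MKI after '|' are not matched
            if len(raw) == key_len + salt_len:   # anything else is a malformed line
                seen["exposed_keys"].append(
                    {"tag": int(m.group(1)), "suite": m.group(2),
                     "key": raw[:key_len], "salt": raw[key_len:]})
            continue
        f = FINGERPRINT_RE.match(line)
        if f:
            seen["fingerprints"].append((f.group(1), f.group(2)))
    return seen


def constructed_offers():
    """Two constructed SDP fragments: an SDES offer and a DTLS-SRTP offer."""
    keysalt = base64.b64encode(bytes(range(30))).decode()  # constructed 16-byte key + 14-byte salt
    sdes = ("m=audio 49170 RTP/SAVP 0\n"
            f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{keysalt}|2^20|1:32\n")
    dtls = ("m=audio 49170 UDP/TLS/RTP/SAVP 0\n"
            "a=fingerprint:sha-256 " + ":".join(["AB"] * 32) + "\n")  # placeholder fingerprint
    return sdes, dtls
```

Running `keying_material_in_signaling` over the SDES offer yields one readable master key and salt, while the DTLS-SRTP offer yields only a fingerprint, which is the difference between a relay that could log keys and one that could not.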
The most challenging part of the order has nothing to do with encryption at all. Even with the session key, wiretappers would still need to collect a full copy of the encrypted call, which can be a significant challenge. Most online calling services send data directly from client to client for simple performance reasons, which has given the services a troubled history with wiretap requests. Microsoft subsidiary Skype began allowing warrant access to user chats and other data in 2012, but voice calling was simply too technically challenging to arrange. Still, there’s reason to think it’s possible: Microsoft was filing patents for warrant-accessible internet calling systems as early as 2009. The NSA, not surprisingly, has found a way around the issue, although it’s unclear whether the technique would be workable for law enforcement. (Earlier today, Skype introduced an end-to-end encrypted chat feature similar to Secret Conversations, although the service doesn’t extend to voice calls.)
Facebook’s biggest problem is the Wiretap Act itself. Where the San Bernardino case rested on an exotic All Writs Act argument, the Wiretap Act is relatively straightforward. If phone companies receive a wiretap order, then they’re required to give police technical assistance in tapping the phone. Those orders require a higher standard than a warrant, and without such an order, any wiretapping is expressly illegal. The system was designed for companies like AT&T, and it has been relatively uncontroversial for the past 30 years, sometimes put forward as a model of how courts can hold otherwise-invasive surveillance techniques in check. There are ways to contest a given order, arguing it’s too disruptive to the service or otherwise burdensome — or simply that messaging services aren’t subject to the Wiretap Act — but the government’s argument is far more straightforward than what Apple faced.
There’s still a lot we don’t know about the Facebook case. All the relevant documents are under seal, and neither side is sharing much of what they know. It’s entirely possible the two sides will settle quietly before the case reaches the fever pitch of San Bernardino. But both incidents are part of a much larger fight, as law enforcement comes to terms with the limits of its reach in the digital age. Some services will make room for law enforcement while others hold out and still others are caught awkwardly in the middle. But every service will get a turn eventually — and when they do, the thorny details of their encryption protocols may become suddenly, unexpectedly important.