WhatsApp and What’s Next?

During the course of the government’s aborted attempt to force Apple to create a backdoor to access the San Berdoo shooter’s iPhone, the geeks kept muttering under their breath, “WhatsApp.”  They weren’t crazy. This time.  It just wasn’t the issue on the table at the moment. Focus isn’t their strong suit.

But now that the government has pretended to have cracked the iPhone problem, in the face of a potential scorched earth ruling like the one they were handed in Brooklyn, with tons of people arguing that they were full of shit and only a handful of Nancy Grace fans thinking that Jim Comey and Cy Vance were particularly handsome devils, the heat is off Apple. The time has come to consider the next new thing in encryption.

Mountain View is home to WhatsApp, an online messaging service now owned by tech giant Facebook, that has grown into one of the world’s most important applications. More than a billion people trade messages, make phone calls, send photos, and swap videos using the service. This means that only Facebook itself runs a larger self-contained communications network. And today, the enigmatic founders of WhatsApp, Brian Acton and Jan Koum, together with a high-minded coder and cryptographer who goes by the pseudonym Moxie Marlinspike, revealed that the company has added end-to-end encryption to every form of communication on its service.

The first disturbing thing is that WhatsApp is owned by Facebook. It’s not that Facebook isn’t entirely trustworthy, though it’s not entirely trustworthy and the snotty kid in charge would sell you out in a second.  But even assuming Zuckerberg would take a hit by defying the government as he simultaneously datamines your life to sell to anyone with a buck, WhatsApp seems to offer a means of privacy that even he can’t screw up.

From the outset of the debate over digital privacy, it was my view that the nerds didn’t “get” how the government, the courts, would deal with it.  They argued code. They’re so naïve, I responded.  Some judge will eventually get bored listening to a lawyer explaining the technical details of encryption, turn to his courtroom deputy and say, under his breath, “enough of this shit, call the Marshals.” He would then announce, in his best stentorian voice, “you are held in contempt for your refusal to comply with this court’s order. Marshals, take charge.”

The law is a bludgeon.

I would give the nerd a week in the pokey, unable to sit down, before he starts begging to code, hacking like his life depends on it.  Can you see Zuckerberg eating nutraloaf? I can’t. It’s hard after you’ve experienced a ’62 Margaux.

In other words, the government doesn’t have to outsmart encryption. It just needs to get a judge, one judge, one dinosaur judge, to drop the hammer.  The law doesn’t need to explain itself to everyone’s satisfaction. It just needs some simple black letter rule, like “the law is entitled to every man’s evidence,” to make its ruling stick.  How you get to that evidence is your problem. How the law makes you get there is easy. Bludgeon.

But maybe, just maybe, in the war of attrition between the government and devs, there is another factor at play that alters the calculus.  If the government “cracks” one iPhone, a new app will spring up to take its place.  If the government jails the guy who refuses to spew about the next encrypted drive, ten new apps will appear. A hundred. A thousand.

You see, it’s not that the Department of Justice doesn’t have a bunch of smart, zealous lawyers working for it, all bent on getting either a corner office at Biglaw or a bench of their own someday. They’re up to their eyeballs in future Bill Otises, until they get a new paymaster (at which point they’ll “see the light”).  And they certainly don’t lack for funds, since there will always be more money in your pocket from which to fund their critical mission to save us from the terrorists.

No, the DoJ’s got a strong hand to play. But there are nerds out there. Lots of nerds. Lots and lots of nerds. And if they start writing code, start creating apps, start encrypting, and keep encrypting, they may create more nightmares for the government than the court has bludgeons.

Sure, some will suffer. The early adopters, the thought-leaders, the ones who have the grave misfortune of finding themselves in the government’s cross-hairs. They may even be tortured, if the government is shifty enough. Could they withstand porn-boarding, being forced to learn that sexual relations exist off the internet but just out of their reach beyond the cell door?  Would they hold up?

There would be “messages” sent to the other coders, that if they persist in defying the government’s bludgeon, they too will find themselves unable to check their twits.

But if they are strong enough to withstand the pressure, to be willing to take one for the team, to find strength in binary numbers, they could prevail.  WhatsApp may be the latest flavor of encryption, end to end, but if there is more, a hundred more, a thousand more, can the government beat them all?

28 thoughts on “WhatsApp and What’s Next?”

  1. Martin Goodson

    Forgive the question (IANAL) … what would be the appropriate legal remedy available to a wee nerd’s lawyers if a judge locked him up for contempt for failing to provide the literally impossible?

    It’s no use saying the prisoner is ‘holding the keys to his own cell’ if he literally cannot provide the key. Excuse the pun.

    1. SHG Post author

      Nothing in this blog constitutes legal advice. This is free. Legal advice you have to pay for.

      That even applies to non-lawyers.

      1. Martin Goodson

        I was not looking for legal advice, I was merely interested in how a lawyer might respond to such a dilemma.

        Thank you for taking the time to respond.

        1. Bruce Coulson

          “Son, you’re staying in jail; I’m going to lunch.”

          Not every lawyer; but certainly some of them would respond in such a fashion.

          1. SHG Post author

            At least Martin had the good sense to say IANAL. You could show him the same courtesy, since he can’t see your tin foil hat.

  2. paul

    While I don’t trust Zuckerberg, tech giant is a good thing. It’s why Apple, which had the resources, public awareness, and intelligent lawyers turned out drastically different from Lavabit.

    When nerds own and/or run billion dollar companies the equations change a bit.

    1. SHG Post author

      While it may not have been Apple’s “sole” interest, the fact that privacy also happened to be a good marketing pitch didn’t hurt Apple’s motivation to put its resources toward fighting. As the govt noted, it’s not like Apple put up a fight before.

      1. paul

        Yeah, Zucks would probably jump at a chance to “help”. But should he opt for privacy (you never know…I mean look what the MPAA did recently) I don’t see nutraloaf on the menu.

        1. SHG Post author

          Just as I wouldn’t bank on the MPAA coming out the right way next time, I wouldn’t count on “Zucks.”

          1. NBNBNBNB

            What about Matter of 381 Search Warrants Directed to Facebook, Inc. (New York County Dist. Attorney’s Off.)? I thought that was a good attempt. They still lost and they still handed over the materials, but they at least tried to litigate. It’s up at the COA.

            We should all thank Snowden; making privacy dovetail from conspicuous consumption.

            1. SHG Post author

              I have some personal familiarity with that particular case. It was a particularly egregious and burdensome outlier. Don’t take the blind leap that FB hasn’t been more than friendly under other circumstances. Fighting one battle isn’t enough to constitute a principled stance, given the times they were only too happy to hand over the goods.

  3. rjh

    The geeks will not be alone in this. The national security community are also entering the fray. See for example statements by Michael Hayden (former director of the National Security Agency (DIRNSA), the first principal deputy director of National Intelligence (PDDNI), and director of the Central Intelligence Agency (DCIA)) about making the appropriate tradeoff between national security (which needs strong encryption) and law enforcement convenience (which doesn’t).

    I suspect that national security feedback is part of why the FBI backed off.

    This probably means that nobody gets everything that they want in the end. The social tradeoffs needed around different kinds of public safety and civil society will not be simple or emotionally satisfying.

    1. SHG Post author

      Notice that Hayden had nothing useful to say until after he was out? They only get religion after they’ve relinquished authority.

      1. rjh

        Could be. Or they only discuss their opinion internally until after they’ve safely retired.

      2. Dragoness Eclectic

        There’s a lot more people who know the score, but will never be able to say anything useful in public. The classified information NDAs are life-long, and national security-type agency use of encryption is one of those issues that tends to be very classified.

          1. Dragoness Eclectic

            You are entirely correct. It is a serious conundrum of public policy that those in a position to know for certain various facts about important matters of public policy cannot inform the public–which votes or pressures their representatives to vote on those matters of public policy. Instead, confusion and deliberate disinformation spread through the news media, and people make up their minds based on that.

            TL;DR: Secrets are bad for democracy.

  4. Christopher Best

    This same thing happened, on a smaller scale, the last time the Feds fought (and lost) an encryption war in the ’90s. They pushed the Clipper Chip. In response there was freely available, open source encryption like PGP, PGPfone, and Nautilus (so named because Nemo’s Nautilus blew up Clipper Ships). When they tried to crack down on PGP, GnuPG popped up in Germany out of their reach. This was all before anyone was really using the Internet–in particular anyone making money.

    This was also before massive movements of people doing things for the lulz. Even (especially?) programmers appreciate the lulz… Gonna suck for those guys who get bludgeoned, but if it doesn’t stop the pirates it isn’t gonna stop someone who believes they’re doing something to protect people.

    1. SHG Post author

      The feds are more serious about it now. I wonder how far they’ll go. And if the pirates are outside the jurisdiction, they’re also unprotected by our Constitution. Those are some interesting dots to connect.

  5. James Simpson

    Simplest form of encryption: two people meet, exchange a password (preferably an XKCD style password – google it) and use that to create encrypted ZIP files that can be emailed as ordinary attachments. Basically recreates everything Snapchat has just done.

    So yeah, there’s enough encryption tools and “parts” already out there to build whatever level of complexity you need in a crypto solution with minimal to zero coding needed. It ain’t going away.

    There’s also a pair of constitutional problems.

    Coded messages were used during the US revolution against the British so this is a form of speech the founders knew all about. They didn’t exclude it from 1st Amendment protection.

    More recently the US government has at various times declared hard crypto to be a weapon of war. During the attempted prosecution of Phil Zimmermann about 25+ years ago he was under threat for “arms export” when his PGP crypto made it onto the early internet. This case (along with the Steve Jackson Games fiasco) caused the EFF to form (and get funded).

    So is banning crypto that the makers of it can’t crack a violation of the 2nd Amendment?

  6. Syme

    The term of art between cryptographers for this is “rubber hose cryptanalysis” ….

    And PGP was sorta within reach…it’s just Bill Clinton’s DoJ stopped short of banning & burning the book of PGP source code that MIT published.
