WhatsApp, a popular encrypted messaging app, was briefly shut down throughout Brazil earlier this week after a regional judge ordered the country’s telecom providers to temporarily block the app. The court order was, for all intents and purposes, retribution against the service and its parent company, Facebook, for failing to hand over data to the state as part of an ongoing drug trafficking investigation. Five telecom carriers reportedly complied with the shutdown before an appellate court overturned the original order.
As of this writing, consumers’ access to WhatsApp is restored, but this is not likely the end of the story. Previous suspensions have been ordered (and upheld), and Facebook’s Vice President for Latin America was even arrested back in March for “repeatedly failing to comply with judicial orders.” Never mind that WhatsApp and many other privacy apps like it were built with end-to-end encryption for the sole purpose of keeping tech companies from having to play the middle man in legal cases. Tech companies have, in fact, a long history of complying with criminal investigations and supplying information that has allowed law enforcement to further cases against the bad guys. For many reasons (which have already been covered extensively), tech innovators like Facebook, Apple, and Microsoft have developed devices and services that put control over user data into the hands of the data owners—the users themselves. Needless to say, encryption services have become extremely popular in recent years, as evidenced by the hundreds of millions of consumers around the globe using them regularly.
Everybody’s got a choice to make
What’s really interesting about the latest WhatsApp debacle is twofold: First, a court was able to force telecom carriers to do its bidding and affect 100 million Brazilians who are not linked to drug trafficking. The court couldn’t make Facebook turn over data it can’t access (because that data is encrypted and not stored on Facebook’s servers), so they instead set their sights on companies they could control (in part, by imposing fines of ~$142,000 USD/day). Even in the FBI vs. Apple case, the FBI didn’t demand Verizon, AT&T, or Sprint to shut off network service to all iPhones.
The second point, and one that should raise the shackles of security practitioners, is that government is yet again using scare tactics, the same kind of FUD practitioners have been railing against for many years, to further its agenda. In the enterprise we’ve seen over and over that FUD is not a long term, effective solution, and in this case, the Brazilian court appealed to public sentiment to rally against security and privacy. They peer pressured private enterprises into blackballing companies that provide strong encryption and privacy protection. This should infuriate security practitioners! This order didn’t merely ask for a backdoor into secure apps; it disallowed users to access the app altogether!
Unfortunately for Brazil, North Korea, the UAE, and others that have banned privacy apps, there are (fairly simplistic) ways to bypass geo-blocks. The list of countries looking to block end-to-end encryption services is ever-growing, so some of these measures may soon be necessary in a country near you. The MIT Technology Review even declared that Brazil’s WhatsApp Ban is a Harbinger of International Encryption Battles. Draft laws are in process in the U.S. and U.K., and China last year passed an anti-terrorism bill requiring decryption assistance when requested.
Of course, there are many privacy apps from which to choose if your favorite is blocked by your local overreaching government. Telegram Messenger, for example, shared on Twitter news about a boost in business immediately after the ban was enacted.
Don’t you want to take the wheel and steer?
Tech companies aren’t going to give up the ghost any time soon, which means the fight between makers and legislators will rage on. What should concern security practitioners (in addition to the possible infringement of personal privacy rights), even if their organizations aren’t building encryption products, is just how far governments are willing to go to get their hands on data when they want it. Consider this: Terrorists and criminals purchase products and services just like the rest of us. They shop in stores, they drive cars, they have bank accounts and credit cards. Security practitioners protecting companies’ networks and customer data—which might include that of criminals—should be wary of the potential for intrusion into and interruption of the security they’re building. When it’s not a consumer device or app, when it’s corporate databases and files that are shut down or when the information contained therein is required to be handed over in bulk, unencrypted, significant concern should arise.
This is not to say security pros don’t have a responsibility to help law enforcement when necessary or requested. Security practitioners (at least the ones I know) aren’t anti-law enforcement by any stretch of the imagination; they’re helpers and doers by trade. What is becoming obvious, though, is the need for security to become more involved in legislation efforts and to think about enterprise security the way tech innovators are building for consumer data privacy. There’s a big hurdle ahead, but as the spotlight remains on security and privacy, it’s security’s responsibility to lead the conversation rather than lag behind and be forced to react when a situation comes along.
