Every six minutes, on average, Facebook gets a request from a U.S. government agency for information about gangs, drug trafficking or other suspected crimes, and the social network generally cooperates, turning over at least some data 86 percent of the time, according to the company’s most recent report on the topic.
But that close relationship could be reshaped by CEO Mark Zuckerberg’s move this week to embrace a technology that law enforcement officials say could stymie their investigations: end-to-end encryption, an unbreakable way to hide the content of messages.
Embraced by privacy and consumer advocates, end-to-end encryption is built by default into some messaging apps, such as the Facebook-owned WhatsApp or smaller rival Signal, and Zuckerberg said he plans to adopt it more widely for Facebook. The change would put the content of more communications out of the reach of police, the FBI and other government agencies that can now get them by executing a search warrant on Facebook.
The FBI labels the trend “going dark.” To get encrypted messages, authorities generally need access to people’s phones or other devices. The FBI on Thursday declined to comment on Facebook’s encryption plans, but on Tuesday, a day before Zuckerberg announced the change, FBI Director Christopher Wray said at a security conference in San Francisco that he remained dissatisfied with the situation.
“It can’t be a sustainable end state for there to be an entirely unfettered space — that’s utterly beyond fully lawful access — for criminals, terrorists and spies to hide their communications,” Wray said at the RSA security conference. He said he wants tech companies and law enforcement to reach a compromise.
The expansion of end-to-end encryption is one piece of a larger rethinking of social media after two years of harsh criticism directed at Facebook by privacy advocates, lawmakers, journalists and users. Zuckerberg, in a post on Facebook, said the company would put a greater emphasis on privacy and direct messaging, moving away from the “town square” that encourages public updates fed into a news feed.
The move puts Facebook squarely in opposition to many law enforcement officials and foreign governments that have claimed end-to-end encryption makes it easier “for criminal and terrorists to find a safe haven to conceal their illegal activities,” as Deirdre Walsh, chief operating officer of the Office of the Director of National Intelligence, wrote in 2016.
Zuckerberg softened the potential blow, making clear that the changes could be years away from taking effect and that he would consult with law enforcement before making them.
Zuckerberg’s announcement adds to growing adoption of end-to-end encryption by tech companies eager to attract consumers at a time when digital privacy is becoming a mainstream issue. Apple’s iMessage, another popular smartphone messaging app, features the encryption as do a variety of privacy-focused apps that have been released in recent years.
WhatsApp adopted end-to-end encryption in 2016, and Facebook’s Messenger includes it as an optional feature.
Katherine Pfaff, a spokesperson for the Drug Enforcement Administration, also declined to comment on Facebook’s plans. She said, though, that the DEA now encounters the use of encrypted applications in the majority of its investigations.
“Like other law enforcement agencies, these surreptitious measures pose significant challenges to DEA; however, investigators around the world continue to work with diligence, precision and sophistication to thwart these efforts,” she said in a statement to NBC News.
In a sign of the federal government’s frustration with encrypted conversations, the Justice Department last year asked a federal judge in California to force Facebook to wiretap encrypted voice calls over its Messenger services, Reuters reported. Facebook objected, and the judge ruled in Facebook’s favor, according to the news agency.
The debate is likely to cross international borders. British lawmakers have debated possible limits on encrypted messages. Last year, Iran and Russia tried to block Telegram, another messaging service that uses end-to-end encryption.
Alex Stamos, a former chief security officer at Facebook, said that in the hours after the company’s announcement on Wednesday, he believed there were likely anxious phone calls between U.S. officials and their close allies abroad.
“Australia in particular has been very aggressive on encryption, and they will be very upset about this,” said Stamos, who is also an NBC News contributor, referring to a measure the Australian Parliament passed in December requiring companies to create backdoor access for encrypted messaging services. A tech trade group that includes Facebook opposed the legislation.
Privacy advocates such as the Electronic Frontier Foundation often praise end-to-end encryption as one way to lower the risk of unwanted surveillance, either by authorities, corporate advertisers, criminal hackers or others. Zuckerberg, in his post, said he wanted to protect dissidents from repressive regimes.
“Encrypting all kinds of communication — that’s going to help people not be blackmailed, not have other people intercept their pictures or their sensitive information,” said Ryan Calo, a University of Washington law professor.
The move has other benefits for Facebook. Critics have hammered the social network for failing to stop the spread of hate speech, harassment and other material that goes against Facebook’s rules, but if the content is hidden with encryption, Facebook may have less of a responsibility to moderate.
Because Zuckerberg’s 3,200-word statement was short on details, some people who specialize in privacy and cryptography have been trying to parse its language for clues about what he will do. They focused, for example, on Zuckerberg’s phrase about “working towards” implementing end-to-end encryption, which they said seemed to hedge against guaranteeing full privacy protections for users.
“There’s a big difference between end-to-end encryption and moving ‘towards’ it,” said Fred Cate, an Indiana University law professor. “It could be like the magician trying to get you to watch the left hand while the right hand is where the action is.”
TIME AND MONEY
Zuckerberg wrote in his post that Facebook was in the early stages of transforming itself into primarily a messaging platform, and that he would consult with law enforcement along the way as he and the company decide what their services will look like. “We have a responsibility to work with law enforcement and to help prevent these wherever we can,” he said.
At the same time, though, critics of Facebook within academia and the tech sector said they were skeptical about whether Facebook would truly do much to scale back its broad data collection operation. Zuckerberg added that the company was working to identify “bad actors” by “detecting patterns of activity or through other means, even when we can’t see the content of the messages.”
Facebook on Friday declined to elaborate on its plans or discuss its relationship with law enforcement beyond Zuckerberg’s post.
One possibility is that law enforcement loses access to the content of messages but ends up gaining access to a different trove of information: information about people’s messages, such as whom they’re contacting, when they’re doing so and their locations — known as metadata.
While end-to-end encryption protects what’s inside of a message, it doesn’t shield messaging services from collecting the broader information, patterns and trends about messaging behavior.
“By merging Instagram and Facebook Messenger and WhatsApp, Facebook is now multiplying their ability to mine the metadata, so they’ll have more information about who people are messaging with,” said Joel Reidenberg, a Fordham University law professor. “That can oftentimes be more valuable information than the content of the messages.”
Reidenberg pointed to a 2016 study of telephone call metadata provided by volunteers that found, for example, that it was possible to draw inferences about potentially sensitive subjects such as health conditions and firearms ownership.
Zuckerberg and Facebook have not provided detailed plans for their use of messaging metadata, a trove of information that experts said would also be valuable to advertisers.
U.S. authorities have downplayed the importance of metadata, saying that nothing can be a substitute for the actual content of messages when investigators are trying to gather evidence.
Zuckerberg said the company would also consult with outside experts and advocates, some of whom have concerns similar to law enforcement. Facebook’s ability to scan images and other content inside its Messenger service has allowed the company to spot photographs of abused children, for example.
“We hope that child safety does not come at the expense privacy concerns,” Rebecca Kovar, a senior program manager at the National Center for Missing & Exploited Children, said in a statement on Thursday. Based on conversations with Facebook, the center believes Facebook will continue to make child safety a priority, she said.