The world has been – understandably – engrossed by COVID-related news cycles and information. Well, that and TikTok videos.
All the while, something interesting has been happening in the world of computer security. End-to-end encryption has had a growth spurt. For those of you who haven’t been keeping score at home, let’s recap:
Zoom exploded on the scene and promoted their strong end-to-end encryption, which turned out to not be so end-to-end. IT teams and consumers subjected to pornography and racial slurs realized that, actually, almost no video conferencing and collaboration products are truly end-to-end encrypted. For instance, take Google’s stance on the end-to-end encryption in Meet. Yes, the data is end-to-end encrypted — as is ALL data in transit by default between the client and Google for video meetings in a web browser.
Zoom’s acquisition of Keybase and their public statements about a 90-day plan to build Video Conferencing That Doesn’t Suck (at security) are huge steps forward for end-to-end encryption — and the fact that Zoom will be publishing protocols on May 22 for public review is perhaps the biggest step forward. One can only hope others will follow suit and that the broader community now understands that when a company says “encryption at rest protects your data on our servers,” this does not mean the data is end-to-end encrypted.
WhatsApp says “no” to advertising, for now
End-to-end encrypted WhatsApp retreated from jamming advertising into the platform in an obvious nod to security and privacy. This may be a short-lived win for end-to-end encryption as Facebook has been persistent in their intent to have advertising on the platform.
Just before the pandemic really burst onto the scene, Senators Graham, Blumenthal, Feinstein, Durbin, and others introduced the EARN-IT Act aimed at curbing child exploitation by removing legal protections from organizations that built encrypted platforms used by those endangering children. A number of cybersecurity experts remain afraid that this is AG Barr’s strategy to undermine the Fourth Amendment and strong encryption.
Side note: I found myself less bothered by this Act than many in our industry, if only because it was the first step away from a hawkish demand for a magical backdoor. This has been a multi-decade-long, largely-for-show debate that hasn’t protected a single child nor created meaningful bridges between law enforcement and technology. In fact, while this debate has plodded along, Congress has never debated a bill that would explicitly weaken encryption nor has anyone provided a technology that can provide strong situational privacy.
Invest in Child Safety Act
The Invest in Child Safety Act was introduced by Senators Wyden, Gillibrand, Casey, and Brown as a counter to the EARN-IT Act. This counterproposal looks to protect strong encryption and focus instead on combating online child sexual exploitation through increased funding for law enforcement and the National Center for Missing and Exploited Children. The bill is thoughtful and runs purposefully away from undercutting end-to-end encryption.
NSA weighs in on WFH
On April 24, the NSA published a document intended to provide “simple, actionable, considerations for individual government users—allowing its workforce to operate remotely using personal devices when deemed to be in the best interests of the health and welfare of its workforce and the nation.” The best practice highlighted in the document was – of course – end-to-end encryption.
In 2010, there was a small community adamant that end-to-end encryption was necessary for website security. Some of you may remember Firesheep, created by Eric Butler as a tool to raise awareness of the lax security of websites all over the world. Indeed, research done by Mr. Butler and others finally caught the attention of big technology and we now see https: everywhere we go. Perhaps Zoombombing will be this generation’s Firesheep? Let’s hope so.