As big a win for privacy advocates as it was a setback for U.S. intelligence agencies, WhatsApp’s move this week to fully encrypt its popular messaging service was funded in part by a little-known Washington initiative, launched during the Arab Spring. Its mission: to help activists get around censorship and communicate without being nabbed by authorities.
By adopting a highly sophisticated encryption algorithm for text messages, phone calls, and file transfers, WhatsApp has given its more than 1 billion users the ability to communicate in near-complete secrecy – and made it potentially impossible for law enforcement authorities to listen in.
The development of that encryption technology was funded by a small, government-backed nonprofit, the Open Technology Fund, which is part of Washington’s efforts to promote free expression and security online.
Few senior Obama administration officials have been more eager to support Internet freedom than former Secretary of State Hillary Clinton. Beginning in 2010, she argued the Internet could be a powerful tool for development and political change and said the U.S. State Department would support “the development of new tools that enable citizens to exercise their rights of free expression by circumventing politically motivated censorship.”
But Sen. Richard Lugar, R-Ind., then-ranking member of the Foreign Relations Committee, complained Foggy Bottom was taking too long to fund projects aimed at combating online repression. And in 2011, Congress stripped the State Department of one-third of its $30 million budget to fund Internet freedom initiatives and instead turned over the money to the Broadcasting Board of Governors, which runs America’s government-supported overseas broadcasting arms, such as Radio Free Asia.
With that funding boost, Radio Free Asia established what is known as the Open Technology Fund, a government-backed nonprofit that supports projects aimed at promoting liberty and security online. Among its most successful and prominent grantees is a dreadlocked, charismatic hacker who goes by the pseudonym Moxie Marlinspike.
Between 2013 and 2015, Marlinspike’s Open Whisper Systems, which makes encrypted messaging tools, received $2.3 million in funding from the Open Technology Fund. With that funding, Marlinspike developed the encryption algorithm that was folded into WhatsApp on Tuesday.
Just as Apple would not help the FBI access data stored on an iPhone belonging to one of the Islamic State-linked gunmen who killed 14 people during a December 2015 shooting rampage in San Bernardino, California, WhatsApp will be unable to comply with any court order to serve up customer messages. The social network was acquired by Facebook in 2014 for $22 billion.
Facebook, by contrast, doesn’t offer end-to-end encryption for its messaging service and complied with government orders to turn over user data to U.S. spy agencies, according to documents revealed by NSA whistleblower Edward Snowden. In WhatsApp, the company has acquired a service willing to adopt technological solutions to prevent compliance with many types of court orders.
Indeed, WhatsApp’s expansion of its encryption has U.S. officials sounding the alarm. FBI General Counsel James Baker said during a Tuesday conference appearance that WhatsApp’s expansion “presents us with a significant problem.” According to a former senior U.S. intelligence official, encrypted “data in motion” – information moving across a network – is far more difficult to intercept and decode than similar data stored on a phone or disk.
The technologists making encryption available to the masses aren’t sympathetic to warnings by FBI Director James Comey that investigations are “going dark” as suspects turn on encryption. “I think that we should be skeptical that the same organization which once tried to convince Dr. Martin Luther King to kill himself using audio surveillance tapes that they collected is trying to tell us that their surveillance capabilities are good for our society,” Marlinspike told Foreign Policy in an interview on the sidelines of the RSA Conference last month in San Francisco.
The former official, who spoke to FP on condition of anonymity, said U.S. intelligence services have developed fairly sophisticated efforts to crack encrypted messages or find workarounds. Sometimes metadata – information about whom communicated with whom and when – can be sufficient to an investigation. Collaborations with foreign intelligence agencies can help fill in the gaps. The NSA and CIA can work together to build a fuller picture and supplement analyses with the vast array of data collected by the intelligence community, including, for example, satellite imagery.
The situation is far more difficult for the FBI. Clandestine methods used by intelligence agencies cannot be used in court as evidence, and the FBI has far more stringent restrictions on how it operates on U.S. soil. Law enforcement “is a different game than national security,” the official said.
On the heels of terrorist attacks in Brussels and Paris by operatives well-versed in encrypted communication tools, the debate over whether intelligence and law enforcement agencies should be able to access scrambled data has only gained momentum.
Clinton, now running for the Democratic nomination for president, has had to walk a fine line on supporting Internet freedoms while sounding strong on national security.
In a speech one day after the March 22 Brussels attacks, Clinton said “impenetrable encryption provides significant cybersecurity advantages but may also make it harder” to “investigate plots and prevent future attacks.” The Islamic State, she said, “knows this too.”
“There may be no quick or magic fix,” Clinton told a Stanford University audience. “The tech community and the government have to stop seeing each other as adversaries and start working together to protect our safety and our privacy.”
As secretary of state, Clinton described the promotion of secure messaging tools and other technology to fight censorship as one tool of 21st-century statecraft, said Chris Soghoian, the principal technologist at the American Civil Liberties Union. Six years after she delivered the first of three major speeches on Internet freedom, the promise of that initiative is “finally happening” with more than 1 billion WhatsApp users able to use sophisticated encryption, Soghoian said.
Repressive regimes routinely target activists and journalists merely for using encryption to shield their data. Last year, authorities in Turkey detained and charged three Vice News journalists after one was found to have encryption software similar to that reportedly used by the Islamic State. In China, authorities target and block encrypted Internet connections, according to Reporters Without Borders. Around the world, more governments are either demanding “back doors” to encryption systems or banning such services outright, according to Freedom House’s 2015 Freedom on the Net report.
“The desire to protect people’s private communication is one of the core beliefs we have at WhatsApp, and for me, it’s personal,” Jan Koum, the company’s Ukrainian-born co-founder, wrote in a blog post. “I grew up in the USSR during Communist rule and the fact that people couldn’t speak freely is one of the reasons my family moved to the United States.”
The rollout of strong encryption by a service with a billion users represents a major milestone for the cryptologic community. “I think that a lot of the dream of encryption is in fact coming true,” said Jon Callas, a pioneer in making encryption widely available and co-founder of Silent Circle, which makes secure messaging tools and devices. “The way to stop mass surveillance is to be using encryption in a lot of places.”
For years, cryptologists have struggled with how to make computer systems both secure and user-friendly. The genius of WhatsApp’s encryption lies in the fact that it is essentially invisible to the user. Strong security features are turned on by default and require no additional work to function.
And it’s that ubiquity Marlinspike is aiming for. He worked with WhatsApp to implement the encryption system and hopes to work with other messaging platforms to put similar features in place. The Open Technology Fund and its work with Marlinspike offers a promising model for how to improve the availability of encryption and other privacy tools.
“I’m interested in taking the technology that we develop and getting it integrated into products with large deployments,” Marlinspike said.
“Hopefully, we’ll put ourselves out of business,” he said with a grin last month.
Before that happens, Marlinspike, WhatsApp, Apple, and other purveyors of encrypted communication tools will have to navigate a roiling debate in Washington over whether the government should be able to access scrambled data.
But most cryptologists, when asked why they got into their field, will say they mostly were fascinated by the technical problem of keeping messages and data secure – not bruising for a political fight. “I just wanted to do cryptography because it was interesting,” said Matthew Green, a cryptologist at Johns Hopkins University, who last month demonstrated a method for intercepting and decrypting some data on Apple’s iMessage platform.
“But the ability to speak freely is something that is under threat in many parts of the world,” he added. Cryptography can help preserve that right, but the deck is all too often stacked in the favor of autocrats.
“China and Russia have industrialized the process of censorship,” Green said. “We have the Open Technology Fund. It’s sad how different the level of resources are.”
(c) 2016, Foreign Policy · Elias Groll