The battle between the FBI and Apple over law enforcement access to encrypted communications may have died down a bit, but the international War on Crypto rages on. Brazil's recent action against the Facebook-owned messaging service WhatsApp is only the latest in a series of government jihads against strong online-security practices.
WhatsApp, which allows users to send SMS texts, media files, and audio messages to friends' phones using XMPP, is the most popular cross-platform messaging system in the world. People are drawn to the platform for its ease of use, flexibility, and affordability. By February of this year, WhatsApp had accumulated over one billion users, and it shows no signs of slowing down—unless government suppression criminalizes its business model, that is.
Notably, WhatsApp allows individuals to communicate without needing to purchase expensive unlimited phone service plans, making the messaging service especially popular in rapidly developing countries such as Brazil, India, and Mexico. These nations harbor a new global middle class that is eager to plug into the connected world through their smartphones, although perhaps not yet able to shell out for an unlimited data plan.
Curiously, the usual government voices for human rights and an open internet had little to say in defense of WhatsApp when the Brazilian government compelled internet service providers to block access to the messaging app. This may be because Brazil's war on strong encryption is largely in service of the international War on Drugs.
The crusade once again came to a head in May, when Judge Marcel Montalvão of the northeastern Brazilian state of Sergipe directed telecom operators to block WhatsApp access for 72 hours in conjunction with a drug-trafficking investigation gone sour. With that one court order, 100 million Brazilians woke up to discover that they could not access one of their primary means of connecting with the world.
Such discoveries are becoming routine for Brazilians. A different judge blocked access to the messaging app for 48 hours last December, due to its non-compliance with a criminal drug investigation. And Judge Montalvão made an even bigger splash in March when he ordered that a São Paulo-based Facebook executive be put in jail in conjunction with—you guessed it—a drug case. Meanwhile, the Brazilian Congress has been considering legislative measures to roll back the online protections citizens were guaranteed in the recently passed Marco Civil da Internet, or "internet bill of rights." If implemented, these new measures will dramatically limit Brazilians' privacy and security online.
Unfortunately, Brazil is far from an outlier in its antagonism toward strong security for digital messaging. We cannot simply chalk these aggressive actions up to government corruption or cultural difference. Intelligence agencies across the world have an incentive to undermine strong encryption techniques, even though these technologies improve online security for citizens. Brazil may simply be a harbinger of things to come.
Because WhatsApp is so popular, it is a prime target for government data mining. But WhatsApp takes data security very seriously. And it is not like a typical messaging platform that can easily comply with government data demands.
In its first few years of operation, WhatsApp suffered from a few embarrassing security oversights that called the platform's integrity into question. So it brought in the big guns, teaming up with developers at Open Whisper Systems, an open source project that maintains the Signal encryption suite popularized by Edward Snowden, to integrate end-to-end encryption into WhatsApp messaging. By April of this year, WhatsApp had accomplished its goal: over a billion WhatsApp users now enjoy the protection of seamless forward secrecy by default.
This makes WhatsApp a trailblazer in the world of professional messaging services. The app boasts a respectable six out of seven marks on the Electronic Frontier Foundation's (EFF) Secure Messaging Scorecard (as a proprietary platform, WhatsApp loses marks for not submitting its code to public review). For context, AIM, BBM, Skype, and Yahoo! Messenger score only one out of seven, while Facebook chat, Google Hangouts, and Snapchat do little better with two out of seven. The key difference between these other popular platforms and WhatsApp is that WhatsApp encrypts all communications on its platform so that the company itself cannot access the data—even if it wanted to.
In other words, there is no central repository of plain-text messages that the company can access to comply with a court subpoena. Nor is there a "universal key" that can be used as a government backdoor to decrypt information. When a user sends a message on WhatsApp, he or she can feel fairly confident that no confidence man in the middle lurks between sender and intended recipient. Such security is a very strong selling point in this age of constant data breaches and headache-inducing identity thefts.
In the world of information security, the best way to protect user data is to minimize the number of access vulnerabilities. As last year's Ashley Madison incident made all too clear, trusted third parties that store user data are a major target for malicious actors. A hacker would only need to target one party to gain access to millions of individuals' data. By removing itself from the equation, WhatsApp has provided a good service for its users and virtually eliminated the incentive for hackers to target the company itself.
This obviously drives governments crazy. Brazil only provides the latest (and most dramatic) case study. Public officials from China, India, and Saudi Arabia have singled out WhatsApp for public criticism or retaliatory policies. Unfortunately, they are joined by leaders of Western governments that claim to represent liberal values. David Cameron has called for a legislative "solution" to clamp down on secure technologies like WhatsApp in the U.K. Meanwhile, in the U.S., law enforcement groups battle with WhatsApp more quietly over access to encrypted data.
The FBI had hoped to parlay the emotionalism of the San Bernardino terrorist attacks into new legislative or judicial authority to undermine encryption. WhatsApp has so far been spared from the full force of Sauron's public eye, but that could very quickly change the moment a terrorism case can be connected to the platform in any way.
The recent Brazilian blockage was quickly overturned by another court. In the meantime, tech-savvy citizens wasted little time in downloading alternative secure messaging services that had not been blocked. Governments engaging in a counterproductive war on cryptography would do well to learn from this experience. Wise policymakers will reject this road and choose instead to focus resources on making better use of the information that law enforcement can access.
I'm not betting that many will follow this path, however. We can expect a lot more headaches from government encryption blunders over the coming years. At least, for now, we have options.