Frances Haugen, widely known as "the Facebook whistleblower," surprised opponents of government surveillance over the weekend by speaking skeptically of end-to-end encryption in an interview with the London Telegraph.
Haugen is testifying today before a committee of the British Parliament, as lawmakers there hammer out an online "safety" bill intended to tell online platforms what content the government will and will not allow.
Haugen has come forward with internal Facebook documents she believes show a lack of concern with the safety and welfare of the platform's users. One might think, then, that Haugen would be happy to see Facebook implementing end-to-end encryption on its private messaging. End-to-end encryption helps protect users from predatory hackers and corrupt governments by making it much harder for them to secretly access your data.
But Haugen, apparently, has fallen for the idea that it's important for the "right" people to have access to encrypted information. She attempts to paint Facebook's privacy feature as a way for the social media giant to avoid responsibility. Strangely, the example she gave suggested that Facebook needs to have looser encryption in order to somehow protect Uyghurs in China from government attempts to implant spyware onto their phones.
"She warned that Facebook will not be able to uncover such operations if it goes ahead with its controversial plans to encrypt its Messenger app as well as Instagram's direct messages—meaning not even the company will see what users are sending," The Telegraph reported. According to Haugen, this means Facebook would not be able to intervene or even know if Chinese operatives were sending malware through messages and wouldn't be able to stop them.
Rather than providing better privacy protection to users, she argues, Facebook is implementing end-to-end encryption in order to "sidestep" such malware problems and say, "Look if we can't see it, it's not our problem."
A Facebook spokesperson responded to The Telegraph with what we all should realize at this point is the responsible approach to encryption: "The reason we believe in end-to-end encryption is precisely so that we can keep people safe, including from foreign interference and surveillance as well as hackers and criminals." There is no such thing as encryption back doors that only the "right" people can access. If they exist, they can eventually be found or accessed by others.
Haugen's comments drew the attention of Alec Muffett, who used to lead the Facebook team implementing end-to-end encryption on Facebook Messenger. He left the company in 2016, and his internal farewell essay—which Haugen leaked—described his burnout and frustration that Facebook was prioritizing growth and profit over protecting its users.
That may sound a lot like Haugen, but Muffett is dismayed by her attack on encryption. In a blog post Sunday, he writes: "Frances, if you read this, do please tell the [Department for Digital, Culture, Media, and Sport] committee up front (and don't let them distract or dissuade you) that people need the privacy which end-to-end encryption can bring to them, and that keeping people 'safe' does not require their communications to be interfered with by platforms or governments."
Further down, Muffett notes what should be obvious to somebody with Haugen's knowledge: that damaging encryption would make Uyghurs more vulnerable to surveillance. He says her ill-considered criticisms of encryption are "playing squarely into the hands of despots, censors, and corrupt politicians—those who want to break the Internet into parochial 'splinternets' that foist local mores onto a global audience."
Muffett also reasonably asks on Twitter, "Should Facebook be responsible for protecting #EU citizens from state-sponsored malware deployed by [Government Communications Headquarters—the United Kingdom's intelligence agency]?" Weakening encryption would make it easier for Western governments to introduce malware to users' systems. This isn't just the province of China and Russia. If Facebook has a responsibility to protect users from China's surveillance, wouldn't the same be true of England's or America's surveillance too?