Artificial IntelligenceCryptocurrencyMetaverseCybersecurityTech Forward

WhatsApp Hack Shows Why We Don’t Need Encryption ‘Backdoors’

November 2, 2019, 6:25 PM UTC

This is the web version of Cyber Saturday, the weekend edition of Fortune’s daily Data Sheet newsletter on the top tech news. To get it delivered daily to your in-box, sign up here.

WhatsApp is suing an Israeli spyware developer. The Facebook-owned chat app alleges in its complaint that NSO Group, also known as Q Cyber Technologies, exploited a security hole in WhatsApp servers in order to hack 1,400 phones and other devices earlier this year.

NSO Group sells its hacking technology to governments and law enforcement agencies around the world with a stated intention to combat crime and terrorism. All too often it seems these tools are used, however, to go after political opponents, dissidents, human rights activists, and journalists. The Citizen Lab, a security research outfit at the University of Toronto, says it helped WhatsApp determine that at least 100 such civilian targets were victims of NSO Group-linked hacking.

One notorious example: Saudi Arabian agents are said to have used NSO Group tech to spy on the slain Washington Post columnist Jamal Khashoggi in the lead-up to his assassination.

WhatsApp has long been lauded for its top-notch security. The app was a pioneer in using strong, end-to-end encryption, a feature designed to secure messages, calls, and media from interlopers of all sorts. The technology is considered so watertight it prevents even WhatsApp, and its parent Facebook, from reading the contents of people’s communications as the bits and bytes traverse the company’s infrastructure—a tremendous irritation to law enforcement agencies seeking to conduct investigations. (Facebook is planning to roll out the feature to its other apps, Messenger and Instagram, by default in the near future.)

Law enforcement agencies everywhere take issue with this kind of encryption since it impedes their work. U.S. Attorney General William Barr has been pushing tech companies to ditch the protections, for one. He would rather they weaken their systems, introducing so-called backdoors, to enable government access. Here’s the thing though: If tech companies like Facebook are already having such trouble keeping their software secure, why introduce more vulnerabilities that would, undoubtedly, be abused by hackers and spies?

Skeptical of this view? Don’t take it from this columnist—take it from Jim Baker, who worked as the Federal Bureau of Investigation’s general counsel during its high-profile fight with Apple over encryption. Baker has recently changed his tune on the topic. In a recent op-ed written for Lawfare, a national security blog, Baker says, “it is time for governmental authorities—including law enforcement—to embrace encryption because it is one of the few mechanisms that the United States and its allies can use to more effectively protect themselves from existential cybersecurity threats, particularly from China.” He adds: “This is true even though encryption will impose costs on society, especially victims of other types of crime.”

Let’s pause and underscore that point: Baker—the FBI’s former top lawyer during its Apple encryption battle—has pulled a complete about-face. Even he agrees it is time for everyone to promote strong encryption.

In a Halloween-dated letter to the Attorney General, two legislators—Representative Anna Eshoo of California and Senator Ron Wyden of Oregon—shared their concerns about the Department of Justice’s “misguided, hypocritical efforts to pressure technology companies like Facebook into subverting the encryption that protects their messaging apps to enable government access.” The approach is doomed to failure, they say, because “illegal content”—like child abuse imagery—”will simply move to the dark web and to foreign commercial providers who are beyond the reach of U.S. law enforcement, while exposing millions of law-abiding Americans to new cybersecurity threats from stalkers, hackers, and other criminals.”

As the WhatsApp incident shows, our technologies have enough backdoors as it is.

Robert Hackett | @rhhackett | robert.hackett@fortune.com

THREATS

Dusting for prints. More websites are using a technique called "fingerprinting" to identify visitors, including ones who have taken measures to make themselves unknown, such as opting for "do no track" and using an "incognito" browser. Tech columnist Geoffrey Fowler at the Washington Post investigated the privacy invasive tactic in a recent article. He explains how ad targeting tech providers and others use idiosyncratic information about devices and network connections  to distinguish people.

Go see the dean. More than 1,400 schools have signed up for the services of Gaggle, a tech provider that offers to surveil the online accounts of students to ward off mass shootings and other threats. The company's software and human contractors analyze pupils' social media accounts, like Instagram and Twitter, and school accounts linked to Google G Suite and Microsoft 365, in order "to stop tragedies with real-time content analysis." BuzzFeed News asks how much monitoring is too much?

Just doing my job. Two employees of a security consultancy called Coalfire were arrested by law enforcement officers for...doing their jobs. They were hired by the Iowa State Judicial Branch to test the security of its buildings. While performing a break-in—called a physical penetration test, or "pen test," in the business patois—they tripped an alarm, and then they got cuffed. Security researchers and other pen testing companies have been voicing their indignation.

The hero we deserve. Michael Gillespie, a programmer at a repair shop called Nerds on Call, has helped hundreds of thousands of ransomware victims recover their files for free. He helps develop and distribute decryption software to counter the cybercriminal epidemic in his spare time. ProPublica calls him "a real-life version of Clark Kent or Peter Parker." Let's all give him a hand. 

Other news... TikTok is under national security review. Rudy Giuliani continues to show off his cyber skills. North Korean malware was found on an Indian nuclear facility's computers. Uber and Lynda.com hackers plead guilty. Australia wants to scan people's faces to clear them before they watch porn. Untitled Goose Game, the viral video game sensation, had a nasty security hole. Imperva CEO Chris Hylen steps down after data breach investigation. The estranged husband of recently resigned congresswoman Katie Hill may have been hacked?

Apple's phones are fine, but the pizza...

Share today’s Cyber Saturday with a friend.

Did someone share this with you? Sign up here. For previous editions, click here.

ACCESS GRANTED

We're all familiar with the mega data breach at Equifax that affected nearly 150 million North Americans in 2017. What might be less familiar is the incredibly intense psychological stress the hack caused the credit bureau's security team as it dealt with the aftermath. (Of course, that's to say nothing of the many people who have been forced to deal with the stresses of having their personal information stolen...) The BBC recently interviewed David Rimmer, Equifax's European security chief, about what went on inside the company during that crisis. Of note: He argues that employers ought to do more to address people's mental health during such trying times.

In early September 2017 David Rimmer was on the final day of a corporate get-together in the US, organised by Equifax, the giant financial firm he worked for.... At the conference centre, he and a handful of other staff were called aside by the global chief security officer. "[He] told us 'there's something I need to tell you and you're going to need to be here indefinitely for the next couple of weeks'," Mr Rimmer explains.

"In that meeting, where external counsel [lawyers] were also present, some of us were told 'if you tell anyone else about this, you'll be fired on the spot and walked off-site'."

FORTUNE RECON

Europe’s Privacy Laws Are Tough. Meet the Woman Who Could Make Them Costly for Facebook and Google by David Meyer

3 Popular Domain Name Providers Confirm Data Breach by Alyssa Newcomb

With ‘No Music for ICE,’ 1,000 Artists Boycott Amazon Over Its Ties to Government Surveillance by Dan Reilly

Europe Is Starting to Declare Its Cloud Independence by David Meyer

Facebook Sues Israeli Company Over Alleged WhatsApp Malware Attack by William Turton

New AT&T Features Aim to Do More to Protect You From Robocalls by Chris Morris

ONE MORE THING

Real life UFOs? The Drive, an automotive blog, dug into the strange history of antigravity research by corporations, universities, and the U.S. military. The site trawled only unclassified research, so it's not comprehensive—but what does turn up is bizarre and intriguing. You might be surprised to learn how many people have pursued this "'Holy Grail' of aerospace engineering," as journalist Brett Tingley puts it.

The truth is out there...cue The X Files theme.