What the Saudi hack of Jeff Bezos says about the encryption debate

The hacking of Jeff Bezos’s smartphone, allegedly executed via the personal WhatsApp account of Saudi Crown Prince Mohammed bin Salman (a charge the Saudis deny), comes at an interesting time in the encryption debate.

That evergreen discussion has flared up yet again in recent weeks, thanks to attempts by the U.S. administration to secure easier access for investigators to people’s confidential smartphone data.

In an echo of the debate several years ago around the iPhone used by one of the San Bernardino terrorists, Attorney General William Barr and President Donald Trump have both attacked Apple for not unlocking iPhones belonging to alleged Pensacola killer Mohammed Saeed Alshamrani. And on Tuesday Reuters reported that the FBI convinced Apple to back away from plans to let users securely encrypt their iCloud backups.

These are just the latest episodes in a heated conversation that has been running since the 1990s—with technologists generally being on the winning side. But the details of the Bezos hack highlight an important fact: even with strong, “end-to-end” encryption in place, those with the means and motivation to access private data will often still get their way.

The term “end-to-end” refers to systems where the encryption of outgoing messages and decryption of incoming messages take place on the correspondents’ phones or computers. The provider of such a service, whether that’s Apple or WhatsApp, doesn’t get to read the information that passes through its servers—that privilege is only afforded to those on either end of the conversation.

This is a hugely valuable feature for those who wish to communicate privately, because they know that anyone who accesses that data while it’s in transit—whether it’s law enforcement or someone hacking into the systems of the telecoms carrier or messaging service provider—won’t come away with anything readable.

However, if someone can remotely hack into the user’s phone or computer, then all bets are off—they get to see what the user types and sees on their screen, which is of course perfectly legible.

Law enforcement and spy agencies know this, and so do lawmakers. Look at a piece of legislation such as the U.K.’s Investigatory Powers Act of 2016, and you will find language empowering security services to bug people’s devices, with tech firms’ support—the focus isn’t so much on breaking encryption as it is on bypassing it.

The Bezos case illustrates the point splendidly. According to the forensic analysis that blamed the crown prince for infecting the Amazon chief’s phone, the spyware-laden video file came via WhatsApp—a messaging service that features full end-to-end encryption. No matter; once the hack was perpetrated, gigabytes of data were there for the taking.

Spyware of this kind, developed by companies such as Israel’s NSO Group—which last year denied having anything to do with the Bezos hack—is supposed to be used only by governments and security services going about their usual business.

But different governments have different motivations, and commercial spyware has been linked to countless cases of journalists or dissidents being surveilled, tortured and killed. The United Nations’ surveillance expert, David Kaye, last year urged governments to declare a moratorium on the sale and use of such systems, to no avail.

Kaye reiterated that point Wednesday in a joint statement with Agnes Callamard, the U.N.’s special rapporteur on summary executions and extrajudicial killings. “Surveillance through digital means must be subjected to the most rigorous control, including by judicial authorities and national and international export control regimes, to protect against the ease of its abuse,” they said.

In any case, these tools are readily available on the black market. There is no likelihood of the spyware trade being reined in any time soon. And as security expert Alan Woodward told the BBC in relation to the Bezos incident, such a hack is “horribly easy to do.”

Again, none of this is to say that encryption is useless; as a first line of defense, it remains invaluable. But if the world’s richest man—who no doubt takes security seriously—can find his defensive measures bypassed so effectively, then nobody with a motivated adversary is safe. And claims that investigators can’t do their job when faced with end-to-end encryption need to be taken with an enormous pinch of salt.

Editor’s note: This story was updated on Jan. 22, 2020 at 10:20 a.m. ET with additional information.