Facebook to add end-to-end encryption to Messenger app

Facebook has started to introduce a setting to its “Messenger” app that provides users with end-to-end encryption, meaning messages can only be read on the device to which they were sent.

The encrypted feature is currently only available in a beta form to a small number of users for testing, but it will become available to all of its estimated 900-million users by late summer or in the fall, the social media giant said.

The feature will be called “secret conversations”.

“That means the messages are intended just for you and the other person – not anyone else, including us,” Facebook announced in a blog post.

The feature will also allow users to set a timer, causing messages to expire after the allotted amount of time passes.

Facebook is the latest to join an ongoing trend of encryption among apps.

Back in April, WhatsApp, which is owned by Facebook and has more than a billion users, strengthened encryption settings so that messages were only visible on the sending and recipient devices.

WhatsApp had been providing limited encryption services since 2014.

The company says it is now using a powerful form of encryption to protect the security of photos, videos, group chats and voice calls in addition to the text messages sent by more than a billion users around the globe.

Controversy

Encryption has become a hotly debated subject, with some US authorities warning that criminals and armed groups can use it to hide their tracks.

“WhatsApp has always prioritised making your data and communication as secure as possible,” a blog post by WhatsApp co-founders Jan Koum and Brian Acton said, announcing the change at the time.

As Facebook has done until now, Google and Yahoo use less extensive encryption to protect emails and messages while they are in transit, to prevent outsiders from eavesdropping.

Apple uses end-to-end encryption for its iMessage service, but some experts say WhatsApp’s method may be more secure because it provides a security code that senders and recipients can use to verify a message came from someone they know – and not from a hacker posing as a friend.

UK’s lower house eases up on encryption

The United Kingdom’s House of Commons approved far-reaching authority for spy agencies to access cyber data Tuesday, but pulled back some restrictions on encryption opposed by Apple and Facebook.

The so-called “snooper’s charter,” officially the Investigatory Powers Act, codifies the metadata analysis and malware-based computer hacking that intelligence agencies have already been carrying out in the U.K. It requires communications companies to maintain records of customers’ web browsing for a full year to assist investigations.

But the final version eased up on restrictions on encryption. Early drafts of the law mandated that encryption include backdoor access – an issue that recently sparked a battle between Apple and the FBI in the U.S. The version passed Tuesday requires only that companies help break encryption if it is reasonable in terms of cost and technology.

That would keep the kinds of encryption used on Apple phones and Facebook’s newly announced end-to-end encrypted messaging service off the table. When properly implemented, neither would be technologically possible to crack.

The changes to encryption were one of a few amendments meant to assuage concerns about the law’s effect on privacy. Civil liberties groups are still unhappy with the complete product, though interior minister Theresa May called the safeguards “world leading.”

The final vote on the IPA was 444-69. It now heads to the House of Lords for their approval.

Is Facebook making end-to-end encryption on Messenger opt-in only?

Facebook’s native chat is due to be silenced: Facebook’s reportedly going to kill it off, forcing users to instead use Messenger.

Rumor has it that Facebook Messenger will also offer the option of end-to-end encryption sometime in the next few months.

The Guardian, relying on input from three unnamed sources close to the project, earlier this week reported the end-to-end encryption news. Facebook hasn’t confirmed it, declining to comment on rumors or speculation.

The timing of these two things isn’t clear, but it would make sense for them to coincide – kill the native chat app just as a more privacy-protecting version of Messenger is ready to pull users in.

Ars Technica reports that some users are already getting pushed off the mobile version of Facebook’s native chat and onto the free, dedicated Messenger app.

Users of the regular Facebook mobile app were evicted a while ago. Now, it’s happening to those who access it via their phones’ web browsers or via third-party apps such as Tinfoil or Metal, Ars reports.

Some Android users are even being booted off chat automatically, shunted over to Google’s Play store to download Messenger when they try to check out their messages on the mobile site.

End-to-end encryption would shield conversations from all but the sender and receiver. That includes the prying eyes of both government surveillance outfits and the tech companies themselves.

The tradeoff: if Facebook can’t see conversations or get at users’ personal data, it can’t use artificial intelligence (AI) to chime in and do helpful things.

And, as we reported yesterday, Facebook’s on track to do a lot more language processing to figure out, for example, who’s messaging about needing a ride and therefore might want to have an Uber link pop up.

End-to-end encryption in Messenger would also put it on par with other encrypted messaging apps, including Apple iMessage, WhatsApp and Google’s new Allo messaging app.

Both Facebook and Google are trying to balance users’ demands for secure messaging with their thirst for services enhanced by the use of users’ personal data. Their solution: offer the end-to-end encryption as an opt-in feature.

As you might expect, some users are displeased with the notion of being forced onto Messenger, while some privacy experts are displeased with the idea that the speculated end-to-end encryption is opt-in rather than default.

The Guardian quoted Kenneth White, a security researcher and co-director of the Open Crypto Audit Project, which tests the security of encryption software:

The timing on killing native chat and releasing the Messenger crypto feature isn’t known, but The Register reports that it’s already been released for Windows 10 Mobile users.

Microsoft, Google, Facebook to U.K.: Don’t weaken encryption

Microsoft, Google and Facebook are urging U.K. officials not to undermine encryption as they work on laws that would authorize forcing communications service providers to decrypt customer traffic.

In a joint written submission to the U.K. Parliament the three U.S.-based companies lay down several areas of concern, which, if not addressed, they say could damage their businesses and leave them caught in legal crossfires among the many countries where they do business.

The companies say they don’t want the U.K. to impose restrictions and apply them to foreign service providers such as themselves because, if other countries followed suit, it would lead to a morass of laws impossible to navigate. “Conflicts of laws create an increasingly chaotic legal environment for providers, restricting the free flow of information and leaving private companies to decide whose laws to violate,” the submission says.

They staunchly support encryption without backdoors. “The companies believe that encryption is a fundamental security tool, important to the security of the digital economy as well as crucial to ensuring the safety of web users worldwide,” they write. “We reject any proposals that would require companies to deliberately weaken the security of their products via backdoors, forced decryption, or any other means.”

Despite what the U.K.’s Home Secretary Theresa May has said about not seeking encryption backdoors, they want it in writing. “We appreciate the statements in the Bill and by the Home Secretary that the Bill is not intended to weaken the use of encryption, and suggest that the Bill expressly state that nothing in the Bill should be construed to require a company to weaken or defeat its security measures.”

The Parliament is considering bills that would give government agencies access to communications across service provider networks with proper legal authorization, which would affect Microsoft, Google and Facebook, all of which operate globally and face compliance with laws in many countries.

As the U.K. is considering such laws, the Netherlands has rejected forcing providers to break encryption on demand. In the U.S., Congress has held hearings in which members say they will propose legislation to require providing cleartext versions of encrypted traffic when presented with a judge’s order.

The three companies ask that if the U.K. does create lawful access to encrypted communications, companies based outside the U.K. would not be required to comply if that would go against laws they have to follow in other countries.

They urge an international agreement on how the lawful-access laws of individual countries should be observed in other countries to remove ambiguities that might prevent them from complying with all of them.

The companies want to protect customer privacy by requiring notification of those whose communications are intercepted. “While it may be appropriate to withhold or delay notice in exceptional cases, in those cases the burden should be on the Government to demonstrate that there is an overriding need to protect public safety or preserve the integrity of a criminal investigation,” they say.

They also seek to protect data stored in the cloud the same way it is protected in private data centers. The government should go to a business if it is seeking a business’s data, just as it did before cloud services existed. “This is an area where the UK can lead the rest of the world, promoting cloud adoption, protecting law enforcement’s investigative needs, and resolving jurisdictional challenges without acting extraterritorially,” they say.

They note that the draft lacks requirements for agencies to tell the providers if they know of vulnerabilities in their networks that could be exploited, and to ensure that any authorized actions agencies take don’t introduce new vulnerabilities.

Microsoft, Google and Facebook seem concerned that agencies granted legal access to their networks might alter them in ways that have a negative effect on the services they deliver over those networks. “The clearest example is the authority to engage in computer network exploitation, or equipment interference,” they say. “To the extent this could involve the introduction of risks or vulnerabilities into products or services, it would be a very dangerous precedent to set, and we would urge your Government to reconsider.”

The companies want protections for their executives located within the U.K. They want warrants, when they have to be served on communications companies, to be served to officers of the companies who are located at the companies’ headquarters, not to employees of the companies located in the U.K. “We have collective experience around the world of personnel who have nothing to do with the data sought being arrested or intimidated in an attempt to force an overseas corporation to disclose user information,” they write. “We do not believe that the UK wants to legitimize this lawless and heavy-handed practice.”

They don’t want to be forced to create and retain data about customers that they don’t already create and retain in the normal course of business. “Some language under the retention part of the Bill suggests that a company could be required to generate data – and perhaps even reconfigure their networks or services to generate data – for the purposes of retention,” they write.

The companies think whatever judicial approvals are required to issue warrants to decrypt communications ought to apply to other U.K. orders issued to communications providers by the U.K.’s Defense Intelligence and other intelligence services. These other orders include national security notices, maintenance of technical capability orders, and modifications to equipment interference warrants.

They want the law to narrowly define bulk collection of data so it doesn’t include all traffic on a given channel, but rather is restricted to traffic identified by specific indicators such as source and destination. The law should allow only necessary and proportionate amounts of data to be analyzed and retained, and the rest to be destroyed, they say.

Service providers should be allowed to hire attorneys and protest warrants without running the risk of violating disclosure laws or acknowledging that they actually are subject to the law, they write.

They take exception to a single word – urgent – not being defined in drafts of the law where it requires decryption of communications in urgent cases. “Clarity on this term – which other countries may seek to emulate and even abuse – is important,” they say.