Facebook Messenger has added encryption to its voice and video calling features, joining the other encryption-focused messaging apps Facebook owns: WhatsApp and Instagram. This follows the company's announcement that it would begin implementing encryption throughout its messaging suite "from end to end", including private chats, last year.
Moxie Marlinspike, founder of Signal Foundation which works on the encryption protocol Open Whisper Systems created encryption for WhatsApp, said in a statement,
Starting today, we're starting to roll out end-to-end encryption for all communications between our users - completely free of charge. Every call you make on Messenger will be encrypted, as well as every message you send or receive.
Encryption can make it harder for people - including law enforcement or other government agencies - to see what you're sharing on Facebook, but encryption doesn't obstruct that type of content from being reported to us. If we learn of something that violates our community standards, we will report it.
In a statement, Andrew Byrne, policy manager at Facebook Ireland said encryption will not prevent content from being reported if it violates community standards. "Encryption is just one of the tools we use to fight abuse," he added.
Adrian Sanabria, an encryption expert at consultancy firm NCC Group who usually works with law enforcement circles said: "WhatsApp started without encryption back in 2009; Instagram was never encrypted and they made encryption available later (it's been there since 2014). Both these apps have helped investigators by handing over evidence that could be used in their cases.
The encryption that is being rolled out to Facebook Messenger will make it harder for investigators to access the data, but encryption comes at a cost and encryption doesn't prevent the sharing of evidence with law enforcement agencies.
But encryption can be a double-edged sword according to Sanabria who said he was currently working on an investigation into child exploitation imagery where encryption was helping protect those carrying out the crime. Sanabrie said,
Law enforcement has been trying to work with encrypted platforms for around 10 years: they want information from these people and many use encryption as a veil behind which they carry on offending. Encryption is now freely available across multiple messaging apps so I expect we'll see more offenders using encryption to protect their online activities and hide from the authorities.
According to David Gibson, VP of cybersecurity firm Varonis: "This encryption may help thwart would-be hackers or other malicious attackers who have breached an account and are looking for something specific in that user's inbox." However he added encryption could provide the ultimate defense against phishing attacks which seek access to users' credentials by posing as a trusted source.
"The encryption makes these attacks much more difficult by requiring attackers to first decrypt data before they can begin extracting usable credentials," explained Gibson.
Sanabria said encryption key management is also an issue for law enforcement. WhatsApp and Facebook Messenger have a centralised encryption key which allows them to read all messages, which some are concerned about:
The encryption keys on WhatsApp and Facebook messenger are generated by the companies themselves, this means that if these encryption keys were somehow released, then all of the traffic carried over these apps would be readable.
There's another issue with encryption as well - encryption at rest where encryption keys are stored; in most instances this isn't encrypted itself so should someone breach the storage system those keys could easily be stolen.
WhatsApp recently found itself under fire from Brazilian telco, OI which claimed encryption prevented it from providing customer data to law enforcement, a claim denied by WhatsApp.
In an interview with the Guardian earlier this month, Facebook's head of Messenger David Marcus said encryption was "one of the most important things that we can do for keeping people safe". But encryption is not without its negative aspects: encryption has been used to facilitate crime and terrorism - the so called 'dark web' allows nefarious characters to organise crimes online away from prying eyes - encryption provides protection there too.
Marcus continued: "People think encryption is a silver bullet that allows people to hide … but encryption is just one piece of active monitoring systems; you need other algorithms and approaches." He said it was also necessary to understand how encryption could be used to hide crime and how encryption can hinder investigations.
"I'm a big believer in encryption," he said, adding that it was "one of the best things we have going for us". This view is shared by former NSA director Michael Hayden who believes encryption is a necessary element of cybersecurity.
In an interview with Wired magazine earlier this month, he argued: "There are plenty of folks out there on Capitol Hill who do not like encryption." Continuing: "If encryption goes away because legislation makes it impossible to use encryption, bad people will encrypt too." And while these groups may simply shift their operations overseas where encryption remains legal, encryption cannot be legislated away globally.
According to information security expert Prof Alan Woodward the encryption argument is "highly emotional" and one that has to be based on facts. He argues encryption can largely do good for society when it is utilised properly.
"If you are sending any form of information, encryption helps; if I encrypt a message with my public key then only someone who possesses my private key can read it and likewise if you send me an encrypted file then unless someone breaks the encryption they cannot read the contents," he explained in an interview with SCMagazineUK.com.
Woodward believes encryption could potentially help solve data breaches - encryption stops attackers from accessing valuable or sensitive data meaning if that data were to fall into the wrong hands there would be nothing useful in it and therefore less of a breach.
However encryption can, in some cases, be used by criminals: Woodward said encryption is basically a tool "like any other and like all tools it can be used for good or ill". But encryption itself isn't the issue - its how governments and law enforcement utilise encryption that could create problems he said.
"The real problem is not encryption but lawful access to communications; encryption cannot prevent this," he explained. There has been discussion recently about encryption being weakened through the introduction of 'backdoors' into software - essentially providing secret ways for investigators to enter encrypted data when necessary. But Woodward believes introducing backdoors into software would make encryption less secure meaning if you are trying to hide something using encryption "there's point in encryption".
It is hard to argue that encryption shouldn't be weakened, it's something like asking if the police should have access to a safe where a criminal has hidden important documents. The encryption debate appears to me to be an encryption 'yes men' versus encryption 'no men' situation - encryption can do good but equally encryption can do bad.
As encryption evolves there needs to continue to be creativity in providing encryption alternatives where individuals or corporations can limit who has access. This could mean separate encryption keys for different people or even allow an individual to set up a situation whereby documents are only protected when they are online.
He believes there are no easy solutions.