While the U.S. Federal Bureau of Investigation publicly feuds with Apple over access to the iPhones of criminals, a quiet but monumental shift in mobile security could upend the agency’s plans to keep private lines of communication pried open. Mobile messaging companies are embracing end-to-end encryption, which puts conversations permanently out of reach of both law enforcement and the companies themselves.
This month, Viber and WhatsApp announced end-to-end encryption as a default setting, protecting the communications of 1.7 billion combined users worldwide. End-to-end encryption is a security mechanism that fully encrypts a message from the moment it is composed through its final delivery.
With this method, the key required to decrypt messages is shared only between sender and receiver. It is not known or stored by the company that shuttles messages between the two parties. That means there’s no way for law enforcement to force a company to decrypt messages, because the company itself does not hold and cannot access the key to decode them.
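A minimal sketch of the property just described, added here as an example (it is not WhatsApp's or Viber's protocol or code): two devices agree on a key by Diffie-Hellman through a relay that only ever holds public keys and ciphertext. The group parameters, the toy HMAC-based cipher and every name (`Relay`, `run_exchange`, `seal`, `unseal`) are assumptions for illustration, and the public keys are relayed unauthenticated here, which a real deployment has to address with key verification.

```python
import hashlib
import hmac
import secrets

# Constructed demo group (assumption): Mersenne prime 2**521 - 1, base 3. It keeps
# the example stdlib-only; production apps use vetted elliptic-curve groups.
P, G = 2**521 - 1, 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2      # private half never leaves the device
    return priv, pow(G, priv, P)

def session_keys(my_priv, their_pub):
    # Both ends compute the same Diffie-Hellman secret, then split it into two keys.
    root = hashlib.sha256(pow(their_pub, my_priv, P).to_bytes(66, "big")).digest()
    return tuple(hmac.new(root, label, hashlib.sha256).digest() for label in (b"enc", b"mac"))

def _xor_stream(enc_key, nonce, data):
    # Toy stream cipher for illustration: HMAC-SHA256 in counter mode.
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def seal(keys, plaintext):
    nonce = secrets.token_bytes(16)
    body = nonce + _xor_stream(keys[0], nonce, plaintext)
    return body + hmac.new(keys[1], body, hashlib.sha256).digest()

def unseal(keys, blob):
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(keys[1], body, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return _xor_stream(keys[0], body[:16], body[16:])

class Relay:
    """The messaging company's server: it holds only what passes through it."""
    def __init__(self):
        self.seen = []                       # public keys and ciphertext, nothing else
    def carry(self, item):
        self.seen.append(item)
        return item

def run_exchange(message):
    relay = Relay()
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    a_pub_at_bob, b_pub_at_alice = relay.carry(a_pub), relay.carry(b_pub)
    blob = relay.carry(seal(session_keys(a_priv, b_pub_at_alice), message))
    return relay, unseal(session_keys(b_priv, a_pub_at_bob), blob)
```

Everything a subpoena to the relay operator could yield is in `relay.seen`: two public values and an authenticated ciphertext, none of which is the session key.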
The widespread use of this protection on popular messaging apps propels the privacy versus security debate into new terrain. In the United States, the FBI claimed earlier this year that it needed Apple to provide access to an iPhone owned by a man who committed a mass shooting in San Bernardino, Calif., so that the agency could recover information for its investigation.
But iPhone access does not unlock the data held within apps, especially if that data was protected by another passcode or exchanged using end-to-end encryption. Even if law enforcement gains access to iPhones in future investigations, they will likely run up against these barriers. Though WhatsApp and Viber do not have built-in passcode protection, users can download third-party apps to add a password to any app on their phones.
To fight back, several countries including the U.K. and U.S. are weighing legislation and proposals to prohibit companies from using end-to-end encryption. Security experts have argued that these measures are nearsighted, since companies elsewhere could easily build apps that use end-to-end encryption and offer them to users anywhere in the world.
Recent developments reflect a prediction shared with IEEE Spectrum by Matthew Green, a cryptography expert at Johns Hopkins University, in Baltimore: that instant messaging services would be first to roll out end-to-end encryption, even ahead of email providers. Both Google and Yahoo have invested resources into developing end-to-end encryption for email, but the technical challenges are greater than for instant messaging. Implementing this protection would also clash with business priorities such as Google services that automatically schedule flights or meetings by perusing users’ emails.