Second Thoughts on E2EE
In my last experience log I discussed the idea of E2EE in messaging applications such as Signal. At the end of the article I cited a recent announcement from Facebook to first provide E2EE by default on both of its other messaging platforms (Instagram and Facebook Messenger), and then to unify the three platforms, allowing cross-app communication. I remarked that this was quite intriguing, and it will significantly expand the user base of encrypted messaging applications while also providing even greater opportunities for interaction.
However, since then a counter-argument has lingered in the back of my mind. Is this a solely beneficial change? What are the full implications of E2EE? Before diving in, I would like to qualify my position. In class we learned 3 archetypes for individuals in the domain of privacy: the unconcerned, the fundamentalist, and the pragmatist. I would most likely group myself in the final category; I do believe protecting privacy is important and access to information, even if well intended at first, can pose dangerous opportunities for abuse. However, I certainly do recognize areas where it can be conceded for great benefit to everyone.
Last year while Mark Zuckerberg was testifying before Congress, one senator asked “Can Facebook see emails I send on WhatsApp?” Aside from the confusion present, I see this as a very reasonable question. Numerous types of encryption exist, and some provide more or less access to data. It is understandable that users would be confused and perhaps think that Facebook could read messages sent on WhatsApp, but they genuinely have no possible means of doing so. While inherently protecting the privacy of individuals on the platform, this also provides no means of regulation for the content of messages, and this is a problem.
During Brazil’s presidential election last year, numerous political slander and misinformation campaigns took place on WhatsApp. Information spread like wildfire and neither authorities nor Facebook admins had any ability to regulate content. Misinformation is not unique to WhatsApp by any means, but there is a lack of control here. Private messaging on other platforms can be regulated, directly viewed, and retroactively banned if found exceedingly problematic. What could Facebook able to do with WhatsApp? They banned known bot accounts which disseminated these messages and implemented a forwarding cap which prevented messages from going too viral. This isn’t the first time such a situation arose. Back in 2017 rumors spread on WhatsApp in certain rural areas of India ultimately led to the death of some women, and a forward cap was likewise imposed.
What other options exist? These scenarios are quite unfortunate, but the nature of the platform limits top-down regulation greatly. Yes, existing users in chats can report certain groups, but this requires an agent on the inside. Homomorphic encryption here would be a godsend; in its fully realized form it would provide a means of blocking certain information while keeping the contents of other messages unknown. While we can certainly dream though, this solution doesn’t provide answers to the immediate problems faced by our society.
Is the world truly ready for ubiquitous E2EE? What other solutions can be devised to help tackle these problems? Forwarding limits come across as a band aid solution and possibly restricted to genuine intentions. If users don’t appreciate the constraints imposed by one platform, they may very well switch to another and the problem begins again, and I have no doubt in my mind that clever hackers are already working on circumventions to the constraints imposed.
I don’t mean to suggest that Facebook’s decision is completely bad or that E2EE is bad. My last article was a defense of such systems. I just want to bring awareness to the new challenges that may be ahead of us.