WebProNews

Tag: end-to-end encryption

  • Google Expands Access to End-to-End Encryption in Gmail

    Google is rolling out end-to-end encryption (E2EE) for Gmail, expanding access to the beta for eligible customers.

    Google's implementation is client-side encryption: the message body and attachments are encrypted in the browser, with keys the customer controls, before anything reaches Google, so Google's servers store and relay only ciphertext they cannot read. Google announced the change in a blog post:

    We’re expanding customer access to client-side encryption in Gmail on the web. Google Workspace Enterprise Plus, Education Plus, and Education Standard customers are eligible to apply for the beta until January 20th, 2023.

    Using client-side encryption in Gmail ensures sensitive data in the email body and attachments are indecipherable to Google servers. Customers retain control over encryption keys and the identity service to access those keys.

    Note the scope in Google's own wording: the body and attachments are protected, while message headers such as the subject line and recipient addresses are not. Even so, E2EE is the gold standard for protecting message content, and it's good to see Google widening access to it.

  • Twitter May Roll Out End-to-End Encryption for Direct Messages

    Twitter is the latest platform interested in end-to-end encryption (E2EE), reportedly looking to roll it out for Direct Messages.

    E2EE is a common feature in most major communication apps, such as Signal, WhatsApp, iMessage and Google Messages (for one-on-one RCS chats). E2EE protects communications so that only the sender and recipient can read them; the service relaying the messages cannot.

    According to BGR, Twitter is working to implement E2EE in Direct Messages. While the company originally began working on the feature in 2018, it never actually implemented it.

    The renewed interest in E2EE was uncovered by Jane Manchun Wong, a well-known app researcher. Wong discovered references to the feature in code for the Android Twitter client. Interestingly, Elon Musk replied to Wong’s tweet with a winking emoji.

    There's no official word on the feature, and certainly no release date, but E2EE will be a welcome upgrade whenever it debuts.

  • Experts Warn the EU’s DMA Will Break Encryption

    Another day, another attack on encryption, with security experts warning the EU’s DMA legislation will likely break, or severely weaken, encryption.

    The EU unveiled the Digital Markets Act (DMA) as its latest effort to crack down on Big Tech. In addition to severe fines, and even possible breakups, of companies that fail to abide by the legislation, the DMA calls for “gatekeeper companies” to make their services interoperable with smaller rivals.

    Messaging, in particular, is one of the most obvious areas impacted by this clause, with services like WhatsApp, Facebook Messenger, and Apple's iMessage likely forced to open up and work with competitors. Unfortunately, since all of these services provide end-to-end encryption (E2EE), experts warn there is no easy way for the services to work with each other and still maintain the level of security and privacy they currently offer.

    In speaking with The Verge, one expert used a very low-tech example to illustrate the issues, especially with compatibility and accountability between various services.

    “If you went into a McDonald’s and said, ‘In the interest of breaking corporate monopolies, I demand that you include a sushi platter from some other restaurant with my order,’ they would rightly just stare at you,” Alec Muffett, former Facebook engineer and internet security expert, said. “What happens when the requested sushi arrives by courier at McDonald’s from the ostensibly requested sushi restaurant? Can and should McDonald’s serve that sushi to the customer? Was the courier legitimate? Was it prepared safely?”

    Similar questions plague potential implementation of the DMA. How will messages be securely sent across various platforms? If two different services use two different encryption protocols, which company will modify its service to be compatible with the other? Will services opt to simply drop encryption when sending messages across services? Or will companies adopt some method of decrypting and re-encrypting as the message is passed from one service to another, so that plaintext exists at the hand-off point, making the communication vulnerable to interception there and thereby compromising privacy and security?

    Unfortunately, as has been stated time and time again, the encryption protocols people, companies, and governments rely on for privacy and security are not created, managed, or dictated by policies. They are, instead, bound and constrained by basic mathematics.

    Unfortunately for privacy and security, the mathematics of the DMA don’t quite add up.

  • UK Government Planning Full Media Assault on End-to-End Encryption

    The UK government has hired a high-powered ad agency for a full-fledged assault on end-to-end encryption (E2EE).

    The UK government has long been opposed to E2EE. Despite its importance in virtually every aspect of digital life, critics fault it for making it harder to catch criminals. Politicians in the US, the UK and other countries routinely call for encryption backdoors, ignoring that no design can give strong encryption to government officials, journalists, civil rights activists and everyday users while also giving authorities a backdoor: any key or mechanism that lets authorities in also lets in whoever else obtains it.

    According to Rolling Stone, the UK’s latest effort involves an appeal to the public, portraying E2EE as an impediment to protecting children online and preventing child exploitation. This particular argument is one of the most commonly used, since everyone agrees with the importance of protecting children.

    Unfortunately, using the ‘protect the children’ argument often results in actions that undermine the safety of the very children it purports to protect. As a result, industry experts are calling the UK’s proposal “scaremongering.”

    "The Home Office's scaremongering campaign is as disingenuous as it is dangerous," Robin Wilton, director of Internet Trust at the Internet Society, told Rolling Stone. "Without strong encryption, children are more vulnerable online than ever. Encryption protects personal safety and national security … what the government is proposing puts everyone at risk."

    It seems the Home Office’s immediate target is WhatsApp, and its plans to extend E2EE. Should it succeed in its plans, however, it’s a safe bet E2EE in all its uses, and any platform that uses it, will be the next target.

  • Germany May Block Telegram Over Hate Speech

    Germany is looking to address hate speech on the Telegram messaging platform, even leaving open the possibility of banning the service.

    Telegram is a messaging service that competes with WhatsApp and Signal, but its end-to-end encryption (E2EE) is limited to opt-in "Secret Chats" between two users. Ordinary chats, and all groups and channels, are encrypted only between the client and Telegram's servers, which can therefore read them. The app's strong support for large groups and channels makes it as much a broadcast platform as a messaging app.

    As with any large messaging platform, some use Telegram for illegal and unwanted behavior. Germany has been struggling with far-right groups, something the country is especially sensitive to, given its past.

    In response, Interior Minister Nancy Faeser left open the possibility of banning the app in statements to Die Zeit, reported via The Independent:

    “We cannot rule this out,” she said. “A shutdown would be grave and clearly a last resort. All other options must be exhausted first.”

  • End-to-End Encryption Comes to Microsoft Teams One-to-One Calls

    Microsoft has rolled out end-to-end encryption (E2EE) to one-to-one calls in Microsoft Teams.

    E2EE is considered the gold standard for messaging and communication, as it encrypts the messages so that only the sender and recipient can view them. Not even the service provider can access the information.

    Microsoft announced the rollout in a blog post. The feature significantly improves the privacy and security of one-on-one calls, though it stays off until an IT admin enables it and covers only one-to-one calls, not meetings or group calls:

    In October, we announced the public preview of end-to-end encryption (E2EE) support for Microsoft Teams calls. Today, we are happy to announce that E2EE for Teams calls is now generally available. IT admins will have the option to enable and control the feature for their organization once the update has been received.

  • Facebook Rolling Out End-to-End Encryption in Messenger

    Facebook has started rolling out end-to-end encryption (E2EE) to more of Messenger, continuing its efforts to bring E2EE across its platforms.

    E2EE is the gold standard in secure communications, encrypting data so that only the sender and recipient can read the messages. WhatsApp already included E2EE for messaging, and recently rolled it out for chat backups.

    The company is now extending E2EE to Messenger calls and, on an opt-in basis, to group chats and group calls. CEO Mark Zuckerberg made the announcement in a Facebook post:

    End-to-end encrypted voice and video calls are now rolling out on Messenger, and we’re introducing opt-in end-to-end encryption for group chats and group audio and video calls too. I’m proud that we continue to extend encryption across more services.

  • WhatsApp Adds End-to-End Encryption for Chat Backups

    WhatsApp has added a major new feature, making it possible to encrypt chat backups with end-to-end encryption.

    WhatsApp is one of the most popular messaging platforms. While the app has offered end-to-end encryption for years, if a user chose to back up their chats via iCloud or Google Drive, those backups did not have the same level of encryption: the cloud copy was readable by whoever could access the cloud account.

    The company has now added that, with Mark Zuckerberg making the announcement on Facebook, and emphasizing the technical hurdles that were overcome.

    We’re adding another layer of privacy and security to WhatsApp: an end-to-end encryption option for the backups people choose to store in Google Drive or iCloud. WhatsApp is the first global messaging service at this scale to offer end-to-end encrypted messaging and backups, and getting there was a really hard technical challenge that required an entirely new framework for key storage and cloud storage across operating systems.

    The feature is opt-in, so users who want their backups protected must turn it on, but once enabled it closes the gap that cloud copies of otherwise end-to-end encrypted chats left open.

  • WWW Inventor Sir Tim Berners-Lee Joins ProtonMail Advisory Board

    Sir Tim Berners-Lee, known for inventing the World Wide Web and the first web browser, has joined ProtonMail’s advisory board.

    ProtonMail, despite recent controversy, is one of the most private and secure email platforms available, offering end-to-end encryption for mail between Proton accounts (and to outside recipients via PGP or password-protected messages) and zero-access encryption of stored mail. While Sir Tim Berners-Lee may be best known for inventing the web, in recent years he has become a staunch privacy advocate, making him a natural fit for ProtonMail.

    The company made the announcement on their blog:

    We are proud and humbled to announce that Sir Tim Berners-Lee, a fellow former scientist from the European Organization for Nuclear Research (CERN) and the inventor of the World Wide Web, will be joining Proton’s advisory board.

    Our vision is to build an internet where privacy is the default by creating an ecosystem of services accessible to everyone, everywhere, every day. It is what drives everything we do, from our development of transparent and encrypted services to our advocacy for better data protection laws.

    “I’m delighted to join Proton’s advisory board and support Proton on their journey. I am a firm supporter of privacy, and Proton’s values to give people control of their data are closely aligned to my vision of the web at its full potential,” said Sir Tim.

  • Messenger Calls and Instagram DMs Get End-to-End Encryption

    Facebook has added major security features to Messenger calls, as well as Instagram DMs, upgrading both with end-to-end encryption (E2EE).

    E2EE is a form of encryption that secures communication in such a way that only the participants can access the conversation. Even the software or service provider is unable to decrypt the communication.

    While Messenger has supported E2EE in one-on-one text chats since 2016, Facebook is now rolling it out — on an opt-in basis — to audio and video calls in Messenger.

    Disappearing messages are also getting an upgrade, with more fine-tuned controls over how long the timer lasts, from 5 seconds to 24 hours, before a message disappears.

    Similarly, the company is testing opt-in E2EE DMs in Instagram. The test is fairly limited, with only adults in certain countries able to participate.

    The upgrades are good news for Messenger and Instagram users, adding an extra layer of protection and security.

  • Google Rolling Out End-to-End Encryption in Messages

    At long last, Google is rolling out end-to-end encryption (E2EE) in its Android Messages app.

    Android messaging has lagged behind Apple iMessage for some time. In most ways, Android messaging has been little better than standard text messages. In contrast, Apple iMessage has offered read receipts, group administration, E2EE, sending files and more.

    Google has been working to move Android Messages to the RCS standard, which is far more comparable to iMessage. After waiting for carriers to adopt the updated standard, Google finally took matters into its own hands and started implementing it in Android. RCS was available globally in November 2020, but E2EE wasn’t included initially.

    The company is now rolling out E2EE, although with some caveats. Both parties must be using Google Messages with chat features (RCS) enabled in order to benefit, and E2EE only works for one-on-one conversations, not group messages.

    While still not as comprehensive as iMessage, the improvements in Google’s Messages will be a welcome upgrade for users.

  • Ring Adds End-to-End Encryption For Video Streams

    Ring has announced it is now offering end-to-end encryption to protect videos through the entire process.

    Ring made headlines in late 2019 when a number of users reported their video streams being hacked, and outsiders watching what was happening in people’s homes and even speaking to them. In some cases, the incidents took very disturbing turns, with strangers talking with children or going on racist rants.

    It’s little wonder that Ring is rolling out end-to-end encryption, which the company is calling a technical preview at this point.

    By default, Ring already encrypts videos when they are uploaded to the cloud (in transit) and stored on Ring’s servers (at rest). With End-to-End Encryption, customer videos are further secured with an additional lock, which can only be unlocked by a key that is stored on the customer’s enrolled mobile device, designed so that only the customer can decrypt and view recordings on their enrolled device.

    Privacy, security and user control are foundational to Ring, and video End-to-End Encryption demonstrates Ring’s ongoing commitment to continually delivering enhanced privacy, security, and control to customers.

    Ring’s announcement is a welcome upgrade…even if it is long-overdue.
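    The contrast the Ring, Teams and Messenger items draw (encryption the provider can undo versus encryption only the endpoints can undo) and the decrypt-and-re-encrypt bridge the DMA piece worries about can both be shown in working code. The following is an added example written for this page, not code from Ring, Meta, Google or any other vendor mentioned here. It models each phone as an X25519 key pair, "in transit" encryption as a key agreed between the phone and the provider, and E2EE as a key agreed between the two phones; a single SHA-256 over the shared secret in place of a proper key schedule, the sample message and all function names are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// seal encrypts with AES-256-GCM and prepends the random 12-byte nonce.
func seal(key, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	must(err)
	g, err := cipher.NewGCM(block)
	must(err)
	nonce := make([]byte, g.NonceSize())
	_, err = rand.Read(nonce)
	must(err)
	return g.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal. GCM verifies the tag before decrypting, so a wrong
// key or a tampered ciphertext returns an error, never silent garbage.
func open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	must(err)
	g, err := cipher.NewGCM(block)
	must(err)
	n := g.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("ciphertext too short: %d bytes", len(sealed))
	}
	return g.Open(nil, sealed[:n], sealed[n:], nil)
}

// NewDevice models one party's key material: an X25519 key pair whose
// private half never leaves the device. Peers only ever see the public key.
func NewDevice() *ecdh.PrivateKey {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	must(err)
	return priv
}

// pairKey hashes the X25519 shared secret into an AES key. Deployed
// protocols use HKDF plus a ratchet; SHA-256 alone is an assumption made
// here to stay within the standard library.
func pairKey(me *ecdh.PrivateKey, peer *ecdh.PublicKey) []byte {
	shared, err := me.ECDH(peer)
	must(err)
	k := sha256.Sum256(shared)
	return k[:]
}

// Encrypt runs on the sender's device and targets one peer's public key.
func Encrypt(me *ecdh.PrivateKey, to *ecdh.PublicKey, msg string) []byte {
	return seal(pairKey(me, to), []byte(msg))
}

// Decrypt succeeds only for a holder of the matching private key.
func Decrypt(me *ecdh.PrivateKey, from *ecdh.PublicKey, ct []byte) (string, error) {
	pt, err := open(pairKey(me, from), ct)
	return string(pt), err
}

// BridgeForward models the DMA interop gateway: a party of its own that
// decrypts Alice's message and re-encrypts it for Bob. Both legs are E2EE,
// yet plaintext exists at the bridge, the interception point experts warn of.
func BridgeForward(bridge *ecdh.PrivateKey, from *ecdh.PublicKey, ct []byte, to *ecdh.PublicKey) (relayed []byte, seen string) {
	pt, err := Decrypt(bridge, from, ct)
	must(err)
	return Encrypt(bridge, to, pt), pt
}

func main() {
	alice, bob, provider := NewDevice(), NewDevice(), NewDevice()
	// Transport encryption (TLS) is a key agreement between Alice and the
	// provider, so the provider can open anything protected by it alone.
	transport := pairKey(provider, alice.PublicKey())
	v, _ := open(transport, Encrypt(alice, provider.PublicKey(), "meet at 9"))
	fmt.Printf("transport-only: provider reads %q\n", v)
	// E2EE: a ciphertext to Bob rides inside the transport layer. Peeling
	// that layer leaves the provider with bytes its key cannot open.
	v, _ = open(transport, seal(transport, Encrypt(alice, bob.PublicKey(), "meet at 9")))
	_, err := open(transport, v)
	msg, _ := Decrypt(bob, alice.PublicKey(), v)
	fmt.Printf("e2ee: provider holds %d opaque bytes (%v); bob reads %q\n", len(v), err, msg)
	// Interop bridge: E2EE on both legs, plaintext in the middle.
	br := NewDevice()
	relayed, seen := BridgeForward(br, alice.PublicKey(), Encrypt(alice, br.PublicKey(), "meet at 9"), bob.PublicKey())
	msg, _ = Decrypt(bob, br.PublicKey(), relayed)
	fmt.Printf("bridge: bob reads %q, gateway saw %q\n", msg, seen)
}
```

    Run it with go run (Go 1.20 or later, for crypto/ecdh). The three printed lines make the page's point concrete: the provider recovers the transport-only message, is left with bytes its own key cannot open for the E2EE message, and the interop bridge delivers Bob's message intact while having read it. Any "exceptional access" arrangement, whether a gateway like the bridge or an extra recipient key, puts plaintext or a decrypting key somewhere other than the two endpoints, which is exactly what the DMA and Lawful Access items on this page describe as breaking E2EE.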

  • Cellebrite Did NOT Break Signal’s Encryption

    The BBC broke a story that seemingly indicated Cellebrite had broken Signal’s encryption — only it’s not true.

    Signal is a popular messaging app, boasting some of the best, if not the best, security and end-to-end encryption of any messaging platform on the planet. It's so secure that some military units, the US Senate and the EU Commission all recommend their members use it. In addition to politicians and military personnel, Signal is widely used by journalists, activists, political dissidents and others for whom privacy is paramount. The app even has features, such as the ability to blur faces in photos, to help protect that privacy.

    Cellebrite, in contrast, is an Israeli company that specializes in extracting data from encrypted devices. The company's products are used by the FBI and other law enforcement agencies, and have even been purchased by school districts for use on students' phones.

    The BBC reported that Cellebrite claimed to have cracked Signal’s encryption, potentially casting doubt on the platform. In fact, the BBC’s article was entitled: “Signal: Cellebrite claimed to have ‘cracked’ chat app’s encryption.”

    Signal has written a blog post to set the record straight, calling the BBC’s headline “factually untrue.” Even the blog post Cellebrite wrote outlining their efforts, a post Signal called “embarrassing” (for Cellebrite), has been significantly altered and shortened, toning down the company’s claims from the original version (accessible via archives here).

    So what happened? Did Cellebrite break Signal’s encryption? The short answer is No.

    Cellebrite’s entire “success” depended on having physical access to an Android phone that was already unlocked with the screen on. In the realm of computer security, a simple rule is: If someone has physical access to your device, all bets are off. Once physical access is obtained, it’s usually only a matter of time before security measures are compromised to some degree or another.

    More to the point, however, Signal, like other similar apps, is designed to protect messages and communication from electronic eavesdropping, not from someone who has unfettered access to the device the messages reside on. As Signal's blog points out, it's a simple matter to open any app and take screenshots of its contents on a device to which someone already has unlocked, unfettered, physical access, and thereby "compromise" the data.

    In essence, the Cellebrite Physical Analyzer does just that. It simply automates the process of accessing and recording the contents of apps on an unlocked phone. In the world of programming, this is neither complicated nor difficult.

    As a side note, if a person is concerned about that possibility, it's easy to enable disappearing messages in Signal. This limits what is left on the device to messages whose timer has not yet expired, so there is far less to recover from a phone that has been physically compromised.

    As Signal's rebuttal post points out, the entire episode is an embarrassing situation for Cellebrite, a company that so many law enforcement agencies depend on.

    It’s hard to know how a post like that got out the door or why anyone thought revealing such limited abilities was in their interest. Based on the initial reception, Cellebrite must have realized that amateur hour was not a good look, and the post was quickly taken down. They then must have realized that a 404 error isn’t any better, and replaced that again with a vague summary.

    It’s also hard to know how such an embarrassing turn of events became anything other than a disaster for Cellebrite, but several news outlets, including the BBC, published articles about Cellebrite’s “success,” despite the existence of clarifying information already available online.

    The takeaway is that Cellebrite essentially accomplished nothing with their so-called “success.” They did not break Signal’s encryption and they did not compromise the messaging platform. Cellebrite’s entire “success” was no more of an accomplishment than being handed an unlocked phone, perusing it and taking screenshots of the contents.

    John Scott-Railton, a senior researcher at internet watchdog Citizen Lab, out of the University of Toronto, agreed with Signal.

    https://twitter.com/jsrailton/status/1341421365371559938?s=21

    The evidence is clear: Signal remains one of — if not THE — most secure messaging platforms on the planet.

  • Google’s RCS Messaging Available Globally, End-to-End Encryption Soon

    Google has announced the global availability of RCS messaging, with end-to-end encryption coming soon.

    Messaging is an area where Android has lagged behind Apple’s iOS ecosystem. Apple’s iMessage offers features that go far beyond basic text messaging, including the ability to send files, see read receipts, typing notifications and more. iMessage, like Signal and WhatsApp, also includes end-to-end encryption.

    Google tried waiting for carriers to implement RCS, the natural successor to SMS text messages. Unfortunately, wireless carriers dragged their feet, forcing Google to roll RCS out via Android. The company started with a rollout in the US, but has now made it available worldwide.

    "Today, we've completed our global rollout of chat features to make this modern messaging experience universal and interconnected for everyone on Android," writes Drew Rowny, Product Lead, Messages. "Now anyone using Messages around the world has access to modern chat features either from their carrier or directly from Google."

    Rowny says end-to-end encryption is coming soon.

    “We recognize that your conversations are private and it’s our responsibility to keep your personal information safe. We’re continually improving security protections to safeguard your privacy and will be rolling out end-to-end encryption, starting with one-on-one RCS conversations between people using Messages. End-to-end encryption ensures that no one, including Google and third parties, can read the content of your messages as they travel between your phone and the phone of the person you’re messaging. This will roll out to beta testers beginning this month and continue into next year. Your eligible conversations will automatically upgrade to be end-to-end encrypted. End-to-end encryption is only available when both you and the person you’re messaging have Messages installed and chat features on.”

    The announcement is an important step forward for Android messaging and will help customers enjoy modern texting features without having to use a third-party service.

  • Senators Introduce Legislation Attacking Encryption

    Another day, another attack on the encryption standards that protect every single person using the internet and computing devices.

    Senators Lindsey Graham, Tom Cotton and Marsha Blackburn introduced the Lawful Access to Encrypted Data Act in a bid “to bolster national security interests and better protect communities.”

    It’s hard to tell whether the authors are trying to attack encryption, or if they simply don’t understand how it works…or both. Either way, the result is the same: This legislation will gut the end-to-end encryption (E2EE) billions of people rely on.

    Case in point:

    “After law enforcement obtains the necessary court authorizations, they should be able to retrieve information to assist in their investigations. Our legislation respects and protects the privacy rights of law-abiding Americans,” says Graham.

    Similarly:

    "This bill will ensure law enforcement can access encrypted material with a warrant based on probable cause and help put an end to the Wild West of crime on the Internet," said Cotton.

    The announcement specifically states:

    “Encryption is vital to securing user communications, data storage, and financial transactions. Yet increasingly, technology providers are deliberately designing their products and services so that only the user, and not law enforcement, has access to content – even when criminal activity is clearly taking place. This type of ‘warrant-proof’ encryption adds little to the security of the communications of the ordinary user, but it is a serious benefit for those who use the internet for illicit purposes.”

    These statements ignore some of the basic facts involved in the encryption debate. Let’s break this down.

    1. All of the above statements place a great deal of emphasis on a warrant. The encryption debate has never been about tech companies' willingness or unwillingness to abide by a warrant. The issue, plain and simple, is that you cannot have strong encryption that has backdoors: a backdoor is a key or mechanism that decrypts without the endpoints' cooperation, and nothing in the design can restrict it to holders of a valid warrant. Experts have been warning about the dangers of weakening encryption for years, in more venues than can be listed here.

      Ultimately, this is not a case where these senators can ‘have their cake and eat it too.’ Either everyone has strong encryption that protects them, or no one does. Even these senators rely on encryption to conduct their business. Signal is widely considered to be the most secure messaging app on the planet, in large part because of the type of encryption this legislation targets. It is so secure that the Senate specifically encourages Senate staff to use Signal.

      Yet this legislation is so dangerous to the very type of encryption that Signal relies on that the company has already warned that, if it passes, Signal will likely stop being available in the US altogether.

      Again, either everyone has strong encryption or no one does…including the senators targeting encryption.

    2. The legislation wrongly asserts that companies fail to cooperate with law enforcement, “even when criminal activity is clearly taking place.” Again, this is not a matter of intentionally failing to cooperate; it is a technical impossibility.

      Companies simply cannot create strong encryption that can simultaneously be accessed at will, either by the company, law enforcement or anyone else. In many cases, such as Apple, companies cooperate as much as they possibly can, but they cannot change the mathematics.
    3. The assertion that “‘warrant-proof’ encryption adds little to the security of the communications of the ordinary user” ignores how the technology is frequently used by the “ordinary user.” The fact is, E2EE protects private communication, securing text messages, video chats, emails and voice calls, ensuring people can communicate without fear.

      Businesses rely on E2EE on a daily basis to ensure they can freely discuss internal matters without fear of corporate eavesdropping and espionage. Victims of abuse often rely on these services to communicate with loved ones without their abuser being able to find them. Journalists and activists in areas ruled by oppressive regimes rely on E2EE for their very lives.

    The announcement cites several examples where E2EE thwarted attempts by law enforcement. While true, the question remains: How is that different from any other technology?

    One example encryption proponents cite is shredder manufacturers. Do these companies have to create shredders that reconstitute a document just because some bad actors use paper shredders to cover their tracks? Of course not. While some do use shredders to cover illegal activity, the vast majority of individuals use them for perfectly legal reasons.

    The same is true of E2EE. There will always be those who use any technology for illegal, immoral and unethical reasons. The vast majority, however, will use it as it was intended, for perfectly legal activity.

    If passed, however, this new legislation will punish the whole on behalf of the few.

  • Zoom Charts Path Toward End-to-End Encryption For All Users

    Zoom is adding end-to-end encryption (E2EE) for all users, reversing a decision made just weeks ago to reserve the highest security for paid plans.

    Zoom has been in hot water more than once in recent months over its encryption claims and policies. Originally, the company’s marketing led customers to believe it provided E2EE when it did not. Once the company finally rolled out the upgraded encryption, it said it would only be for paid subscribers.

    The rationale for the decision was that free plans were more likely to be used for illegal activities, and the company wanted to be able to work with the FBI and local law enforcement. Needless to say, the stand was not a popular one.

    It appears the company has changed direction, and charted what it believes will be a compromise solution that will allow it to offer E2EE to free users.

    “To make this possible, Free/Basic users seeking access to E2EE will participate in a one-time process that will prompt the user for additional pieces of information, such as verifying a phone number via a text message,” writes CEO Eric S. Yuan. “Many leading companies perform similar steps on account creation to reduce the mass creation of abusive accounts. We are confident that by implementing risk-based authentication, in combination with our current mix of tools — including our Report a User function — we can continue to prevent and fight abuse.”

    The move is a measured solution that will likely satisfy most critics.

  • The Case For Paid Zoom Plans: Free Plans Don’t Have End-to-End Encryption

    Following Zoom’s addition of end-to-end encryption, the company’s CEO made it clear that only paying customers benefit from it.

    Zoom has become one of the dominant video communication platforms during the coronavirus pandemic, going from 10 million daily users to well over 200 million, and hitting 300 million at times. In spite of its dominance, Zoom has faced significant criticism for weak security. The company was forced to put a 90-day moratorium on new features, as it pivoted to security fixes.

    One of the biggest criticisms was the type of encryption Zoom used, with its marketing giving the impression it was end-to-end when, in fact, it was not. Zoom quickly moved to address the issue and offer true end-to-end encryption.

    In spite of that, not everyone will benefit from the upgrade. According to Bloomberg, in a call with analysts, CEO Eric Yuan indicated free users are out in the cold.

    “Free users for sure we don’t want to give that because we also want to work together with FBI, with local law enforcement in case some people use Zoom for a bad purpose,” said Yuan.

    The move is already receiving criticism and it will be interesting to see if Zoom sticks to its guns or upgrades free users as well.

  • Google Bringing End-to-End Encryption to RCS Messages

    Google appears prepared to bring end-to-end encryption to RCS messages, helping it better compete with Apple iMessages.

    RCS is considered the successor to basic text messages, offering a number of features not possible with the older technology: larger group chats, read receipts, chat over WiFi, typing indicators, group management (adding and removing participants) and more. These are features Apple's iMessage has had since the beginning, but they only work when communicating with other Apple devices.

    The one area where RCS has lagged behind, however, is security. While RCS traffic is encrypted in transit, the servers relaying it can read the messages; RCS does not support end-to-end encryption, which is considered the gold standard for protecting user privacy. Now, that appears to be changing.

    According to 9to5Google, APKMirror has discovered one of Google Messages' internal "dog food" builds. The term "dog food" is used in software development to describe using your own product to find the flaws in it before asking customers to use it, as in "eat your own dog food."

    There are a number of interesting features Google appears to be working on. Just as iMessage can fall back to SMS or MMS, Google Messages will have the same option. In an improvement over iMessage, however, Google Messages will warn the user that SMS and MMS do not support encryption when falling back to them. Similarly, Google will ask whether a user wants to grant access to encrypted messages to apps that otherwise have access to standard messages.

    Overall, this is a welcome upgrade to RCS messages, especially since Google rolled them out to all users in the US late last year.

  • Facebook Beefs Up Messenger Security

    Facebook has announced significant new measures to increase the security of Messenger, as well as combat predators and scammers.

    Tech giants have increasingly been under pressure to do more to protect their users, especially minors. Social media and online platforms have become the tool of choice for many individuals looking to prey on children. Even adults are often faced with a plethora of security risks and potential scams.

    In a blog post, Jay Sullivan, Director of Product Management, Messenger Privacy and Safety, outlines a number of new features the company is implementing.

    Facebook is moving its messaging service to end-to-end encryption, which will provide a far greater degree of privacy. At the same time, it has required the company to come up with new ways to help protect its users, since end-to-end encryption prevents it from reading or monitoring messages. Instead, Facebook has turned to machine learning to analyze patterns of behavior that could indicate something is amiss.

    “Keeping minors safe on our platforms is one of our greatest responsibilities,” writes Sullivan. “Messenger already has special protections in place for minors that limit contact from adults they aren’t connected to, and we use machine learning to detect and disable the accounts of adults who are engaging in inappropriate interactions with children. Our new feature educates people under the age of 18 to be cautious when interacting with an adult they may not know and empowers them to take action before responding to a message.”

    Facebook is also using new safety notices as a way to better educate people and help them spot scams sooner. Overall, these features are welcome news from Facebook and should go a long way toward protecting its users.

  • Coming or Going? In the Encryption Debate, U.S. Government Doesn’t Know

    Senator Blumenthal has issued a call for the FTC to investigate Zoom’s security, illustrating a schism within the government over the issue of encryption.

    Few issues have polarized politicians, scientists, researchers and citizens as much as end-to-end encryption. Many officials, including multiple FBI directors, have warned that strong encryption makes it nearly impossible to properly investigate cases and contributes to criminals “going dark.” Others, such as Senators Ron Wyden and Rand Paul, have been staunch proponents of strong encryption. Similarly, mathematicians and security experts have repeatedly made the case that strong encryption cannot have backdoors or built-in weaknesses and still offer the necessary protection.

    Currently, the biggest threat to encryption in the U.S. is the upcoming EARN IT Act. The bill is designed to combat online sexual exploitation of children. While that is absolutely a worthwhile goal that should be a priority for companies, governments and individuals alike, the bill is a Pandora’s box of uncertainty when it comes to encryption. The bill addresses protection under Section 230 of the Communications Decency Act, under which companies are not held liable for things people say or do on their communications platforms.

    Under the proposed EARN IT Act, in order to maintain their protected status under Section 230, companies would need to comply with vague “best practices” established by a committee. This committee, and the U.S. Attorney General, would have wide discretion to determine what those “best practices” are. So what happens if the Attorney General is William Barr, an individual who has voiced staunch opposition to end-to-end encryption? Might “best practices” include the requirement that companies build in backdoors? Very likely.

    Backers of the bill have said the bill is not an attack on encryption and that necessary safeguards are in place. However, nearly every expert who has reviewed the bill has arrived at a completely different conclusion, and believes the bill will absolutely lead to an all-out attack on encryption.

    Should that happen, many companies will have to choose between weakening their encryption, and thereby endangering their users, or moving their businesses outside the U.S. One example is the encrypted messaging app Signal, used by the U.S. military, as well as senators and their staff. Signal developer Joshua Lund made it clear (an excellent read) that the app will likely no longer be available in the U.S. if EARN IT passes.

    What makes this story all the more interesting is a recent tweet by Senator Richard Blumenthal, one of the sponsors of the EARN IT Act:

    I am calling on FTC to investigate @zoomus. Zoom’s pattern of security failures & privacy infringements should have drawn the FTC’s attention & scrutiny long ago. Advertising privacy features that do not exist is clearly a deceptive act.

    The facts & practices unearthed by researchers in recent weeks are alarming—we should be concerned about what remains hidden. As Zoom becomes embedded in Americans’ daily lives, we urgently need a full & transparent investigation of its privacy & security.

    Richard Blumenthal (@SenBlumenthal) April 7, 2020

    One of the biggest privacy and security issues with Zoom is the fact that it advertised end-to-end encryption, but failed to deliver. Based on Senator Blumenthal’s tweet, the message is clear: end-to-end encryption is a wonderful thing for government officials, so long as said government officials can still spy on the average citizen.

    In other words, the U.S. government is stuck in a strange dichotomy where it wants to punish companies for not supporting end-to-end encryption, while at the same time undermining and legislating backdoors in that very encryption.

  • Zoom Pivots to Security Amid Ongoing Criticism

    Zoom is taking drastic measures to improve its security and privacy amid criticism and scrutiny as it serves hundreds of millions of users.

    As the pandemic sweeps the globe, individuals, corporations and organizations of all types are making drastic changes to their daily workflows and routines. Zoom has become an integral part of those routines, and hundreds of millions of users have begun to rely on the platform for school, work and socializing.

    Unfortunately for the company, the increased usage has also brought increased scrutiny, especially in the realm of privacy and security. The company has been called to task for not using end-to-end encryption, despite its marketing claims; for leaking email addresses; for sending data to Facebook without informing users, before finally removing the offending SDK; and for a rash of Zoom-bombing incidents in which outside individuals gain access to a Zoom meeting and make a nuisance of themselves.

    In view of these challenges, Zoom is taking drastic action to beef up its security and privacy. In a blog post on the company’s site, founder and CEO Eric Yuan said the company is enacting a 90-day freeze in order to shift all “engineering resources to focus on our biggest trust, safety, and privacy issues.”

    The company also plans to conduct a comprehensive review with third-party experts and release a transparency report. It will also enhance its bug bounty program and engage in a number of white-box penetration tests. Zoom has also improved its privacy policy, apologized for not handling its encryption issues clearly and tried to help individuals address Zoom-bombing.

    In short, the company is pulling out all the stops in an effort to improve its privacy and security, no small task given how quickly the platform has grown.

    “To put this growth in context, as of the end of December last year, the maximum number of daily meeting participants, both free and paid, conducted on Zoom was approximately 10 million,” writes Yuan. “In March this year, we reached more than 200 million daily meeting participants, both free and paid.”

    As we said in a previous article, “the increased scrutiny of Zoom is a good reminder to companies that privacy and security should never be an afterthought. Instead, they should be a core feature, built in to an app or service from day one.”

    That statement remains true—security and privacy should never be an afterthought. At the same time, it’s time to give credit where credit is due: Zoom is stepping up to the plate and doing everything possible to provide its users with the privacy and security they expect and deserve.