Facebook Plans Don't Include End-to-End Encryption

· · Link

Unsurprisingly, Facebook’s messaging apps won’t have true end-to-end encryption, with messages scanned before being encrypted.

In Facebook’s vision, the actual end-to-end encryption client itself such as WhatsApp will include embedded content moderation and blacklist filtering algorithms. These algorithms will be continually updated from a central cloud service, but will run locally on the user’s device, scanning each cleartext message before it is sent and each encrypted message after it is decrypted.

The company even noted that when it detects violations it will need to quietly stream a copy of the formerly encrypted content back to its central servers to analyze further, even if the user objects, acting as true wiretapping service.

Unlike Forbes‘ clickbait headline, the “encryption debate” certainly isn’t over or dead. Now it’s about trying to convince the government that encryption backdoors don’t work. There are also plenty of Facebook alternatives.

William Barr Wants You to Accept Encryption Backdoor Security Risks

· · News

U.S. Attorney General William Barr suggested that Americans should just accept encryption backdoor security risks (via TechCrunch). Encryption Backdoor Risks In a speech today, William Barr called on tech companies to help the federal government to access devices with a lawful order. In other words, ignore the security risks and put a backdoor into their…

Trump Administration Talking About Banning Encryption

· · Link

Politico reports that the Trump administration is in talks about banning encryption, or at least certain forms of it that law enforcement can’t crack.

The encryption challenge, which the government calls “going dark,” was the focus of a National Security Council meeting Wednesday morning that included the No. 2 officials from several key agencies, according to three people familiar with the matter…Senior officials debated whether to ask Congress to effectively outlaw end-to-end encryption, which scrambles data so that only its sender and recipient can read it…

Great. I can’t wait for Russia and China to intercept all of our insecure communications.

Google Builds HTTPS Directly Into Top Level Domains

· · Link

More websites have encrypted their traffic than ever, but there is a loophole. Some use a mixture of HTTPS and unsecure HTTP. Google is closing this by building HTTPS protection directly into certain top level domains.

Which means that today, when you register a site through Google that uses “.app,” “.dev,” or “.page,” that page and any others you build off it are automatically added to a list that all mainstream browsers, including Chrome, Safari, Edge, Firefox, and Opera, check when they’re setting up encrypted web connections. It’s called the HTTPS Strict Transport Security preload list, or HSTS, and browsers use it to know which sites should only load as encrypted HTTPS automatically, rather than falling back to unencrypted HTTP in some circumstances. In short, it fully automates what can otherwise be a tricky scheme to set up.

Governments Are Terrible at Securing Data

· · Link

It absolutely infuriates me when agencies like the FBI, and governments like Australia, the U.S., Germany, and more want us to break encryption or circumvent it with a back door. As Mathew Gault writes, they are completely inept at securing data. Even the NSA, which likes to think it’s the “world leader in cryptology” got hacked.

Regular phone and internet users remain vulnerable, forced to take individual protective measures, like a poor wage-worker without health insurance who’s told to secure her nest egg by cutting out morning lattes.

4 Privacy Features Apple Should Add

· · Link

Apple has made a good start when it comes to privacy, but there are more private features the company can add. Here are four.

…based on Apple’s marketing focus as of late, which has centered on privacy, it’s reasonable to assume that the company will unveil additional privacy protections for users and their data in its next operating systems. What those privacy protections might be is anyone’s guess–but here are my hopes.

End-to-end encryption for iCloud backups is definitely on my wish list. But it should remain optional, because people who forget their password would be unable to access this kind of backup.

Firefox Send Lets You Share Big Encrypted Files

· · Link

Firefox Send is a free tool that lets you send encrypted files up to 1GB in size, or 2.5GB if you sign in with a Firefox account.

What sets Send apart is its ease of use. It works in any browser; just go to send.firefox.com. Upload or drag and drop files, and Send will generate a link that you can set to expire after a certain number of downloads—up to 100—or a certain amount of time, ranging from five minutes to seven days.

Being able to use any browser is probably the best part about this tool.

Be Sure to Properly Remove Data from Devices

· · Link

David Nield implores us to make sure we properly remove data from our devices before we get rid of them.

Your personal data—be it financial spreadsheets or web searches—is not something you want to be leaving behind for other people to find, and totally wiping your activity off devices or the web takes a few more steps than you might have realized. Don’t worry though, as we’re going to walk you through the process.

FBI: Encryption Infects Law Enforcement Community

· · Link

The FBI really really dislikes end-to-end encryption, saying that it’s a problem that infects the law enforcement community (paywall).

The so-called going-dark issue…is a problem [that] infects law enforcement and the intelligence community more and more so every day,” said Amy Hess, executive assistant director with the FBI, in an interview. Ms. Hess, who previously oversaw the FBI’s science and technology branch, testified to Congress on the problem during Apple’s 2016 clash with the bureau.

Apple and others are worried about Australia’s encryption ban, and it could be a test case for the rest of the Five Eyes.

Sorry, Facebook Messenger Decryption is Secret

· · Link

Yesterday a U.S. judge ruled that a secret government effort to compel Facebook to decrypt Messenger voice conversations won’t be revealed.

Groups including the American Civil Liberties Union argued that the public’s right to know the state of the law on encryption outweighed any reason the U.S. Justice Department might have for protecting a criminal probe or law-enforcement method.

One word: PRISM.