Earlier this week video conferencing service Zoom said it will not offer its forthcoming, complete version of end-to-end encryption to its free users so that it can work better with law enforcement to curb abuse on the platform. Matthew Green, who teaches cryptography at Johns Hopkins, looks at the broader implication of this move: Obviously I don’t think you should have to pay for E2E encryption. The thing that’s really concerning me is that there’s a strong push from the US and other governments to block the deployment of new E2E encryption. You can see this in William Barr’s “open letter to Facebook.” But this is part of an older trend. Law enforcement and intelligence agencies can’t get Congress to ban E2E, so they’re using all the non-legislative tools they have to try to stop it. And, it turns out, this works. Not against the big entrenched providers who have already deployed E2E. But against the new upstarts who want to use crypto to solve trust problems.
And the Federal government has an enormous amount of power. Power over tools like Section 230. Power to create headaches for people. But even without Congressional assistance, the executive branch has vast power to make procurement and certification decisions. So if you’re a firm that wants to deploy E2E to your customers, even if there’s a pressing need, you face the specter of going to war with an immensely powerful government that has very strong negative feelings about broad access to encryption. And this is a huge problem. Because some companies have infrastructure all over the world. Some companies carry incredibly valuable and sensitive corporate data (even at their “free” tiers) and there are people who want that data. Encryption is an amazing tool to protect it. The amazing thing about this particular moment is that, thanks to a combination of the pandemic forcing us all online, more people than ever are directly exposed by this. “Communications security” isn’t something that only activists and eggheads care about. Now for companies that are exposed to this corrupt dynamic, there’s an instinct to try to bargain. Split the baby in half. Deploy E2E encryption, but only maybe a little of it. E2E for some users, like paying customers and businesses, but not for everyone. And there’s some logic to this position.
The worst crimes, like distribution of child abuse media, happen in the free accounts. So restricting E2E to paid accounts seems like an elegant compromise, a way to avoid getting stepped on by a dragon. But I personally think this is a mistake. Negotiating with a dragon never ends well. And throwing free-tier users into the dragon’s mouth feels even worse. But the real takeaway, and why I hope maybe this issue will matter to you, is that if the Federal government is able to intimidate one company into compromising your security. Then what’s going to happen to the next company? And the next? Once the precedent is set that E2E encryption is too “dangerous” to hand to the masses, the genie is out of the bottle. And once corporate America accepts that private communications are too politically risky to deploy, it’s going to be hard to put it back. Anyway, this might be an interesting academic debate if we were in normal times. But we’re not. Anyone who looks at the state of our government and law enforcement systems — and feels safe with them reading all our messages — is living in a very different world than I am.