{"id":13160,"date":"2016-03-15T09:15:35","date_gmt":"2016-03-15T14:15:35","guid":{"rendered":"http:\/\/hcstx.org\/?p=13160"},"modified":"2016-03-15T09:15:35","modified_gmt":"2016-03-15T14:15:35","slug":"in-the-fbis-crypto-war-apps-may-be-the-next-target","status":"publish","type":"post","link":"https:\/\/thetacticalhermit.com\/index.php\/2016\/03\/15\/in-the-fbis-crypto-war-apps-may-be-the-next-target\/","title":{"rendered":"In the FBI&#8217;s Crypto War, Apps May Be The Next Target"},"content":{"rendered":"<p><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-full wp-image-13161\" src=\"https:\/\/hcsblogdotorg.files.wordpress.com\/2016\/03\/crypto.jpg\" alt=\"crypto\" width=\"275\" height=\"183\" \/><\/p>\n<p><span class=\"lede\">IF THERE\u2019S ANYTHING <\/span>the world has learned from the standoff over the encrypted iPhone of San Bernardino killer Syed Rizwan Farook, it\u2019s that the FBI doesn\u2019t take no for an answer. And now it\u2019s becoming clear that the government\u2019s determination to access encrypted data doesn\u2019t end with a single iPhone, or with Apple, or even with data stored on devices. It may extend as far as any app that encrypts secrets in transit or in the cloud.<\/p>\n<p>Messaging service WhatsApp, which is owned by Facebook and has encrypted messages between its Android users for the past two years, is the next tech firm to be drawn into the widening battle between U.S. law enforcement and Silicon Valley over encryption. As the <a href=\"http:\/\/www.nytimes.com\/2016\/03\/13\/us\/politics\/whatsapp-encryption-said-to-stymie-wiretap-order.html\" target=\"_blank\" rel=\"noopener\"><em>New York Times<\/em> reported over the weekend<\/a>, the Mountain View, California-based company told a court it can\u2019t comply with a wiretap warrant that compels it to reveal a user\u2019s data in a criminal case, arguing that the data is encrypted with keys it doesn\u2019t control. 
And technologists and privacy lawyers say that order should serve as a broader warning to any app developers that value their users\u2019 privacy: After Apple and WhatsApp, they should prepare to be the next to face the Justice Department\u2019s decryption demands.<\/p>\n<p>\u201cThis is definitely the first in what we can be confident will be a multi-pronged attack on apps,\u201d says Nate Cardozo, an attorney with the Electronic Frontier Foundation. \u201cThe most important thing for developers to take away is that they need to develop their apps to make this kind of thing very difficult.\u201d<\/p>\n<p>Cardozo warns that the WhatsApp order, coming on the heels of the Apple case, signals that the Justice Department is taking a more aggressive stance toward software companies that use <a href=\"http:\/\/www.wired.com\/2014\/11\/hacker-lexicon-end-to-end-encryption\/\" target=\"_blank\" rel=\"noopener\">end-to-end encryption<\/a> to put the power to decipher communications exclusively in device owners\u2019 hands. He says he\u2019s worked with \u201ca handful\u201d of those companies over the last 18 months who have all been contacted by the FBI and warned that pedophiles, criminals or terrorists had used their privacy-preserving app, and asked that the app be re-engineered to give law enforcement access to \u201cplaintext\u201d\u2014decrypted communications. \u201cThey say, \u2018If you don\u2019t cooperate with us and modify your system to give us plaintext going forward\u2026you\u2019ll have to face the public consequences that the FBI can come out and say you hindered an investigation,&#8217;\u201d Cardozo describes the FBI\u2019s position. \u201cThat\u2019s a strong threat.\u201d<\/p>\n<p>Though the FBI backed down in each instance that Cardozo has encountered, WhatsApp\u2019s case is different. 
The fact that the FBI and the Department of Justice went so far as to issue a wiretap order\u2014despite almost certainly knowing that WhatsApp couldn\u2019t comply due to its encryption architecture\u2014may have been a formality that presages more pressure to come, says Cardozo; he cautions that the next order could cite the <a href=\"https:\/\/www.law.cornell.edu\/uscode\/text\/18\/2518\" target=\"_blank\" rel=\"noopener\">requirement for \u201ctechnical assistance\u201d in the Wiretap Act<\/a> to try to force WhatsApp to change its code to make law enforcement eavesdropping easier, just as the FBI is trying to force Apple to create a weakened version of its mobile operating system to crack Farook\u2019s iPhone.<\/p>\n<h3>Taking Sides in a New Crypto War<\/h3>\n<p>Neither WhatsApp nor the Justice Department responded to a request for comment on the wiretap dispute. But unnamed sources told the <em>Times<\/em> that the Justice Department remains split on whether to push its wiretap order further, with some officials instead opting to wait for <a href=\"http:\/\/thehill.com\/policy\/cybersecurity\/262658-feinstein-vows-to-offer-encryption-piercing-bill\" target=\"_blank\" rel=\"noopener\">promised congressional legislation<\/a> that would mandate companies help law enforcement decrypt data. President Obama weighed in on the broader debate Friday when he told the audience at SXSW in Austin, Texas, that tech companies need to find a way to give the government access to encrypted communication when necessary. 
\u201cIf, technologically, it is possible to make an impenetrable device or system, where the encryption is so strong that there is no key, there is no door at all, then how do we apprehend the child pornographer?\u201d the president asked.<\/p>\n<p>Meanwhile, app makers seem to be taking positions on the opposite side of the encryption conflict: <em>The Guardian<\/em> today <a href=\"http:\/\/www.theguardian.com\/technology\/2016\/mar\/14\/facebook-google-whatsapp-plan-increase-encryption-fbi-apple\" target=\"_blank\" rel=\"noopener\">reports<\/a> that Facebook, Google, WhatsApp, Snapchat, and more, plan to extend encryption services in the near future. And as that crypto war becomes more entrenched, the security community has warned for weeks that app developers might be the next target in the FBI\u2019s campaign to break into uncrackable communications: Apps like Signal, Silent Circle, Telegram, Wickr, and even Apple\u2019s own iMessage all already implement varying degrees of end-to-end encryption to prevent anyone from the NSA to their own administrators from reading people\u2019s messages.<\/p>\n<p>\u201cAs Apple faces court orders to backdoor its own devices, developers should be thinking about securing their own apps,\u201d Jonathan Zdziarski <a href=\"https:\/\/twitter.com\/JZdziarski\/status\/700325754626818048\" target=\"_blank\" rel=\"noopener\">wrote on Twitter<\/a> just after the FBI\u2019s iPhone order became public nearly a month ago, offering an Amazon link to a book on \u201cHacking and Securing iOS Applications.\u201d In the wake of the WhatsApp wiretap order, Johns Hopkins University computer scientist Matthew Green repeated that warning, cautioning developers against any system in which they might have access to decryption keys that could be commandeered to spy on users:<\/p>\n<p>But even end-to-end encrypted apps that don\u2019t have any central control of users\u2019 decryption keys may still have weaknesses that could allow eavesdroppers 
to gain a foothold. WhatsApp\u2019s Android app has <a href=\"http:\/\/www.wired.com\/2014\/11\/whatsapp-encrypted-messaging\/\" target=\"_blank\" rel=\"noopener\">been using the same crypto protocols as the encrypted messaging app Signal since late 2014<\/a>. But it has yet to implement a feature in Signal that allows people to check the key \u201cfingerprint\u201d of the person they\u2019re communicating with. That could allow the FBI, particularly with WhatsApp\u2019s forced compliance, to act as a \u201cman-in-the-middle,\u201d impersonating someone to intercept their communications. Apple\u2019s iMessage suffers from the same problem. And both apps have their messages backed up by default to iCloud or to the user\u2019s iTunes, potentially creating an unencrypted copy for the cops.<\/p>\n<p>Signal, by contrast, avoids backing up users\u2019 messages by default to prevent that sort of accidental leak, says Frederic Jacobs, a former lead developer for the app\u2019s iOS version\u00a0<a href=\"http:\/\/www.wired.com\/2016\/02\/apple-hires-lead-dev-snowdens-favorite-messaging-app\/\" target=\"_blank\" rel=\"noopener\">who will join Apple as an intern this summer<\/a>. It allows users to check key fingerprints to prevent man-in-the-middle attacks. And it\u2019s open source, which in theory allows anyone to audit the app\u2019s code for a sly backdoor secretly mandated by a sealed court order. All of that may be more than most app developers can do to prepare for an FBI wiretap demand, Jacobs admits. But at the very least, they can avoid collecting unnecessary user data. \u201cMore data is a liability,\u201d he says. 
\u201cIf there\u2019s any data you can avoid taking from the phone and sending to the server, that\u2019s a start.\u201d<\/p>\n<p>But if the Justice Department goes so far as to legally demand that companies change their apps as a form of \u201ctechnical assistance\u201d in wiretap orders, app makers won\u2019t be able to depend on security engineering alone to protect people\u2019s privacy, warns the EFF\u2019s Cardozo. \u201cI don\u2019t think you can fight law with tech. You can fight tech with tech and law with law,\u201d Cardozo says. In other words, tech firms that offer encrypted communications should also be prepared for the possibility of a legal fight. \u201cBe aware that just because the FBI tells you to do something doesn\u2019t mean you have to do it. And talk to a lawyer.\u201d<\/p>\n<p>Read the Original Article at <strong><a href=\"http:\/\/www.wired.com\/2016\/03\/fbi-crypto-war-apps\/?mbid=nl_31416\">Wired<\/a><\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>IF THERE\u2019S ANYTHING the world has learned from the standoff over the encrypted iPhone of San Bernardino killer Syed Rizwan Farook, it\u2019s that the FBI doesn\u2019t take no for an answer. 
And now it\u2019s becoming clear that the government\u2019s determination to access encrypted data doesn\u2019t end with a single iPhone, or with Apple, or even&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_newsletter_tier_id":0,"jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false}}},"categories":[2805,2122,13,74,1317,4912,1928,1635,3553,1132,65,3712],"tags":[10280,10281,10282,10283,10284,1805],"jetpack_publicize_connections":[],"jetpack_sharing_enabled":true,"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/thetacticalhermit.com\/index.php\/wp-json\/wp\/v2\/posts\/13160"}],"collection":[{"href":"https:\/\/thetacticalhermit.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thetacticalhermit.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thetacticalhermit.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/thetacticalhermit.com\/index.php\/wp-json\/wp\/v2\/comments?post=13160"}],"version-history":[{"count":0,"href":"https:\/\/thetacticalhermit.com\/index.php\/wp-json\/wp\/v2\/posts\/13160\/revisions"}],"wp:attachment":[{"href":"https:\/\/thetacticalhermit.com\/index.php\/wp-json\/wp\/v2\/media?parent=13160"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thetacticalhermit.com\/index.php\/wp-json\/wp\/v2\/categories?post=13160"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thetacticalhermit.com\/index.php\/wp-json\/wp\/v2\/tags?post=13160"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}