The FBI’s repeated successes in overcoming its problem of “going black” belies protests that it is an existential threat. In some ways, Anom shows just how creative the agency’s workarounds can be. The researchers caution, however, that as more governments around the world seek the power to demand digital backdoors – and some, like Australia, are implementing such laws – the authorities could also cite the Anom case as proof that special access works.
“It seems like from there it’s not a big rhetorical leap to say, ‘It worked so well, wouldn’t it be nice if every app had a backdoor? “This is literally what law enforcement in the United States has said it wants,” said Riana Pfefferkorn, associate director of surveillance and cybersecurity at the Center for Internet and Society at Stanford University. If being able to monitor every message on Anom was so effective, the FBI might say, why not just do it more, and in more places?
It is important not to extrapolate too widely from the Anom experience. According to documents released this week, the FBI went to great lengths to work under foreign laws and avoid monitoring Americans throughout the three-year initiative. And there is no immediate threat that the FBI could deploy a completely stolen system inside the United States. The Fourth Amendment protects against “unreasonable” searches and seizures and establishes a clear basis for the requirements of government warrants. In addition, continuous surveillance orders such as wiretapping warrants are intentionally even more difficult for law enforcement to obtain because they allow massive and extensive surveillance. But, as the National Security Agency’s PRISM program has shown, national uncontrolled digital surveillance programs are not outside the realm of possibility in the United States.
One lesson from Anom, however, is that while it has been effective in many ways, it has resulted in potential collateral damage to the privacy of people who have not been charged with any crime. Even a product aimed at crooks can also be used by law-abiding people, inadvertently subjecting those targets to draconian surveillance in an attempt to catch real criminals. And anything that normalizes the concept of full government access, even in a very specific context, can be a slippery slope.
“There’s a reason we have warrant requirements and it takes effort and resources to put the work into investigations,” says Pfefferkorn. “When there is no friction between the government and the people they want to investigate, we have seen what can result.”
These concerns are supported by indications that governments have actively sought out large backdoor authorities. Along with Australia, other US ‘Five Eyes’ intelligence counterparts, such as the UK, have also come up with ideas on how law enforcement could gain end-to-end access to encrypted services. In 2019, for example, UK intelligence agency GCHQ proposed that the services create mechanisms for law enforcement to be added as a silent and invisible participant in discussions or other communications of interest to them. That way, argued GCHQ, companies wouldn’t have to break their encryption protocols; they could just involve another account in conversations, such as adding another member to a group chat.
the reaction against the proposal has been swift and definitive from researchers, cryptographers, privacy advocates, human rights groups, and companies like Google, Microsoft, and Apple. They strongly argued that a tool to add law enforcement ghosts to cats could also be discovered and abused by bad actors, thus exposing all users of a service to risk and fundamentally compromising. the goal of end-to-end encryption protections.
Cases like Anom and other examples of law enforcement agencies operating secretly secure communications companies, may not fulfill law enforcement’s wildest dreams about access to mass communications. But they show, with all of their own escalations, gray areas, and potential privacy implications, that authorities still have ways to get the information they want. The criminal world has not turned as dark as it seems.
“I’m happy to live in a world where criminals are dumb and cram into special purpose encrypted criminal encryption applications,” says Matthew Green, Johns Hopkins cryptographer. “My real fear is that some criminals will eventually stop being stupid and just switch to good, encrypted messaging systems.”
More great WIRED stories