Where Congress fails, encryption delivers on privacy

On Tuesday night, Senate Republicans killed the USA Freedom Act, Congress’ flagship effort to reform some of the most invasive surveillance programs revealed by National Security Agency whistleblower Edward Snowden. The bill would have ended the NSA’s bulk collection of Americans’ phone records and metadata under Section 215 of the Patriot Act — a goal backed by major tech companies and civil liberties groups as well as by multiple independent panels that concluded such collection is unconstitutional and hasn’t stopped any terrorist attacks. But even after being watered down and endorsed by the director of national intelligence, the Department of Justice and the White House, the bill fell two votes shy of the 60 needed to proceed to the Senate floor.

That day, the popular messaging service WhatsApp announced it enabled end-to-end encrypted messages by default on Android devices, using software developed by Open Whisper Systems. That means a majority of the service’s 500 million users can now send and receive private messages that no third party (including WhatsApp) can read. The move is likely the largest deployment of such encryption ever, and it will be even bigger once the feature arrives on iPhones and iPads, along with support for encrypted group chats.

There’s room for debate over whether passing the Freedom Act would have been a wise choice for surveillance reform. Some argued the weaker legislation should be pushed through, warts and all; others worried that passing anything less than comprehensive reform would prove ineffective and doom future attempts to rein in the NSA. But one thing is clear: More than a year after Snowden’s revelations, the failure to follow through on any surveillance reform whatsoever has demonstrated how little Congress has challenged the spy agencies it supposedly oversees.

Private companies and citizens know this. That’s why services such as WhatsApp are joining with activists and technologists to embrace encryption as a solution. The logic is simple: If the state isn’t going to protect our privacy, we’ll build technology to protect ourselves from the state.

In the 1990s, the cypherpunk movement advocated strong encryption as a great equalizer, a tool that empowers citizens by putting them on equal footing with governments, corporations and anyone else who might spy on them. The idea is that whether it’s used to secure credit card transactions or protect political dissidents, encryption is just complex math, and no amount of coercion can solve a math problem. In other words, no matter how much a powerful government might threaten WhatsApp or any other end-to-end encryption user, there’s no practical way to decrypt communications without the private key stored on the user’s device. As Snowden said, “Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on.”

While many cypherpunk contributions proved eerily prophetic, making encryption accessible to the layperson is a problem we’ve only recently begun to solve. A recent example is Glenn Greenwald, who first reported on Snowden’s NSA files and nearly lost the story because he hadn’t taken the painstaking steps necessary to send and receive encrypted messages with PGP, the vaunted privacy software developed in 1991 by one of the founding fathers of cypherpunk, Phil Zimmermann. In the late ’90s, Zimmermann was charged with violating export law when the U.S. government tried to ban strong cryptography as a military munition.

But much has changed, even since Greenwald’s encounter with Snowden. Tech giants such as Google and Apple are now competing to offer their customers better security and privacy, evidenced by their recent decisions to provide full encryption on devices running Android and iOS. In June, Google released code for its own end-to-end encryption plug-in. Meanwhile, products such as Silent Circle’s Blackphone promise to bring secure communications to the mainstream consumer market, and activists are developing new tools, platforms and protocols that will help people resist mass surveillance around the world.

There’s still reason to be skeptical, especially with commercial encryption solutions. WhatsApp’s move is curious for a number of reasons, not least of which is that its parent company is Facebook. On the surface, it doesn’t make sense: Why would Facebook, a company that profits by collecting and analyzing data about its users, allow its messaging service — which it bought for $19 billion earlier this year — to make users’ conversations unreadable and thus unmonetizable?

To answer that question, we should consider that perhaps the biggest asset Facebook acquired when it bought WhatsApp wasn’t the ability to spy on conversations but rather the phone numbers and social networks of 500 million WhatsApp users. It’s a tacit admission that all that so-called metadata — who you talk to, how frequently, when and from where — is incredibly valuable information, both for how easily it can be graphed and what it reveals (or seems to reveal) about a person’s habits and behaviors. It’s precisely that kind of metadata that Congress failed to stop the U.S. government from collecting in bulk earlier this week.

Another concern is openness. While Open Whisper System’s free TextSecure encryption software is audited and open for public inspection, WhatsApp is built on proprietary code, meaning there’s no way to independently verify its security. That’s significant because even if a battle-tested crypto system is practically impenetrable, the software it runs on will inevitably have bugs that could be exploited by attackers to simply circumvent the encryption.

Fortunately, for-profit corporations aren’t the only ones offering encryption tools. The same day WhatsApp made its announcement, a coalition led by the Electronic Frontier Foundation unveiled Let’s Encrypt, a nonprofit that will help websites offer encrypted HTTPS connections for free. Since the Snowden revelations, major websites, including Facebook and Yahoo, have begun supporting HTTPS by default, and the amount of encrypted Web traffic in North America has more than doubled. This trend has major benefits; the more sites encrypt, the more the Web as a whole becomes resistant to cybercriminals and surveillance dragnets.

What is the end game? When encryption is ubiquitous, passive surveillance (such as the fiber-optic cable taps the NSA uses to ingest entire streams of Internet traffic) becomes much more difficult to do en masse, while targeted surveillance of individual suspects (the kind authorized by a warrant) remains a viable method for catching terrorists and criminals. Members of law enforcement and the intelligence community will of course continue to warn of the dangers of “going dark” and claim that encryption will stop them from catching bad guys. But the truth lies within the NSA’s own documents. As a 2012 NSA intelligence strategy memo put it, we’re living in “the golden age” of surveillance, in which the activities of intelligence agencies are virtually unlimited in power and scope. Encryption simply balances the scales once more.

Washington’s warmongers may continue to shout about terrorists and other vague threats, but widespread encryption is coming, and it promises more effective privacy protections than anything our representatives can likely muster in the near future. We should still strive for comprehensive surveillance reform, and civil liberties advocates should be lauded for continuing the fight on that front. In the meantime, the real battle against mass surveillance is the one unfolding on our phones, laptops and tablets. And unlike Congress, encryption works.