700 Million People Just Got Encryption That Congress Can’t Touch
Last month, WhatsApp, the hugely popular messaging service that Facebook owns, made end-to-end encryption the default for its 1 billion users. On Tuesday, Viber said it will do the same for the 700 million people who use it.
Although Viber is smaller than WhatsApp, the repercussions of its decision to encrypt every text message, every photo, and everything else shared on its platform could be far greater. That’s because, unlike WhatsApp, Viber is not a US company. It will not be subject to US laws written by lawmakers desperate to regulate technology they don’t understand. More than anything, Viber offers a powerful example of the futility of legislating encryption.
The company, which launched in 2010, offered some measure of encryption from the start, says COO Michael Shmilov. Fifteen months ago, it began working toward end-to-end encryption for all data passing from person to person and across group chats, be it on a phone, a desktop, or a tablet.
This is a huge step forward for privacy and security. End-to-end encryption is a remarkably powerful tool, because not even the company that administers it can see what’s passing between users once people update their software. Shmilov says the company has already introduced Viber 6.0 in four countries; the idea is to ensure everything works before opening the spigot all the way.
This does not mean 700 million people will suddenly have total encryption. It will take time for Viber’s base to update to 6.0, and not everyone will. “That’s just the way it is,” says Matthew Green, a cryptography expert at Johns Hopkins University. “You always have an upgrade problem.”
The problem with this, of course, is that people with encryption may end up communicating with those who don’t, potentially compromising security. Yet even a 10 percent adoption rate of Viber 6.0 will bring default encryption to a pool of users that exceeds the population of the United Kingdom.
Of far greater concern to Green and others is the fact Viber developed its encryption in-house, rather than getting it from a trusted third party. WhatsApp, for instance, chose an open-source solution from Open Whisper Systems. Effective crypto is hard, and a lot can go wrong. Why risk screwing it up? “Whenever people do go out and try to build their own crypto, they tend to make mistakes,” Green says. “It’s better not to roll your own.”
Still, Green acknowledges, some crypto is better than none at all. And it’s possible Viber didn’t go it entirely alone. “We built [our end-to-end encryption] based on the concept of an established open-source solution with an extra level of security developed in-house,” a Viber spokesperson says, refusing to be more specific.
Whatever the underlying tech, if you use Viber, you’ll know your chat is encrypted if you see a gray padlock icon, and you’ll know it’s going to a trusted contact—thanks to a new Viber authentication process—when that icon is green. If you see either color, rest assured that not even Viber can see what’s passing through.
Viber’s move follows Apple’s epic fight over a court order to help the FBI unlock an iPhone belonging to one of the San Bernardino terrorists. It’s tempting to see that row, and the resulting debate over privacy and security in the digital age, as a catalyst. Seeing two major messaging platforms make these kinds of announcements so close together doesn’t usually indicate a coincidence. But in this case, it is.
The tech world is embracing encryption on an unprecedented scale, in large part because messaging apps are central to people’s lives. “It’s not necessarily a marketing feature,” says Shmilov. “We did it because it’s a standard we need to meet. Users share a lot of private data between them, and we want to make sure it’s secure.” Shmilov says users’ increasingly frequent requests for end-to-end encryption have less to do with Big Brother than with a carefree user experience. “We want to make Viber fun to use,” he says. “Part of being fun is users not having to worry about privacy and security.”
You can trace a lot of this concern to the massive hack, in 2014, of celebrity nudes from Apple iCloud accounts, says Green. “People constantly send stuff through these messenger devices they should not be,” says Green. “For me, end-to-end encryption is not about fighting the NSA. It’s about making sure that the really private photos that you’re messaging back and forth, if you’re doing that, are actually safe.”
The Short Arm of the Law
What makes Viber’s announcement especially compelling is the fact Viber is an Israeli company owned by a Japanese conglomerate. Any encryption legislation that clears Congress will have zero impact on Viber’s service, or those who use it. It’s not the first non-US messaging service to offer end-to-end encryption, but it’s the largest by orders of magnitude.
A more illustrative example couldn’t have come at a more important time. A deeply flawed encryption bill is wending through Congress. The House Judiciary Committee and the House Energy and Commerce Committee have created a “working group” to study the issue, and held hearings this week. A separate political faction, headed by Representative Mike McCaul and Senator Mark Warner, has formed a commission of security experts to suss out the issue’s intricacies.
There’s a lot of brainpower and political will being thrown at encryption right now. Any legislation could have potentially crippling implications for companies like Apple (iMessage and FaceTime have supported end-to-end encryption for years) and WhatsApp, but mean absolutely nothing to Viber. Beyond underscoring the futility of trying to undermine, if not ban, encryption, such legislation could actually harm US companies. “If Congress passed a law that undermined security of American-made products, consumers would simply use products and services produced overseas—like Viber,” says Nathan White, digital rights activist with Access Now.
Ultimately, Viber’s embrace of end-to-end encryption is important due to its size, but perhaps more for what it represents. It proves that truly secure encryption is possible on an enormous scale. Legislating it is not. This tension will shape the crypto wars for years to come.