
> Your MPs’ WhatsApp group can be secure, or it can be readable by law enforcement and the Chinese, but you cannot have encryption that can be broken only by our spies and not their spies. Pick one.

It doesn't seem technically infeasible for WhatsApp to move to a protocol where, say, every message is transmitted twice, once encrypted with the recipient's public key and once with the NSA's public key. Or for the state to ban all messaging systems that don't follow that protocol.

Arguments against encryption are generally philosophical rather than purely technical.



I am not a cryptographer, but the standard objection to this is that the NSA key will leak, either generally or be stolen by a Russian/Chinese agent. And in implementation, how many keys are we talking about? USA, UK, France, Germany, USA, Australia... Every country's law enforcement will demand a key, and how long will that remain secure?


The best argument is simply that you cannot ban e2e encryption because there’s thousands of people who are able to implement it all over the world. Banning E2E just means that everybody who cares about privacy (including the “bad guys” and privacy conscious users) will switch to a banned implementation, and everybody else will have their privacy put at risk for no reason at all.


Devil's advocate: the answer to that is that perfect is the enemy of good. Most "bad guys" are pretty dumb and won't bother using actually secure communication channels especially if messengers keep advertising that they do end-to-end encryption. And even for those who do care enough, most of them aren't all that tech-savvy and will make mistakes.

All that to say that a ban doesn't have to be 100% effective to make a meaningful difference.


> especially if messengers keep advertising that they do end-to-end encryption

That's probably a crime in the UK. It is a crime in plenty of countries.

Anyway, the most impactful an anti-e2e law can be is to force people into getting some functional thing from free-droid, instead of naively getting it from the play store. The bar of intelligence required for that is still pretty low.


That's not a very strong objection.

Firstly, you can just rotate the key if that happens. It's one software update away.

Secondly, protecting keys isn't that hard. That's what HSMs are for. Not only have no secret keys ever leaked from the NSA as far as I know, not even when insiders turned against them and leaked as much as they could, but this isn't a noteworthy achievement either.


Indeed, if the Chinese demand a key under that scheme it is hard to see how the data will be kept secure against the Chinese spy agencies. And they will demand, the system is there and obviously available.

Plus, who would be stupid enough to use that protocol? It is sending bright flashing messages saying "we're reading your emails, mate!". Only people who were legally compelled to use WhatsApp would be reachable, everyone else would move to some other system.


Modern messaging protocols, including the Signal Protocol used by WhatsApp, use Diffie-Hellman key agreement for Forward Secrecy. DH requires an exchange between two active parties, who will then agree on an ephemeral session key. Ideally the session key is deleted once it is no longer being used, rendering any captured cipher texts useless.

While we could encrypt session keys under an escrow key that the authorities control, that's a very serious degradation of forward secrecy. If an authority's escrow key is ever compromised, then all sessions encrypted with keys escrowed are also compromised. Non-negotiated keys that are re-used are also inherently more vulnerable to cryptanalysis, so it's an invitation for trouble if any cryptographic weaknesses are found in the escrow scheme. These are technical considerations.
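A toy model of the two designs discussed in this sub-thread (the "encrypt once for the recipient, once for the NSA key" proposal above, and the ephemeral Diffie-Hellman forward secrecy described in this comment). This is an added illustration written for the thread, not code from WhatsApp or the Signal Protocol. The group parameters (p = 2**127 - 1, g = 3), the XOR stream cipher and the message archive are all constructed for the demo and are not a real cipher suite; the point it shows is structural: a forward-secret transcript contains no key material, while an escrow archive is only as safe as the one long-lived escrow key.

```python
"""Ephemeral-DH forward secrecy versus session-key escrow (constructed toy model)."""
import hashlib
import secrets

P = 2**127 - 1   # constructed toy modulus (a Mersenne prime); far too small for real use
G = 3            # constructed toy generator


def keypair():
    """Fresh DH keypair: (private exponent, public value)."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def derive_key(shared_secret, label):
    """Hash a DH shared secret (fits in 16 bytes here) into a 32-byte symmetric key."""
    return hashlib.sha256(label + shared_secret.to_bytes(16, "big")).digest()


def xor_stream(key, data):
    """Toy stream cipher: XOR with SHA-256 keystream blocks. Symmetric, unauthenticated, demo only."""
    out = bytearray()
    for i, start in enumerate(range(0, len(data), 32)):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[start:start + 32], block))
    return bytes(out)


def forward_secret_exchange(message):
    """Both parties use a one-time DH key and destroy it after the session.

    Returns (what a network observer could capture, what the recipient read).
    """
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    key_a = derive_key(pow(b_pub, a_priv, P), b"session")
    key_b = derive_key(pow(a_pub, b_priv, P), b"session")   # same value on Bob's side
    ciphertext = xor_stream(key_a, message)
    delivered = xor_stream(key_b, ciphertext)
    del a_priv, b_priv, key_a, key_b   # ephemeral material is gone; the capture below has no key in it
    return {"a_pub": a_pub, "b_pub": b_pub, "ciphertext": ciphertext}, delivered


def escrowed_exchange(message, escrow_pub):
    """Same session, but the session key is also wrapped to the authority's long-lived key.

    The wrapping is a static-DH envelope: a one-time exponent against escrow_pub.
    """
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    key = derive_key(pow(b_pub, a_priv, P), b"session")
    e_priv, e_pub = keypair()
    wrap_key = derive_key(pow(escrow_pub, e_priv, P), b"escrow")
    return {
        "a_pub": a_pub, "b_pub": b_pub,
        "ciphertext": xor_stream(key, message),
        "e_pub": e_pub,                              # the authority needs this to unwrap
        "wrapped_key": xor_stream(wrap_key, key),    # the extra copy "for the NSA"
    }


def recover_with_escrow_key(record, escrow_priv):
    """Anyone holding the escrow private key can do this to every archived record, forever."""
    wrap_key = derive_key(pow(record["e_pub"], escrow_priv, P), b"escrow")
    session_key = xor_stream(wrap_key, record["wrapped_key"])
    return xor_stream(session_key, record["ciphertext"])


def compromise_archive(archive, leaked_escrow_priv):
    """A single key compromise retroactively opens the whole archive of past sessions."""
    return [recover_with_escrow_key(r, leaked_escrow_priv) for r in archive]


def demo():
    msgs = [b"constructed message %d" % i for i in range(3)]   # constructed sample traffic
    fs_captures = [forward_secret_exchange(m)[0] for m in msgs]
    escrow_priv, escrow_pub = keypair()                          # the authority's long-lived key
    archive = [escrowed_exchange(m, escrow_pub) for m in msgs]
    recovered = compromise_archive(archive, escrow_priv)         # the day the escrow key leaks
    return fs_captures, recovered


if __name__ == "__main__":
    captures, recovered = demo()
    print("forward-secret capture fields:", sorted(captures[0]))
    print("recovered from escrow archive:", recovered)
```

Rotating the escrow key after a leak (the "one software update away" argument) protects future sessions only; every record already wrapped under the old key stays recoverable, which is the forward-secrecy loss this comment describes.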


WhatsApp already degraded their crypto to achieve their own political ends (they restrict forwarding in order to slow down the propagation of "rumors", which in a textbook e2e crypto scheme wouldn't be possible) [1]. So "it would be weaker" isn't a good argument, they already accepted it.

The other objections are all Type 1 (it would be inconvenient).

[1] https://faq.whatsapp.com/1053543185312573


Impossible to enforce, maybe. Include a counter on each message, incremented by one locally if forwarded. Completely insecure against malicious clients, but the threat model doesn't feature malicious clients so it works well enough.


You’re making the original point - you can have encryption that can include the NSA, but it would also end up including other spies too, as secrets tend to leak the more important and widely used they are. The original point was not that you can’t have a secure leak, but that the secure leak ultimately wouldn’t stay secure forever. You don’t want to build the weapons your enemies end up using against you, and in digital ecosystems it’s often trivial to do this.


AFAIK, Apple and Google have never lost a private encryption key. I see no real reason to think that won't continue forever.

And ultimately keeping private keys secure is extremely easy compared to securing an OS, the app store ecosystem, and messaging app. Finding a zero day there and exfiltrating messages from a phone seems far more likely than a key being lost. We see zero days all the time and the number of lost private keys is something close to 0. If you trust them with the entire chain adding a key to decrypt messages is not a meaningful additional risk.

This is about selling phones and not some moral stand by Apple. They're perfectly happy handing over data to the Chinese government. E2E encryption is denying access to the West with a legal system that provides (somewhat theoretical) legal protection while continuing to hand it over to an autocratic government that has legit concentration camps.

E2E encryption is not a meaningful increase in security and it denies society the legitimate tools it needs to enforce laws. The practical effect is that criminals get away with a lot more crime while legitimate usage is not any safer.


Even if the system behaved like PRISM such that chat apps and network operators used the client-side apps to scan for keywords on specific accounts and reported back, similar to how child porn filters might work today, which would be an end-run around e2e encryption but not require transmission of every message, the risk is that the system itself might end up in a compromised state where any nation could request records of any device and suggest that national security is the reason. And that assumes the system is designed securely using asymmetric encryption and unleaked keys, there’s still data storage on the other end to worry about. I get it though, it’s possible to dive down a rabbit hole where you continuously think up technological ways that this could happen securely and prevent attack vectors as they come up. The point I’m trying to make is that it is indeed a political problem to prevent technology from being abused. Making zero exceptions is still more technologically and politically secure than making even one exception for trusted government use unless you trust every government.


That is a political argument though, not a mathematical one.

And a technical counterargument would be that even computer science is used to solutions that aren't perfect, but whose likelihood of failure is a function of effort, so they become practically usable once you push the likelihood of failure to the region around "would take more than age of observable universe", etc.

Examples include: efficient primality tests, UUIDs, asymmetric cryptography itself.
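The primality-test example from the comment above, worked in code as an added illustration (constructed for this thread, not from any linked source). It contrasts a test whose failure probability does not shrink with effort (Fermat, which every Carmichael number such as 561 passes for all coprime bases) with Miller-Rabin, where each extra round cuts the chance of wrongly accepting a composite by at least a factor of 4, so 64 rounds already push it below 2**-128. The `error_bound` helper is a constructed name for the textbook 4**-k bound.

```python
"""Failure probability as a function of effort: Fermat test versus Miller-Rabin."""
import secrets


def fermat_probable_prime(n, bases):
    """Fermat test: n passes if a**(n-1) == 1 (mod n) for every base given.

    Carmichael numbers pass for every base coprime to n, so adding bases buys nothing.
    """
    return all(pow(a, n - 1, n) == 1 for a in bases)


def miller_rabin(n, rounds):
    """Probabilistic primality test with random bases.

    For an odd composite n, at most 1/4 of the bases in [2, n-2] are "strong liars",
    so the probability of returning True for a composite is at most 4**-rounds.
    """
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    # Write n - 1 = 2**s * d with d odd.
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # uniform base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                          # a is a witness: n is certainly composite
    return True                                   # probably prime; error <= 4**-rounds


def error_bound(rounds):
    """Upper bound on the probability that miller_rabin accepts a composite."""
    return 4.0 ** -rounds


if __name__ == "__main__":
    carmichael = 561                              # 3 * 11 * 17
    print("Fermat on 561:", fermat_probable_prime(carmichael, [2, 4, 5, 7]))
    print("Miller-Rabin on 561:", miller_rabin(carmichael, 20))
    print("Miller-Rabin on 2**127-1:", miller_rabin(2**127 - 1, 20))
    print("bound after 64 rounds:", error_bound(64))
```

The practical engineering point is the one the comment makes: the test is not perfect, but its residual error is a knob the implementer turns, and it is turned until the failure probability is negligible next to every other risk in the system.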


I feel like it's worth linking here to the big report from a few years ago: https://dspace.mit.edu/bitstream/handle/1721.1/97690/MIT-CSA...

Probably the most relevant part from the summary is:

> Third, exceptional access would create concentrated targets that could attract bad actors. Security credentials that unlock the data would have to be retained by the platform provider, law enforcement agencies, or some other trusted third party. If law enforcement’s keys guaranteed access to everything, an attacker who gained access to these keys would enjoy the same privilege. Moreover, law enforcement’s stated need for rapid access to data would make it impractical to store keys offline or split keys among multiple keyholders, as security engineers would normally do with extremely high-value credentials. Recent attacks on the United States Government Office of Personnel Management (OPM) show how much harm can arise when many organizations rely on a single institution that itself has security vulnerabilities. In the case of OPM, numerous federal agencies lost sensitive data because OPM had insecure infrastructure. If service providers implement exceptional access requirements incorrectly, the security of all of their users will be at risk.



