The government vs. encryption war is escalating in Brazil: it’s donned its boxing gloves and punched out WhatsApp.
The same Brazilian judge who threw Facebook Vice President Diego Dzodan in jail for a night over refusing to hand over WhatsApp messages in a drug trafficking case has now ordered the hugely popular service to shut down for 72 hours, starting Monday afternoon.
According to the New York Times, Judge Marcel Maia Montalvão – a judge in Lagarto, a small town in Brazil’s northeastern state of Sergipe – ordered telecom companies operating in Brazil to suspend WhatsApp nationwide for 72 hours.
The Intercept reports that the ruling was issued on 26 April and became public on Monday when it was served on mobile service providers. Brazilians spent the morning on WhatsApp, frantically sending warnings about the impending shutdown before the block took effect.
This is the second time that Brazil has shut down WhatsApp, which is owned by Facebook but considered a separate company.
Another Brazilian court in December ordered a 48-hour shutdown when the company refused to hand over user data demanded by prosecutors in an investigation.
The truncated block – it lasted 12 hours before it was overturned by a higher court – infuriated users and led to angry exchanges on the floor of Congress. The Sao Paulo judge who overturned the block on constitutional grounds said that it was unreasonable to punish millions of Brazilians due to one company’s recalcitrance to comply with data demands.
Regarding the second shutdown on Monday, the NYT quoted a WhatsApp spokesman who said that the company had cooperated to the “full extent of our ability with local courts” and that millions of blocked users are being punished:
This decision punishes more than 100 million Brazilians who rely on our services.
That’s about half of the country’s population of 200 million. Research has suggested that between 86% and 90% of Brazilians with mobile phones have used WhatsApp, making it the most used app in the country, above even Facebook.
Even if they wanted to, they couldn’t
Representatives of WhatsApp have repeatedly said that they can’t hand over the messages, given that the service doesn’t store them.
On top of that, WhatsApp is now encrypted end-to-end, and that covers the whole enchilada: calls, photos, videos, file transfers, and voice messages.
As Naked Security’s Paul Ducklin has explained, that means, among other things, that WhatsApp neither generates nor stores private encryption keys, whether we’re sending or receiving data. It uses a new public key for each message, provided by each user to match private keys generated by that user.
If all the cryptography works as it should, WhatsApp can’t decrypt your messages in transit, even if it wanted to. Nor can one of its staff be forced to do so, be it through legalistic gavel-pounding or cybercrook snoopery.
This is about way more than just WhatsApp
WhatsApp is just one target in the raging war against encryption in Brazil and other countries.
In the US, anti-encryption forces have come into focus particularly around Apple, with a court standoff as the company refused government demands to help unlock a terrorist’s iPhone. That standoff ended in March, with the government dropping the case after the FBI cracked the phone with the help of a mysterious third party.
Apple’s also refused to help unlock an iPhone in a New York case concerning a methamphetamine dealer. After all, it said in the wake of the FBI having figured out how to skirt iPhone security features on its own, it doesn’t look like you need our help anymore.
The war over encryption has spilled into Congress: in April, a new draft encryption bill was released and promptly blasted by internet giants that said it “creates a mandate that companies engineer vulnerabilities into their products and services.”
The draft bill says companies handling communications should protect consumers’ private data through “appropriate data security,” while respecting the “rule of law” and “comply[ing] with all legal requirements and court orders.”
That’s a contradiction, according to some tech companies, including Sophos: securing data means using strong encryption, and unscrambling encrypted data under a court’s order would only weaken that security by creating a “backdoor.”
In Brazil, besides the second WhatsApp assault, the current anti-encryption salvo comes in the form of a counterterrorism bill that Human Rights Watch is warning will endanger basic rights.
As the rights group explains, Brazil’s senate removed a provision that would specify that the term “terrorism” doesn’t apply to political demonstrations, social movements, unions, and religious and professional movements that defend rights and freedoms.
The bill proposes between 16 and 24 years in prison in “terrorism” cases in which no death occurred, and between 24 and 30 years for an act that caused a death.
Brazil’s congress is considering several of the proposals and could vote on them as early as this week.