The FBI’s Anom Stunt Rattles the Encryption Debate

The FBI’s repeated success in overcoming its “going dark” problem belies the protestations that it’s an existential threat. In some ways, Anom shows just how creative the agency’s workarounds can be. Researchers caution, though, that as more governments around the world seek the power to demand digital backdoors—and as some, like Australia, implement such laws—authorities could also point to the Anom case as evidence that special access works.

“It seems like from there it’s not rhetorically that big of a leap to say, ‘This worked so well, wouldn’t it be nice if every app had a backdoor?’ Which is literally what law enforcement in the US has said it wants,” says Riana Pfefferkorn, associate director of surveillance and cybersecurity at Stanford University’s Center for Internet and Society. If being able to surveil every message on Anom was so effective, the FBI might say, why not simply do it more, and in more places?

Extraordinary Circumstances

It’s important not to extrapolate too broadly from the Anom experience. According to the documents released this week, the FBI went to great lengths to work under foreign laws and avoid surveilling Americans throughout the three-year initiative. And there’s no immediate threat of the FBI being able to deploy a totally backdoored system inside the United States. The Fourth Amendment protects against “unreasonable” search and seizure, and sets out a clear foundation for government warrant requirements. Furthermore, continuous surveillance orders like wiretap warrants are intentionally even more difficult for law enforcement to obtain, because they authorize expansive bulk surveillance. But, as the National Security Agency’s PRISM program showed, unchecked domestic digital surveillance programs are not outside the realm of possibilities in the US.

One lesson to take from Anom, though, is that while it was effective in many ways, it came with potential collateral damage to the privacy of people who have not been accused of any crime. Even a product geared toward crooks can be used by law-abiding people as well, subjecting those inadvertent targets to draconian surveillance in the process of trying to catch real criminals. And anything that normalizes the concept of total government access, even in a very specific context, can be a step on a slippery slope.

“There’s a reason we have warrant requirements and it takes effort and resources to put the work into investigations,” Pfefferkorn says. “When there is no friction between the government and the people they want to investigate, we’ve seen what can result.”

These concerns are buttressed by indications that governments have actively sought expansive backdoor authorities. Along with Australia, other “Five Eyes” US intelligence peers like the United Kingdom have also floated ideas about how law enforcement could have access to mainstream end-to-end encrypted services. In 2019, for example, the UK’s GCHQ intelligence agency proposed that services build mechanisms for law enforcement to be added as a silent, unseen participant in chats or other communications of interest to them. This way, GCHQ argued, companies wouldn’t have to break their encryption protocols; they could simply make another account party to conversations, like adding another member to a group chat.

The reaction against the proposal was swift and definitive from researchers, cryptographers, privacy advocates, human rights groups, and companies like Google, Microsoft, and Apple. They argued firmly that a tool to add law enforcement ghosts to chats could also be discovered and abused by bad actors, exposing all users of a service to risk and fundamentally undermining the purpose of end-to-end encryption protections. 

Cases like Anom, and other examples of law enforcement agencies secretly operating secure communication companies, may not fulfill law enforcement’s wildest dreams about mass communication access. But they show—with all of their own escalations, gray areas, and potential privacy implications—that authorities still have ways to get the information they want. The criminal underworld hasn’t gone nearly as dark as it may seem.

“I’m happy living in a world where the criminals are dumb and cram themselves onto special-purpose encrypted criminal encryption applications,” says Johns Hopkins cryptographer Matthew Green. “My actual fear is that eventually some criminals will stop being dumb and just move to good encrypted messaging systems.”

