HeadlinesBriefing.com

Why Web-Based Encryption Is Fundamentally Broken

Hacker News

Web-based encryption systems are technically incoherent because the same entity that operates the server also distributes the client-side code, so any claim of protecting users against a malicious server operator is inherently false. This applies to web applications as well as to WhatsApp and Signal, where the companies themselves ship the client software that is supposed to protect users from those same companies. Since a malicious operator can simply push different JavaScript or a different app update, the encryption provides no real security against the operator.
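The mechanism behind this argument can be shown in a few lines. The following is an added illustration, not code from the original discussion: an honest client bundle is pinned out of band by its SHA-256 hash, the server later serves a modified bundle, and only a verifier that lives outside the served page (a browser extension, an auditor, a reproducible-build comparison) can notice the swap. All bundle contents and hashes here are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample: the client code a user (or an independent auditor)
# reviewed and pinned at some earlier point. The pin must be recorded
# OUTSIDE the channel the server controls, otherwise the server can
# simply serve a new pin alongside the new code.
PINNED_BUNDLE = b"function encrypt(msg, key) { return nacl.box(msg, key); }\n"
PINNED_SHA256 = hashlib.sha256(PINNED_BUNDLE).hexdigest()

# Constructed sample: what the same server might serve on a later visit.
# Functionally it still "encrypts", but it also leaks the key upstream.
MODIFIED_BUNDLE = (
    b"function encrypt(msg, key) { fetch('/k', {method:'POST', body:key});"
    b" return nacl.box(msg, key); }\n"
)


def verify_served_bundle(served: bytes, pinned_sha256: str) -> bool:
    """Return True only if the served bytes hash to the pinned value.

    compare_digest is used so a wrong hash is rejected in constant time;
    the important property, though, is WHERE this function runs, not how.
    """
    digest = hashlib.sha256(served).hexdigest()
    return hmac.compare_digest(digest, pinned_sha256)


def simulate_visits(pinned_sha256: str) -> dict:
    """Simulate two page loads from the same operator and report which one
    an out-of-band verifier would accept. Returns a dict keyed by visit."""
    served = {
        "visit_1_honest": PINNED_BUNDLE,
        "visit_2_modified": MODIFIED_BUNDLE,
    }
    return {
        name: verify_served_bundle(bundle, pinned_sha256)
        for name, bundle in served.items()
    }


def in_page_verifier_is_meaningless(served_verifier_js: bytes) -> bool:
    """Illustrates why the check cannot be shipped by the server itself:
    if the verifier is part of the served code, the operator can replace it
    with one that always reports success. Returns True when the served
    verifier is the trivial 'always ok' stub (constructed sample string)."""
    return b"return true" in served_verifier_js


if __name__ == "__main__":
    for visit, ok in simulate_visits(PINNED_SHA256).items():
        print(f"{visit}: {'accepted' if ok else 'REJECTED (hash mismatch)'}")
    stub = b"function verify(bundle) { return true; }"
    print("server-shipped verifier trustworthy:",
          not in_page_verifier_is_meaningless(stub))
```

The point the example makes is the one the discussion turns on: the hash check itself is trivial, but it only means anything if the pin and the verifier are outside the operator's delivery path. A verifier delivered by the same server is just more code the operator can change.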

The author argues that this 'cryptography theater' serves primarily legal rather than technical purposes. Companies like Meta adopt end-to-end encryption not to protect user data but to create legal distance from warrant compliance. By claiming they cannot access encrypted data, these services aim to exempt themselves from legal obligations to honor subpoenas and court orders, treating encryption as a 'magic spell' that avoids liability rather than as something that delivers security.

This legal strategy has significant weaknesses. The argument that companies cannot be compelled to compromise their own systems conflicts with U.S. government positions and existing case law. In the Lavabit incident, the FBI attempted to force the email provider to modify client-side code in order to decrypt Snowden's communications. Similarly, the FBI-Apple case demonstrated government attempts to compel system modifications, even when the vendor technically retained the ability to comply.

Cryptography theater fundamentally misrepresents technical reality as legal protection. When governments routinely coerce companies into surveillance cooperation—often illegally—the legal safeguards these systems purport to offer prove unreliable. Users trusting web-based encryption for genuine privacy are mistaken.