Nevada AG Asks Court to Ban Meta from Providing End-to-End Encryption to Minors
Nevada's attorney general filed a motion this week to prevent Meta from providing end-to-end encryption to users under eighteen who reside in his state.
The request is intended to combat predators who target minors for sexual exploitation and other criminal purposes, the AG states, and to allow law enforcement to retrieve communication between criminals and minors from Meta's servers during investigations.
Lawyers for Nevada Attorney General Aaron Darnell Ford filed a partially redacted brief in federal court in Las Vegas on February 20 seeking a temporary restraining order and a preliminary injunction against the social media platform Meta to prevent it from offering end-to-end encryption on Messenger for anyone residing in the state whom Meta believes may be a minor.
In its request to the court, the Nevada AG's office claims that Meta's decision to enable end-to-end encryption by default is "irresponsible" and "drastically impedes law enforcement efforts to protect children from heinous online crimes, including human trafficking, predation, and other forms of dangerous exploitation."
The AG sought to have a rapid hearing on the matter on February 22, due to what the AG says is "extreme urgency" affecting "the safety and well-being" of children in Nevada who use Messenger. But the court has scheduled it for Monday, February 26. The AG doesn't indicate the reason for the rapid hearing.
Meta, in its response to the filing, says the request makes no sense since it and other messaging services have been offering end-to-end encryption to minors and other users for years, and law enforcement, as acknowledged in the Nevada AG's own filing, can still obtain such messages from the devices used by criminals and minors.
"The State cannot properly assert that it requires emergency injunctive relief—on two days’ notice—blocking Meta’s use of E2EE, when that feature has been in use on Messenger for years and began to be rolled out for all messages more than two months ago," Meta writes in its response.
Riana Pfefferkorn, legal expert and research scholar at the Stanford Internet Observatory, calls Nevada's request "bizarrely aggressive" and says the timing of it is perplexing.
"It seems to come out of nowhere and I don’t know what the motivation is for this to happen now," she says. She says she thinks it may be the biggest attack on encryption in the U.S. since 2016 – a reference to the FBI's attempt to force Apple to undermine the encryption on its iPhones so the agency could access a phone used by the suspect in the San Bernardino terrorism case,
Meta has made end-to-end encryption available to Messenger users since 2016, but last December, the company made it the default setting for all communication sent on Messenger, the application used for private messaging between users on Facebook and Instagram.
End-to-end encryption encrypts communication on the user's device before it's sent. The messages only get decrypted on the recipient's device, which means that Meta and any other system through which the communicate passes on its way to the recipient, cannot read the contents of the communication. Law enforcement investigators can still read the messages, however, if they obtain the device used by either party to the communication and are able to access the device with the password or by bypassing it with forensic tools. This has been the case since 2016 when any user, including minors, opted to enable end-to-end encryption. The only thing that has changed recently, is that Meta is now encrypting all messages by default.
But the AG appears to be asking the court not just to prevent Meta from enabling end-to-end encryption for minors by default, but also to prevent the company from providing the option to use end-to-end encryption at all for minors who reside in the state – even though they've been able to use end-to-end encryption for eight years.
In its response opposing the request for a restraining order and injunction, Meta points out that end-to-end encryption has been available by default for Apple iMessages since 2011, and is also available to users of the Signal communications app and other similar applications. End-to-end encryption has been considered essential for protecting communications for years, it notes.
"Indeed, Nevada law recognizes the value of encryption, requiring data collectors to encrypt personal information," Meta writes in its response.
Pfefferkorn says that if the court grants the restraining order and injunction it would actually make minors less secure than other users of Messenger.
"It’s bizarre for the state to be saying that the AG wants to ensure that only children in Nevada receive less privacy and security protection than any other user of Messenger."
She's also concerned that if the court does grant Nevada's wish other states would follow suit.
"It would serve as copycat inspiration for other states to try and do the same," she notes.
As the basis for its request to obtain a restraining order, the AG's office claims in its filing that in providing end-to-end encryption for minors, Meta is violating Nevada's Unfair and Deceptive Trade Practices Act, which prohibits the violation of laws in the course of selling or leasing goods or services. Nevada law prohibits the use of encryption to commit a criminal offense or conceal a criminal offense or obstruct law enforcement, the AG states, therefore Meta is directly and indirectly aiding and abetting child predators by providing them with end-to-end encryption. The AG also states that Meta further violates the Unfair and Deceptive Trade Practices Act by misstating how the risks minors face in using Messenger.
Meta, the AG says, represents Messenger as a safe application for minors to use but fails to inform them that in using Messenger with end-to-end encryption they are putting their safety at risk. Meta "represent[ed] that Messenger was safe and not harmful to Young Users’ wellbeing when such representations were untrue, false, and misleading," the AG's filing says.
The AG also says that there would be "minimal or no cost to [Meta] in complying with such an injunction, and therefore the burden on the company is light."
Meta takes issue with this, however, saying in its response that its ability to identify users based in Nevada is limited and is based on IP addresses and the user's self-disclosure about their location – both of which are not always accurate.
"To ensure compliance with the TRO, as a result, Meta may have to attempt to disable E2EE on Messenger for all users," the company states. "Due to the truncated timeline here, Meta has not yet been able to assess the feasibility and burdens of doing so."
Oddly, the AG asserts in its filing that the request for a restraining order is tied to a complaint that it sent Meta at the end of January. But, Meta notes, that complaint is based on claims that Meta's services are addictive to users and contribute to mental health issues in teenagers. The complaint barely mentions end-to-end encryption and doesn't reference at all the Nevada Unfair Practices law, which the AG cites as the legal reason for the court to grant the restraining order.
You can read the AG's brief here:
Meta's full response to the brief is here: