Hit & Run

Encryption Was Most Certainly Not the Reason Why the Paris Attacks Weren't Foiled

Investigators find phone data wasn't even protected at all.


Not the problem.
Credit: Yu. Samoilov / photo on flickr

Not long after the Paris attacks, surveillance state advocates were quick to try to blame technological privacy for the failure to gather enough intelligence to prevent the bloodshed. Folks like CIA Director John Brennan and Sen. John McCain (R-Ariz.) have attempted to paint targets on reforms to mass surveillance privacy protections and encryption that keeps data out of just anybody's (but particularly the government's) hands.

As I've previously noted, any claims that the USA Freedom Act surveillance reform played any role in intelligence failures surrounding the Paris attacks are politically motivated bunk. I'm talking to you, Sen. Marco Rubio (R-Fla.). To the modest extent that the USA Freedom Act scaled back mass metadata collection, the law applies only to Americans on U.S. soil. There was nothing in the law that restrained our intelligence agencies from tracking the terrorists who attacked Paris. And, as a reminder, the reforms of the surveillance powers don't even come into play until the end of this month anyway.

Similarly, the claims that encryption may have played a role in keeping knowledge of the plot out of the hands of intelligence agencies are also proving to likely be untrue. The theory they had used PlayStation 4 to communicate is probably not true. And more importantly, as the investigation continues, it's becoming clear that the attackers were not using any sort of encryption on their smartphones around the time of the attack. From Dan Froomkin at The Intercept:

European media outlets are reporting that the location of a raid conducted on a suspected safe house Wednesday morning was extracted from a cellphone, apparently belonging to one of the attackers, found in the trash outside the Bataclan concert hall massacre. Le Monde reported that investigators were able to access the data on the phone, including a detailed map of the concert hall and an SMS messaging saying "we're off; we're starting." Police were also able to trace the phone's movements.

The Telegraph reported that "eyewitness accounts and surveillance of mobile telephone traffic" suggested that Abdelhamid Abaaoud, the suspected strategist of both the Paris attack and one that was foiled in Belgium, was staying at the safe house.

Details about the major ISIS terror plot averted 10 months ago in Belgium also indicate that while Abaaoud previously attempted to avoid government surveillance, he did not use encryption.

A prescient bulletin sent out in May by the Department of Homeland Security assessed "that the plot disrupted by Belgian authorities in January 2015 is the first instance in which a large group of terrorists possibly operating under ISIL direction has been discovered and may indicate the group has developed the capability to launch more complex operations in the West."

Abaaoud was just apparently killed in the most recent raids in France. Abaaoud was a well-known terrorist and one of his previous plots was thwarted, Froomkin notes, because officials were able to intercept his and his accomplices' communications.

Whatever the reason Western countries didn't know enough to stop this attack from happening clearly had little to do with technology or privacy protections. As such, we should reject demands from government officials to weaken the privacy and security of our own communications and data to serve their alleged needs.