Paris Terrorism No Excuse for Anti-Encryption Efforts
Inconveniently for the U.S. intelligence community, the Paris attacks had nothing to do with encrypted communications.
Terrorist attacks like this month's atrocities in Paris are intended to sow discord and confusion. They also provoke an unfortunately predictable reaction from government authorities, who quickly took to the airwaves following the violence to declare jihad against strong encryption techniques. Such techniques, they claimed (with little evidence), surely figured in planning the Paris attacks.
This narrative serves to justify a decades-long campaign to undermine encryption—and with it, our security online.
The presence of even a single encryption vulnerability can expose massive portions of Internet activity to gaping security holes for years, as the recent FREAK, Logjam, and Heartbleed fiascos remind us. And these breakdowns occurred when our best and brightest were not trying to purposefully weaken already delicate security. The enormous risks to which we would expose ourselves through an intentional handicap on security technologies should immediately outweigh any theoretical benefits. Yet for some reason, much of the U.S. intelligence community cannot internalize this simple wisdom.
The intelligence community's latest offensive against encryption technologies was opposed by virtually every technology player that would be needed to actually implement their wild schemes, including Apple and Google, and buttressed only by authorities' active imaginations. They were certain that lurking baddies evaded their sophisticated grasp through encryption, but found it very hard to come up with even one real example of this ever occurring. For a while, it looked like their fantasy of conquering encryption would have to be shelved yet again this year.
But top intelligence attorney Robert S. Litt encouraged his colleagues to keep their chins up—all that was needed was some "terrorist attack or criminal event where strong encryption can be shown to have hindered law enforcement," he told colleagues in August, in an email obtained by The Washington Post. Best to keep their "options open for such a situation," he counseled. Eventually, some "dead child or terrorist act" would present itself, allowing the government to persuade the public of the perils of secure encryption once and for all.
This opportunity arose with Paris. The intelligence community wasted little time in tailoring a narrative amenable to their interests. Former CIA official Michael Morell took to television to inform us of his suspicion that "what we're going to learn is that [the attackers] used these encrypted apps, right?" CIA Director John Brennan quickly blamed the catastrophe on "hand-wringing" over mass surveillance and government back-doors into secure-message technologies. FBI director and long-time crypto-Cassandra James Comey emphasized that encryption is a "prominent feature of … a group like ISIL," while Attorney General Loretta Lynch called upon the technology industry to work with law enforcement so that none of their "services or devices [are] used by these psychotic killers."
Poor reporting helped spur this rhetorical offensive. The New York Times published one article stating that the attackers communicated with ISIS using encryption, only to mysteriously remove it later without explanation and redirect the link to another piece. Other outlets, including Yahoo News and ABC, likewise reported that the Paris attackers employed encryption techniques, without much in the way of evidence.
One memorably absurd report from Politico featured a Belgian minister's colorful theory that terrorists encrypt communications over the PlayStation 4 network. A few outlets ran with this hot scoop about the Paris attackers until it was pointed out that the PlayStation network does not allow end-to-end encryption and this minister's comments preceded the attacks by three days. Oops.
Inconveniently for the intelligence community, it looks like the Paris attacks had nothing to do with encryption at all. Recent reports from France and Belgium suggest that most planning for the attacks took place over good, old-fashioned, unencrypted text messages that investigators were able to access using good, old-fashioned law enforcement techniques.
Interestingly, the suspects and their associates implicated in earlier plots were aware of this traditional government surveillance and actively tried to evade it. But they did not "go dark," despite all the squawking we hear from the intelligence agents tasked with watching them. Rather, the conspirators merely changed cell phones and numbers sporadically to throw the spooks off their trail.
What's more, many suspects actively collaborated in the online equivalent of broad daylight: Facebook groups that were explicitly labeled for ISIS members. The modern jihadi is no stranger to social media and can often be found loudly advertising his (or her) bloody dreams of conquest after many a haram night of boozing and brotherhood. These punks are despicable, but they are hardly the "masterminds" that officials would have us believe.
But the particular facts of the Paris case are ultimately irrelevant to the authorities who broached this public conversation. Their intention all along has been to subvert encrypted communications, be it via government access points (or "back doors") integrated into encryption standards or an effective ban on encryption through hamfisted legislation.
The same arguments wielded during the "War on Crypto" in the 1990s are being applied to the ongoing "Jihad on Crypto" today. In particular, anti-encryption opportunists—both then and now—have argued that law enforcement will be unable to monitor terrorists, child predators, and all-around ne'er-do-wells if such individuals are able to communicate in ways that evade traditional surveillance methods.
As computer security experts continue to warn us, however, terrorist attacks like those in Paris do not justify government destruction of the encryption technologies that keep us safe online. There is no evidence that the Paris terrorists used any encryption at all. Yet in our current rhetorical climate, expect to hear much more about the Paris attacks from encryption opponents eager to clamp down on these technologies once and for all.