In this blog post, I’ll explore media and government reactions to acts of terror in both Paris and San Bernardino, California. FBI Director James Comey and California Democratic Senator Dianne Feinstein suggest radical changes to how we look at cryptography in the United States, often in direct defiance of security and civil rights experts.
A few weeks ago, just before Thanksgiving and the subsequent attacks in Paris and San Bernardino, the ongoing War on Terror’s chapter surrounding the role of an encryption technology backdoor hit what many saw as a turning point. Encryption technology, simply put, scrambles the content of a message or file in a way that only the intended sender and recipient can read it coherently.
Despite a strong lobbying effort from FBI Director James Comey, the White House “made a long-awaited decision on the thorny issue of how to deal with encrypted communications [in the United States.]” After civil liberties and security experts weighed in as well, the White House announced it would stop pursuing what is known as a ‘Backdoor’ strategy.
Comey’s Backdoor plan, which aligned with most of the Federal security apparatus, would have required US telecommunications companies (think Apple, Google, Amazon) to provide a mandatory master key. This ‘Backdoor’ would allow law enforcement agencies to decrypt private communications like chat logs, search and browsing history, email, and online purchases so long as they had a warrant.
Simply put, this plan is as flawed as it is shortsighted.
“Lawmakers should not risk the real economic, geopolitical and strategic benefits of an open and secure Internet for law enforcement gains that are at best minor and tactical.”
A venerable who’s-who of security experts published an academic paper, calling out Comey’s Backdoor strategy as well:
A paper released on Tuesday, called “Keys Under Doormats”, said the transatlantic effort to insert backdoors into encryption was “unworkable in practice, raise[s] enormous legal and ethical questions, and would undo progress on security at a time when internet vulnerabilities are causing extreme economic harm”.
So to review, the Backdoor plan fails on the following fronts:
- Automatically a target for nefarious hackers, foreign and domestic
- Only applies to US-based telcos, ignores legacy, foreign and homegrown crypto
- Stops people from using personal encryption legally. Criminals and terrorists would still use it illegally*
X Marks the Spot
This ‘backdoor’ effectively works as a master-key, allowing for the decryption of any message or content when deemed warranted by law enforcement.
For starters, a backdoor/master-key will immediately draw unwanted attention from adversaries’ growing base of malicious hackers. In October of this year, research firms Ponemon Institute and CounterTack surveyed 639 IT practitioners, from technicians to senior executives:
Thirty-five percent were certain their company had been the target of a “nation-state attack,” and three-quarters said they expected to be impacted by one within the next five years. Seventy-five percent admitted they are unprepared, unable to detect or combat such attacks — yet only half reported taking measures to prevent or deter them.
Call me a scruffy looking nerf herder, but this hardly seems like the time to announce the existence of a lone exhaust port to our biggest threat.
Foreign, Homegrown and Legacy Crypto
Another major issue with Comey’s backdoor proposal is jurisdiction. Should this go through, implementation would be very difficult.
To begin with, the policy would apply only to US-based telecommunications companies. While that does account for a large percentage of the web, it is certainly not all of it.
Should ISIS or a similar terrorist group decide to use encryption, all they would have to do is rely on a service based outside of the US. Our strongest enemies in cyber war games (think Russia, China, North Korea) are also the most likely to provide these tools to the highest bidder.
Similarly, as groups like ISIS become more technologically sophisticated, they are more likely to develop their own crypto technology, rendering Comey’s Backdoor completely useless (unless your goal is actually domestic signals intelligence #burn). If anything, a public announcement of this type of Backdoor would only spur homegrown solutions. I’d posit that Comey’s Backdoor, more so than Snowden leaks, is the guilty party in our next unspeakable act of terror.
Another issue with Comey’s backdoor plan is the consideration of legacy technologies. These older protocols – basically any form of encryption developed before the implementation of a backdoor – would be potentially exempt. There’s no practical way to retroactively decrypt every message sent, let alone to do so across a variety of protocols (the algorithms used to encrypt and decrypt, which have changed and evolved over time).
Calm Before the Storm?
For the time being, it seemed as if things had settled; academics and civil liberties advocates had made their points well, the White House finally took a position on Backdoors, and Comey went back to the belt line with his tail between his legs.
Privately, law enforcement officials acknowledged that prospects for congressional action this year are remote. Although “the legislative environment is very hostile today,” the intelligence community’s top lawyer, Robert S. Litt, said to colleagues in an August e-mail, which was obtained by the [Washington] Post, “it could turn in the event of a terrorist attack or criminal event where strong encryption can be shown to have hindered law enforcement.”
All of this changed weeks later, however, when we looked on in horror at events unfolding both abroad on the streets of Paris, and in our own backyard in San Bernardino, California.
Despite strong warnings just weeks prior from academia, security professionals, civil liberties advocates and private citizens, James Comey and Senator Dianne Feinstein (D-California) launched into action.
Unsurprisingly, the duo took the recent tragedy as reason enough to start the debate all over again.
Deja View Source – Here We Go Again
Pro-censorship legislators jumped at the opportunity to use the recent attacks in Paris and San Bernardino to reignite the conversation.
They argued that terrorists communicate with encryption technology, keeping law enforcement and anti-terror groups from effectively monitoring communications and thus unable to deter acts of terror.
Again, despite subject experts and civil liberty advocates shouting warnings from the rooftops, the finger pointing continued.
As is to be expected in the immediate aftermath of such horrific events, news media tried desperately to understand the situation. Stories from credible sources that labeled encryption as the immediate enemy flooded our timelines and Twitter feeds. This, as always, brought in the ‘nothing to fear if you have nothing to hide’ logic that has plagued online privacy debates continuously.
It was the best of the Times, it was the worst of the Times
The New York Times quickly posted, and then redacted a quote from unidentified “European officials” who told the paper the attackers coordinated their assault on the French capital via unspecified crypto technologies:
“It was not clear whether the encryption was part of widely used communications tools, like WhatsApp, which the authorities have a hard time monitoring, or something more elaborate. Intelligence officials have been pressing for more leeway to counter the growing use of encryption.”
Users looking for the original article on NYT.com are redirected to a more recent article, with general language that does not include the word ‘encryption’. Thanks to the Internet Archive, however, we can see the original in all of its reactionary glory.
“Why Terrorists Love Playstation 4”
Politico also published a story that week, “Why Terrorists Love Playstation 4”:
The story quoted Belgian Interior Minister Jan Jambon naming PlayStation 4 as a difficult communication platform to “decrypt.” French authorities said they confiscated at least one of the video game consoles from one attacker’s belongings.
“It’s unclear if the suspects in the attacks used PlayStation as a means of communication,” the article continues. “But the sophistication of the attacks raises questions about the ability of law enforcement to detect plots as extremists use new and different forms of technology to elude investigators.”
Strength in Numbers
Forbes followed up with an article shortly after, explaining the PS4 connection. To be clear, there has been no evidence that the culprits of the attacks in Paris were coordinated via PSN, Sony’s online gaming communications platform:
“It has not been confirmed, as originally written, that a console was found as a result of specific Belgian terror raids. Minister Jambon was speaking about tactics he knows ISIS to be using generally.”
Forbes explained that the “PlayStation platform isn’t necessarily encrypting would-be terrorists communications, but rather makes it difficult for authorities to surveil certain in-game methods of communication, such as chats via headset in private game sessions or writing messages via in-game functions, like spelling words with dropped items or shooting walls.”
Cooler Heads Prevail
While it would take a few days of talking head punditry, sensible understanding did arrive. Patrick Howell O’Neill for The Daily Dot writes:
“That blame seems a bit far-fetched, given that terrorist organizations have been using encryption of various sorts for more than 15 years at least. And additional details shared by officials since the attack suggest that metadata from the encrypted communications provided early warning that an attack in France was imminent.
US intelligence officials warned the French government nearly two months ago that ISIS was planning an attack in France. The French Air Force struck targets in Raqqa, Syria—ISIS’ proclaimed capital—on October 8, based on that intelligence, in an attempt to take out those planning and coordinating the attacks.”
Worth noting is that the valuable metadata mentioned above is not hidden when message content is encrypted. In short, encrypting the messages did nothing to hide the information needed to identify an imminent attack on French soil.
Telegram for Mongo
In fact, reading through the ISIS internet guide and an October report from the Middle East Media Institute (MEMRI) reveals that the group relies heavily on the Russian-based messaging service Telegram instead of PSN, WhatsApp and other American-based telcos. In the event of a James Comey Backdoor, Telegram would continue to operate unaffected.
Don’t let that Backdoor hit ya on the way out.
The lack of evidence showing that encrypted communications played a role in either the Paris attacks, which killed 129 people, or the San Bernardino shooting, which killed 14 people, has not deterred law enforcement, who believe the technology is making their job more difficult and Americans less safe. – Patrick Howell O’Neill
As Joshua Kopstein wrote for Motherboard, “the claim that [investigators found “levels of built-in encryption” in the phones of Syed Farook and Tashfeen Malik, the married couple who killed 14 in a mass-shooting in San Bernardino, California] is both vague and nonsensical…
Every phone and computing device currently sold in the US has “levels of built-in encryption.” If they didn’t, criminals would still be able to easily intercept your calls when your phone connects to a cell tower, and a common thief who steals your device would get access to your bank account info, login details, pictures, and any other sensitive data you stored on it.
In other words, saying you found “built-in encryption” in a modern cellphone is about as meaningful as saying you found a battery and a touchscreen.”
Senator Dianne Feinstein (D-California) took a major step last Wednesday, however, when she told the Senate Judiciary Committee that she “would seek a bill that would give police armed with a warrant based on probable cause the ability to look into an encrypted Web.”
This is being done despite everything we’ve discussed today, folks: the White House position, the outpouring of articles and statements from industry experts and civil liberties advocates, a distinct lack of proof in both Paris and San Bernardino, and so on.
I understand that as a senator from California, inaction on Feinstein’s part would look awful in the wake of San Bernardino. But action for the sake of action does not necessarily guarantee results.
“I suspect what happened was in the aftermath of Snowden, particularly Europe got very conservative with respect to encryption. The companies back away. Now, that’s changing with Paris and God forbid what might happen in the future. So what I’m trying to say is, I think this world is really changing in terms of people wanting the protection and wanting law enforcement, if there is conspiracy going on over the Internet, [then] that encryption ought to be able to be pierced.” – Senator Dianne Feinstein, D – California
Technical specifics, civil liberties, the free and open internet, and our own national security be damned.
*There, are you happy, gun lobby?