Encryption wars heating up in wake of terror attacks

·National Correspondent, Technology
Tourists visit the Eiffel Tower following the terrorist attacks on Nov. 13. (Amr Nabil/AP Photo)
Tourists visit the Eiffel Tower following the terrorist attacks on Nov. 13. (Amr Nabil/AP Photo)

It took nearly two weeks for French officials to piece together how a team of nine terrorists planned the deadly Nov. 13 terrorist attacks in Paris that killed 130. And during that time, intelligence officials filled the media vacuum with their own theories for what happened.

A Nov. 15 New York Times story (which was later silently pulled) said the attackers were “believed to have communicated using encryption technology, according to European officials who had been briefed on the investigation.” The following day, former CIA deputy director Michael Morell pointed to the secure communications tool — which jumbles messages so that they can be decoded only with a key — in connection with the attack. “We don’t know yet, but I think what we’re going to learn is that [the attackers] used these encryption apps, right?” he said on “CBS This Morning.” On Nov. 18, FBI Director James Comey reiterated his position that the bureau needs to access encrypted communications. Encryption, he said, permits “the needle [in the haystack] we’ve been searching the entire nation to find” to go “invisible.”

Although these comments may have been news to those searching for answers in the days following the attack, many encryption activists and experts felt as if they were experiencing déjà vu.

“In Internet years, this rhetoric is ancient at this point,” Nate Cardozo, a staff lawyer at the Electronic Frontier Foundation, told Yahoo News. “We’ve been hearing it since the mid-’90s.”

SLIDESHOW – Attacks in Paris >>>

And, in the case of the Paris attacks, officials’ statements were also inaccurate. Aside from a few minor encrypted interactions, investigators found that the terrorists hatched their attack out in the open, booking online hotel reservations with their real names, exchanging Facebook messages and sending SMS texts on an unencrypted phone that police found discarded near one of the shooting sites.

But the issue is a long-standing one in the European and U.S. intelligence communities. Since the early ’90s, regulating encryption has been a contentious topic among technologists and government officials — a debate that is often renewed after major terrorist attacks. Government officials have insisted they need special access to encrypted networks to ensure terrorist communication does not slip by unnoticed. Technology companies, backed by activists and academics, have countered that doing so would irreparably compromise the security of our products and their economic viability.

Now, in the wake of the numerous incidents that have been traced to the Islamic State, otherwise known as ISIS or ISIL, academics and security advocates say officials are again seizing on public fear to push more aggressive surveillance legislation. This month, the French newspaper Le Monde obtained documents from the Ministry of Interior considering legislation to block the use of the Tor anonymity network, a series of virtual tunnels that allow people to share information online without compromising their privacy. The documents also show discussion to “forbid free and shared Wi-Fi connections” used in public places like cafes and airports, during a state of emergency.

Similarly, the British Parliament is in the process of passing something called the Investigatory Powers Bill, which, according to its current draft, would drastically expand the government’s online surveillance privileges and require Internet and phone companies to have “permanent capabilities” that can intercept and collect data passing through their networks.

“It makes for a very good narrative,” Phillip Rogaway, a professor and cryptographer at the University of California, Davis, told Yahoo News. “A principal piece of this narrative is this world is inhabited by bad guys and privacy is a boon to them, and unless we can make encryption infeasible, then we run the risk of going dark and going into this world of blackened closets. There’s all this kind of visual scary imagery: the terrorists and the darkened closets.”

But according to Matthew Olsen, the former director of the National Counterterrorism Center, the potential use of encryption by terrorists is a dangerous threat that must be addressed.

“There should be an opportunity for the government and technology companies to sit down together and have a constructive dialogue about the ways in which the government may be able to get access to encrypted communications with a warrant,” he told Yahoo News. “It seems like a worthwhile endeavor to try to determine whether that can be achieved, given the serious threat that we face from groups like ISIS.

SLIDESHOW – Shooting in San Bernardino, California >>>

Officers look over the evidence near the remains of a SUV involved in the Dec. 3 San Bernardino attacks. (Mario Anzuoni/Reuters)
Officers look over the evidence near the remains of a SUV involved in the Dec. 3 San Bernardino attacks. (Mario Anzuoni/Reuters)

In defending encryption, privacy advocates do not necessarily deny that it’s a tool used by terrorists. As Yahoo News reported, research centers have seen encryption guides being circulated on known ISIS forums online, offering evidence that the terrorist group is becoming more aware of the security procedures required to keep their communication under wraps. And many owners of encryption software companies cannot guarantee their user base is terrorist-free. However, experts argue that to compromise encryption products in the United States would not stop terrorist groups from accessing software from other countries, or making their own.

“It’s clear that terrorists might use a service everyone else uses,” Cardozo said. “That is just something we need to grapple with in the 21st century.”

The power struggle over encryption — dubbed the Crypto Wars — began as early as 1993, with something named the Clipper Chip. The device, which was developed by government engineers, was designed to be inserted into consumer telephones and protect private conversations while also allowing intelligence agencies access to unencrypted clips of that communication if needed. The invention was met with intense opposition from privacy advocates, company leaders and technologists who worried that setting such a precedent would threaten civil liberties and cybersecurity. A year later, after a computer scientist discovered a security flaw in the Clipper Chip’s design, legislation stalled and the gadget never came to be. Since then, debate has raged on.

“No government has provided a concrete example of when encryption has stopped them from getting information that they deemed necessary to investigate a terrorist attack, that they weren’t able to get through other means,” Amie Stepanovich, the U.S. policy manager for Access Now, a nonprofit dedicated to defending digital rights, told Yahoo News. “When you look at the reaction of the United States to the attacks in Paris, you see this playing out once more.”

Homeland Security Secretary Jeh Johnson listens at left as President Barack Obama speaks at the National Cybersecurity and Communications Integration Center in Virginia. (Evan Vucci/AP Photo)
Homeland Security Secretary Jeh Johnson listens at left as President Barack Obama speaks at the National Cybersecurity and Communications Integration Center in Virginia. (Evan Vucci/AP Photo)

Past legislative moves to control the spread of encryption are still showing their negative effects in the privacy industry. A 1992 export law, for instance, required weak encryption keys to be used in any U.S. software or hardware products that were sent to other countries. Those same 512-bit keys were linked to the spread of a security flaw dubbed the “FREAK bug” that was discovered in March of this year.

Rogaway also notes that after the terrorist attacks on 9/11, the government was able to successfully gain public support for vastly expanding its digital surveillance powers, most of which were later revealed by documents published by Edward Snowden in 2013.

“We kind of set the script by which you could use terrorist incidents to push an agenda,” he said.

When it comes to policymaking, privacy advocates are concerned with government officials’ lack of technical knowledge of encryption technology. For example, the Foreign Intelligence Surveillance Court — which makes judicial rulings on intelligence community activities in a classified setting — recently appointed a panel of five advisers to aid its judge. As Stepanovich notes, all five were lawyers and none were technologists.

“Too few of the people who are in our U.S. Congress have technologists on staff or someone they can consult with on these issues,” Stepanovich said. “Getting those people into the key positions that they need to be in in order to provide this information is really important.”

In some cases, that lack of technical knowledge extends to the advisers and proposals of politicians. In a conversation with Re/code’s Kara Swisher in June, Hillary Clinton suggested the rift between Silicon Valley and legislators could be solved by a “real conversation” with tech executives. “I think the conversation, rather than ‘you don’t understand privacy and you don’t understand security,’ ought to be ‘OK, let’s figure out how to do this,” she said. During a speech at the Brookings Institution on Sunday, Clinton called on technology companies to “disrupt ISIS” and called for an “urgent dialogue” between industry giants and law enforcement officials.

To Cardozo, this is evidence that the current Democratic frontrunner does not understand that adding a backdoor to encryption inherently compromises it.

“That dialogue happened in the ’90s,” he said. “And the answer now is the same as it was then. The lawmakers and the law enforcement side of this aren’t talking to the security experts and the academic cryptographers that they need to talk to.”

Related:

Following Paris attacks, encryption services face new scrutiny

Here's the manual ISIS uses to teach its soldiers about encryption

How encrpytion works and why people are so freaked out about it