How do terrorists communicate to hide from investigators?
We know little about the means used by those involved in the deadly attacks in Paris, but intelligence and security officials have already launched a new wave of chatter about encryption.
First, The New York Times reported that anonymous European officials were saying they believed the Paris attackers had used some kind of encrypted communication, "but offered no evidence."
Now NBC News is citing unnamed officials as suggesting "the ISIS geek squad is teaching terrorists how to use encryption and communication platforms like Silent Circle, Telegram and WhatsApp."
There was even a Forbes story that suggested the terrorists talked over Sony PlayStation 4, that has now been invalidated.
One thing is clear: The investigation into the attacks is ongoing, and no specific evidence of encrypted or other communications has been confirmed.
Yet it has renewed the debate about encryption and the headaches that intelligence and law enforcement officials say it's created for their investigations.
What we're talking about is not your emails or Web searches, photos or social network posts. Those things get encrypted on your laptop and then decrypted and stored on a big corporate data server. There, law enforcement officials have the technical and legal ability to get access to the content, for instance, with a subpoena.
What's raising the concerns is so-called end-to-end encryption: when data gets encrypted on one device and only gets decrypted when it reaches the recipient's device. Think Apple iMessage, WhatsApp or FaceTime.
And for a while now, the law enforcement and intelligence communities in the United States, and to some extent in Europe, have been asking tech companies (which are pushing back) to give them basically a back door into these kinds of encrypted communications.
"From the law enforcement perspective, we describe this experience of going dark, that we no longer can penetrate the darkness to conduct our investigations," New York Police Commissioner Bill Bratton tells NPR's Ari Shapiro. "It's a very significant negative effect on our ability to detect and disrupt terrorist-related activity."
Safer With Or Without Back Doors?
CIA Director John Brennan made this case against encryption on Monday at the Center for Strategic and International Studies in Washington:
"There has been a significant increase in the operational security of a number of these operatives and terrorist networks as they've gone to school on what it is that they need to do in order to keep their activities concealed from the authorities. And as I mentioned, there are a lot of technological capabilities that are available right now that make it exceptionally difficult both technically as well as legally for intelligence security services to have the insight they need to uncover it.
"In the past few years because of a number of unauthorized disclosures and a lot of hand-wringing over the government's role in the effort to try to uncover these terrorists, there have been some policy and legal and other actions that are taken that make our ability, collectively, internationally to find these terrorists much more challenging. And I do hope that this is going to be a wake-up call."
The hand-wringing of course refers to the fallout of the Edward Snowden leaks, which showed, among other things, how the National Security Agency tapped into data centers and otherwise dealt with tech companies. That prompted a bigger push toward end-to-end encryption that would limit the companies' role in the surveillance process.
After months of debate, in October, the Obama administration appeared to back down from the push for encryption back doors.
Some of the considerations were these: If America asked for back doors, what would stop China, Russia or any other country from demanding the same kind of access? Or, in light of massive hacks of government data, what would convince the companies that the federal agencies could properly protect the keys they'd be given?
"The reality is that if you have an open door in your software for the good guys, the bad guys get in there, too," Apple CEO Tim Cook told NPR's Robert Siegel in October. "I don't support a back door for any government, ever."
In fact, the notion of law enforcement "going dark" in the face of new technology has floated since the 1990s and the dawn of the Internet, when law enforcement organizations pushed for access to communications services.
A group of computer scientists and security experts that had studied the topic then, reviewed it again in recent months and found high risk of unanticipated, hard-to-detect security flaws.
"We have found that the damage that could be caused by law enforcement exceptional access requirements would be even greater today than it would have been 20 years ago," they wrote in the abstract of their July paper for the Massachusetts Institute of Technology.
Tech companies and privacy advocates also argue that the government doesn't need encryption back doors to carry out terrorism surveillance.
"Most consumer-oriented encryption systems that are deployed today protect the content of a message. They do no protect the metadata — they do not hide who is talking to whom," says Moxie Marlinspike, founder of Open-Whisper Systems that created TextSecure, the open-source encryption tool adopted by WhatsApp last year.
"So if you have a network of terrorists communicating with a known 'home base,' intelligence agencies will still be able to see that," he says.
Nate Cardozo, a lawyer on the civil liberties team at the Electronic Frontier Foundation, went even further, suggesting that the back-door push by the intelligence and law enforcement community is less about terrorism and more about collecting as much information as possible. He accused the CIA's Brennan of political opportunism — using the Paris tragedy to push for an existing agenda.
"We are in a golden age of surveillance. Right now it is easier for the CIA, the NSA, the FBI to surveil anyone, anytime, anywhere than it ever has been, even despite encryption," Cardozo tells All Tech.
"If we learned anything from the Snowden revelations, it's that the NSA and intelligence agencies around the world, including in France, are not suffering from the lack of information, rather they're suffering from the exact opposite. They have so much data that they're collecting, they have trouble filtering the signal from the noise."
And ultimately, he says, even if all existing encrypted devices got a back door, there would always be ways of circumventing those back doors — all it takes is a new app to restart the whack-a-mole.
"Trying to regulate encryption is like trying to regulate an idea," Marlinspike says. "It's going to be very difficult if not impossible to do."
Rep. Adam Schiff, the ranking Democrat on the House Intelligence Committee, summed it up this way:
"It's too early, I think, to say in terms of the attack in Paris to what extent these terrorist may have used encrypted communications," he told NPR on Monday. "Even with the best of intelligence resources, there are still vulnerabilities and ultimately it's going to require us to eliminate that sanctuary in Iraq and Syria."