DON'T LOSE ACCESS:
Your IP access to ForeignPolicy.com will expire on June 15.
To ensure uninterrupted reading, please contact Rachel Mines, sales director, at firstname.lastname@example.org.
Paris Attacks Reopen Crypto Wars
From Apple to WhatsApp, tech companies are using sophisticated encryption technologies to thwart government spying. After Paris, top officials want to force firms to lower those walls.
For months, U.S. intelligence officials have warned that the proliferation of strong encryption technologies has hampered their ability to detect terrorist plots — including last week’s deadly attacks in Paris. The question now is whether Washington and its allies will force Silicon Valley to give law enforcement agencies a way around those technologies.
The bloody attacks in Paris that killed 129 have prompted searing questions over how the intelligence services of multiple countries failed to detect what was an organized plot involving multiple individuals and extensive planning in at least three countries. One answer, according to the top law enforcement official in the United States: the ease with which militants can use encrypted messaging tools, such as Apple’s iMessage, WhatsApp, and Signal, that have such strong security measures that Western intelligence services can’t unscramble communications.
Testifying before the House Judiciary Committee on Tuesday, Attorney General Loretta Lynch said that the use of such advanced encryption technologies has hampered investigations of individuals plotting violence in the United States. Citing unspecified investigations, Lynch said that terrorist suspects have switched from traditional communications tools to ones with end-to-end encryption, which even providers can’t unlock when served with court orders to do so. By using such tools, suspects ensure that officials “no longer have visibility into those discussions” about plots, Lynch said.
Speaking on MSNBC, Sen. Dianne Feinstein, the top Democrat on the Senate Intelligence Committee, all but accused tech companies — such as Apple, which has built sophisticated encryption measures into its iPhones — of complicity in international terrorism. “Silicon Valley has to take a look at their products,” Feinstein (D-Calif.) said Monday. “Because if you create a product that allows evil monsters to communicate in this way, to behead children, to strike innocents, whether it’s at a game in a stadium, in a small restaurant in Paris, take down an airliner — that’s a big problem.”
Senate Armed Services Committee Chairman John McCain, meanwhile, said companies should be forced to build a backdoor into their systems to let law enforcement personnel bypass their encryption measures. “It’s time we had another key that would be kept safe and only revealed by means of a court order,” McCain (R-Ariz.) said on MSNBC. “Recruitment and training and equipping can go on on secure sites, and we cannot let that continue to happen, in all due respect to my friends in Silicon Valley.”
It is still unclear whether the Paris attackers actually used encrypted communications technology in their planning. The New York Times reported Monday that European officials are working under the assumption that the attackers used encrypted tools to communicate, but no evidence has been made public to back up that claim. Asked by Foreign Policy whether the attackers had used encryption to shield their planning from authorities, U.S. officials declined to comment, but pointed to public statements by senior officials about how encryption has hampered efforts to uncover terrorism plots. The National Security Agency did not return requests for comment. A spokesperson for the Paris prosecutor’s office did not return a request for comment.
FBI Director James Comey has spoken of his investigations “going dark” as suspects’ communications remain shielded behind a wall of cryptography. In October, Nick Rasmussen, the director of the U.S. National Counterterrorism Center, warned Congress about “the increasing ability of terrorist actors to communicate with each other outside our reach.”
But these warnings have mostly fallen on deaf ears. In October, the White House concluded it would not seek legislation to force American tech companies to unlock user communications for law enforcement and intelligence agencies. On Capitol Hill, many lawmakers are uneasy about trying to force tech companies to make it easier for law enforcement agencies to access voice and data communications.
The question now is whether the brutal attacks in Paris will change that calculus. In an August email to his colleagues that was obtained by the Washington Post, Robert Litt, the general counsel for the Office of the Director of National Intelligence, presented a dark analysis of the political landscape. Although “the legislative environment is very hostile today” to a decryption mandate, Litt wrote, “it could turn in the event of a terrorist attack or criminal event where strong encryption can be shown to have hindered law enforcement.”
As in the aftermath of the 9/11 attacks, the carnage in Paris has put France on a war footing, with President François Hollande seeking to extend a state of emergency for three months and updating laws on taking military action abroad. On Monday, French police feverishly broke down doors in pursuit of suspects. French jets pounded Islamic State targets in Syria at unprecedented rates. A mere 10 months after the slaughter at the office of Charlie Hebdo, the attack has shaken French politics and may result in right-wing, xenophobic figures such as Marine Le Pen gaining support in the polls.
At a public appearance Monday, CIA Director John Brennan was pressed as to how the American intelligence community failed to detect the Paris attack. Brennan said that while the United States had “strategic warning” that such an attack might take place, “technological capabilities” available to terrorist groups “make it exceptionally difficult” for “intelligence and security services to have the insight that they need to uncover” plots.
What to do in response is a politically charged debate both at home and abroad. The Islamic State has in recent weeks turned to the Russian messaging service Telegram, which also uses strong encryption systems and is similar to WhatsApp, to spread its propaganda. State Duma Deputy Alexander Ageyev suggested Monday that the Russian FSB should block the service, prompting a derisive response from Communications Minister Nikolai Nikiforov.
“Blocking Telegram or some other messenger in Russia because Islamic State terrorists use them is as reasonable as, for example, banning the use of Toyotas in Russia because they’re also popular among Islamic State terrorists,” Nikiforov said, according to Meduza, an independent news site.
Telegram founder Pavel Durov went one step further. “I propose banning words,” he wrote on VKontakte, the Russian Facebook equivalent. “There’s evidence that they’re being used by terrorists to communicate.”
Indeed, efforts to solve the problem could wind up making it worse. Computer security experts say there is no way to build an encryption system that allows for decryption on demand without creating a high risk that hackers will also be able to decrypt that information. “It turns out that making something secure until you don’t want it to be secure is something of a paradox,” said Matthew Green, a cryptologist at Johns Hopkins University.
Many cryptographic systems operate using so-called “keys,” strings of text and numbers that are plugged into an algorithm to unscramble an encrypted communication. McCain’s proposal that a separate key be kept in order to decrypt information raises the possibility that hackers would steal it and use it to decrypt data. Besides terrorist groups, companies and individuals use encryption to keep their corporate, financial, and personal information safe, and creating a backdoor into such systems risks allowing hackers and spies to break into a huge variety of data.
And if Congress requires American companies to maintain a system to decrypt user communications, terrorist groups will likely just use foreign messaging systems. Tech executives often argue that consumers buy products based on their privacy features, and a U.S. requirement to decrypt user information would all but certainly hurt Silicon Valley’s profits.
Dan De Luce contributed reporting to this article.
Photo credit: KENZO TRIBOUILLARD/AFP/Getty Images