In the wake of the terrorist attacks in Paris that killed nearly 150 people, U.S. officials have called again for policies that would force tech companies to build 'backdoors' into their software, allowing government access to encrypted apps that may have been used to coordinate similar attacks.
On Monday, the long-running debate on personal privacy versus national security was revived in Washington, Time reported, as officials from both the Obama and former Bush administrations discussed how government intelligence agencies can monitor communications between suspected terrorists who use encrypted messaging apps such as Telegram or SilentCircle.
A recent U.N. Report says encryption is a human right, “providing the privacy and security necessary for... the right to freedom of expression in the digital age”.
But FBI director James Comey has argued often that the availability of encrypted communications apps impairs law enforcement agencies' ability to prevent crime, including terrorism.
Secure messaging apps feature end-to-end encryption that can be decrypted only by the sender's and receiver's devices, so that parent companies cannot read messages – nor grant government agencies access to do so.
It has not been confirmed whether such apps were used in coordinating the Paris attacks. But according to the Wall Street Journal, followers of the Islamic State terrorist group (ISIS), which claimed responsibility for the Paris attacks, were provided with a list of 33 chat apps, ranked by their encryption, with Telegram ranked as “safe”; and apps like SilentCircle and Redphone ranked safest. (As for more mainstream apps, WhatsApp was deemed “unsafe” while Apple's iMessage, Facebook's Messenger and BlackBerry Messenger were all deemed “moderately safe”.)
The New York Times reports that government officials said ISIS has used encryption technologies over the last year and a half, many of which the National Security Agency (NSA) has been unable to crack.
For example, according to a Middle East Media Research Institute report, jihadist groups and terrorist organisations had chat channels on the secure messaging app Telegram, sharing such content as “manufacturing weapons” and “launching cyberattacks”.
A backdoor policy that legally requires tech companies to build decryption keys into their software would enable the NSA and other law enforcement agencies to monitor communications between suspected criminals and, in theory, prevent major crime.
However, security experts have repeatedly said that such cryptographic backdoors make systems more vulnerable to attacks. Allowing a government official armed with a warrant to read communications between suspected criminals would also allow stalkers, fraudsters and other criminals to steal data from innocent people as well as companies and national agencies.
“Backdoors will only degrade our security — perhaps against the very criminals and terrorists the government is trying to protect us from in the first place,” says Jeremy Gillula, staff technologist at privacy advocacy group Electronic Frontier Foundation (EFF). “[As well] adding complexity, like a backdoor, increases the chance that bugs or vulnerabilities will be introduced to the code,”
Tech companies have taken a similar line. Re/code reports that while Google has scrubbed YouTube videos affiliated with terrorist groups and passed account information to authorities in response to direct government request, the search giant maintains that agencies do not have backdoor access to simply “help themselves to users' data”.
In any case, banning full encryption is unlikely to prevent criminals from communicating unobserved. Encrypted messaging apps have not been the only means for terrorist communication; Belgian federal home affairs minister Jan Jambon claims that the Sony PlayStation 4 has been used by ISIS members. Though, he provided no evidence or examples to support this claim. Means of messaging on the PS4 include voice-chat, messages over the PlayStation networking online gaming service, and in-game messaging.
As for the recent Paris attackers, we don’t know fully yet how they handled their communications. From what we do know, some of the coordination was done via standard cell phone texts and, given that a group of the attackers lived in the same town in Belgium, likely, person-to-person communication. And unencrypted data from a cell phone found at the scene of the Paris stadium attack was successfully used to track down ringleader Abdelhamid Abaaoud and disrupt another terrorist cell.
“Additionally, there will always be developers writing other end-to-end encrypted apps, all over the world,” Gillula says. “At least some of these apps won't have backdoors and they'll become magnets for terrorist communication.”
The Electronic Frontier Foundation's
Secure Messaging Scorecard
|Encrypted in transit?
|Encrypted so the provider can’t read it?
|Can you verify contacts’ identities?
|Are past comms secure if your keys are stolen?
|Is the code open to independent review?
|Is security design properly documented?
|Has there been any recent code audit?
|Google Hangouts/Chat "off the record"
|Telegram (secret chats)
|Jitsi + Ostel
|Off-The-Record Messaging for Mac (Adium)
|Off-The-Record Messaging for Windows (Pidgin)
|ChatSecure + Orbot
|PGP for Mac (GPGTools)
|PGP for Windows Gpg4win
|Signal / RedPhone