How do terrorists communicate to hide from investigators?
We know little about the means used by those involved in the deadly attacks in Paris, but intelligence and security officials have already launched a new wave of chatter about encryption.
First, The New York Times reported that anonymous European officials were saying they believed the Paris attackers had used some kind of encrypted communication, "but offered no evidence."
Now NBC News is citing unnamed officials as suggesting "the ISIS geek squad is teaching terrorists how to use encryption and communication platforms like Silent Circle, Telegram and WhatsApp."
There was even a Forbes story that suggested the terrorists talked over Sony PlayStation 4, that has now been invalidated.
One thing is clear: The investigation into the attacks is ongoing, and no specific evidence of encrypted or other communications has been confirmed.
Yet it has renewed the debate about encryption and the headaches that intelligence and law enforcement officials say it's created for their investigations.
What we're talking about is not your emails or Web searches, photos or social network posts. Those things get encrypted on your laptop and then decrypted and stored on a big corporate data server. There, law enforcement officials have the technical and legal ability to get access to the content, for instance, with a subpoena.
What's raising the concerns is so-called end-to-end encryption: when data gets encrypted on one device and only gets decrypted when it reaches the recipient's device. Think Apple iMessage, WhatsApp or FaceTime.
And for a while now, the law enforcement and intelligence communities in the United States, and to some extent in Europe, have been asking tech companies (which are pushing back) to give them basically a back door into these kinds of encrypted communications.
"From the law enforcement perspective, we describe this experience of going dark, that we no longer can penetrate the darkness to conduct our investigations," New York Police Commissioner Bill Bratton tells NPR's Ari Shapiro. "It's a very significant negative effect on our ability to detect and disrupt terrorist-related activity."
Safer With Or Without Back Doors?
CIA Director John Brennan made this case against encryption on Monday at the Center for Strategic and International Studies in Washington:
"There has been a significant increase in the operational security of a number of these operatives and terrorist networks as they've gone to school on what it is that they need to do in order to keep their activities concealed from the authorities. And as I mentioned, there are a lot of technological capabilities that are available right now that make it exceptionally difficult both technically as well as legally for intelligence security services to have the insight they need to uncover it.
"In the past few years because of a number of unauthorized disclosures and a lot of hand-wringing over the government's role in the effort to try to uncover these terrorists, there have been some policy and legal and other actions that are taken that make our ability, collectively, internationally to find these terrorists much more challenging. And I do hope that this is going to be a wake-up call."
The hand-wringing of course refers to the fallout of the Edward Snowden leaks, which showed, among other things, how the National Security Agency tapped into data centers and otherwise dealt with tech companies. That prompted a bigger push toward end-to-end encryption that would limit the companies' role in the surveillance process.
After months of debate, in October, the Obama administration appeared to back down from the push for encryption back doors.
Some of the considerations were these: If America asked for back doors, what would stop China, Russia or any other country from demanding the same kind of access? Or, in light of massive hacks of government data, what would convince the companies that the federal agencies could properly protect the keys they'd be given?
"The reality is that if you have an open door in your software for the good guys, the bad guys get in there, too," Apple CEO Tim Cook told NPR's Robert Siegel in October. "I don't support a back door for any government, ever."
In fact, the notion of law enforcement "going dark" in the face of new technology has floated since the 1990s and the dawn of the Internet, when law enforcement organizations pushed for access to communications services.
A group of computer scientists and security experts that had studied the topic then, reviewed it again in recent months and found high risk of unanticipated, hard-to-detect security flaws.
"We have found that the damage that could be caused by law enforcement exceptional access requirements would be even greater today than it would have been 20 years ago," they wrote in the abstract of their July paper for the Massachusetts Institute of Technology.
Tech companies and privacy advocates also argue that the government doesn't need encryption back doors to carry out terrorism surveillance.
"Most consumer-oriented encryption systems that are deployed today protect the content of a message. They do no protect the metadata — they do not hide who is talking to whom," says Moxie Marlinspike, founder of Open-Whisper Systems that created TextSecure, the open-source encryption tool adopted by WhatsApp last year.
"So if you have a network of terrorists communicating with a known 'home base,' intelligence agencies will still be able to see that," he says.
Nate Cardozo, a lawyer on the civil liberties team at the Electronic Frontier Foundation, went even further, suggesting that the back-door push by the intelligence and law enforcement community is less about terrorism and more about collecting as much information as possible. He accused the CIA's Brennan of political opportunism — using the Paris tragedy to push for an existing agenda.
"We are in a golden age of surveillance. Right now it is easier for the CIA, the NSA, the FBI to surveil anyone, anytime, anywhere than it ever has been, even despite encryption," Cardozo tells All Tech.
"If we learned anything from the Snowden revelations, it's that the NSA and intelligence agencies around the world, including in France, are not suffering from the lack of information, rather they're suffering from the exact opposite. They have so much data that they're collecting, they have trouble filtering the signal from the noise."
And ultimately, he says, even if all existing encrypted devices got a back door, there would always be ways of circumventing those back doors — all it takes is a new app to restart the whack-a-mole.
"Trying to regulate encryption is like trying to regulate an idea," Marlinspike says. "It's going to be very difficult if not impossible to do."
Rep. Adam Schiff, the ranking Democrat on the House Intelligence Committee, summed it up this way:
"It's too early, I think, to say in terms of the attack in Paris to what extent these terrorist may have used encrypted communications," he told NPR on Monday. "Even with the best of intelligence resources, there are still vulnerabilities and ultimately it's going to require us to eliminate that sanctuary in Iraq and Syria."
ARI SHAPIRO, HOST:
The attacks in Paris are recharging the debate about privacy and security. One question is, how easily should the government be able to access electronic communications? We're going to explore that today in All Tech Considered.
(SOUNDBITE OF MUSIC)
SHAPIRO: New York Police commissioner Bill Bratton is one of many officials who warn that new technologies may allow terrorists to go dark and escape government surveillance. I spoke to him today as he was in his car on the way to a press conference.
BILL BRATTON: Good afternoon. Good to be with you.
SHAPIRO: Begin by just briefly explaining what you mean by the phrase going dark.
BRATTON: It refers to the fact that many of the smart phone devices - the manufacturers that make those devices have now consciously designed those phones so they cannot be accessed by anybody. In other words, they've been encrypted so that even if we, in law enforcement, had court orders allowing us to search the phone, if you will, or the device, we would not be able to decipher the encrypted material on the phone.
Additionally, there are many apps that are now available that similarly encrypt messages. And so from a law enforcement perspective, we describe this experience of going dark, that we no longer can penetrate the darkness to conduct our investigations. It's a very significant negative factor in our ability to detect and disrupt terrorist-related activity.
SHAPIRO: And are you aware of any specific intelligence that the people who plotted or carried out the attacks in Paris used encryption technology?
BRATTON: We are waiting for the investigations by the French authorities to go forward to determine what devices these individuals may have been using for communication. Were they, in fact, encrypted types of devices? I think the French have indicated that they had no prior awareness of these attacks, reinforcing the concern that these operations may have been assisted by use of this encrypted technology.
We'll know more as the investigation goes forward. Right now it's speculative on my part, certainly. But for something of this magnitude to have gone undetected - the French have excellent intelligence services - it would be very unusual and also, needless to say now, very troubling in light of the horrific damage that was caused in Paris.
SHAPIRO: There's a piece in Forbes today that argues whatever governments attempt to do, whatever technology they blame, terrorists and criminals will find new ways to protect their communications from snoops. Do you agree with that? And if so, are you just playing whack-a-mole with new technologies, or are you asking for some specific authority that will solve this problem?
BRATTON: The world we're living today - it's evolving faster than any of us can fully appreciate. So that is correct in some sense that, from beginning of time, in the law enforcement world, we're continually trying to stay ahead of the criminal mind. And in this new period of time - the 21st century - we're finding ourselves having more difficulty staying ahead of the curve because of the rapidly advancing technology. So whether it's in cybercrime, identity theft issues, terrorism, we are really, I would say, struggling to stay ahead. As fast as you and I are talking, there's new technologies coming out that we have no idea of their capabilities.
SHAPIRO: And so what specific legal authorities are you seeking to solve that problem?
BRATTON: We are not seeking specific legal authorities at this juncture. I'm certainly not proposing a specific remedy. We're still trying to get our arms around the problem, identify for the American public that it is a problem and one that we're looking at very closely. And we'll seek to identify legislative tools that would assist us to fulfill our obligations to try to protect the American public from traditional crime and terrorism. But increasingly, we are finding ourselves without the tools to do that.
SHAPIRO: That's New York City Police commissioner Bill Bratton. Commissioner Bratton, thank you for joining us.
BRATTON: Thank you - pleasure being with you.
SHAPIRO: And now we're joined by NPR's Steve Henn in Silicon Valley. He's been speaking with privacy advocates and executives at many of the tech companies that make the products and apps that Commissioner Bratton is worried about. Hey, Steve.
STEVE HENN, BYLINE: Hi.
SHAPIRO: Well, how do privacy advocates respond to the concerns that we just heard Commissioner Bratton express?
HENN: So, Ari, the first thing that I think it's important to say is that everyone we've been talking to was horrified by what happened in Paris. But the privacy advocates we've been talking to said they thought it was premature to make the case that strong encryption played a role in making these attacks possible. They say at this point, we really don't know enough about how the perpetrators communicated, to be sure.
And they also make the case that, in fact, we're living in what they call a golden age of surveillance. They say it's never been easier for law enforcement to use the way we communicate to track what we say and what we do. And so they're really already pushing back against this notion that, you know, encryption technologies have allowed terrorist networks to go dark.
SHAPIRO: Well, Steve, explain a little bit more about this encryption that so concerns law enforcement. Are we talking about high-level hacker stuff or just pretty standard stuff in any communications technology?
HENN: Well, right now this kind of technology is built into many of the kinds of tools that we use all the time. End to end encryption is baked into iMessage. It's used by WhatsApp, which is owned by Facebook and used by hundreds of millions of people around the globe. And that basically is when a message is scrambled on my device and it is sent directly to your device. And it's only at that point in your device that it can be decrypted and understood. And that leaves law enforcement unable to read messages after the fact or during an investigation, and that's really what they've been pushing back against.
You know, Ari, we heard Commissioner Bratton say that he wasn't asking for anything in particular. But some in the intelligence community here in the United States and in the intelligence community and law enforcement in Europe have been asking tech companies to consider building back doors into these services for exactly these kinds of emergencies.
SHAPIRO: What are you hearing from tech companies that are sort of caught in the middle of this tug of war?
HENN: Well, they have a couple problems with this request for a back door. They say if they are forced to create a master key that opens a back door into their networks, all of their customers' communications become more vulnerable and not just to law enforcement. They say that kind of back door is going to be a target for national security agencies from every country in the world. It will be a target for sophisticated hackers. And they say if they're forced to build it, it will be impossible to keep it safe.
SHAPIRO: Let me ask you a question I put to Commissioner Bratton, which is, is this just a game of whack-a-mole where ever-evolving technologies will constantly give people who want to evade eavesdropping a way to do it?
HENN: Yeah, absolutely. I mean, I think Commissioner Bratton was right there. And the other thing that's important to note is that really sophisticated, powerful encryption is out there in the public right now. So if these big tech companies are forced by law or convinced by national security agencies to create a back door, there is nothing stopping a kid in a garage from building an app that could keep these messages secret. And that's probably what would happen.
SHAPIRO: That's NPR's Steve Henn in Silicon Valley. Thanks, Steve.
HENN: Thank you. Transcript provided by NPR, Copyright NPR.