[cryptography] Paris Attacks Blamed on Strong Cryptography and Edward Snowden

dan at geer.org dan at geer.org
Wed Dec 9 21:27:16 EST 2015


6 Ways Law Enforcement Can Track Terrorists in an Encrypted World

Nathan Freitas
November 24, 2015

   Government officials want us to believe that encryption is helping
   terrorists, but law enforcement still has plenty of tools to get
   the data.

   The phrase "the terrorists are going dark" has come back in vogue
   after the Paris attacks, referring to assertions that encryption
   is somehow enabling the communication of future attackers to go
   undetected. But the public is being presented with a false choice:
   either we allow law enforcement unfettered access to digital
   communications, or we let the terrorists win. As always, it is
   not that simple.

   It is true that much of the world's communication has shifted
   away from easy-to-intercept text messages and phone calls, to
   mobile apps, such as WhatsApp, Apple Messages, and Telegram,
   which provide free worldwide communications and improved privacy
   and security. Some apps have even added end-to-end "sealed
   envelope" encryption, putting message contents out of reach of
   both law enforcement and the service providers themselves.

   Even so, there is still a great deal of data available that is
   not fully encrypted or even encrypted at all--data that allows
   for the kind of digital detective capabilities that law enforcement
   seek to catch the bad guys. It is disingenuous on all sides to
   pretend it does not.  Some call this metadata, but considering
   the volume and detail of data available, there is nothing meta
   about it. Not all of the approaches to data gathering and intercept
   are clearly legal. Many app developers (including myself) are
   actively working to defend against them and close these gaps,
   as they are often used to unjustly attack and monitor activists,
   journalists, and even estranged loved ones.

   Still, we cannot deny that they exist for now, and so, rather
   than let these data-gathering options linger in the shadows,
   I'll enumerate them here.

   1) If someone is carrying a mobile phone, their every movement,
   phone call, and use of the Internet access is being tracked and
   logged by the mobile service provider. Accessing that data often
   does not require a warrant, just a phone number and a contact
   at the phone company.

   2) Messaging apps like WhatsApp and Telegram require users to
   register their accounts with a working telephone number. Use of
   the app is tied to this number, and to all the phone numbers of
   the people they are communicating with. See number one for what
   you can do with a list of phone numbers.

   3) The kind of encryption implemented in mainstream apps today
   is not automatic. Even in well-regarded implementations by
   WhatsApp and Apple, knowing when and how encryption is active
   and verified is unclear. It is likely possible to disable access
   to or reduce the strength of encryption on a per-user basis,
   without the user knowing.

   4) Even an end-to-end encrypted chat can be monitored if the app
   supports group chat or syncing conversations between multiple
   devices.  If you can compel the app service provider to add a
   new device to an account or participant into a group without
   notifying existing users, then you are in.

   5) Full storage encryption of smartphones is not on by default
   for Android, and only in effect on iOS when the device is powered
   off. Most of these apps are not password-protected on the device
   itself. Get access to a phone with the screen unlocked, or crack
   the screen lock app itself, and you are in. Compel the owner of
   a fingerprint-locked device to unlock it with their thumbprint,
   and you are in. Trick the user into installing (or force their
   app store to do so) a keystroke-logging keyboard or a hidden
   surveillance app and you are in.

   6) Most cloud data is only encrypted to protect it from outside
   attackers, and not from the service provider themselves. Some
   services say, "We encrypt data at rest in the cloud," but they
   mean they do so with an encryption key that they hold, not one
   the user holds. Rather than backdoor the messages in real time,
   just get access to a cloud backup of all the messages, contacts,
   calendars, photos, location data, and more that users often
   unwittingly store there.

   Whether we like it or not, the opportunities for targeted
   surveillance of digital communications are vast and deep, within
   both clearly legal and legally gray areas. I am not encouraging
   legalizing criminal hacking by the police or promoting surreptitious
   methods for infringing on freedom and privacy. In fact, I am a
   firm believer that more encryption is needed, to strengthen our
   personal privacy and defend against actual cybersecurity threats.
   Fundamentally, I hope that through deeper understanding of the
   private data that we all constantly generate and expose, there
   can be more clarity about, and less fear of, the "dark."

   Nathan Freitas leads the Guardian Project, an open-source mobile
   security software project, and directs technology strategy and
   training at the Tibet Action Institute. His work at the Berkman
   Center focuses on tracking the legality and prosecution risks
   for mobile security app users and developers worldwide.

More information about the cryptography mailing list