[cryptography] Paris Attacks Blamed on Strong Cryptography and Edward Snowden
dan at geer.org
dan at geer.org
Wed Dec 9 21:27:16 EST 2015
6 Ways Law Enforcement Can Track Terrorists in an Encrypted World
November 24, 2015
Government officials want us to believe that encryption is helping
terrorists, but law enforcement still has plenty of tools to get
The phrase "the terrorists are going dark" has come back in vogue
after the Paris attacks, referring to assertions that encryption
is somehow enabling the communication of future attackers to go
undetected. But the public is being presented with a false choice:
either we allow law enforcement unfettered access to digital
communications, or we let the terrorists win. As always, it is
not that simple.
It is true that much of the world's communication has shifted
away from easy-to-intercept text messages and phone calls, to
mobile apps, such as WhatsApp, Apple Messages, and Telegram,
which provide free worldwide communications and improved privacy
and security. Some apps have even added end-to-end "sealed
envelope" encryption, putting message contents out of reach of
both law enforcement and the service providers themselves.
Even so, there is still a great deal of data available that is
not fully encrypted or even encrypted at all--data that allows
for the kind of digital detective capabilities that law enforcement
seek to catch the bad guys. It is disingenuous on all sides to
pretend it does not. Some call this metadata, but considering
the volume and detail of data available, there is nothing meta
about it. Not all of the approaches to data gathering and intercept
are clearly legal. Many app developers (including myself) are
actively working to defend against them and close these gaps,
as they are often used to unjustly attack and monitor activists,
journalists, and even estranged loved ones.
Still, we cannot deny that they exist for now, and so, rather
than let these data-gathering options linger in the shadows,
I'll enumerate them here.
1) If someone is carrying a mobile phone, their every movement,
phone call, and use of the Internet access is being tracked and
logged by the mobile service provider. Accessing that data often
does not require a warrant, just a phone number and a contact
at the phone company.
2) Messaging apps like WhatsApp and Telegram require users to
register their accounts with a working telephone number. Use of
the app is tied to this number, and to all the phone numbers of
the people they are communicating with. See number one for what
you can do with a list of phone numbers.
3) The kind of encryption implemented in mainstream apps today
is not automatic. Even in well-regarded implementations by
WhatsApp and Apple, knowing when and how encryption is active
and verified is unclear. It is likely possible to disable access
to or reduce the strength of encryption on a per-user basis,
without the user knowing.
4) Even an end-to-end encrypted chat can be monitored if the app
supports group chat or syncing conversations between multiple
devices. If you can compel the app service provider to add a
new device to an account or participant into a group without
notifying existing users, then you are in.
5) Full storage encryption of smartphones is not on by default
for Android, and only in effect on iOS when the device is powered
off. Most of these apps are not password-protected on the device
itself. Get access to a phone with the screen unlocked, or crack
the screen lock app itself, and you are in. Compel the owner of
a fingerprint-locked device to unlock it with their thumbprint,
and you are in. Trick the user into installing (or force their
app store to do so) a keystroke-logging keyboard or a hidden
surveillance app and you are in.
6) Most cloud data is only encrypted to protect it from outside
attackers, and not from the service provider themselves. Some
services say, "We encrypt data at rest in the cloud," but they
mean they do so with an encryption key that they hold, not one
the user holds. Rather than backdoor the messages in real time,
just get access to a cloud backup of all the messages, contacts,
calendars, photos, location data, and more that users often
unwittingly store there.
Whether we like it or not, the opportunities for targeted
surveillance of digital communications are vast and deep, within
both clearly legal and legally gray areas. I am not encouraging
legalizing criminal hacking by the police or promoting surreptitious
methods for infringing on freedom and privacy. In fact, I am a
firm believer that more encryption is needed, to strengthen our
personal privacy and defend against actual cybersecurity threats.
Fundamentally, I hope that through deeper understanding of the
private data that we all constantly generate and expose, there
can be more clarity about, and less fear of, the "dark."
Nathan Freitas leads the Guardian Project, an open-source mobile
security software project, and directs technology strategy and
training at the Tibet Action Institute. His work at the Berkman
Center focuses on tracking the legality and prosecution risks
for mobile security app users and developers worldwide.
More information about the cryptography