[Infowarrior] - The encryption delusion

[Richard Forno]

The encryption delusion

David Meyer

http://www.politico.eu/article/the-encryption-delusion/

Call it the “e-word.”

Every time there is a terrorist attack, with Paris and California the most recent examples, the political ruckus over the balance between liberty and security zeros in on the encryption technology that people use to keep their communications secret.

The chairman of the U.S. Senate’s intelligence committee, Richard Burr, described encryption as “a big problem out there that we’re going to have to deal with.” FBI Director James Comey urged tech companies to abandon end-to-end encryption, which gives customers the keys to their online communications. And the U.K. is pushing an investigatory powers bill that would force online providers to give authorities access to customers’ encrypted communications.

There’s just one catch. Neither in Paris nor in San Bernardino has there been any strong evidence so far that terrorists used encrypted messages to plan or carry out the attacks.

According to some experts, encryption isn’t the biggest problem, and any policy response is unlikely to be the solution.

Statistics from the U.S. Federal Bureau of Investigation suggest encryption is cropping up less and less for law enforcement these days, and experts are flagging up poor information sharing between agencies as a more urgent problem.

“Encryption between organized criminals is a problem, but the evidence is showing us it’s not as much of a problem as it used to be,” said Alan Woodward, a visiting professor at the University of Surrey’s department of computer science and an advisor to Europol, the EU’s law enforcement agency.

Rise of the skeptics

The Paris attacks are a case in point. Although the New York Times reported that Abdelhamid Abaaoud — believed to have been the architect of the attacks — had previously given another terrorist instructions and a software key for using encrypted email, this kind of encryption remains tangential to the current debate.

Encrypted email, which has been around for decades, does not rely on a centralized service in the same way as a messaging system such as WhatsApp or Telegram. Email encryption relies on widespread and freely downloadable tools, and there is no provider that can be swayed by court order or told to insert a “backdoor” to allow its system to be bugged.

In terms of communications tied to the Paris attacks, the publicly disclosed evidence points away from encryption. One of the Paris attackers’ phones contained an unencrypted text message sent to an unidentified person, saying in French: “We are ready, we are starting.”

Citing unnamed officials briefed on the investigation, CNN reported last week that investigators believe the attackers used encrypted apps, including WhatsApp and Telegram. However, neither the Paris police nor the local prosecutor’s office would confirm this.

This lack of clear evidence is changing the political dynamic, with an increasing number of skeptics and privacy advocates, including the center-right European People’s Party (EPP) in the European Parliament.

There is no thorough analysis on the issue of encryption and possible problems in the security area — Monika Hohlmeier

“There is no thorough analysis on the issue of encryption and possible problems in the security area,” said the EPP’s Monika Hohlmeier, a German MEP and member of the Parliament’s civil liberties, justice and home affairs committee.

Hohlmeier said the European encryption debate has largely been driven by claims from the intelligence community and media.

She said the EPP, the Parliament’s largest group, wanted the European Commission and EU countries to produce analysis of “where problems are appearing.”

Sophie in ‘t Veld, a Dutch Liberal MEP, said those who were calling for encryption to be curtailed or sidestepped were  exploiting the Paris attacks.

“They see the Paris attacks as an opportunity to push their agenda through, even if it’s completely unrelated. I find it incredibly cynical,” she said.

“A lot of terrorist preparations take place inside the home,” in ‘t Veld said. “Does that mean you’re not allowed to have a lock on your front door anymore? Nobody would accept that … In most cases, the evidence for necessity and proportionality is missing.”

Snowden and the blame game

The encryption debate has been going in circles since the 1990s, when the U.S. National Security Agency (NSA) designed the “Clipper chip,” an encryption device that was supposed to protect private communications but still allow the authorities to examine data — a so-called “backdoor.”

A public backlash about spying and technological developments swiftly rendered the Clipper chip program obsolete: it was announced in 1993 and scrapped just three years later.

The surveillance revelations of NSA whistleblower Edward Snowden in 2013 prompted renewed interest in encryption.

Snowden showed how easily the NSA and its counterparts around the world were able to access online communications. This led communications providers to boost their security by adding more encryption, which heated up official calls for the use of backdoors.

Those calls in turn prompted a who’s who of the computer security world to yet again insist that backdoors make the general populace less secure.

What’s more, terrorists have been using various forms of encryption for years. As keen as some in the intelligence community are to blame Snowden for what happened in Paris, others were warning back in early 2001 that the likes of Al Qaeda were regularly encoding their communications.

Woodward of the University of Surrey is one of the co-authors of Europol’s annual Internet organized crime threat assessment report, with encryption as his specialty. The 2015 report, published in September, called on EU countries to help quantify the problem.

You can’t blame Snowden for Paris — Alan Woodward

If anything, Woodward said, criminal use of encryption may be declining.

He pointed to statistics from the FBI, which showed the number of state wiretaps that came up against encryption fell from 41 in 2013 to 22 in 2014, and of those 22 only two were undecipherable. Only three federal wiretaps in 2014 were encrypted, with two proving too hard to crack.

The professor suggested criminals and terrorists may be turning to steganography — concealing messages in unencrypted text or images, or even social media activities, that hold hidden meanings.

“When you encrypt something, you can spot something that looks like gobbledygook,” he said, noting that many encrypted services still show who is talking to whom. “It draws attention.”

Citing language in the proposed U.K. surveillance bill, Woodward said there was now a political shift in Europe from simply trying to bypass all encryption to in some cases trying to bug targets’ computers and smartphones. That way, investigators can see what people are writing, by examining their screens or keystrokes.

But even then, the main problems for intelligence services remain a lack of resources (some of the Paris attackers were known to the authorities but not kept under active surveillance) and poor information sharing between national agencies — an issue that may now be resolved through Europol’s enlarged mandate as a clearing-house for cross-border law enforcement collaboration.

“You can’t blame Snowden for Paris,” Woodward said. “It doesn’t actually take a huge amount of communication to plan something like Paris … A lot of the intelligence failures in France are actually being addressed by the sharing of information.”

This article was first published on POLITICO Pro.


--
It's better to burn out than fade away.