News spread at a viral pace following the deadly Paris attacks Friday around speculation that Islamic State (ISIS) members used a PlayStation 4 (PS4) to send encrypted messages to one another and coordinate the attacks, causing pundits and reporters to raise concerns about whether governments should eschew cybersecurity protections to better prevent attacks in the future.
The PS4 has a network platform where its nearly 25 million owners can send private, encrypted messages but there is no direct evidence that was the case in Friday’s attacks. The original Forbes article linking ISIS to the gaming console has since been corrected, citing a misinterpretation of a Belgian official’s statement.
The fact remains that encryption use is on the rise and has long been used by criminals and terrorists, but governments still haven’t found a way to balance public safety with basic civil rights often sacrificing the latter.
“We still don’t know a lot about the attacks or how individuals have been communicating,” said Neema Singh Guliani, legislative counsel for the American Civil Liberties Union (ACLU). “Sometimes in response to national security crises we see knee-jerk proposals,” but following massive cybersecurity threats such as the China-led attack on the U.S. Office of Personnel Management (OPM) this summer, “this is not a time where we should be looking at policies that would weaken [cyber] protections.”
Governments demonize technologies when they impede gov's ability to spy. Happened with cars, now with crypto. https://t.co/uIcZOcxfcJ
— Christopher Soghoian (@csoghoian) November 15, 2015
Following the Paris attacks, Republican presidential hopeful Donald Trump vowed to minimize threats by putting mosques under heavy surveillance similar to the New York Police Department’s program after Sept. 11 — other programs parlayed into digital tracking.
“There’s no way to prevent people from using encryption,” said Ran Canetti, a cryptography expert and professor at Boston University. “The 10 percent who would want the encryption secrecy will find a way to get it.”
Most consumers aren’t worried enough about their privacy to bother with encryption. Only one in 10 Americans use proxy encryption tools to maintain their privacy, according to a Pew Internet survey released in May, but millions more use it through the default security settings Google and Apple unrolled since 2014.
“The proficiency of criminals with encryption technology has advanced a lot [over the years] and smartphones now have the same parts as the PCs of 15 years ago,” Canetti said. “Strong encryption is widespread. Everybody today who wants to get their hands on strong encryption mechanics, they can do it.”
News reports dating back to 2001 show that encryption use among terrorist groups was problematic for law enforcement. As the Intercept reported Sunday, encryption has been used to plan terrorist attacks across the world including Bali, Madrid, London, and the Boston Marathon, spanning more than a decade.
One key premise here seems to be that prior to the Snowden reporting, The Terrorists helpfully and stupidly used telephones and unencrypted emails to plot, so Western governments were able to track their plotting and disrupt at least large-scale attacks. That would come as a massive surprise to the victims of the attacks of 2002 in Bali, 2004 in Madrid, 2005 in London, 2008 in Mumbai, and April 2013 at the Boston Marathon. How did the multiple perpetrators of those well-coordinated attacks — all of which were carried out prior to Snowden’s June 2013 revelations — hide their communications from detection?
The deaths from those attacks stirred emotions and evoked promises of international solidarity, but they also sparked conversations and legislation that vilified encryption and eroded privacy. But because encryption use is the new normal, governments have to best weigh personal safety and privacy concerns.
As they demonize online encryption due to the #ParisAttacks remember this. https://t.co/nNJUNo4FfI | pic.twitter.com/2zHrrXKlJB
— Michelle Segal (@mhsegal) November 15, 2015
Proposals so far have been to either completely ban encrypted messaging platforms or ask for backdoor access when violent threats were imminent. The government has floated the idea of a master encryption key that, theoretically, only the top intelligence agencies would have, allowing them to peak at communications of verified security threats.
For example, Greece shuttered its backdoor encryption program after hackers infiltrated it, accessing sensitive and personal information from everyday citizens to the country’s prime minister, the ACLU’s Singh Guliani said.
“Experience shows that allowing backdoor access weakens encryption and allows other people to break in [even though] mathematically — in theory — there should be a way around that,” Canetti said. “Even if you do work it out, the information is kept somewhere. How do you keep it from being exposed to the public? The secrets tend get exposed one way or another…By collecting and keeping it in your cellar you’re doing 90 percent of the work for the hacker.”
FBI Director James Comey admitted during his testimony in front of the House Judiciary Committee last month that encryption and the fast-changing technological landscape made it difficult for the agency to find and verify threats.
“We live in a technologically driven society, and just as private industry has adapted to modern forms of communication, so too have terrorists and criminals,” Comey said. “Unfortunately, changing forms of Internet communication and the use of encryption are posing real challenges to the FBI’s ability to fulfill its public safety and national security missions. This real and growing gap, which the FBI refers to as ‘Going Dark’…must be addressed, since the resulting risks are grave both in both traditional criminal matters as well as in national security matters.”
The White House has also rejected legislative proposals that would weaken encryption connections, saying “Any proposed solution almost certainly would quickly become a focal point for attacks.”
To succeed, governments are going to need to resist the impulse to snatch encryption back from the masses when there’s a deadly event.
According to Canetti, Boston University cryptography professor: “[Law enforcement] developing better encryption-cracking tools is a very good thing. But they should concentrate on encryption made by bad guys. Making the everyday encryption of the general public weak isn’t going to get you what you want, [not] when it comes to coordinated terrorist attacks. There’s no silver bullet answer. It took us hundreds of years to get democracy right…It’s going to take time for us to get this right.”