Republican Senator Richard Burr, chairman of the U.S. Senate Intelligence Committee, told reporters, “We can’t tell you today specifically that they were using a specific encrypted platform. We think that’s a likely communication tool because we didn’t pick up any direct communication…I think it’s safe to say that there are 30 end-to-end encrypted software packages that you can download for free. And, given the fact that between iTunes and PlayStation, the number of apps that are added on a weekly and monthly, yearly basis, and I think we anticipate that everything from this point forward will have an encrypted communications to it,” he said.
Leaving aside the fact that Senator Burr apparently doesn’t know the difference between Google’s Play Store (from which Android apps are downloaded) and Sony’s PlayStation gaming console, his assumption that terrorists must have used encrypted communication because intelligence agencies failed to pick up communications between them is fundamentally flawed.
California Senator Dianne Feinstein, ranking Democrat on the Senate Intelligence Committee, told MSNBC that the terrorists are “sophisticated, they have apps to communicate on that cannot be pierced even with a court order.”
“I have actually gone to Silicon Valley, I have met with the chief counsels for most of the big companies, I have asked for help, and I haven’t gotten any help,” Feinstein said, “I think that Silicon Valley has to take a look at their products because if you create a product that allows evil monsters to communicate in this way, to behead children, to strike innocents, whether it’s at a game in a stadium, in a small restaurant in Paris, take down an airliner, that’s a big problem.”
Senator Feinstein’s inflammatory remarks were clearly calculated to advance the U.S. government’s surveillance agenda. As a staunch supporter of the NSA, Feinstein knows exactly how those capabilities are used. Documents leaked by Snowden made it clear that the surveillance activities threatened by end-to-end encryption extend far beyond counterterrorism.
Feinstein must be aware that governments and businesses rely on encryption to protect sensitive information and that U.S. government surveillance is one of the major factors driving consumer demand for more secure products. Developing software with end-to-end encryption does not implicate a company in terrorism any more than automobile manufacturers are responsible for drunk driving. Individuals have the right to communicate in private, and the sooner governments accept that fact and refocus resources on more effective counterterrorism techniques, the better.
It is possible that terrorists used messaging apps with encryption. It is also possible that they simply left all their electronic devices at home and met at a coffee shop, restaurant, a private home, or on a public street. Soldiers have conducted coordinated attacks for centuries without the aid of computers and mobile phones. Synchronized watches were more than sufficient.
Similarly, covert operatives of the past relied on tradecraft such as dead drops, trusted couriers, messages concealed in newspaper advertisements, and shortwave numbers stations that transmitted coded messages. It would be naive to believe that terrorists do not understand at least the general nature of Internet surveillance and take active avoidance measures.
The theory that terrorists are using encrypted mobile phone apps to avoid interception by intelligence agencies presupposes that the terrorists are capable of determining which of the many apps available are good enough to do so. That’s no easy task. The encryption has to be perfectly implemented, metadata must not reveal relationships, and the company providing the service must not intentionally or unintentionally provide data to intelligence agencies.
The assumption that data must have been encrypted or it would have been detected also fails to take into account that detecting terrorist communications is not an exact science. As others have written, the task is not even looking for a needle in a haystack; it is looking for a needle in a needlestack. However, it is easier for opportunistic politicians to blame Silicon Valley.
Have a security question you’d like answered in a future column? Email email@example.com