November 17, 2015

U.S. state and federal law enforcement officials appear poised to tap into public concern over the terror attacks in France last week to garner support for proposals that would fundamentally weaken the security of encryption technology used by U.S. corporations and citizens. Here’s a closer look at what’s going on, and why readers should be tuned in and asking questions.

Despite early and widely repeated media reports that the terrorists who killed at least 128 people in Paris used strong encryption to disguise their communications, the evidence of this has failed to materialize. An initial report on Nov. 14 from Forbes titled “Why the Paris ISIS Terrorists Used PlayStation4 to Plan Attacks” was later backpedalled to “How Paris ISIS Terrorists May Have Used PlayStation 4 to Discuss and Plan.” Turns out there was actually nothing to indicate the attackers used gaming consoles to hide their communications; only that they could do that if they wanted to.

Politico ran a piece on Sunday that quoted a Belgian government official saying French authorities had confiscated at least one PlayStation 4 gaming console from one of the attackers’ belongings (hat tip to Insidesources.com).

“It’s unclear if the suspects in the attacks used PlayStation as a means of communication,” the Politico story explained. “But the sophistication of the attacks raises questions about the ability of law enforcement to detect plots as extremists use new and different forms of technology to elude investigators.”

Also on Sunday, The New York Times published a story that included this bit:

“The attackers are believed to have communicated using encryption technology, according to European officials who had been briefed on the investigation but were not authorized to speak publicly. It was not clear whether the encryption was part of widely used communications tools, like WhatsApp, which the authorities have a hard time monitoring, or something more elaborate. Intelligence officials have been pressing for more leeway to counter the growing use of encryption.”

After heavy criticism of the story on Twitter, The Times later removed the story from the site (it is archived here). That paragraph was softened into the following text, which was included in a different Times story later in the day: “European officials said they believed the Paris attackers had used some kind of encrypted communication, but offered no evidence.” To its credit, the Times today published a more detailed look at the encryption debate.

The media may be unwittingly playing into the hands of folks that former NBC reporter Bob Sullivan lovingly calls the “anti-encryption opportunists,” i.e., those who support weakening data encryption standards to make it easier for law enforcement officials to lawfully monitor people suspected of terrorist activity.

The directors of the FBI, Central Intelligence Agency and National Security Agency have repeatedly warned Congress and the technology community that they’re facing a yawning intelligence gap from smart phone and internet communication technologies that use encryption which investigators cannot crack — even after being granted the authority to do so by the U.S. courts.

For its part, the Obama administration has reportedly backed down in its bitter dispute with Silicon Valley over the encryption of data on iPhones and other digital devices.

“While the administration said it would continue to try to persuade companies like Apple and Google to assist in criminal and national security investigations, it determined that the government should not force them to breach the security of their products,” wrote Nicole Perlroth and David Sanger for The New York Times in October. “In essence, investigators will have to hope they find other ways to get what they need, from data stored in the cloud in unencrypted form or transmitted over phone lines, which are covered by a law that affects telecommunications providers but not the technology giants.”

But this hasn’t stopped proponents of weakening encryption from identifying opportunities to advance their cause. In a memo obtained in August by The Washington Post, Robert Litt, a lawyer in the Office of the Director of National Intelligence, wrote that the public support for weakening encryption “could turn in the event of a terrorist attack or criminal event where strong encryption can be shown to have hindered law enforcement.”

To that apparent end, law enforcement officials from Manhattan and the City of London are expected on Wednesday to release a “white paper on smartphone encryption,” during an annual financial crimes and cybersecurity symposium at The Federal Reserve Bank of New York. A media notice (PDF) about the event was sent out by Manhattan District Attorney Cyrus R. Vance Jr., one of the speakers at the event and a vocal proponent of building special access for law enforcement into encrypted communications. Here’s Vance in a recent New York Times op-ed on the need for the expanded surveillance powers.

Critics say any plans designed to build in secret “backdoors” that allow court-ordered access to encrypted communications ultimately would backfire once those backdoors were discovered by crooks and nation states. In her column titled “After Paris Attacks, Here’s What the CIA Director Gets Wrong About Encryption,” Wired.com’s Kim Zetter examines security holes in the arguments for weakening encryption.

The aforementioned Bob Sullivan reminds us that weakening domestic encryption laws would simply ensure that the criminals we wish to monitor use non-US encryption technology:

“For starters, U.S. firms that sell products using encryption would create backdoors, if forced by law.  But products created outside the U.S.?  They’d create backdoors only if their governments required it.  You see where I’m going. There will be no global master key law that all corporations adhere to.  By now I’m sure you’ve realized that such laws would only work to the extent that they are obeyed.  Plenty of companies would create rogue encryption products, now that the market for them would explode.  And of course, terrorists are hard at work creating their own encryption schemes.”

“There’s also the problem of existing products, created before such a law. These have no backdoors and could still be used. You might think of this as the genie out of the bottle problem, which is real. It’s very,  very hard to undo a technological advance.”

“Meanwhile, creation of backdoors would make us all less safe. Would you trust governments to store and protect such a master key? Managing defense of such a universal secret-killer is the stuff of movie plots. No, the master key would most likely get out, or the backdoor would be hacked. That would mean illegal actors would still have encryption that worked, but the rest of us would not. We would be fighting with one hand behind our backs.”

“In the end, it’s a familiar argument: disabling encryption would only stop people from using it legally. Criminals and terrorists would still use it illegally.”

Where do you come down on this debate, dear readers? Are you taking advantage of the kinds of technologies and services — like Signal, Telegram and Wickr — that use encryption the government says it can’t crack? Sound off in the comments below.


111 thoughts on “Paris Terror Attacks Stoke Encryption Debate”

  1. Mark

    Why doesn’t the government just skip to the chase and demand what they really want… a camera, microphone, and GPS embedded in everybody’s noggin. 😉

      1. G

        Spot-on, Mike.

        Kurzweil & his Singularity pals have a goal: to build conscious human-level AI that bootstraps itself into godlike omniscience, and then to “upload” their souls/minds into it to achieve eternal life. Seriously. Between now and then, they are obsessed with merging biological brains with silicon devices in any way possible, the better to achieve their goal of immortality.

        First of all, it’s pseudoscience. An electronic or mechanical simulation of a biological process is only a simulation, not a replication. Transistors can’t produce consciousness any more than gears can produce a baby.

        Second, it’s computer-god religious cultism: a reincarnation belief dressed up in tech to make it appear scientific. If you can reincarnate into a computer, you can also reincarnate into a cat.

        If anyone’s interested, I’ll be happy to explain both points at greater length.

        Third, Kurzweil, as you probably know, was hired by Larry & Sergey as Google’s chief of engineering, with an unlimited budget. Larry & Sergey have plenty of company, with the likes of Mark Zuckerberg and Larry Ellison also being Singularity True Believers. These are people who are shaping our world.

        And fourth, the logical implication of the idea that consciousness is an algorithm that can run on a classical computing platform, is that minds are wholly-deterministic, which means you have no free will (“no” as in “zero”). Very convenient convergence with the business activities of these billionaire Singularitarians, that are geared toward predicting consumer behavior down to the level of each individual’s every choice.

        Prediction = control. If I can predict you, I can control you.

        The fact that The Singularity has so many True Believers in high places in tech, who are shaping the technology ecosystems of today & tomorrow, makes it a dangerous cult, in the same manner as if half the people in Congress were Moonies or Scientologists.

        We really do not want to give Kurzweil and his pals Root on our brains.

        1. B_Brodie

          Such an amusing notion, that one’s ‘consciousness’ can be downloaded into an external system.

          That’s like saying you can download a radio announcer over the air live, into your living room.

          Let them have at it – it’s going nowhere fast.

          1. G

            B.Brodie- It may not get them immortality, but their quest for omniscience is driving a Big Data obsession that makes NSA look like small beans by comparison. See also Google Glass, “Nest,” and their robot automobiles festooned with cameras & microphones, inside and out, like surveillance drones on wheels. Orwell would spin in his grave.

        2. Some guy

          A friend of mine that travels in such circles was sat next to Kurzweil once at some charity gala and was unbelievably excited to speak with such a well-known genius. As the conversation drifted around to areas that my friend has expertise in (internationally-known lecturer on the subject), he realized that Kurzweil was completely talking out of his ass. He described the moment to me as being deeply disappointing.

          1. G

            Some Guy- Not surprising, and here’s the deep structure of this:

            Kurzweil is a smart guy, but his smarts are over-specialized and he lacks wisdom.

            As an atheist, Kurzweil does not believe in the soul. Most atheists manage to come to terms with that, and the corollary that there is no afterlife and death is the cessation of individual existence. Most atheists also hold that the belief in the finite nature of their own existence, impels them to think and act morally in ways that they can articulate clearly.

            However, for some, the belief that death is the cessation of their existence, is terrifying in the utmost. (Here another piece of ancient wisdom, the detachment from self/ego that is one of the core precepts of Buddhism, could be highly helpful, and does not entail any sort of belief in a deity.)

            Clearly Kurzweil is terrified of his own death, as is Larry Ellison (“I don’t understand why I should have to die”). Toward the end of putting off “the end,” he subscribes to various forms of “life extension” quackery such as theories about acid and alkaline balance being the key to all illness and health (look up the blog “Respectful Insolence” on Scienceblogs, and search out the author’s takedowns of this), and he takes about 150 supplement pills a day (most of which have exactly zero scientific backing).

            He is seeking to live long enough to see his god-box (golem) built, and then “upload” himself to it. (Oh Boy! is he in for a surprise, or rather, the lack of one if his mind simply ceases to exist at death.)

            The root motivation for The Singularity cult, is the fear of death. It’s all about “heaven for atheists who should know better.” Same case for “cryogenics & nanotechnology” as a key to immortality: and it’s all pure quackery.

            For which reason I actually have some compassion for the guy. He really needs to learn meditation & contemplation, and then spend much time contemplating nothingness until he loses his fear of it.

            In the end, fear is a sh–ty motive for doing anything, and it leads to warped personalities and bad decisions, whether in personal life, in business, or in government. Fear of “The Other” motivates racism and all manner of bigotry and prejudice. Fear of terrorism motivates draconian laws and policies such as banning crypto. Fear of death has motivated Kurzweil and various Silicon Valley billionaires to try to build god-boxes and the surveillance nightmare needed to feed them.

            The best motive for doing science is sheer curiosity about the natural world. The best motive for doing engineering is sheer creativity to build something good and worthwhile (as with the arts). And in common with both of those, the best motive for living an ethically consistent and personally satisfying life is the combination of love and compassion that overcomes fear, seeks the common ground among all people, and practices good will.

            1. Peter

              I agree with some of your comment regarding Kurzweil’s motivations, but what is so bad about fearing death? Death is nearly always bad by all ethical standards (consequentialist, deontologist, virtue ethicist).

              Kurzweil certainly has some far-fetched beliefs, but these beliefs are more because his view of the present is probably 100-200+ years more advanced than it actually is in many cases. It’s quite possible that in a few centuries, nanotechnology, cryogenics, gene therapy, or other advances may dramatically extend human life. And I think that is a good thing.

              Sure, he’s probably not going to live long enough to attain biological immortality himself. But maybe through his and others’ efforts, it will come 50-100 years sooner than it might have otherwise. Maybe he’s helping to ensure a child born in 2090 will have a shot at a very long and healthy life.

              You are also insinuating that only narcissistic atheists and billionaires want to live forever, that it is a selfish or hedonistic delusion, an obsession infecting the global elite. I think that’s ridiculous. I make a modest income and live a middle class lifestyle, and I have a lot of problems in my life, but I’d definitely prefer to live 10,000 years rather than 85 years. I know I’m not going to, but I think it’s good people are working towards that.

              Fear can lead to a lot of bad decisions, for sure, but it can also lead to humanity’s best and most beneficial work. Britain’s fear led to Bletchley Park, major advances in cryptanalysis and computing, and helped save many citizens across the world. Fear of death and disease and suffering is solving a lot of problems.

              Also, I see utterly no connection to desire for longevity and desire for global surveillance or omniscience. That’s ridiculous. The singularity, if it ever happens (and I’m somewhat skeptical, or at least I think it’s much much further off than Kurzweil imagines), could lead to a near-omniscience, but extrapolating that to NSA’s surveillance is grasping at straws. Some people who associate themselves with longevity or longevity may support global surveillance, but many others are firmly against it, like myself.

              All of that would still be true if Kurzweil was a big NSA supporter… but he is not. He opposes them. http://www.kurzweilai.net/stop-watching-us-rally-protests-surveillance

              Finally, what point does it make if he believes in an afterlife or not? Are you somehow suggesting afterlife non-believers are foolish for trying to optimize their current life instead of either giving up or clinging to the hope of an afterlife?

              I’m not really sure what overall point you’re trying to make here. If it’s that he works for Google and Google is destroying our privacy (they are to an extent, but not nearly as much as government intelligence agencies), why prattle on about his religion, fears, and Jewish ethnicity?

              1. Mike

                There is a healthy fear of death that is life preserving and keeps a person from jumping off buildings (generally).

                Then there is a more irrational fear of death that becomes de-humanizing when a person cowardly curls into a corner and can no longer step in front of a bullet for someone they supposedly love.

                Some things in this world ARE worth putting your life on the line for. Then there are those things that are just plain ridiculous. Understanding this concept really should be considered part of what makes up the idea of “common sense”. There really isn’t anything about it that is all that confusing. It is what separates us from the rest of the animals on the planet.

                Being willing to die for a DVD player is stupid. Being willing to die for your country or for someone you love is not. What makes all these terror attacks so stupid is that it takes human life without a reason. Oh they have a reason, but it’s a stupid reason and ultimately leads to more anger. It is that anger that morphs into their so-called reason. These things feed on themselves.

                You cannot achieve immortality via a willingness to die for a DVD player (a drive to transfer your essence/soul into a machine). Immortality is achieved by procreation and by being the greatest person you can. We still talk about the pharaohs of Egypt, George Washington, Christopher Columbus, Tesla, and Jesus. They represent the closest we have ever been to a person being immortal. Their spirit lives on and becomes a driving force that cannot be matched.

            2. S Meyer Seven

              Fascinating. I would like to hear more. Do you have a blog? How can I follow you? What you discuss is something I have contemplated for years, regarding biotech and conscience. I hear the Singularity spiel too.

        3. bill

          Laughing at these Jews trying to build a Techno-Golem™ to upload their souls into. Frickin’ hilarious

          1. G

            Bill – Bingo!, exactly right.

            For those who don’t know this: there are traditional Jewish teaching-stories about the dangers of creating “golems.” A golem is a clay figurine of a person, bearing a scroll with magic words to bring it to life. As wise Rabbis tell these stories, the people who attempt to make golems (usually as servants) end up with the golems taking over and causing much grief.

            A clay figurine of a person, brought to life by magic words, is hardware animated by software. The analogy between conscious AI boxes and golems is precisely correct. Anyone with an upbringing in, or education about, the Jewish or Christian traditions (and possibly also the Muslim traditions) should recognize the analogy in a second. Regardless of whether they are religiously observant, agnostic, or atheistic.

            The fact that Kurzweil is ethnically Jewish (though not observant), only adds irony to the mix. If he attended synagogue, no doubt his Rabbi would take him aside and warn him that what he is doing is the height of hubris and flies in the face of timeless wisdom.

            From where I’m standing, as an engineer with a science-based worldview and some education in comparative religion & social sciences, there are elements of ancient wisdom that are convergent with a secular scientific outlook. Certain dietary prohibitions are obvious (foodborne illness risk), core moral principles are as well (the Golden Rule, love thy neighbor, practice detachment from ego and compassion for others, right livelihood, etc.). The prohibition on creating golems, along with the prohibition on worshiping inanimate objects, are also convergent with secular objections to attempts to build god-boxes.

            To bring it back to the subject at hand (crypto), the Singularitarians are seeking a type and degree of omniscience that, when combined with Big Data, will produce an Orwellian nightmare if given half a chance. Those of us who care about freedom and the privacy that protects it, would do well to make our objections go viral, to the point where the general public understand why computer-god immortalism goes hand-in-hand with panoptic dystopia.

            1. Joe

              Being Jewish is not an ethnicity, it’s a religion. You mean culturally Jewish.

    1. G

      Do you carry a “smart”phone? Use any other networked device with camera & microphone in it? Surprise!

      30 years in technology speaking here, and I have none of the above.

      But it’s not the .govs I worry about, it’s unregulated private-sector Big Data. Because the difference between NSA on one hand, and Facebook, Google, etc. on the other, is that we all get to vote for NSA’s boss every four years. Meditate on that.

      1. Mark

        I have occasion to work on some very sensitive projects (or at least the clients seem to think they are sensitive).

        My desktop machine has no camera or microphone. Laptop has a camera (taped over) and microphone (unsoldered). Wi-fi/bluetooth disabled everywhere. Net connection has a packet monitor (and wicked-ass firewall) and a little un-networked photosensor/logger over the activity LEDs. Any un-expected traffic gets noticed rather quickly.

        If I am within around 10 feet of my desktop machine, any cell activity causes the speakers to click and tick. I know the phone is going to ring 5 seconds before it does. When I had a 2G phone the speakers would scream from 30+ feet away.

        I also built a little passive RF monitor with a loop antenna and rectifier/detector circuit. If the phone (or anything else) is transmitting it gets noticed…

      2. H

        “But it’s not the .govs I worry about, it’s unregulated private-sector Big Data. Because the difference between NSA on one hand, and Facebook, Google, etc. on the other, is that we all get to vote for NSA’s boss every four years. Meditate on that.”

        Funny because I didn’t know Facebook or Google forces a person to sign up and use their service..and even if you did all Facebook and Google want to do with the data they collect is to..gasp..sell you stuff..the NSA which is a subset of government is about controlling your life and last I checked Google or Facebook don’t jail (or worse) you for violating their laws. They just delete your account not your life.

        To answer the question on the blog, I don’t trust the government and they are using terrorism as an excuse to shred the Bill of Rights. One is more likely to be killed crossing the street than by terrorism.

  2. Nikon1

    Let the Government F.U.D. begin again. It started with 9/11 and has increased around every terrorist attack.

    “We need to be able to read your (select medium) to protect you from these terrorists. It’s for your own good. Trust Us!” Yeah – the Snowden papers really support that Government hyperbole.

    We have to stand strong against this erosion of our Constitutional Rights – if we allow our “elected” officials to cave under these various 3 letter agencies, we will soon be a Bigger Brother state than we currently are. What’s next – a Dictator like North Korea suffers under?

  3. Mike

    I agree with Nikon1

    ————-

    With all the lack of security/vulnerability issues surrounding healthcare.gov/Experian/HR Block and various others, it should be so obvious that government does NOT need to be in control of this. It’s either that they don’t know what they are doing or that they do know and are purposefully trying to destroy any portion of the web they cannot directly take control of. We all see the ineptitude surrounding the Clinton email server. Why on Earth would anyone actually want ‘net neutrality’? Isn’t it crystal clear that these people are NOT working in your best interests? Yet, so many people are still looking to government for all the answers.

    It’s no real amazing leap to see why the Euro-chapter of Anon jumps into action right after it is suggested that Playstations are used by ISIS. It should also be obvious to the entire world that Anon owns the Playstation Network. Sony just pays for it. While your little children are spending their lives tucked away seemingly sunk into a Playstation game…..They sit within a battle field between hackers, governments, corporations, politics, Anon, and apparently ISIS. It doesn’t surprise me at all that the bad guys would use things like this to communicate and recruit.

    Meanwhile…..
    The vast majority of the adult population seems to still believe that they don’t need to learn anything about computers or how the internet works. All they see is something that someone else is responsible for that their little children absolutely must have for school. Something where all they need to stay safe is the newest Microsoft/Apple update.

  4. retepenn

    This is an ends justify the means approach by law enforcement – “We need to be able to monitor EVERYTHING, so you need to make it easier for us.”

    Democracy, rights, privacy, due process, oversight – they all get in the way too and you see (and suspect) how they are bending those.

    2 other thoughts
    – Like all security, it comes down to how much risk are you willing to live with – law enforcement says none since they will be held accountable. People of the world need to reach their own conclusions on how much privacy they want to trade to reduce risk (large attacks). Just know you will not get it back once you give it up.
    – If you compromise the end point, encryption is not a big impediment. I am sure there are active programs to compromise potentially interesting endpoints. Just means they need to take a few more steps to track encrypted traffic back to the end point.

  5. Dana

    As I understand it, when quantum computers become perfected and viable, encryption will be useless anyway. But I’m not, in any way, advocating weakening what we have now.

    1. Steve

      Not really. Quantum computers can factor efficiently, so the current widely used approaches to cryptography become easy to break. But there are other algorithms for cryptography for which no good quantum computing approaches are known. Granting that transitioning the current infrastructure away from prime factoring would be extraordinarily expensive, and that specialized computers, quantum or otherwise, may one day break these other approaches, there’s no need to fear that your communications are soon to become insecure.

  6. OMZ

    The fear mongers will use any excuse to destroy the rights given to us by the Constitution and Bill of Rights. Corporatism and the Oligarchy want to enslave us all.

  7. Ollie Jones

    Governments have proven, time and again, that they have difficulty defending high value secrets (like backdoor decryption keys).

    For the sake of argument only, let us assume the secret police (of any jurisdiction) have a legitimate need for a backdoor means to decrypt messages. Let us assume, for the sake of argument only, that the average internet user agrees with that need. (It’s a stretch, but stay with me for a moment.)

    Then the question becomes, “how do said secret police protect their own interests?” There are a couple of possible ways, both of which result in a widespread breach of the secret police secrets.

    1. security through obscurity. They use secret methods to protect their own secrets. That will work until it fails spectacularly.

    2. two classes of security tech, one with the backdoor and another without. One mistake on the part of the secret police and their security fails.

    3. their opponents aren’t stupid. There’s plenty of tech that doesn’t have the back doors.

    We already know that government agencies, in the USA anyway, don’t have the capability to protect secrets flawlessly. They are simply too big, too compartmentalized, and too opaque, to be sure they can protect tremendously high-value secrets. Look at the penetration of the US federal government human resource systems, for example. (Not to mention the massive NSA data dump.)

    By comparison, look at the DNS root certificate signing ceremony. It’s used, once per calendar quarter, to protect a high-value secret.

    https://www.cloudflare.com/dnssec/root-signing-ceremony/

    It’s transparent: it’s streamed in live video on the public net. It’s apparently secure enough for the purpose. It has defense in depth. It’s designed to be trustworthy. It doesn’t have secret compartments and doesn’t rely on security by obscurity.

    My point is this: Their very nature as “secret” police organizations makes it dangerous TO THEM as well as to the rest of us to entrust them with secrets that can compromise their communication and ours.

    They will have to start by eliminating their opacity if they want that trust, and do things more like the IANA does them.

  8. Darth V

    When encryption is outlawed, only outlaws will have encryption.

    Funny how people can make the statement “In the end, it’s a familiar argument: disabling encryption would only stop people from using it legally. Criminals and terrorists would still use it illegally.” when it comes to encryption, but have just the opposite attitude towards legal guns (I’m not saying he does, but I’d bet a lot of people do).

    It all comes down to this – whether it’s encryption or guns (or nuclear weapons, for that matter), they’re simply tools that can be used for good or evil. For good – to protect yourself and defend yourself against potential enemies. For evil – well, you saw that in Paris.

  9. Dan

    Something I’ve yet to see addressed by any of these anti-encryption lobbyists is how they think they’d be able to enforce the introduction of ‘backdoors’ on FOSS projects, such as GPG, that nobody actually ‘owns’. Surely the entire debate is missing the elephant in the room: controlling strong encryption is simply not legally nor practically possible, even if it were justified – which it’s not.

  10. Andre

    I think as always the assumption is that attacks, criminal acts, or disasters are a failure of technology. However, mostly always they are a failure of people and processes. With all the surveillance already going on, why did governments fail to heed the warnings? Not because they did not have the tools, but because they don’t have the people and processes in place to filter out the noise from their dragnet. Then there is the assumption that keeping countries, cities, people, technology safe can be accomplished with enough investment. Add to that lack of imagination and politics and no matter what tools you give them, as all readers of this site know, it will always be cover your tracks and protecting against last time’s threat, while the perpetrators move on. Just pay me (security vendor, government organization) and we will keep you safe. So the bottom line is this: read all Brian’s articles about security failures and ask again why should we trust a technology fix when people are the weak link?

  11. patti

    Some problems are difficult enough to be said they don’t have a clear solution (e.g., the Tragedy Of The Commons). This Encryption issue may be one of those. But we don’t have enough people (don’t have enough money/resource left to pay them, actually) to watch everyone, so what we’re really talking about is yielding to algorithms which watch us. Codebreaking helped in WWII – but will it help civilian life? Probably not.

    1. patti

      … and it’s not absolutely clear the level of proxy war action is supporting international terrorism. State sponsors are much clearer targets, so the calls to remove encryption may be Crisis Capitalism or Atrocity Propaganda (see wikipedia).

  12. John

    The call to backdoor encryption is pure laziness at best. If they legally have the right to monitor a person’s communications, then they can probably get a warrant to attack or modify their phone. I can’t imagine they couldn’t throw a keylogger, screen grabber, or RAT on a phone or computer using either a Stingray or physical access and read whatever they want. With a Stingray they could even intercept and modify updates to apps like the ones listed above.

    I can only imagine the backdoor would be useful in forensic recovery after the fact and for mass surveillance without a warrant (which I would guess is more likely their motive). While the first one is understandable, the second is already the topic of a much larger debate – one that has nothing to do with encryption.

  13. Old School

    OBL used couriers, a non-tech solution that enabled him to hide out until intelligence caught up with him. IMO, I think it’s safe to say ISIS no doubt used the same method, and possibly burner phones, with the story of using PS4 as a red herring, encryption not even considered an option for day to day operations.

  14. A Telco Security Dweeb

    Discussions of this type completely miss what is the most important point.

    The REAL target of surveillance state demands to cripple consumer-grade encryption (for example, the type found in iPhones and Android handsets), is NOT repeat NOT “terrorists” — The Authorities already know that the terrorists are, and will remain, one to five steps ahead of The Authorities, in this game.

    The bogeyman of “terrorists using encryption” is just a red herring designed to bafflegab the average voter, who doesn’t have a clue about the facts involved, and who has no interest at all, in learning the facts. These “disinterested” or “low-information” voters are the Happy Hunting Ground for advocates of the surveillance state, because they will believe (almost) anything that The Authorities say, particularly if “it’s to keep us safe from terrorism”.

    So who, then, are The Authorities REALLY interested in targeting, in the encryption wars… if they already know that “terrorists” will be completely immune to the kinds of ‘backdoors’ that are under discussion?

    The answer is obvious — the REAL targets of “backdoored” encryption are groups like “Occupy”, the NRA and other gun rights groups, civil liberties and whistle-blower groups, “Black Lives Matter”, the Tea Party, environmentalists, consumer groups, animal rights protesters, etc. — all the NGOs whose agitation and noisy protests, disturb, upset and challenge the power of The Authorities.

    The terrorists are too geographically diverse, well-financed, well-disciplined and well-motivated to fall for “backdoored” encryption, but all of the above groups are largely domestic, largely volunteer (and / or part-time) and they might indeed be easy victims of “backdoored” encryption, if it was made illegal to acquire or use any other form of it, within the United States.

    They know that they can’t get ISIS or Al-Qaeda to use “backdoored” encryption — but they might be able to use it to snoop pervasively on ordinary Americans who naively think they can exercise basic Constitutional rights, without being spied on. So (for example), every time that there is a (supposedly) private “Black Lives Matter” meeting, The Authorities will know precisely where and when the protest rally is scheduled to be held, so the police can show up and shut it down before it ever gets going.

    This, I will submit, is The Authorities’ REAL, long-term goal. Only a fool — or somebody who knows nothing about the history of the U.S. surveillance state — thinks that it’s really to get at “the terrorists”.

  15. Sasparilla

    I agree with what many others have said above – we need to protect our constitutional right to privacy. Keep in mind this ability to collect and then read everyone’s communications wasn’t available to law enforcement and 3 letter agencies 25 years ago and they did just fine before that.

    In the last century, whether it was President Nixon, or Senator McCarthy or former FBI director Hoover – they all demonstrated that when illegal levers to manipulate and use private information were available – there would be those in power that would do just that and abuse it for all it’s worth.

    You can’t have a functioning democracy when nobody has privacy and everyone knows all their communications are collected and stored for future possible reference against them – the Stasi would be envious at what the U.S. has set up to monitor their citizens / suspects (and everyone else of course). It will get dreadfully abused at some point (can you hear the next Sen McCarthy / Hoover / Nixon asking for a list of all the Muslims that have Google Searched ISIS in the last 3 years? We could fire up the internment camps from WW2…).

    Nice interview with Snowden on what he thinks most people should do to reclaim their privacy (isn’t that much really): https://theintercept.com/2015/11/12/edward-snowden-explains-how-to-reclaim-your-privacy/

    I’ve played with Signal and it seems to work very well – we’re all iOS so we get encrypted (blue) texts with that (iOS only) already, but Signal would be better (plus you get privacy for Android messages with it). Phone is encrypted (by default) nothing to do there. Don’t do too much else, although if I had a laptop I carried around I’d definitely encrypt the drive (in case it got stolen). Looking forward to a new e-mail protocol that gives us true privacy (unlike the current even encrypted version which has meta data sticking out) – looks like years for this though, here’s one initiative from the guy who gave us PGP but progress is slow: http://darkmail.info/

  16. Carlos

    Why don’t we (the security aware citizenry) offer our government this trade-off: pass legislation that protects our PII as well as the EU (ideally even better), and we’ll gladly allow back doors in the encryption. After all, the argument I see most proffered is that the Public needs to be able to protect its data from all the corporations that would harvest and profit from it. Why not prevent this than allow the NSA to peek into our emails and phone calls.

    1. capnkrunch

      Why would we want to do this? Strong encryption is a far better protection of our privacy than any legal mechanization could ever be.

  17. P.L. Campbell

    Once I learned that Signal is partially funded by the U.S. government, I switched to Threema, which is independent.

    1. CaptainObvious

      You’re thinking of Tor. Signal was created by Moxie Marlinspike, et al from Open Whisper Systems.

  18. Harry S

    These days bad guys can write their own crypto. I have to think that the professional criminals and terrorist organizations are more than capable of hiring top tech guys to implement whatever they need. Yes they might make mistakes that the good guys can eventually discover, but I bet they can do pretty well. So adding deliberate back doors to products and services will not help much here, and only expose the good guys to risks if the measures backfire against them.

    Backdoors can still have their place in certain contexts if military and law enforcement insist upon it. They can catch the majority who are not tech savvy or have limited connectivity options. The ubiquity of general encryption makes their job harder though I am sure.

    Treating crypto as munitions in the 1990s and subject to export restrictions might have worked then, but it doesn’t make much sense now. The cat is out of the bag and there is no going back.

  19. billie

    I would just like to stick my $.02 worth into the encryption discussion. There is one mistake that all the pro-strong encryption advocates are making. They think the terrorists are stupid; that they start taking dumb pills as soon as they join a terror cell and travel to join ISIS. Naw, I don’t think so. ISIS is a large organization. In any organization that large you will naturally have some very intelligent people. In fact, odds are, you will have some geniuses in the mix. And some of these smart guys will be good with computers.

    And some of these smart ISIS guys will be reading all this talk about sticking in back doors to encryption systems. Notice that a lot of news about weakening encryption has been showing up on-line where it can easily be accessed overseas. In fact, I would not be surprised if at least one Jihadi from the Middle East reads Krebs. If the US, or whoever, decides to weaken encryption, the terrorists will know about it. And they certainly will not use any application using back-doored encryption. Al Qaida has known for years not to use any kind of electronic communication. They will simply come up with other ways to communicate.

    In digging around on the web about Paris, cell phones, and the like I came across an article by Ken Greenwald: https://theintercept.com/2015/11/15/exploiting-emotions-about-paris-to-blame-snowden-distract-from-actual-culprits-who-empowered-isis/. Of particular interest was the section “Operational Security: Spies v. Jihadis”. It is a table that compares the cell security steps that GCHQ (the British NSA) to the “Jihadis Handbook”. They look oh, so similar. The terrorists simply are not as dumb as many law enforcement people think they are.

    One of the objectives that Al Qaida had when the WTC was attacked was to damage or destroy the American economy. They actually did a fairly good job with that. But it’s interesting that the NSA/FBI/CIA etc. seem to be intent on doing the same thing. They are intent on making American computer hardware and software completely undesirable. The NSA intrusions into the corporate IT infrastructure have made companies like Google, Apple, and Microsoft very suspect. CIA intrusions into Cisco’s, and others’, routers have made them suspect also. These days if it’s American it’s suspect. This means that foreign buyers will try to avoid American products whenever possible. Earnings for these and other American companies will be hurt and foreign competitors will be able to get a foothold. Looks like Al Qaida will still be getting its wish, only this time the NSA/FBI/CIA will be implementing the attack.

  20. jdgalt

    There’s a strong parallel between the proposed encryption control and gun control laws.

    In both cases, of course, the serious bad guys that the law is really meant to stop will disobey it, so they’ll most likely be unaffected by the law (at least until they’re caught, probably after they’ve killed someone, in which case it can be used to increase their sentences, but what difference does a few extra years make when he is already charged with murder and maybe terrorism?)

    And in both cases, if you really want those serious bad guys to be caught for breaking the [gun control or crypto control] law before they can kill, you’re going to have to gut what’s left of the Bill of Rights and institute enforcement measures that make Snowden’s revelations look tame. For instance, NSA could start hoovering up every single Internet mail message and looking for strings that indicate PGP encryption, but if they did, we’d just create new mods for PGP that disguise its messages as photos, music files, or executables, or even create whole new darknets, so NSA would have to try to get as creative as the entire coder community.

    There’d be plenty of false positives, and juries would start refusing to convict people of the crime of using encryption.

    1. capnkrunch

      Except that as has already been pointed out, there is no legitimate reason to own a gun and gun control saves lives by preventing accidental deaths and suicides in addition to homicides.

      1. Nate

        No reason to own a gun? Really? You have consumed too much of the Kool-aid.

        “Democracy is two wolves and a lamb voting on what to have for lunch. Liberty is a well-armed lamb contesting the vote!” – Ben Franklin

        1. SeymourB

          Just because you live your life in perpetual fear doesn’t mean the rest of us are afflicted with your neurosis.

          The money you spend on firearms would be better spent on therapy.

  21. Perspective

    No matter how much surveillance you have you can’t stop cowards who like to hurt others. The cowards in this case killed ~120 people out of a metropolitan area of 10 million. One coward with a gun in Roseburg, OR killed 9 people out of a population of 20,000. The coward in OR killed 30 times more people per capita than the cowards in Paris. No amount of surveillance would have stopped the incident in OR. You can’t stop cowards with guns from killing people.

    We can avoid being cowards ourselves and giving away our rights out of fear.

  22. JC

    Encryption is necessary, but perhaps it should be regulated like firearms?

    If one can sue a gun company for the use of a gun in a crime, who is to say software vendors will not be taken to court for software used in a crime?

  23. Karen Stewart

    Though attackers communicated with encryption, does government have any solutions for this kind of attack with encryption? So care can be taken in future to avoid such situations.

    1. Chris

      It’s now known the attackers did NOT use encryption, they used ordinary SMS. See the TechDirt.com story “After Endless Demonization Of Encryption, Police Find Paris Attackers Coordinated Via Unencrypted SMS.” So if you think governments had a duty to protect people then it’s obvious they FAILED to do so. Because governments don’t protect people, they protect themselves.

  24. Mike

    Anonymous takes down the main messaging forum used by ISIS:

    http://www.neowin.net/news/anonymous-takes-down-the-main-messaging-forum-used-by-isis

    ———————

    As far as I’m concerned, let them do it. If it pushes them deeper into the dark web of TOR, then they will be less likely to be up front and in the faces of so many teenage kids that can be so easily brainwashed. Besides, what difference would it make to the government intellect community anyway? They want deeper levels of access which will give them plenty of ability to get past it all anyway.

    I say:
    everyone everywhere needs to fight them and push them back any way possible. Drive this insanity back any way you can. Sure, watch and monitor them. But doing that does not mean the rest of the world should be put at risk in the process. Otherwise, what’s the point in any of this at all?

  25. Steve Sidner

    To answer your question, no, I don’t use any of those apps. For one thing, it is kind of a red flag to law enforcement. Sad but true. That is why I applaud the device and other technology manufacturers making it ubiquitous. And then there is the supreme challenge in engineering any cryptosystem: key management.

    The issue of key escrow is a repeat of the Clipper chip controversy from the ’90s. Read this Wikipedia page to come up to speed: https://en.wikipedia.org/wiki/Clipper_chip (I have some colleagues from the ANSI X9F6 working group who experienced extreme pressure from both the Clinton administration and even their own employers to mute their public criticism of the idea and their refusal to release a standard. They stood their ground and won. I am very proud of these patriots.)

    High power systems require good insulators.

    Them: Well, if you’ve done nothing wrong, why do you care?
    Us: Well, if you have no evidence, why are you snooping?

  26. Jeff silverman

    Is anybody in this discussion claiming that openssl is broken? If openssl is not broken, then it is possible to make it arbitrarily secure by increasing the key length. You could further protect a message using stenography and protect it even further through a one time pad. I don’t think that the authorities can stop secure communication by breaking the encryption.

    1. Mike

      Using servers that are still vulnerable to Heartbleed specifically to take advantage of such a vulnerability for the purposes of hidden communications would certainly be an interesting way of doing things. It does seem like Sony’s systems were vulnerable. Maybe they were all fixed. Maybe some were not.

  27. Pjo

    I use Signal and have installed it for others. I don’t need it as I have no particular secrets but I intend to assert my right to privacy. The NSA and GCHQ have behaved despicably and I decline to be cowed by their fear-mongering into surrendering my right to privacy. I can’t be sure it hasn’t been backdoored, however, but I have no intention of doing nothing.

    The article Billie points to (in one of the on topic responses) is important, relevant, and has not been refuted. I follow Greenwald on Twitter and trust him more than the mainstream media who have been backdoored by government agencies long ago.

    And, yes, I’d rather take my chances of dying in a terrorist attack than live in a surveillance state. The level of data collection we are increasingly subject to is beyond the dreams of a totalitarian despot (my TV reports what I watch and uses encryption to communicate! — just the latest example). All this needs regulation and defining where the boundaries are.

    The US hasn’t adhered to its own constitution and has treated allies like enemies. The blowback, thoroughly deserved, is and will continue to be, a loss of both respect and trust that will have important economic and moral consequences.
