Does Encryption Really Help ISIS? Heres What You Need to …

There's the war on terrorism, and then there's the war on how to fight the war on terrorism.

With recent attacks in Paris, Beirut and Mali, some in governments and law-enforcement agencies are renewing their calls to expand electronic surveillance to thwart potential attacks. Communications that cant be tapped or unscrambled pose aseriousnational-security risk, authorities argue, because they can be used by terrorists tohidetheir activitiesand planning. Technology companies and cybersecurity experts generally takeadifferent view: If encrypted communications can be accessed by the government or a company -- or anyone other than the sender and intended recipient -- they inherently are vulnerable to bad actors and prying eyes.

Why is this such a complex and often heated debatewith noapparentresolution in sight? For starters, encryption is really complicated. Here's what you need to know to understand the issues:

Encryption, sometimes called crypto by techies, is a fancy word for a type of code. Encryption schemes transform words into seeming gibberish. Heresa mereportionofencrypted textthat,if printed in full,would translate to"happyholidays:"

hQIMA2dX93ZaYL95AQ//ZSZ/n0VSK7ZZ9kkRk3X8nn+m2YLzHj5L4zrsrCesPOKw ZQG5FXuHz9/02Be3tyXelAiFpGdCh+Tdnx0r1wLOChitSPaydW0hcReG6cp9Nplk QZL5sYRr0NYWjx2EkwFO0j6lNcGMNo3qAoxMNe3rfENPjxpv1UCRl6nHfEmSk1BO swjBOUXrsWxbbphdJqSZtdWoPLlOnFftRjgqLe9hC9rmWF/Q7/RIkZ5TEYmSfJkI aGB3Vrf/XEwXOHuss+HgE9z/XalJtaNLCZeCgNgO/Lk26nVyS0R5XfNz9VtFszhT pjk2rpxMecOlCs4a62oSYykI63E04G0OZkZaPrUlir4GoSV4OVivFgbFDNtIq5Lk hX1TF3y/PsuVb8bF7XhvqCt/q9HF0n0LY9v+tJfMOT885c6uNX9Rm6ZUUFR++jgv X4EfNYSmX6HjmYTflqQyivWeTpGl13tQP7b+UppJr0v9vH7Wd0PmRdvLDhKHqCiq

Only a user or machine with the so-called encryption key can unscramblethe message to get its meaning. So the same phrase -- "Happy Holidays" -- would be encrypted differentlydepending on the software used and the people involved.

Once the province of spies, encryption is widely used on the Internet. The little padlock next to a Web address indicates the connection is encrypted. Wi-Fi routers, Gmail, Yahoo mail, Snapchats, tweets and 4G cellular phones all use some form of encryption,to protect personal information, such as passwords, location coordinates, bank-account and credit-card numbers and sometimes -- depending on the type of encryption used -- the text of messages and other content.

In addition to those receiving the data who need to decipher it, the companies that employ this technology typically hold keys, sothey canget to the information if they need to. Among other things, this letscustomers reset passwords, etc.It also allows companies to decrypt messages for the authorities when faced with lawful requests for customer records or the contents of communications.

In the past few years, several tech companies have adopted encryption schemes for which they say they dont hold the keys. Most notably, Apple Inc. and Alphabet Inc.s Google in 2014 released smartphone operating systems that, by default, they said precluded them from unlocking phones for law enforcement, even with a warrant.That's because the companies said they would no longer maintain a key to unlock their devices' encryption. Those keys would only be on the devices themselves and could only be unlockedwith users' passwords.Before the switch, companies could comply with court orders to unlock phones, and usually did.

Here is FBI Director James Comey -- who has called these actions an assault on law enforcement --testifying before Congress on the issue:

But tech and telecommunications companieswerecriticized after documents leaked byEdwardSnowden showedsomefirms cooperating with governmentsto allow access to some of their users' communications. Companies also said the government was overstepping its monitoring activities without their knowledge, compromising user confidence in the privacy of their information. A lot of trust between the two sides was broken. Companies say that thenew encryption protocolswill make their products safer, because thieves and spies would have a harder time seeingand stealingtheir contents or communications.

Here's Apple CEO Tim Cook, making this point at the Wall Street Journal's WSJDLive tech conference in October:

The debate has widened as U.S. and European officialsalsostarted criticizing makers of apps designed to encrypt messages, such as Wickr, Signal and Telegram.Makers of theseapps have not changedtheir systemssince the Paris attacks.ButTelegram, which features both private chat and a Twitter-like public bulletin feature, saidrecently thatit had deactivated some public channels linked to the Islamic State. The shift, if small, was notable given Telegram founder Pavel Durov's previous statements that his company "shouldn't feel guilty" for reports that the app has been used by terrorists.

There is no evidence it played a role in the shootings and bombings in Paris. To the contrary, French media have reported some of the attackers coordinated using ordinary SMS text messages, which usually are easy for law enforcement to tap. However, Islamic State members have documented that they use some messaging apps that rely on strong encryption. Some U.S. officials have said this is a problem if the goal is to prevent another Islamic State attack. Here's a tutorial used by the Islamic State to rate the relative strength of various communication apps:

Several reasons. One, technology companies in general chafe at the idea of the government telling them how to make products. When the Clinton administration in the 1990s proposed a system where the government would maintain the ability to decipher commercial communications through a so-called "Clipper chip," the proposal was beat back due to civil liberties concerns. One alternative would have technology companies maintain all or part of the so-called master key, which they would only use if faced with a court order. Technology companies don't like this solution because they fear it makes the key a target for hackers. In short, if someone steals the digital key,everything is potentially lost.It's also unclear how such a system would work in practice.

Privately,some government officials say technology companies are overstating the risks of creating such a system. But technology companies counter the risks are real. The catch is that a lot of the risks are assumed and hypothetical. Building extra keys and loopholes into secure systems could, for example, introduce weaknesses from bugs, but it's hard to know what those bugs are ahead of time. "The complexity of todays Internet environment, with millions of apps and globally connected services, means that new law enforcement requirements are likely to introduce unanticipated, hard to detect security flaws," wrote 15 cryptographers in a paper published by the Massachusetts Institute of Technology this summer. There is some precedent though for this concern. Washington once required American firms sell foreign customers only weaker, more easily cracked encryption to help U.S. spies keep tabs on overseas targets. Even though that requirement was dropped in the 1990s, the weakened encryption can still be found on computers and can now be exploited by other hackers. Lobbyists for tech firms such as Apple argue these problems would only be worse now. Because companies do more business overseas, they would likely have to replicate any deal they make with the United States. For instance, Apple sells a lot of iPhones in China. What if overseas governments demand the same types of keys?

In that case, all bets could be off. For instance, if an iPhone user uses iCloud backups for the content on their phone, Apple is able to hand over the latest backup if faced with a court order, the company says.Some cloud providers automatically erase such data after a period of time, but policies and procedures vary.

In January, Mr. Obama said, If we find evidence of a terrorist plot and despite having a phone number, despite having a social media address or email address, we cant penetrate that, thats a problem. The president and Mr. Comey have said they believe Silicon Valley should be able to come up with a solution. Congress also is examining the issue. On the other hand, former NSA Director Mike McConnell and other retired national security officials have publicly said that finding a way to maintain access to encrypted communications could be bad for security. The Obama administration has indicated that, for now, it doesnt want to issue orders to tech firms or push Congress for new laws.

Here's Adm. Michael Rogers, head of the National Security Agency, at the WSJDLive conference urging government and the tech industry to bridge the gaps:

In 1999, a federal appeals court more or less ended the first "Crypto wars" when it ruled computer code, including encryption schemes, is protected speech under the First Amendment. Apple is fighting the Justice Department in a New York federal court over whether it should be forced to figure out a way to unlock an encrypted iPhone.

White House and congressional staffers have reached out to some Silicon Valley executives, asking them to come to Washington, D.C., for another round of encryption talks. Some lawmakers are seeking a so-called "Blue Ribbon" committee that would include experts from both sides of the debate. Sen. John McCain (R., Ariz.) has pledged to conduct hearings on the matter and pursue legislation. The British parliament meantime is exploring a new spy powers measure that could give authorities more power to force companies to be able to unscramble customer data.

More here:
Does Encryption Really Help ISIS? Heres What You Need to ...

Related Posts

Comments are closed.