Paris attacks stir global debate over online encryption

Intelligence sources say Islamic State attackers may have planned the Paris terrorist attacks using easily available encrypted communication tools.

A spectator walks past illuminations of a French tricolour flag, in tribute to the victims of the Paris attacks, as she arrives to watch the ATP Tennis Finals in London.

Toby Melville/Reuters

November 16, 2015

As French officials continue to track down those who planned and helped carry out Friday’s brutal attacks in Paris, the terrorist attacks are already sparking a heated debate about whether national security concerns should entitle governments to greater ability to track secret communications and break the encryption increasingly found on consumer devices.

So far, investigators have turned up a sophisticated, international plot spread across Syria, France, and neighboring Belgium in which plotters may have avoided detection through the use of encrypted channels. Though the unnamed officials offered no concrete evidence yet of what platforms the attackers may have used, many have blamed encryption for intelligence agencies’ failure to stop the Paris attack. 

"These apps, these devices that now allow these terrorists to operate without fear of penetration by intelligence services – this is the first example of this," New York Police Commissioner Bill Bratton said Sunday in an interview with Face the Nation. Bratton, who has warned about law enforcement "going dark" in its pursuit of criminals and terrorists due to strong encryption on consumer devices, also said this weekend he's eager for investigators to find out what devices and apps the terrorists were using.

The battle between Washington and Silicon Valley over encryption

"We, in many respects, have gone blind as a result of the commercialization and the selling of these devices that cannot be accessed either by the manufacturer or, more importantly, by us in law enforcement, even equipped with search warrants and judicial authority, Mr. Bratton said. "This is something that is going to need to be debated very quickly because we cannot continue operating where we are blind." 

Michael Morell, former deputy CIA director, who also spoke with “Face the Nation”, echoed his remarks. "[W]e need to have a public debate about [encryption],” Mr. Morrell said. "We have, in a sense, had a public debate. That debate was defined by Edward Snowden ... and the concern about privacy. I think we're now going to have another debate about that. It's going to be defined by what happened in Paris."

FBI director James Comey has been warning for over a year now that strong, commercially available encryption hurts government efforts to stop dangerous criminals and terrorists. The bad guys are "going dark," he has warned, using readily available technology to avoid detection and endanger public safety.

Mr. Comey and others in the Obama administration have asked tech companies to develop solutions so that US law enforcement and intelligence agencies can get access to encrypted communications. Many popular services and devices – such as the iPhone or secret chat apps – deploy end-to-end encryption that can only be decrypted by users, therefore making subpoenas and warrants of little use when trying to access these communications. 

Meanwhile, privacy advocates argue that any so-called "backdoor" into encryption would only make it easier for hackers and foreign governments to access American data in the kind of massive data breaches that have made headlines over the past year.

The real tension is not between security and privacy, according to Ahmed Ghappour, director of the Liberty, Security, and Technology Clinic at the University of California, Hastings College of the Law. Instead, he said, law enforcement needs to build capacity and expertise in order to bypass or get around current technology.

"Sophisticated burglars were quick to adapt to wearing gloves when it was discovered that law enforcement had forensic capabilities that were able to identify criminal actors on the basis of their fingerprints," said Mr. Ghappour. “We did not outlaw gloves because they prevented law enforcement from detecting the fingerprints of criminals. Nor did we require that glove manufacturers sell fingerless gloves so that fingerprints could be detected. Instead, we invested in law enforcement to improve their investigative skills.  Why isn’t that the case here?"

While the alleged used of encryption by Islamic State militants is reviving the debate over online privacy, Europe has also been considering broad new surveillance powers meant to tackle online extremism. 

France passed a new surveillance law in June, after the deadly Charlie Hebdo attack, that requires all Internet service providers to install "black boxes" on their networks to monitor users’ activity and to retain user data for between two and four years. France’s Constitutional Council rejected parts of the law regarding collection of foreign signals intelligence as too vague.

Legislators rewrote that section last month, and it’s currently awaiting approval from the Constitutional Council.

According to privacy rights groups, however, the pending legislation lacks sufficient oversight and limits citizens’ ability to challenge surveillance in court. What's more, according to Estel Massé, a Paris-based political analyst for the digital rights organization Access, the pending law makes surveillance a priority at the expense of core French values.

"This goes against the principles of necessity and proportionality that always need to be in place in a democratic society," said Ms. Massé.

Britain is considering similar legislation – a so-called “snooper’s charter,” long sought by David Cameron’s government. The bill failed previous attempts, but Home Secretary Theresa May reintroduced a weakened version earlier this month.

But even with secure end-to-end encryption, it’s difficult to keep an entire communication chain secure, said to J. M. Berger, a fellow in the Project on US Relations with the Islamic World at the Brookings Institution. It is often necessary for terrorists to make initial contact over insecure channels in order to set up secure communications, for example.

"People have to poke their heads out at some point, and that is still a fruitful area to pursue," Mr. Berger said. "But there's no question that it's challenging to keep up. Terrorists are improvisers, using whatever tools are at hand, often in ways the toolmaker did not anticipate, and it's structurally difficult for governments to keep up."

In a bizarre twist to the encryption debate, Belgian Interior Minister Jan Jambon said last week that terrorists might now be using PlayStation 4 gaming consoles to communicate out of Western intelligence agencies’ reach. 

"I’ve heard the most difficult communication between these terrorists is via PlayStation 4," Mr. Jambon told Politico at an event three days before the Paris attack. “It’s very, very difficult for our services — not only Belgian services but international services — to decrypt the communication that is done via PlayStation 4."

Jambon did not go into detail about where his information came from, and he has not responded to Passcode’s requests to elaborate. However, privacy and security researcher Runa Sandvik cast some doubt on the technical aspects of Jambon’s claim.

"I do not think it's the case that the PS4 is harder to monitor than other communication methods," said Ms. Sandvik. "I think it's more that the PS4 is an uncommon communication method. It would make sense for the intelligence community to first focus on monitoring email, calls, texts and popular tools and then focus on everything else." 

On Friday, Forbes mistakenly reported that a police raid in Brussels connected to the French attacks turned up a PS4 console, stoking concerns that the Paris attackers might have used it to communicate. Forbes has since published a correction.

Still, American and British intelligence agencies do monitor online games like World of Warcraft, Second Life and XBox Live, according to leaked documents jointly published by the New York Times, the Guardian, and ProPublica in 2013.