Yes, ISIS Is Using Encryption — But Not Very Well

from the a-comedy-of-errors dept

I’ve been seeing a few anti-encryption supporters pointing to a new ProPublica report on terrorists using encrypted communications as sort of proof of their position that we need to backdoor encryption and weaken security for everyone. The article is very detailed and thorough and does show that some ISIS folks make use of encrypted chat apps like Telegram and WhatsApp. But that’s hardly a surprise. It was well known that those apps were being used, just like it’s been well known that groups like Al Qaida were well aware of the usefulness of encryption going back many years, even predating 9/11. It’s not like they’ve suddenly learned something new.

So, the fact that they’re now using tools like WhatsApp and Telegram is hardly a surprise. It also kinda highlights the idiocy of trying to backdoor American encryption. Telegram is not a US company and WhatsApp’s encryption is based on the open source Signal protocol, meaning that any American backdoor encryption law isn’t going to be very effective.

But, really, what strikes me, from reading the whole article beyond the headline notion of “ISIS uses encryption,” is that it lists example after example of the fact that folks in ISIS use encryption badly and often seem prone to revealing their information. This is not unique to ISIS. Lots of people are not very good about protecting themselves. Hell, I’m probably not very good about my own use of encryption. But, of course, I’m also not trying to blow things up or kill people. Either way, story after story after story in the article highlights the rather bumbling aspects of teaching ISIS supporters how and why to use encrypted communications and to avoid surveillance. My favorite example:

On Jan. 4, 2015, an exasperated coordinator repeatedly explained to a befuddled caller with a Lebanese accent that he could only bring a basic cell phone to Syria, according to a transcript.

“The important thing is that when you arrive in Turkey you have a small cell phone to contact me,” the coordinator said. “Don’t bring smart phones or tablets. OK, brother?”

For the fourth time, the recruit asked: “So we can’t have cell phones?”

“Brother, I said smart phones: iPhone, Galaxy, laptop, tablet, etcetera.”

Sounding a bit like a frustrated gate agent at a crowded airport, the coordinator added: “Each of you can only bring one suitcase. If you come alone, just bring one suitcase. That is, a carry-on and one suitcase.”

“I didn’t understand the last thing, could you explain?”

“Brother, call me when you get to Turkey.”

Then there was the case where someone planned a plot using an encrypted WhatsApp conversation, but police were already bugging the guy so they heard what he was saying anyway:

In April, Italian police overheard a senior figure in Syria urging a Moroccan suspect living near Milan to carry out an attack in Italy, according to a transcript. Although the voice message had been sent through an encrypted channel, the Moroccan played it back in his car, where a hidden microphone recorded it.

In the message, the unidentified “sheik” declared: “Detonate your belt in the crowds declaring Allah Akbar! Strike! (Explode!) Like a volcano, shake the infidels, confront the throng of the enemy, roaring like lightning, declare Allah Akbar and blow yourself up, O lion!”

The suspects exchanged recorded messages over WhatsApp, an encrypted telephone application that is widely used in Europe, the Arab world and Latin America.

All of these examples keep making the same point that many people have been making for a long time. Yes, encryption hides some aspect of communications. That’s part of the point. But the idea that it creates a “going dark” situation is massively exaggerated. There are many other ways to get the necessary information, through traditional surveillance and detective work. And the report suggests that’s working. And the fact that many ISIS recruits are particularly unsophisticated in understanding how and when to use encryption only makes that kind of thing easier for people tracking them. In discussing the Paris attacks, for example, the article notes that while some of the attackers were told to use encryption, they didn’t.

Abaaoud’s operatives did not always follow security procedures, however. In June of last year, Turkish immigration authorities detained Tyler Vilus, a French plotter en route to Paris with someone else’s Swedish passport. Allowed to keep his cellular phone in a low-security detention center, Vilus brazenly sent an unencrypted text message to Abaaoud in Syria, according to a senior French counterterror official.

“I have been detained but it doesn’t seem too bad,” the message said, according to the senior official. “I will probably be released and will be able to continue the mission.”

Instead, U.S. spy agencies helped retrieve that text and French prosecutors charged Vilus with terrorist conspiracy.

Anyway, it’s no surprise that terrorists are going to use encryption. Of course they have been for over a decade and will continue to do so. The issue is that it’s not as horrible as law enforcement is making it out to be. Plotters have always been able to plan in ways that law enforcement has been unable to track (such as discussing in person, in other languages, or through simple ciphers or codes). That’s always happened and somehow we managed to get by. Yes, sometimes law enforcement doesn’t get to know absolutely everything about everyone. And that’s a good thing. And sometimes, yes, that means that terrorists will be able to plan bad things without law enforcement knowing it. But that’s part of the trade-off for living in a free society.

Companies: telegram, whatsapp


Comments on “Yes, ISIS Is Using Encryption — But Not Very Well”

John Fenderson (profile) says:

Security is hard

The easy availability of strong crypto does make security a bit easier, but it has always been true — and will always be true — that security is hard.

That’s because security is not a matter of deploying a tool, no matter how powerful. To be secure against serious threats requires careful attention to every aspect of procedures and behavior, both electronic and not. Weakness in any aspect of the overall effort weakens all aspects.

As a common example of the truth of this, look at the excellent and common advice given regarding everyday passwords: never use a given password for more than one thing. That way if the password is exposed, only one thing is compromised.

Behavior is at least as important to security as technology is.

hij (profile) says:

odd phrasings

I had to re-read that phrase “anti-encryption supporters” 3 or 4 times. It seems like a double regressive statement to be a supporter of going backwards.

As far as the effort itself, these folks are going to be quite shocked to find out that it is possible to create and install android apps on your own. When they find out it is possible to employ encryption without being blessed by the google they are likely going to blow a hemorrhoid. By their reasoning, that is going to mean it is time to make android illegal because terrorists use it.

Then again terrorists use toilets. We should get rid of those things too. Nothing good ever came out of a toilet.

I.T. Guy says:

viva l'italia!!!

Seems like good ole fashioned Police Work was the Italians’ answer to going “dark.”

The whole exchange:
“The important thing is that when you arrive in Turkey”
Reminds me of 15 years ago when I started out as a level 1 tech helping clueless users use fairly simple technology.

There has to be something said about the person that’s willing to blow themselves up for a “God.” The law and media act like these are sophisticated individuals when in reality they are borderline retarded.

I read that somewhere else yesterday and just laughed at the Abbott and Costello-esque nature of the conversation.

Even the “sheik’s” rant was South Parkish in nature.

I.T. Guy says:

I missed this the first time from the 2001 article:
“Hidden in the x-rated pictures on several pornographic web sites”

Um… are we really going to believe devout Muslims are going to hide messages in porn and go to porn websites? (And visit strip clubs)
Sound farfetched? It may because:
“US officials and experts say it’s the latest method of communication”
Oh. Whew. As long as it’s US officials and unnamed “experts” I’m ok. /s

I thought the method was flash drives and couriers? Oops, there I go thinking again.

Gwiz (profile) says:

Re: Re:

Um… are we really going to believe devout Muslims are going to hide messages in porn and go to porn websites?

ABC News reported on this yesterday. Retired Lt. Gen. Michael Flynn, a former head of the Defense Intelligence Agency is quoted as saying:

“In fact, at one point, we determined that 80 percent of the material on the laptops we were capturing was pornography.”

DannyB (profile) says:

Not seeing the Forrest for the Terrorists

Terrorists may use encryption, they may use it poorly, or not at all. Or they may then reveal an encrypted communication after the fact, not thinking.

But you are missing the real issue about Going Dark.

American Citizens are increasingly Going Dark by using encryption. For everyone’s protection, decryption must be very easy, or even unnecessary for even the dumbest of cops. This makes it easier to access everything about your private life when looking for something to charge you with.

hij (profile) says:

Re: Not seeing the Forrest for the Terrorists

The leader of the biggest, terrorist state in history, Julius Caesar, used encryption. In fact, the encryption technique he used is named for him. Although, if you disagree that Rome was a terror state and one of the good guys then you might want to argue that statistics should be outlawed because from that point of view the terrorists use basic frequency statistics as a way to defeat the Caesar Cypher.

Skeeter says:

Released into the Wild

There are, without doubt, several ‘truly unbreakable’ encryption algorithms already in use worldwide. Like nuclear weapons, to this point, it is predominantly a case of the rich, powerful and corrupt (aka: governments) which have them. We act like we don’t fear the government, but they are most-assuredly wanting us to fear ‘unbreakable encryption’, so to that point, you have to ask, ‘if you have it, and we aren’t supposed to fear you, then why and who should we actually fear having it?’

If a ‘real, unbreakable encryption’ was released onto the internet, with any time at all before it was noticed, especially in code-form (where any programmer could download it and compile it at his will), the whole fantasy of ‘encryption control’ would be forever gone. What then, once the government worked on a leveled playing field with the ‘average Joe’? Governments seem to think they can print money, to finance any ‘overcoming’ of the little guy they might deem needed. What if that wasn’t ‘really’ the case? It’s only a matter of time…and a good C-programmer.

Groaker (profile) says:

Re: Released into the Wild

Unbreakable algorithms have been known for many years. With the advent of the PC one time pads have been trivial to create. A simple XOR, or possibly a more complex mutation, based on two numbers is unbreakable.

One specifying a particular CD, the other the starting bit. This trivializes the bane of pre-PC one time pads — the complexity of passing on the pad definition.

John Fenderson (profile) says:

Re: Re: Released into the Wild

Yep. Unbreakable crypto is well known and technically easy to do without the need for computers at all.

The hard part is the key exchange. After all, if you have a secure channel to exchange keys, then why not send the message itself through that channel?

PKE is an engineering tradeoff — the crypto is strong but not mathematically unbreakable, but the win is that the key exchange problem is rather dramatically improved (and, if you do it right, is solved).

Tyl says:

Re: Re: Re: Released into the Wild

After all, if you have a secure channel to exchange keys, then why not send the message itself through that channel?

Because of temporal and spatial differences. Keys can be exchanged at a time and place that secure channels are available, and then used later to communicate when secure channels are not available.
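
The scheme discussed in this sub-thread (a pad shared in advance, with each message naming which pad and where to start), as an added example that is not part of any commenter's post. The names `pads`, `pad_id` and `start`, the use of a byte offset, and the random bytes standing in for the shared disc are assumptions made here.

```python
import secrets


class PadExhausted(Exception):
    """Raised when a message would run past the end of the shared pad."""


def xor_with_pad(pads, pad_id, start, data):
    """XOR data against pads[pad_id] beginning at byte offset start.

    XOR is its own inverse, so the same call encrypts and decrypts.
    """
    pad = pads[pad_id]
    if start < 0 or start + len(data) > len(pad):
        # Wrapping around would reuse pad bytes, so refuse instead.
        raise PadExhausted(
            f"pad {pad_id} too short for {len(data)} bytes at offset {start}"
        )
    key = pad[start:start + len(data)]
    return bytes(b ^ k for b, k in zip(data, key))


def send(pads, pad_id, start, plaintext):
    """Wire message: the two numbers travel in the clear, then the ciphertext."""
    return (pad_id, start, xor_with_pad(pads, pad_id, start, plaintext))


def receive(pads, message):
    """Recover the plaintext using the receiver's own copy of the pad."""
    pad_id, start, ciphertext = message
    return xor_with_pad(pads, pad_id, start, ciphertext)


def demo():
    # Constructed sample: one 64-byte pad handed over in advance, at a time
    # and place where a secure channel existed (hypothetical pad id 7).
    shared = {7: secrets.token_bytes(64)}
    sender_pads, receiver_pads = dict(shared), dict(shared)
    # Later, over an open channel, only (pad_id, start, ciphertext) is sent.
    wire = send(sender_pads, 7, 16, b"meet at noon")
    return wire, receive(receiver_pads, wire)


if __name__ == "__main__":
    wire, recovered = demo()
    print(wire[0], wire[1], wire[2].hex(), recovered)
```

The sender must also track which offsets have been consumed so that no two messages ever share pad bytes; that bookkeeping is left out here.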

Groaker (profile) says:


Terrorists do lots of things. Generally wear shoes, eat, breathe and possibly use encryption. Are we willing to ban shoes, food, and air to Americans because terrorists may use those things?

Terrorists win by inducing the leaders to exert more and more restrictions on the citizenry, and creating irrational fears in the population. I have reason to be more afraid of police and other LEOs than I do of terrorists. Police will kill far more people in the US this year than terrorists will. Indeed, including the deaths from 2001, police have killed more people, many innocents, in five years than terrorists have killed in the last 15.

Who is more to be feared?

Anonymous Coward says:

“Um… are we really going to believe devout Muslims are going to hide messages in porn and go to porn websites?”

I read somewhere that ‘terrorists’ use online forums to communicate on a regular basis. Some of these can be erotic sites. Who’s gonna think that is even possible for bearded asexual anarchists? Perfect.
