Yes, ISIS Is Using Encryption — But Not Very Well

(Mis)Uses of Technology

from the a-comedy-of-errors dept

I’ve been seeing a few anti-encryption supporters pointing to a new ProPublica report on terrorists using encrypted communications as sort of proof of their position that we need to backdoor encryption and weaken security for everyone. The article is very detailed and thorough and does show that some ISIS folks make use of encrypted chat apps like Telegram and WhatsApp. But that’s hardly a surprise. It was well known that those apps were being used, just like it’s been well known that groups like Al Qaida were well aware of the usefulness of encryption going back many years, even predating 9/11. It’s not like they’ve suddenly learned something new.

So, the fact that they’re now using tools like WhatsApp and Telegram is hardly a surprise. It also kinda highlights the idiocy of trying to backdoor American encryption. Telegram is not a US company and WhatsApp’s encryption is based on the open source Signal protocol, meaning that any American backdoor encryption law isn’t going to be very effective.

But, really, what strikes me, from reading the whole article beyond the headline notion of “ISIS uses encryption,” is that it lists example after example of the fact that folks in ISIS use encryption badly and often seem prone to revealing their information. This is not unique to ISIS. Lots of people are not very good about protecting themselves. Hell, I’m probably not very good about my own use of encryption. But, of course, I’m also not trying to blow things up or kill people. Either way, story after story after story in the article highlights the rather bumbling aspects of teaching ISIS supporters how and why to use encrypted communications and to avoid surveillance. My favorite example:

On Jan. 4, 2015, an exasperated coordinator repeatedly explained to a befuddled caller with a Lebanese accent that he could only bring a basic cell phone to Syria, according to a transcript.

?The important thing is that when you arrive in Turkey you have a small cell phone to contact me,? the coordinator said. ?Don?t bring smart phones or tablets. OK, brother??

For the fourth time, the recruit asked: ?So we can?t have cell phones??

?Brother, I said smart phones: iPhone, Galaxy, laptop, tablet, etcetera.?

Sounding a bit like a frustrated gate agent at a crowded airport, the coordinator added: ?Each of you can only bring one suitcase. If you come alone, just bring one suitcase. That is, a carry-on and one suitcase.?

?I didn?t understand the last thing, could you explain??

?Brother, call me when you get to Turkey.?

Then there was the case where someone planned a plot using an encrypted WhatsApp conversation, but police were already bugging the guy so they heard what he was saying anyway:

In April, Italian police overheard a senior figure in Syria urging a Moroccan suspect living near Milan to carry out an attack in Italy, according to a transcript. Although the voice message had been sent through an encrypted channel, the Moroccan played it back in his car, where a hidden microphone recorded it.

In the message, the unidentified ?sheik? declared: ?Detonate your belt in the crowds declaring Allah Akbar! Strike! (Explode!) Like a volcano, shake the infidels, confront the throng of the enemy, roaring like lightning, declare Allah Akbar and blow yourself up, O lion!?

The suspects exchanged recorded messages over WhatsApp, an encrypted telephone application that is widely used in Europe, the Arab world and Latin America

All of these examples keep making the same point that many people have been making for a long time. Yes, encryption hides some aspect of communications. That’s part of the point. But the idea that it creates a “going dark” situation is massively exaggerated. There are many other ways to get the necessary information, through traditional surveillance and detective work. And the report suggests that’s working. And the fact that many ISIS recruits are particularly unsophisticated in understanding how and when to use encryption only makes that kind of thing easier for people tracking them. In discussing the Paris attacks, for example, the article notes that while some of the attackers were told to use encryption, they didn’t.

Abaaoud?s operatives did not always follow security procedures, however. In June of last year, Turkish immigration authorities detained Tyler Vilus, a French plotter en route to Paris with someone else?s Swedish passport. Allowed to keep his cellular phone in a low-security detention center, Vilus brazenly sent an unencrypted text message to Abaaoud in Syria, according to a senior French counterterror official.

?I have been detained but it doesn?t seem too bad,? the message said, according to the senior official. ?I will probably be released and will be able to continue the mission.?

Instead, U.S. spy agencies helped retrieve that text and French prosecutors charged Vilus with terrorist conspiracy.

Anyway, it’s no surprise that terrorists are going to use encryption. Of course they have been for over a decade and will continue to do so. The issue is that it’s not as horrible as law enforcement is making it out to be. Just as plotters have always been able to plan in ways that law enforcement has been unable to track (such as discussing in person, in other languages, or through simple ciphers or codes). That’s always happened and somehow we managed to get by. Yes, sometimes law enforcement doesn’t get to know absolutely everything about everyone. And that’s a good thing. And sometimes, yes, that means that terrorists will be able to plan bad things without law enforcement knowing it. But that’s part of the trade-off for living in a free society.

Filed Under: encryption, fud, going dark, isis, law enforcement, terrorism
Companies: telegram, whatsapp