New Reports On Terror Attacks Underline Why Crypto Isn't A Serious Problem: It's Hard To Use And Easy To Get Wrong

from the multiple-missed-opportunities dept

As Techdirt has reported, politicians (and some journalists) haven't waited for the facts to be established before assuming that encryption is to blame for recent terrorist attacks. But as detailed information starts to appear, it becomes clear once more that the bombings and shootings did not succeed because things had "gone dark," but largely because intelligence agencies in both Europe and the US missed numerous clues and hints about the bigger picture. This emerges most powerfully from a long article in The New York Times, which charts the rise of ISIS over many years, and how the authorities were slow to catch on:

For much of 2012 and 2013, the jihadist group that eventually became the Islamic State, also known as ISIS or ISIL, was putting down roots in Syria. Even as the group began aggressively recruiting foreigners, especially Europeans, policy makers in the United States and Europe continued to see it as a lower-profile branch of Al Qaeda that was mostly interested in gaining and governing territory.

Arrests were made in Italy, Spain, Belgium, France, Greece, Turkey and Lebanon of European citizens that had been trained in Syria, and had returned to carry out terrorist attacks -- usually unsuccessfully. And yet:

in each instance, officials failed to catch -- or at least to flag to colleagues -- the men’s ties to the nascent Islamic State.

Sometimes the inability to grasp what was really happening borders on the incredible, for example in the case of the person alleged to have killed four people in the Jewish Museum of Belgium, in 2014:

Even when the police found a video in his possession, in which he claimed responsibility for the attack next to a flag bearing the words "Islamic State of Iraq and Syria," Belgium’s deputy prosecutor, Ine Van Wymersch, dismissed any connection.

"He probably acted alone," she told reporters at the time.

Another article, from CNN, makes it clear that missed opportunities to spot connections between possible terrorists have continued right up until the recent attacks in Paris and Brussels. It reports on current efforts to locate "at least 8 suspects" with links to those attacks:

All but one of the suspects are said to have connections to Abdelhamid Abaaoud, the leader of the Paris attacks, or Salah Abdeslam, the only survivor among the Paris attackers, who was arrested earlier this month in Brussels.

The security bulletin gives a sense of ISIS' geographical reach in Europe. Three of the suspects were residents or spent time in the Netherlands, Germany and Sweden respectively.

The picture that emerges from these two reports is of a large, well-established network of terrorists located across several European countries. Many of them were known in multiple ways to the authorities, which repeatedly failed to bring all this crucial information together, probably because there was too much, not too little, to sift through. What is conspicuous by its absence is any suggestion that the would-be attackers escaped arrest by using encrypted communications. Both stories do, however, reveal that ISIS-trained terrorists have used encryption tools, but in a non-standard way.

@thegrugq has written a good piece on Medium analyzing the system. It seems the discontinued encryption program TrueCrypt was provided by ISIS on a USB drive. The program was used to place one or more messages inside an encrypted volume, which was then uploaded to an inconspicuous online site. By employing a shared password to encrypt the volume, more than one person could read the messages in a relatively secure and anonymous way. The system creates a kind of digital dead letter drop that can't be addressed simply by mandating crypto backdoors.

That might seem to confirm the worst fears of all those politicians (and journalists), but as @thegrugq explains, there are some serious operational problems with this approach, notably the following:

This system makes non-standard use of the tools, which means the user has to take a number of additional manual steps to compensate. Requiring users to do a manual process generally means there will be mistakes. For example, I would expect that the user might forget to put the message into the volume before sending. Or the user might send an old version of the volume rather than the latest one. Or the user might fail to save the volume after copying the message in, and the contents get lost. Or the user might attempt to download the volume while the current volume is still open, and experience failures saving to disk. There are a number of places that this protocol can break down.

Using crypto is hard, and easy to get wrong -- which is probably why terrorists prefer to deploy old-fashioned means like burner phones. But don't take my word for it, just ask the person who was using the TrueCrypt system described above. Here's what the French police discovered when they arrested him last August:

Behind a couch, they found his USB stick from the Islamic State, and in his bag a piece of paper showing his login credentials for TrueCrypt.

Whoops.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: encryption, isis, terrorism

Before We Even Know The Details, Politicians Rush To Blame Encryption For Brussels Attacks

from the it's-almost-like-you-have-an-agenda... dept

Support our crowdfunding campaign to help us keep covering stories like these!

You may remember that, right after the Paris attacks late last year, politicians rushed in to demonize encryption as the culprit, and to demand backdooring encryption before the blood was even dry. Of course, it later turned out that there was no evidence that they used encryption at all, but rather it appears that they communicated by unencrypted means. Just yesterday, we noted that the press was still insisting encryption was used, and using the lack of any evidence as evidence for the fact they must have used encryption (hint: that's not how encryption works...).

So, it should hardly be a surprise that following this morning's tragic attacks in Brussels that have left dozens dead and many more injured, that encryption haters, based on absolutely nothing, have rushed in to attack encryption again. The first up was Rep. Adam Schiff, who quickly insisted that he had no actual facts on the matter, but we should be concerned about encryption:

“We do not know yet what role, if any, encrypted communications played in these attacks,” Rep. Adam Schiff (D-Calif.) said in a statement.

“But we can be sure that terrorists will continue to use what they perceive to be the most secure means to plot their attacks,” he added.

Schiff, of course, is the same guy who just a few months ago was loudly promoting CISA, saying we needed it to protect our privacy from hackers. Of course CISA doesn't do that. You know what does? Encryption. The very encryption Schiff now wants to blame.

Not one to be left out, Senator Dianne Feinstein jumped in with a thinly veiled statement in support of her supposedly soon to be released bill, mandating backdoors in encryption:

“We must use all the tools at our disposal to fight back,” Sen. Dianne Feinstein, California Democrat and vice chairwoman of the Senate Intelligence Committee, said in a statement on Tuesday. “The way to prevent attacks like this is to develop good intelligence and always be vigilant.”

"All the tools" likely means including her plans to break encryption.

And, of course, the many in the press are no help at all. There have been reports that a talking head on NPR blamed encryption this morning, while a NY Times reporter, Rukmini Callimachi -- who was the lead reporter on that ridiculous article yesterday insisting that the lack of encryption was evidence of encryption -- is tweeting up a storm claiming that ISIS is now encouraging the use of encryption, even though the questionably-sourced document she links to (which is written in English?!?) isn't actually recommending encryption, but things like Tor and VPNs, which are designed to merely mask your IP address.

26. ISIS is now advising its "brothers" in Belgium to only go online with encryption. (Thanks @MichaelSSmithII) pic.twitter.com/eWb4SD3INi

— Rukmini Callimachi (@rcallimachi) March 22, 2016

It's like she sees encryption in absolutely anything. Meanwhile, as a number of other commenters have pointed out, if "ISIS brothers" actually follow the advice in that document, it will only likely help them get caught, as a sudden and abrupt change in behavior is a pretty good way for law enforcement to make you a suspect. And, really, encouraging people to jump onto tools like Tor that they don't understand, but which they think will keep them safe, almost certainly will lead to ridiculously bad implementations that make it easier to spot what they're doing.

Either way, in the wake of yet another attack we're left with people who don't understand and dislike encryption, rushing to demonize it for no good reason at all.

Support our crowdfunding campaign to help us keep covering stories like these!

Filed Under: adam schiff, attacks, blame, brussels, dianne feinstein, encryption, isis, rukmini callimachi

Twitter Asks Court To Dump Ridiculous Lawsuit Claiming It Provides Material Support For Terrorists

from the should-be-an-easy-one dept

Back in January, we wrote about an absolutely ridiculous case, in which Tamara Fields sued Twitter, after her husband was tragically killed in an ISIS raid last year. Why Twitter? She apparently blames Twitter for the rise of ISIS. She provides no evidence to show that the people who killed her husband (a government contractor for DynCorp International) was killed by people who used Twitter. Or that anything about the attack was related to Twitter. It's entirely just "ISIS uses Twitter. ISIS killed by husband. Let's sue Twitter." As we noted at the time, Section 230 should easily get this lawsuit tossed out quickly, and the company has now filed its Motion to Dismiss. The TL;DR: "Section 230, Section 230, What a stupid lawsuit this is."

Plaintiff’s claims seek to hold Twitter liable for the content of messages posted to its platform by third parties and are thus barred by Section 230 of the Telecommunications Act of 1996, 47 U.S.C. § 230 (“Section 230”). In enacting Section 230, Congress unequivocally resolved the question whether computer service providers may be held liable for harms arising from content created by third parties. Announcing the policy of the United States to preserve the “free market that presently exists for the Internet . . . unfettered by Federal or State regulation,” 47 U.S.C. § 230(b)(2), Congress broadly immunized entities like Twitter against lawsuits that seek to hold them liable for harmful or unlawful third-party content, including suits alleging that such entities failed to block, remove, or alter such content

Of course, even without Section 230, the lawsuit should be dumped, because Twitter had nothing to do with anything in this case.

It fails to state a claim for relief under the Terrorism Civil Remedy provision. That provision requires Plaintiff to allege and prove (1) that she was injured “by reason of”—i.e., that her injury was proximately caused by—(2) an “act of international terrorism” committed by Twitter. 18 U.S.C. § 2333(a). The Complaint’s allegations satisfy neither requirement. First, the link the Complaint attempts to draw between Twitter’s alleged conduct and the attack is, as a matter of law, far too tenuous to establish that Twitter proximately caused Mr. Fields’ death. Second, the Complaint’s allegations amount to nothing more than the claim that Twitter made its communications platform available to everyone in the world with an Internet connection. As a matter of law, that conduct cannot have constituted “an act of international terrorism” as defined by the statute because it plainly does not “appear to [have been] intended” “to intimidate or coerce a civilian population,” “to influence the policy of a government by intimidation or coercion,” or “to affect the conduct of a government by mass destruction, assassination, or kidnapping,”...

Later, the filing notes:

The Complaint makes no attempt to connect Twitter directly to Abu Zaid or his attack. It does not allege that ISIS recruited Abu Zaid over the Twitter platform. Nor does it allege that Abu Zaid or ISIS used the Twitter platform to plan, carry out, or raise money for the attack. It does not even allege that Abu Zaid had a Twitter account or ever accessed the Twitter platform. And although the Complaint devotes considerable attention to how other terrorists allegedly used the Twitter platform, it never explains how that alleged use had even the remotest connection to Abu Zaid’s “lone wolf” attack. The Complaint does not, for example, allege that ISIS helped Abu Zaid plan the attack or that ISIS provided Abu Zaid with weapons or funds. Beyond the speculation that Abu Zaid and ISIS may have shared the common objectives of inflicting harm on Americans and establishing a transnational Islamic caliphate, the closest the Complaint comes to even hinting at a connection between the two is the allegation that ISIS’s “brutal execution of Jordanian pilot Maaz al-Kassasbeh in February 2015” may have inspired Abu Zaid to become a “lone wolf” terrorist nine months later.

Obviously, having your husband killed in a "lone wolf" attack is a horrible and horrifying situation for anyone to go through. But suing Twitter seems like a particularly misguided response. It would be positively shocking if the judge actually lets this case go any further.

Filed Under: isis, lloyd fields, material support, material support for terrorism, section 230, tamara fields, terrorism
Companies: twitter

Senator Feinstein Revives Stupid Idea That Internet Companies Are 'Materially Supporting Terrorism' If ISIS Members Use Their Sites

from the not-how-it-works dept

Last year, FBI Director James Comey floated a ridiculous idea that retweeting ISIS tweets could be seen as "material support" for terrorism. Indeed, an American teenager got sentenced to 11 years in jail for pro-ISIS tweets, with the "material support" being that some of those tweets linked to pages that taught people how to use Bitcoin. Some have taken this idea even further, and argued that internet companies can be slapped with "material support for terrorism" claims or charges if they let ISIS members or other terrorists make use of their services.

This is ridiculous for many, many reasons, not the least of which is that (like in the encryption debate) it seems to presume that there's some algorithm to magically determine who is good (not a terrorist) and who is bad (terrorist!). And just like ridiculous and impossible arguments for "kicking ISIS off the open web" -- it would be ridiculously counterproductive. Not only would it be ridiculously costly to internet companies, but it would actually take away a major source of intelligence about terrorist groups, since they often reveal useful things on social media.

But guess who's seriously thinking about looking to see if it's possible to slap "material support of terrorism" charges on internet companies? Why, it's a Senator who actually is supposed to be representing many of their interests as California companies, Senator Dianne Feinstein. Jenna McLaughlin, a national security reporter for The Intercept, noted that Feinstein floated the idea this week, as if Feinstein had just thought of it:

DiFi: have we tried slapping material support charges on companies for letting terrorists use their services?

— Jenna McLaughlin (@JennaMC_Laugh) March 9, 2016

We've already discussed how dumb an idea this is (even more so that it comes from a California Senator), but ACLU deputy legal director Jameel Jaffer had an excellent response as well, highlighting the sheer stupidity of Feinstein's suggestion:

I heard that terrorists use hotels, credit cards, and phones, too. We're going to need a lot of indictments. https://t.co/N6HsYIz2Tb

— Jameel Jaffer (@JameelJaffer) March 9, 2016

Filed Under: dianne feinstein, first amendment, intermediary liability, internet companies, isis, material s upport, material support for terrorism, terrorism

CIA And NSA Directors Blame The Media For Terrorists Using Encryption

from the sorry dept

When it comes to the conversation that's going on about the use of encryption, CIA director John Brennan and NSA Deputy Director Rick Ledgett have acquitted themselves rather poorly on a regular basis. It's been an ongoing source of frustration to see the aftermath of the Paris terrorist attacks in particular devolve into a discussion on encryption, despite all evidence suggesting that those attacks weren't planned using any kind of encryption at all. That didn't keep Brennan from claiming that the CIA was unable to keep attacks from occurring due to encryption, nor has it stopped the calls from intelligence officials for even more data collection, despite the fact that those same officials have proven to be soft targets for hackers themselves. Ledgett, meanwhile, has proven to be an adversary of the free press, cheering on the destruction of computers from The Guardian.

And so it is with this backdrop that Brennan and Ledgett sat before Congress and claimed that terrorists were only using all of this encryption because of the god damned media. The hearing was supposed to be for questioning FBI Director James Comey about the dust up between the government and Apple over backdooring iPhones, except Comey essentially answered every question by shrugging his shoulders. Frustrated, the questioners turned to Brennan and Ledgett.

The oddest part came at the end, after everyone realized that Comey wasn’t actually going to say anything substantive. At that point, members of Congress asked CIA Director John Brenner and NSA Deputy Director Rick Ledgett about terrorists “going dark” by using encryption technology. “Going dark” has become an intelligence community slogan, a phrase to describe what happens when it has the legal means to search and intercept digital communications but can’t technically do it because of security protections.

“The ability of these terrorists to communicate with one another that makes it very difficult to uncover has been increasing. It’s very frustrating but very concerning,” Brennan said. “They follow the press, they follow these discussions.”

Ledgett poked his finger at the media even more explicitly. “We track when our foreign intelligence targets talk about the security of their communication,” he said. “And we see a growing number of them, because of what’s in the press about the value of encryption, moving towards that.”

Are we really to believe that the same terrorists of whom the American public ought be so terrified are chiefly informed as to their technological tactics by media and technology outlets? The suggestion appears to be that terror groups were unaware of encryption before coming across reporting on them. Reporting that really only ramped up, mind you, after intelligence officials falsely invoked encryption as the danger. In what world does that timeline result in the media being to blame for terrorists using encryption?

And, more interestingly, what would Brennan and Ledgett have happen, assuming anyone believed this nonsense? Is there to be a moratorium on discussing technology in the press? Some kind of strange silent treatment given to a technology that is in widespread use for all manner of legitimate reasons? What is the point of the comment? It can't accomplish anything, other than to attempt to distract the public from the failings and lies of these same intelligence agencies for a moment.

Neither Brennan or Ledgett specified which reports were believed to be frequently dog-eared on ISIS squatters, but that doesn’t matter. Extremists are interested in privacy tools, and media reports on privacy tools. Saying that they read about which tools to use is just saying that any group with goals attempts to find information that will help achieve those goals. Implying that media reports are aiding and abetting the enemy—not to mention the notion that reports highlighting privacy protections are somehow devious—is just unfair and chilling.

And not only that, but also consider that it will achieve no end. Trying to reduce discussions about encryption doesn't eliminate the technology itself. Try picturing an ISIS operation planner saying, "Man, we wanted to hide our communication, but we couldn't find anything about it on Techdirt so we gave up." If you can do so without laughing, it might be time for a brain tune-up, because something in your head is askew.

The point is that blaming the media is a tactic best left to talk radio shows. Our intelligence officials ought to be able to do better.

Filed Under: cia, encryption, isis, john brennan, media, nsa, rick ledgett, terrorists

White House Asked Google & Facebook To Change Their Algorithms To Fight ISIS; Both Said No

from the overreaction dept

Earlier this year, we wrote about how ridiculous the federal government's view of Silicon Valley seemed to be, in that they had this weird belief that by nerding a little harder, we could somehow "disrupt" ISIS. The thinking seemed confused, and somewhat typical of people who don't understand technology or how Silicon Valley works. It's "magic wand" thinking. People who don't understand technology tend to view technology as a sort of magic -- and thus, they assume it can do anything. And, right now, a bunch of those people in the White House want that magic wand to make ISIS disappear from the Internet.

Buzzfeed's Sheera Frenkel has a great detailed report looking "inside" the administration's attempt to have Silicon Valley help in the fight against ISIS. The main focus of a (not very secret) meeting held on Wednesday seemed to be entirely about fighting ISIS propaganda with American propaganda. As if that ever works. And, from the sound of it, the meeting was equally clueless about why ISIS propaganda is effective, while American propaganda flops.

“They wanted to figure out how to fight ISIS online, how to understand the psychology of those who support ISIS, and they invited almost no one who speaks for those of us in the Arab world, and from Arab communities, who have everything to lose from ISIS’ growing popularity,” said one Arab attendee, who estimated that less than 10% of the attendants were of Middle Eastern descent. “They don’t understand this community. That has been proven time and time again with their tone deaf messages. Why hold an event like this where there are ten white men outnumbering every Arab?”

Instead of taking on the real challenges and understanding why ISIS propaganda is effective (or even recognizing that it's likely not nearly as effective as they fear), the White House officials went for the pointless superficial plan: maybe try to make Google and Facebook change their algorithms to play up anti-ISIS stuff and play down pro-ISIS stuff. This is a profoundly ignorant idea, and thankfully one that both companies told the White House was not in the realm of reasonable:

Tech executives who have met with the Pentagon team told BuzzFeed News that some of their requests have been “jarring.” In at least one case, the Pentagon spoke with several companies — who asked not to be named as a condition of discussing the meeting with BuzzFeed News — about tweaking their algorithms to promote certain types of content. Both Google and Facebook have made it clear that they would not make changes to their algorithms to bury results supportive of ISIS.

“That’s something that is always brought up in meetings. And it shows how little they understand us,” said the Google representative. “This is a pandora’s box we won’t open, because if we answer a request by the U.S. government to feature one search result over another what’s to stop other countries from requesting the same? What’s to stop each country from tailoring the search results of their citizens to their agenda? It’s not a path we are willing to explore.”

Of course, to be fair, Google already cracked open that Pandora's box when it allowed its search results to be impacted by copyright takedown requests.

Even so, as the quote above notes, even suggesting this to companies is profoundly pointless. Not only is it a bad idea for the precedent it sets, it's unlikely to work at all. It's magic wand thinking of desperate people who don't want to actually confront the real reasons why ISIS has been successful.

Oh, and of course, the decision to force Apple to hack into the iPhone isn't helping matters at all if the federal government wants Silicon Valley to "work" with the government on this issue.

“It’s like, you’ve been asked to partner up and dance with the bully at school who keeps trying to trip you in the hallways,” one attendee told BuzzFeed News after the event. “And even though you want to learn to dance there isn’t a lot of trust to build on.”

An attendee from the government side told BuzzFeed News by phone, “We need help, but it’s like, one part of government keeps fucking this up for other parts of government. We can’t seem to get it right.”

We keep hearing from the White House how Silicon Valley has to stop treating the government like an adversary, and the only proper response to that needs to be: you first.

Filed Under: algorithms, extremism, isis, search, social media, white house
Companies: facebook, google

Senator John McCain Weighs In On 'Going Dark' Debate -- Insists That He Understands Cryptography Better Than Cryptographers

from the maverick dept

Who knew that Senator John McCain understood encryption better than actual cryptographers? Late last week, he wrote an op-ed for Bloomberg View, in which he trots out all the usual talking points on how Silicon Valley just needs to nerd harder to solve the "Going Dark" problem. There's lots of cluelessness in the piece, but let's focus on the big one:

Top cryptologists have reasonably cautioned that “new law enforcement requirements are likely to introduce unanticipated, hard to detect security flaws,” but this is not the end of the analysis. We recognize there may be risks to requiring such access, but we know there are risks to doing nothing.

Actually, it kind of is "the end of the analysis" because the core element of that analysis is the fact that any attempt to backdoor encryption doesn't just make security weaker, it puts basically everyone at much greater risk. It introduces cataclysmic problems for any system that stores information that needs to be kept secure and private.

The following sentence is equally inane, in which he tries to place the "risks" of backdooring encryption on the same plane as the risk of ISIS using encryption. Let's be clear here: the risk of backdooring encryption isn't just significantly larger than the risk of ISIS using encryption, they're not even in the same universe. Even worse, by backdooring encryption, you are almost certainly increasing the risk of ISIS as well, by giving them a massive vulnerability to attack and exploit. Trying to suggest that this is an "on the one hand, on the other hand" situation is so ridiculously ignorant, one wonders who the hell is advising Senator McCain on this topic.

The fact is that there are always some risks. Tens of thousand of people die in car accidents in the US every year, yet you don't hear Senator McCain weighing the risks of driving versus the risks of banning cars. And that's a much more reasonable position to stake out, because banning cars would actually reduce automobile deaths — but it would also cripple the economy. But here's the thing: backdooring encryption has the potential to do much more damage to the economy than banning automobiles, because it would create vulnerabilities that could really completely shut down our economy. So, for McCain to pretend that there are somewhat equal risks on either side isn't just ignorant and meaningless, it's dangerous.

Some technologists and Silicon Valley executives argue that any efforts by the government to ensure law-enforcement access to encrypted information will undermine users’ privacy and make them less secure. This position is ideologically motivated and profit-driven, though not without merit. But, by speaking in absolute terms about privacy rights, they bring the discussion to a halt, while the security threat evolves.

Honestly, this is not true. I know that Comey's favorite line these days is that using strong encryption is a "business model decision," but Silicon Valley's interest in strong encryption doesn't appear to be driven by their own bottom lines, frankly. If it was, they would have adopted it much earlier. Strong encryption actually undermines some companies' business models, in that it makes it more difficult for them to collect the data that many of them rely on. The move towards stronger encryption has mostly been the result of a few things: (1) the fact that the NSA broke into their data centers and put their legitimate users at risk, (2) a better understanding of the wider risks from malicious attackers of what happens when you have weak encryption and (3) user demands for privacy. The last one may have indirect business model benefits in that it keeps users happier, but to argue that keeping users happy is somehow a purely money-driven decision, and frame it as somehow a bad thing, is pretty damn ridiculous.

And, honestly, while there are some activists who speak in absolute terms about "privacy rights," you rarely hear that from Silicon Valley companies. In fact, those who have absolute views on privacy tend to be the most critical of Silicon Valley companies for taking a much less principled view on "privacy rights." McCain pretending that this is driven by some sort of "privacy rights" advocacy suggests he's (again) woefully misinformed on this issue.

To be clear, encryption is often a very good thing. It increases the security of our online activities, provides the confidence necessary for economic growth through the Internet, and protects our privacy by securing some of our most important personal information, such as financial data and health records. Yet as with many technological tools, terrorist organizations are using encryption with alarming success.

Actually, they're not using encryption with "alarming success." There are very, very, very, very few examples of terrorists using encryption successfully. The Paris attackers? Unencrypted SMS. San Bernardino? Unencrypted social media communication.

The jihadists' followers and adherents use encryption to hide their communications within the U.S. FBI Director James Comey recently testified that the attackers in last year's Garland, Texas, shootings exchanged more than 100 text messages with an overseas terrorist, but law enforcement is still blinded to the content of those texts because they were encrypted.

Notice that this is the only example that comes up in these discussions. That's because it's the only example. And it's not even a very good one. Because, as with most encrypted communication, the metadata was still perfectly accessible. That's why they know that the attackers exchanged messages with a terrorist. Sure, they may not be able to understand the direct contents of the message, but the same thing would have been true if the attacker and the people he communicated with had worked out a code before hand. Or, you know, if they had met and talked in person. Is McCain going to ban talking in person too?

Finally, McCain's "solution" to all of this is to make a law telling Silicon Valley to nerd harder and solve the problem... or else:

As part of this effort, Congress should consider legislation that would require U.S. telecommunications companies to adopt technological alternatives that allow them to comply with lawful requests for access to content, but that would not prescribe what those systems should look like. This would allow companies to retain flexibility to design their technologies to meet both their business needs and our national security interests.

In other words, despite the fact that all of the best cryptographers in the world have said that what you're asking for is basically impossible and would make everyone less safe, just do it anyway -- and do it in a way that when it falls apart and everyone is made more vulnerable, Congressional leaders like John McCain can spin around and blame the companies rather than themselves.

We have to encourage companies and individuals who rely on encryption to recognize that our security is threatened, not encouraged, by technologies that place vital information outside the reach of law enforcement. Developing technologies that aid terrorists like Islamic State is not only harmful to our security, but it is ultimately an unwise business model.

Does John McCain seriously not employ a single knowledgeable staffer who could point out to him that basically every encrypted technology that ISIS uses is not made by an American company? Seriously, look at the list of ISIS's preferred encryption technologies: So who, exactly, is developing technologies that "aid terrorists like Islamic State" and need their encryption undermined?

Meanwhile, we haven't even touched on the biggest issue, as was highlighted in that big paper from Harvard last week. And it's this: the whole Going Dark thing is a total myth, because for the tiny, tiny, tiny bit of information that is now blocked out by strong encryption, there's a mountain of other data that is now accessible to law enforcement and the intelligence community. Things have been getting lighter and lighter and lighter for decades.

Shouldn't a sitting Senator understand these basic facts?

Filed Under: benefits, costs, cryptography, encryption, going dark, isis, john mccain, national security, risk, security, threat

Moral Panics: Twitter Feels Compelled To Tell You It's Deleted Over 125,000 Terrorist Twitter Accounts

from the what-good-has-that-really-done? dept

It seems we've entered the next big moral panic: the fact that terrorists like ISIS use social media. It's a point of contention that keeps coming up, leading Presidential candidates to talk about stopping terrorists from using the internet. There was a whole big "summit" between White House officials and tech execs in which questions were raised about blocking ISIS from using social media. And, then, of course, you've even had some tech company execs support the idea.

And now, the inevitable followup on this is tech companies feeling the need to show just how "tough on terrorism" they are by highlighting how many people they've kicked off their service. Up first, Twitter. The company was just recently sued by a woman who lost her husband to an ISIS attack, in which she claims that Twitter is guilty of material support for terrorism, because it allowed ISIS to use Twitter to grow. And so now, Twitter feels the need to proudly highlight the removal of 125,000 terrorist accounts:

e condemn the use of Twitter to promote terrorism and the Twitter Rules make it clear that this type of behavior, or any violent threat, is not permitted on our service. As the nature of the terrorist threat has changed, so has our ongoing work in this area. Since the middle of 2015 alone, we’ve suspended over 125,000 accounts for threatening or promoting terrorist acts, primarily related to ISIS.

Our efforts have not stopped there. We have increased the size of the teams that review reports, reducing our response time significantly. We also look into other accounts similar to those reported and leverage proprietary spam-fighting tools to surface other potentially violating accounts for review by our agents. We have already seen results, including an increase in account suspensions and this type of activity shifting off of Twitter.

Every company, of course, has the right to determine who can and who cannot use their service, but is this really the best response? Hell, just recently there was a situation in which an ISIS leader used Twitter and other social media platforms to try to urge more Muslims to join ISIS, and it turned into a ton of Muslims totally mocking ISIS. When you start deleting accounts, you lose out on those kinds of interactions, which I would imagine are ridiculously more powerful than shutting down accounts of terrorists who will simply open up a new one hours later.

On top of that, merely deleting those Twitter accounts actually hides some information that can be used to track down ISIS members and see what they're doing. Obviously no one wants to be seen "supporting" ISIS, but building a moral panic over the fact that they happen to use social media to spread idiotic ideas hardly seems helpful. If anything, it suggests that their messages are a lot more powerful than they really are. Shutting them down makes them think that what they're saying is having an impact. Mocking them and laughing at them (or even ignoring them) shows that it's having the opposite effect.

But, of course, for much of the media and many politicians, such nuance is not allowed. Instead the focus needs to be on shutting such accounts down. And that leads you to silly announcements like Twitter's from last week.

Filed Under: counterspeech, deleting accounts, free speech, isis, material support, moral panic
Companies: twitter

ISIS's Encrypted Messaging App Isn't Real; But Backdooring Encryption Still Won't Help The NSA

from the be-real dept

So we recently reported on a claim that ISIS had been spotted making use of their very own encrypted messaging app, and highlighting how totally useless US laws requiring tech companies to backdoor encryption would be in that situation. However, it turns out that we should have been a lot more skeptical of the original report, coming from a single sourced security company. Over the years, we've learned that single-sourced security company claims are often highly suspect, and designed much more to get attention or increase FUD, than based on any real issue. The good folks over at Daily Dot are now reporting that this encrypted messaging app doesn't really appear to exist, and their investigation is pretty thorough and fairly convincing. Just like the claims that ISIS had a "training manual for encryption," this claim appears to be false.

That said, it still doesn't mean that ISIS is actually relying on encrypted apps that would be opened up by a US legal change requiring encryption backdoors. As we noted in our last post, research from the Open Technology Institute showed that almost all the popular encrypted communications app that were named as being used by ISIS were either open source or not maintained by a US company, meaning any such law would be basically meaningless to ISIS folks trying to communicate. And given the open source nature of many of those apps, it wouldn't be surprising at all to find out that, eventually, someone forks an existing project to create a separate one relied on by ISIS. And none of that would be impacted by US laws anyway. So the only impact would be on weakening the safety and security of Americans who rely on encryption every day to keep themselves safe.

Filed Under: backdoors, encryption, going dark, isis, messaging

ISIS Now Has Its Own Encrypted Messaging App; Doubt They'll Abide By Politicians' Demands For Backdoors

from the just-saying... dept

As law enforcement and politicians still keep pushing American companies to backdoor encryption, making the technology less secure and more dangerous for everyone, no one has explained how this will actually help in stopping terrorists from communicating secretly. Back in December, the Open Technology Institute released a paper that detailed how so many encrypted messaging systems were either open source or not controlled by US companies. It even took a WSJ report on the messaging apps that ISIS apparently was "recommending" to people and noted how most of them are not controllable by US laws: And, of course, it should come as little surprise that some security folks are reporting that they've spotted a new secure messaging app that appears to have been created by ISIS itself:

ISIS has a new Android app for exchanging secure messages, joining another app that distributes propaganda and recruiting material, according to a counterterrorism network called the Ghost Security Group.

While the report notes that the app is "rudimentary" that doesn't mean it won't be improved over time. But, more importantly, it highlights that efforts to backdoor or undermine encryption on American companies certainly won't do a damn thing to stop ISIS from communicating securely. Yes, some will argue that ISIS' homegrown encrypted messaging apps are probably much more vulnerable to NSA cracking, but it still doesn't change the fact that demanding backdoors into US companies messaging systems won't magically lead to uncovering ISIS communications. It will just make Americans less secure.

Filed Under: back doors, communications, encryption, going dark, isis, messaging