Paris attacks demand ‘wake-up call’ on smartphone encryption

Deadly terrorist attacks on Friday in Paris, apparently planned by ISIS, have ignited a new round of concerns over encryption on smartphones.

“A lot of people in these terror groups have developed encryption techniques, and France has one of the most sophisticated systems for monitoring communications. If France didn’t pick up this attack in advance, it’s a wake-up call for all of us,” said Darren Hayes, assistant professor and director of cybersecurity at Pace University.

Encrypted messages reportedly helped ISIS hide communications prior to the attacks, keeping security agencies from any advance warning of what was being planned. Some experts have blamed the attacks on the growth of cheap or free smartphone apps like WhatsApp or Chatsource that encrypt messages.

REUTERS/Charles Platiau

Other experts on Monday pleaded with lawmakers in the U.S. and other countries to find ways to force private companies like Apple and Google to redesign their operating systems to relinquish encryption keys under court order if a judge decides that gaining access to messages is considered a matter of international security.

ISIS operatives used encrypted messages to go dark and elude intelligence agencies in the days before the bombings and shootings that left 129 dead and many more wounded, intelligence officials said, according to various reports by CBS and others.

Even if various easy-to-get encryption apps were not deployed by ISIS, the group could have built its own messaging encryption that would have been nearly impossible for even sophisticated spy agency servers to break.

Al-Qaeda and ISIS have probably built their own proprietary encryption protocols for Internet and mobile communications, not trusting Western technologies like those in commercial apps, Hayes said. Clamping down or restricting sales of smartphone apps that offer encryption wouldn’t be realistic or even effective in combating proprietary encryption.

Former CIA deputy director Mike Morrell said today on CBS This Morning and on Face the Nation yesterday that there needs to be a public debate about the use of encryption apps to protect privacy. Developers of those apps don’t always give law enforcement agencies the keys they need to read encrypted messages, he said.

Americans have expressed more concern about protecting the privacy of their smartphone data and communications since the Edward Snowden revelations last year, and interest in downloading encryption apps is on the rise, Morrell and Hayes noted.

[ ALSO ON CSO: After Paris, ISIS moves propaganda machine to Darknet ]

Hayes said the issue is less about the developers of encryption apps sharing decryption keys than it is about Apple and Google and public officials allowing encryption on smartphones to be broken when a judge issues a warrant to grant spy agencies access to communications.

Apple and Google both enable disk-level encryption in recent versions of their mobile operating systems; it’s been part of iOS since iOS 4, and part of Android since Android 5.0 (Lollipop). That means a decryption key is kept only on the phone itself, making it virtually impossible for Apple or Google to turn over the key to investigators, Hayes said. BlackBerry offers disk-level encryption, but it can make the decryption keys available to investigators, he said.

“We’ve reached the point [of] no access for [investigating] agencies, even with a warrant in their possession,” Hayes said. “Apple and Google don’t have the key — that’s the problem. The keys to decrypt a phone are stored locally, and the companies no longer hold the keys. They say, ‘Sorry, we can’t help you.'”

“Privacy should absolutely be protected, and data should be encrypted and anonymous. But if a judge is in agreement, then I believe the government can investigate,” Hayes said. “It’s clear from my research that ISIS is using secure mobile devices and either using their own encryption or paying for trusted third-party apps.”

Hayes said IT shops also need to have the ability to decrypt phones, in case they need to obtain access to corporate data encrypted on a worker’s device. “Companies have to be able to investigate the insider threat also,” he said.

Even if a user has a third-party encryption app running on a phone, gaining access to the disk-level encryption would turn the encrypted data from most third-party apps into plain text, he added.

Congress needs to update the Communications Assistance for Law Enforcement Act (CALEA), a wiretapping law first passed in 1994, to help the FBI and others gain the ability to monitor encrypted communications sent wirelessly over different modes, with a judge’s consent, Hayes said. He said the current law has “shortcomings.”

Congress and other policymakers have thus far been ineffectual, he added. “I don’t think anybody is listening to the terror threat,” Hayes said. “I haven’t heard any movement on changes. It’s worrying.”

However, another cybersecurity expert questioned whether there is any solid evidence that ISIS used encryption at all. “I would take claims ISIS used encryption with a grain of salt,” said Matthew Green, an assistant professor at the Johns Hopkins Information Security Institute.

“There’s been a year-long debate on encryption and there’s a kind of vested interest [by security agencies] to find ways to weaken encryption for wiretaps. After any breach, the first thing you hear is that encryption has to be banned,” Green said. “Terrorists are really too hard to find, and the hard part is not wiretapping but finding who to wiretap.”

Getting rid of encryption would “make it easier for vast numbers of people to be spied upon,” Green said. “How to strike a balance is the question. Is getting rid of encryption worth it?”

Jack Gold, an analyst at J. Gold Associates, said the U.S. and much of the world face a serious dilemma in balancing privacy and security when it comes to smartphones.

“It’s a two-edge sword,” Gold said. “The question is what are we willing to give up in privacy to allow law enforcement agencies to be able to read what we send? Even if we do, will the bad guys go along? Do we prevent even the most powerful encryption apps from being deployed? It’s a real dilemma that needs realistic discussion.”