Obama Stokes Crypto Debate

Encryption , Technology

'Make it Harder for Terrorists to Use Technology to Escape from Justice,' Obama Urges Obama Stokes Crypto DebatePresident Obama delivers his Dec. 6, 2015, address from the Oval Office.

President Obama is once again calling on Silicon Valley to help law enforcement and intelligence agencies monitor encrypted communications as well as for signs of terrorist-related activity, warning that terrorism in the United States "has evolved into a new phase." His Dec. 6 appeal was delivered in a rare address from the Oval Office, and followed last week's shootings in San Bernardino, Calif., which left 14 people dead and 21 injured.

See Also: Proactive Malware Hunting

"I will urge high-tech and law enforcement leaders to make it harder for terrorists to use technology to escape from justice," Obama said in his televised speech, thus setting the stage for further debates about whether information security can be meaningfully balanced with weakened cryptography (see Paris Attacks Reignite Encryption Debate).

Authorities have said that the San Bernardino shootings were carried out by a husband and wife, who attacked a holiday party with assault rifles and handguns, before themselves dying just four hours later in a shootout with police. Reacting to those events, and the need to curb radicalization and the flow of extremist ideology in any community, Obama also cautioned against overreach. "Let's not forget that freedom is more powerful than fear," he said.

Obama's call for the technology community to work with the government follows similar entreaties from government officials and lawmakers in both the United States and Europe, following the Nov. 13 terror spree in Paris that killed 130 people. And as part of his administration's approach to combating terrorism - including that perpetrated by the Islamic State group, also known as ISIL, ISIS and Daesh - Obama noted that the United States, among other strategies, had already "surged merged intelligence sharing with our European allies ... to counter the vicious ideology that ISIL promotes online" (see Threat Intelligence Lessons from Paris Attacks).

The Never-Ending Crypto Debate

In the wake of both the San Bernardino and Paris killings, many officials have stated that attackers might have used encryption to mask related planning, although provided no evidence to support those assertions. Even so, that has reignited the long-running debate over whether technology firms should - or should not - encrypt data and communications (see After Paris Attacks, Beware Rush to Weaken Crypto).

Over the past year, however, information security experts have continued to stress that even if terrorists do use encrypted communications to organize their plots, any attempt to ban the use of encrypted communications would do nothing to stop the illegal use of such tools (see Why 'Cryptophobia' Is Unjustified). Furthermore, they say, attempting to build in a so-called backdoor for government access would likely make law-abiding businesses and individuals far less secure against online attacks launched by criminals or other nations (see Sea-to-Sea: China Hacks in U.S.).

But Christopher Soghoian, the principal technologist at the American Civil Liberties Union, suspects that U.S. officials are attempting to get technology firms to not weaken encryption, but at least to disable it by default, which would make it easier for government agencies to monitor less-security-savvy users.

Rhetoric aside, the national security community isn't trying to ban strong encryption, just pressure tech firms to not enable it by default.

The Telegram Question

Since the Nov. 13 Paris attacks, authorities have released no evidence that those attackers employed encrypted communications, although ISIS - in general - has been known to use the free ephemeral messaging app Telegram developed by Berlin-based brothers Pavel and Nikolai Duro. Its creators promise that "Telegram is more secure than mass-market messengers like WhatsApp and Line" and note that their app's chats "use end-to-end encryption, leave no trace on our servers, support self-destructing messages and don't allow forwarding." They have also offered $300,000 to anyone who can decipher Telegram messages.

Despite how the app is marketed, however, multiple information security experts have questioned whether it - and by extension, many types of encrypted communications tools - are really so well-designed that law enforcement and intelligence agencies cannot already eavesdrop on them. Johns Hopkins University cryptography professor Matthew Green, for one, notes that while the user experience - UX - is well-designed, he has serious questions about the efficacy of Telegram's homebuilt encryption protocol.

@csoghoian @tqbf The UX is nice. The crypto is like being stabbed in the eye with a fork.

"Personally, I wouldn't trust the encryption protection in Telegram against a nation-state adversary," says the operational security expert Thaddeus Grugq - better known as "the grugq" - in a blog post. In particular, he notes that while the app might be able to hide what's being said, it nevertheless generates a large amount of metadata. "This metadata would expose who talked with whom, at what time, where they were located (via IP address), how much was said, etc. There is a huge amount of information in those flows that would more than compensate for lacking access to the content (even if, big assumption, the crypto is solid)."

FBI Recovers Smashed Cellphones

Authorities to date have detailed no evidence suggesting that the San Bernardino attackers - named by authorities as Tashfeen Malik, 27, and her husband Syed Farook, 28 - used encrypted communications. But like many criminals, they did apparently attempt to hide their communications trail, after the fact.

imagePictured: Tashfeen Malik and Syed Rizwan Farook in undated photographs. (Sources: FBI, California DMV)

"We have ... uncovered evidence that [the shooters] attempted to destroy their digital fingerprints. For example, we found two cellphones in a nearby trash can," David Bowdich, assistant director of the FBI's Los Angeles office, said in a Dec. 4 press conference. "Those cellphones were ... crushed, we have retained those cellphones, and we do continue to exploit the data from those cellphones. We do hope that the digital fingerprints that were left by these two individuals will take us toward their motivation."

In terms of motivation, Malik reportedly took to Facebook - using an alias - to pledge allegiance to the leader of ISIS just prior to the massacre, anonymous law enforcement sources told NBC News. Bowdich said the FBI is still investigating that report. But using social media is completely different from encrypting one's communications, not least because Facebook and Twitter do monitor posts for signs of terrorism-related activity and at least expunge some related posts.

Social Media Monitoring

The Republican-controlled House Committee on Foreign Affairs is set to vote Dec. 9 on what chairman Ed Royce, R-Calif., says is legislation designed to "combat terrorists' use of social media." Past proposals - none of which have been voted into law - would have required Facebook, Twitter, YouTube and their ilk to notify the government of any apparently pro-terrorism content they found.

This issue has also now become part of the November 2016 presidential election landscape. "We're going to need help from Facebook and from YouTube and from Twitter," candidate Hillary Clinton, the front-runner in the Democratic race, said Dec. 6 on ABC's "This Week."

"They're going to have to help us take down these announcements and these appeals," she said.

But Reuters reports that social networks are already taking down more propaganda than ever before, often working with law enforcement agencies and activists. "If there's a broad trend, it's that companies have become more willing to take things down that are somehow involved in terrorist recruitment or propaganda," Andrew McLaughlin, executive chairman of media-sharing site Digg, as well as a former Google executive and deputy CTO at the White House during Obama's first term, tells Reuters.

Google and Twitter didn't immediately respond to a request for comment on either Obama's speech or Clinton's comments.

But a Facebook spokeswoman tells Information Security Media Group: "We share the government's goal of keeping terrorist content off our site. Facebook has zero tolerance for terrorists, terror propaganda, or the praising of terror activity and we work aggressively to remove it as soon as we become aware of it," she says. "If we become aware of a threat of imminent harm or a planned terror attack, our terms permit us to provide that information to law enforcement and we do."