The Crypto Wars Come to San Bernardino

http://foreignpolicy.com/2015/12/08/the-crypto-wars-come-to-san-bernardino/

Attacks in Paris and California have renewed calls for government access to encrypted communications.

BY ELIAS GROLLDECEMBER 8, 2015

First, Paris. Now, San Bernardino. In the span of less than a month, gunmen inspired by or with links to the Islamic State have emerged from the shadows to surprise Western intelligence agencies and carry out mass slaughter. In the aftermath of each attack, political leaders have seized upon the role of the Internet and encrypted communication tools — both in spreading the Islamic State’s ideology and allowing plots to be developed under cover.

U.S. officials have repeatedly warned in recent months that the growing availability of encrypted communications has made it more difficult to detect and thwart terrorist attacks. And in a prime-time address Sunday, President Barack Obama said he will urge “high-tech and law enforcement leaders to make it harder for terrorists to use technology to escape from justice.”

“As the Internet erases the distance between countries, we see growing efforts by terrorists to poison the minds of people like the Boston Marathon bombers and the San Bernardino killers,” Obama said.

In the case of the 2013 attack at the marathon’s finish line, which killed three and injured more than 250, prosecutors said Dzhokhar Tsarnaev embraced a radical, violent interpretation of Islam in part by consuming online the sermons of radical preachers, including those of American-born Anwar al-Awlaki. 

In San Bernardino, it remains unclear how the attackers, Tashfeen Malik and Syed Rizwan Farook, a married couple, adopted a violent outlook or whether encrypted communication allowed them to evade U.S. law enforcement. U.S. officials have said they have no evidence the shooters communicated with an international terrorist group. Malik declared her allegiance to the Islamic State on Facebook. 

U.S. investigators are examining whether Malik was what the Wall Street Journal described as the “driving force” behind the shootings. It remains unclear at what point in her life she embraced a violent ideology and whether she did so online through the voluminous propaganda campaign of the Islamic State. The group has welcomed the attack and claimed responsibility for it. 

“Both subjects were radicalized and have been for quite some time,” David Bowdich, the assistant director in charge of the FBI’s Los Angeles office, told reporters Monday. “How did that happen and by whom and where did that happen? I will tell you right now, we don’t know those answers at this point.”

Nevertheless, American political leaders have seized on San Bernardino as proof more needs to be done to counter the Islamic State’s online army. On Tuesday, Sen. Dianne Feinstein, the ranking member of the Senate Intelligence Committee, introduced a measure requiring social media companies to report terrorist activity that appears on their platforms. In a speech Sunday, Democratic presidential front-runner Hillary Clinton called for “depriving jihadists of virtual territory, just as we work to deprive them of actual territory.”

Clinton singled out American tech companies to use some of their ingenuity against the activities of the Islamic State, also known as ISIS. “Technology’s often called the great disrupter,” she said. “But we need to put the great disrupters to work in disrupting ISIS.”

But as Clinton acknowledged, cracking down on communications technology carries with it not only difficult technical problems but also political hurdles: “You’re going to hear all of the usual complaints, you know, freedom of speech, etc.”

Applications such as WhatsApp, iMessage, and Signal have made encrypted communications more accessible than ever, and law enforcement officials say they frequently cannot access the information they need from suspects’ phones, even with a valid court order. This has led to calls within Congress to allow American technology giants — including, most importantly, Apple — to decrypt user data on demand.

But building a backdoor into encryption raises huge privacy problems. Computer security experts say there is no way to build an encryption system that allows for decryption on demand without creating a high risk that hackers will also be able to decrypt that information. Companies and individuals routinely encrypt corporate, financial, and personal information for security reasons, and creating a backdoor into such systems risks allowing hackers and spies to break into a wide variety of data.

In a speech Monday, House Homeland Security Chairman Michael McCaul (R-Texas) announced plans for legislation to create a “commission on security and technology challenges in the digital age” to balance privacy interests with national security concerns. 

“No longer do terrorists plot using couriers and caves. Today, they hide their messages in ‘dark space,’” McCaul said. “A legislative knee-jerk reaction could weaken Internet protections and privacy for everyday Americans, while doing nothing puts American lives at risk and makes it easier for terrorists and criminals to escape justice.”

Indeed, how to strike a balance between those priorities remains a thorny problem. In October, the White House concluded it would not seek legislation to force American tech companies to unlock user communications for law enforcement and intelligence agencies.

Pressed by reporters Monday over whether Obama had in his Sunday address embraced a more aggressive approach to encryption, White House press secretary Josh Earnest said, “We’re going resist the urge to go and trample a bunch of civil liberties here.” He said companies such as Facebook and Twitter have an “interest in not seeing these tools be used to incite or radicalize or call for people to carry out acts of terrorism.”

Facebook spokesman Andrew Souvall said the social media giant “has zero tolerance for terrorists, terror propaganda, or the praising of terror activity and we work aggressively to remove it as soon as we become aware of it.”

“If we become aware of a threat of imminent harm or a planned terror attack, our terms permit us to provide that information to law enforcement and we do,” Souvall wrote in an email.

It appears social media companies are doing more than ever to combat the Islamic State’s online presence, according to a Reuters report Monday. Firms such as Facebook, YouTube, and Twitter are more aggressively using their own terms of service to remove terrorist content and are working with the government behind the scenes to identify and delete jihadi messages.

That commitment is not enough for lawmakers like Feinstein, who had pushed the reporting requirement as part of the intelligence authorization bill that passed the committee earlier this year but was removed amid objections.

“We’re in a new age where terrorist groups like ISIL are using social media to reinvent how they recruit and plot attacks,” Feinstein said in a statement Tuesday, using an alternate acronym for the Islamic State. “That information can be the key to identifying and stopping terrorist recruitment or a terrorist attack, but we need help from technology companies. This bill doesn’t require companies to take any additional actions to discover terrorist activity, it merely requires them to report such activity to law enforcement when they come across it.”