29 June 2017

*** Technology Helps the Lawless Find Digital Safe Spaces

By Scott Stewart

Advancements in digital encryption will soon put the communications of terrorists and other criminals beyond the reach of law enforcement. And in the wake of the London Bridge attack on June 3, United Kingdom Prime Minister Theresa May pledged to work with democratic governments on cyberspace regulations to prevent the spread of extremism and terrorist planning. The press and privacy advocates criticized her when she suggested that internet encryption was providing "safe spaces" for terrorists to operate.

During interviews with U.S., British and other media outlets after the attack, several journalists asked me what I thought of May's statement, half expecting me to pile on the criticism. Unfortunately, I couldn't, because in many ways I agree with what she's saying. Through digital encryption, terrorists and other criminals will soon have absolute privacy in the digital world — something they've never been able to enjoy in the physical world. The safe spaces, or dark holes, provided by encryption are helping organizations to recruit and equip grassroots terrorist operatives and to direct other operatives with an unprecedented level of security and impunity.

Origins of U.S. Privacy

In the physical world, there has never been absolute privacy. Even under governments created to protect personal liberties and privacy rights, those rights were never intended to be absolute. In the United States, most privacy law is based upon the Fourth Amendment to the Constitution, which reads:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

It's clear that the Constitution permits the government to search an individual's body, home or correspondence if the threshold of probable cause is met. Since the Constitution was ratified in 1788, a tremendous amount of case law has been developed to define exactly what are reasonable — and unreasonable — searches and to define with great specificity the probable cause threshold required to obtain a legal search warrant.
Levels of Privacy.

As a young special agent trainee at the Federal Law Enforcement Training Center, I was obliged to sit through many hours of lectures about the two centuries of Fourth Amendment case law and how it affected my ability as a federal agent to obtain a warrant for evidence. There was essentially no place I could not search if I was able to develop probable cause that a crime had been committed and that I believed a specific piece of evidence pertaining to that crime was in the particular place I sought to search. I could search homes, businesses, cars, safe deposit boxes and other creative hiding spaces, if I could meet the legal threshold of probable cause in the eyes of a U.S. magistrate judge. The judge would then grant me the authority to conduct the search, provided that I returned a copy of the warrant to the magistrate with a detailed list of the specific evidence I had seized. Even a locked safe in a home or business could be searched. To me, a safe is just the physical equivalent of an encrypted hard drive or digital file.

Agents could also do certain types of searches without a warrant based on probable cause. For example, California v. Greenwood (1988) established that a person has no reasonable expectation of privacy for trash left at the curb for pickup. Also, a government agent can request that the U.S. Postal Service do a "mail cover" and record the information on the outside of all letters and packages to a targeted person. It's legal because a person has no reasonable expectation of privacy when it comes to the information on the outside. Only its contents are protected.

And under the Pen Register Act, the government may use a pen register — a device on a targeted phone line that records numbers from all outgoing and incoming calls — if agents can show that the machine is "likely" to indicate criminal behavior. That's an even a smaller legal hurdle than probable cause. In cases such as Smith v. Maryland (1979), it was ruled that while the contents of a phone conversation are protected, the number is not because the person is providing the number to the phone company. To me, pen registers and mail covers are physical analogs to the metadata on electronic communications. And under the "plain view doctrine," I was free to conduct surveillance on suspects from public places as long as I didn't encroach on the boundaries of their residence or use a telescope or other technology to aid my human senses. People have no reasonable expectation of privacy for things they openly display to the public.

In the United States, case law such as Katz v. United States (1967) has codified that what a person seeks to keep private, even in an area accessible to the public, is constitutionally protected. This protection is limited, however, and there are times when the public interest overrides an individual's right to privacy, such as when the government has developed probable cause that an individual has broken the law. In the physical world, there's never been any absolute guarantee of privacy. There's no place the government couldn't go or monitor electronically in search of evidence of a crime if it had the proper warrant. But this is changing.

Criminals and Technology

Since my days as a special agent, new digital encryption technologies have been developed that permit terrorists and criminals to construct internet black holes where the government is unable to search. These are the safe spaces Prime Minister May is talking about.

In my experience, some of the worst offenders were among the first to embrace technology. Jihadists and white supremacists were early adopters of the internet, using Internet Relay Chat rooms in the early 1990s and Usenet later. Jihadist websites such as Azzam.com appeared in 1996, as did the white supremacist website Stormfront — two years before Google was even founded.

Terrorists and criminals have also long recognized the ability of the United States and its partners to monitor internet communications, and over the years they have adopted a wide variety of countermeasures to protect their internet communications. Among these techniques was the use of simple substitution codes such as using "wedding" to mean attack and the use of burner cellphones. Other countermeasures include electronic dead drops, in which messages are saved in the draft folder of a webmail account for a co-conspirator to read but are never actually sent, and steganography, in which a secret message is hidden in an ordinary message.

But none of these tools offered the level of protection given by robust digital encryption. Today terrorists and criminals are using encrypted messaging applications such as Telegram and WhatsApp to communicate and encryption to protect their data. Using steganography, an al Qaeda operative hid digital files in a pornographic movie on a USB drive. The operative was arrested in Germany in 2011, and the files recovered. But strong encryption can render such files unreadable even if the government has a legal right to inspect them as at an international border or with a search warrant for the decoding key. In early 2016, Apple refused the FBI's request to create software to help unlock an iPhone belonging to San Bernardino shooter Syed Farook. The government took the matter to court, and a federal judge ordered Apple to unlock the device. The company appealed the decision, but meanwhile the FBI had turned to a third-party vendor to access the information.

The FBI was lucky in the San Bernardino case because Farook had an older model of iPhone, making it easier to decrypt. But in many other cases, encrypted data has become a black hole where terrorists and other criminals can keep evidence of a crime secret, even in instances where public interest overrides an individual's right to privacy — such as when a terrorist attack is being planned.
Absolute Right to Privacy

When figures such as Prime Minister May or former FBI Director James Comey discuss the challenges that encryption poses for law enforcement, they are frequently criticized in the press by people who embrace the concept that there is now an absolute right to privacy in the digital world. It's a strange paradox that while people are posting more private information than ever in plain view via social media and other technology platforms, they are demanding total privacy in their communications and digital files, which never existed before encryption. With end-to-end encryption, digital communications cannot be monitored, either.

The demand for encryption, of course, is quite understandable. A single hacker can attack targets across the globe. National intelligence services are sucking up huge amounts of data on seemingly everyone as well. But encryption comes with a cost to public safety. The technology continues to advance rapidly and is becoming more pervasive, making it more difficult for governments to monitor communications and break robust coding. Despite legal precedence, common sense and the pleas of politicians, there is no way in practical terms to stop the advancement and adoption of digital encryption. These black holes will become even larger and more widespread, and there is no law or policy change that will reverse the trend.

No comments: