Following Paris attacks, encryption services face new scrutiny
Four days after the Nov. 13 terrorist attacks that shook Paris, Pavel Durov, the founder and CEO of the messaging app Telegram, posted a photo on Instagram of himself on a balcony in France. In the image, he is dressed in black and looking off to the side, the Eiffel Tower in the background framing his stoic expression. If you saw it at a glance, you’d think it was a tribute to the mourning nation. But then there’s this caption:
“I think the French government is as responsible as ISIS for this, because it is their policies and carelessness which eventually led to the tragedy,” it reads. “They take money away from hardworking people of France with outrageously high taxes and spend them on waging useless wars in the Middle East and on creating [a] parasitic social paradise for North African immigrants. It is a disgrace to see Paris in the hands of shortsighted socialists who ruin this beautiful place.”
Though otherwise confusing, the statement made one thing clear: Durov would rather blame the tragedy that had befallen Paris on French taxes than call attention to the way members of the Islamic state have taken to using his encrypted messaging app to communicate.
As questions continue to be raised about how the Paris terrorist attacks were coordinated out of sight of international intelligence agencies, top-level security officials have pointed to the use of encryption as a major obstacle in tracking terrorist activity. Admittedly, reports of how the attacks were organized have not identified any usage of encrypted communication. Instead, the New York Times has reported that one man involved in the scheme used Facebook to communicate with ISIS operatives in Syria. Police also found an unencrypted cellphone near the Bataclan concert hall, which showed trackable phone calls and SMS messages sent among the attackers.
Nevertheless, leaders of encrypted technology companies are now facing increased scrutiny and are being asked to defend products that — although created for privacy-minded citizens, journalists and political activists — have the potential to facilitate deadly attacks.
In Durov’s case, that threat has encouraged Russian lawmakers to suggest shutting down services like Telegram altogether (to which he responded sarcastically, “I propose banning words. There’s evidence [to suggest] that they’re being used by terrorists to communicate”). In the United States, concerns over security have led the FBI, CIA and NSA to call for companies to build “backdoors” or trusted man-in-the-middle surveillance into encrypted communications, to which the intelligence agencies would be able to gain access with a court order.
Law enforcement concerns are not entirely unfounded. Some of the same services that provide encryption also host public channels used for propaganda. A little over a week after the Paris attacks, Telegram announced that it had blocked at least 242 public ISIS-related broadcast channels. But as for regulating potential private, encrypted conversations between members of ISIS, Durov would only say “privacy is paramount.”
The spotlight on Telegram is one that has inspired passionate debate among privacy advocates and security officials, highlighting an essential question in the age of sophisticated government surveillance: Should private encryption companies be responsible for terrorists’ use of their platforms? And if so, how can they prevent them from using their services without compromising the security of the rest of their users?
Durov’s two-year-old startup is only one example. According to several analysts interviewed by Yahoo News , encryption guides are increasingly being circulated within known ISIS forums. One document that has been passed around between members of the terrorist group — originally written by a Kuwaiti security firm named Cyberkov for journalists and activists but co-opted for terrorist use — lists more than 40 consumer products from around the world.
Some established companies mentioned on the list, like Twitter, have been under pressure by Congress and outside groups since early 2015 to crack down on the tens of thousands of ISIS-owned accounts that distribute propaganda online. Others, like Apple, have refused to create backdoors in their encryption processes — causing critics, like Clare Foges, a former speechwriter for British Prime Minister David Cameron, to condemn tech giants’ advanced encryption practices for providing a “safe space for terrorists to plan bloodshed on an industrial scale.”
But many smaller encryption firms have yet to feel pressure from law enforcement to do the same. Yahoo News reached out to more than 20 companies mentioned in the Cyperkov report regarding these concerns. The majority of the responses, some of which are provided below, indicate that though security companies are willing to cooperate with law enforcement regarding terrorist activity in their networks, they do not — and often cannot — actively monitor for terrorist activity.
Take, for instance, the secure Web browser Opera. The free, downloadable consumer product has about 350 million global users and provides features that give people the option to easily remove the collection of private data picked up from browsing history or tracking cookies. Spokesperson Falguni Bhuta says the company has no technical structure in place to “monitor or block” the usage of its products by specific people or groups.
“Although we are not aware of any terrorists using our products, we cannot rule it out,” she told Yahoo News via email.
This uncertainty is common among security firms. In the case of Avast — a Czech Republic-based company whose virtual private network (VPN) product was recommended in the aforementioned encryption guide — precautions to prevent terrorists from using its product can go only so far. CEO Vince Steckler told Yahoo News that, for all paid product sales, the company requires customers to be screened against lists of known or suspected terrorists (for instance the U.S.’s Denied Persons List). This process is similar to that of encrypted hardware companies, like Cryptophone, which does not ship to conflict areas and is subject to German and European export rules. Steckler says these measures do not always guarantee that all customers have innocent intentions.
“No list is foolproof,” he said via email. “We cannot protect where false IDs or stolen credit card data is used.”
The company says it is “not technically possible” to reveal the information transmitted via its VPN. Instead, depending on information provided to the company, it can identify a range of IP addresses or sometimes a single device and therefore provide some government assistance if needed. Though Steckler was “disturbed” to see his company’s name on a guide used by ISIS, he says the software itself is designed to prevent extensive snooping.
“It is in the nature of these sorts of products that they cannot be policed,” he said. “Unfortunately, we live in a time where we see good software products designed for good purposes being used for malicious intent.”
Some companies, like encrypted email service ProtonMail, enforce a zero-tolerance policy against illegal uses. CEO Andy Yen says that though he is not aware of any terrorist usage of his product, other accounts used for illegal purposes are immediately disabled, “in contrast to other private email companies who more actively shelter and cater to criminal users.”
Though Yen says his company does not have the technical ability to decrypt the content of messages sent through his company’s system, he has cooperated with law enforcement in the past by deleting accounts the company has flagged. He warns that calls to heavily regulate encryption — enhanced by the Paris attacks — are misguided. “With or without ProtonMail, ISIS will continue to have encrypted communications capabilities, in the same way that they will continue to have access to weapons no matter how many gun laws you put in place,” he said. “Banning encryption would certainly lead to an increase in cyberattacks, data breaches, and put an end to secure online banking or online shopping — not to mention placing many at-risk activist groups in danger.”
In most cases, the requests of government officials may be in direct conflict with business interests — an issue often overlooked in the debate for encryption regulation. Sean Sullivan, the labs security adviser for F-Secure, a Helenski-based company that provides a variety of security software to individuals and businesses, says that as lawmakers push to find solutions in this area, they must also consider the costs they impose on smaller tech companies.
“Every new company coming down the pipeline will have less and less of a need business-wise and security-wise to [create a way into their systems],” he told Yahoo News. “So the lawmakers are fighting a lost cause.”