Cracking Open the Encryption Debate, Post-Paris Attacks
The recent attacks in Paris have reopened the debate over whether the government should have expanded abilities to crack open encrypted messages and devices. At a global security forum after the attacks, CIA Director John Brennan said that “there are a lot of technological capabilities that are available right now that make it exceptionally difficult, both technically as well as legally, for intelligence and security services to have the insight they need to uncover [terrorist plots]. And I do think this is a time for particularly Europe, as well as here in the United States, for us to take a look and see whether or not there have been some inadvertent or intentional gaps that have been created in the ability of intelligence and security services to protect the people that they are asked to serve.”
Cryptography researcher Matt Blaze and strategic security consultant Patrick Skinner discuss what role encryption plays in surveillance, security, and privacy.
Matt Blaze is a professor of Computer and Information Science and the Director of the Distributed Systems Lab at the University of Pennsylvania in Philadelphia, Pennsylvania.
Patrick Skinner is the Director of Special Projects at The Soufan Group in Savannah, Georgia.
IRA FLATOW: This is Science Friday, I’m Ira Flatow. After the attacks in Paris last week, government officials here have said that encryption can be a roadblock in obtaining information about these terrorist plots. They’ve called for broadening their abilities to unlock encrypted messages and devices. CIA Director John Brennan addressed this issue at a global security forum just three days after the attacks.
JOHN BRENNAN: There are a lot of technological capabilities that are available right now that make it exceptionally difficult both technically as well as legally for intelligence security services to have the insight they need to uncover it. And I do think this is a time, for particularly Europe as well as through the United States, for us to take a look and see whether or not there have been some inadvertent or intentional gaps that have been created and the ability of intelligence and security services to protect the people that they are asked to serve.
IRA FLATOW: That was CIA Director John Brennan speaking earlier in the week. Now, would expanding the government’s ability to crack open encrypted messages make for better surveillance? How do you balance national security and privacy? My next guests are here to talk about that.
Matt Blaze is director of the Distributed Systems Lab at the University of Pennsylvania in Philadelphia. He joins us here in [? CUNY ?] Studios. Welcome to Science Friday.
MATT BLAZE: I’m glad to be here.
IRA FLATOW: Patrick Skinner is the director of Special Project at the Soufan Group. He’s also a former CIA case director. Our phone number if you want to participate is 844-724-8255. You can also tweet us @scifri.
Let me start with you, Matt. Officials working on the cases are, of course, they’re still piecing together how the whole plan came together. How good is encryption of all these messages? They used an app called Telegram supposedly– it encrypts things. How good is encryption on these types of apps?
MATT BLAZE: Well, first of all, we don’t actually know much about what the Paris terrorists were actually using to communicate. In fact, a lot of the evidence that’s come out so far suggests that they were just communicating back and forth on Facebook and weren’t using any encryption apps at all, but it’s conceivable that they could have been. What encryption is good at when it’s implemented properly– and that’s a pretty big if– is hiding the contents of messages from somebody who intercepts the communication.
What it’s not good at doing is hiding the presence of the communication in the first place or the identities of who’s talking to who. It’s also not good at protecting communications if you can go after the endpoint computer or phone or whatever it is that they’re using. So encryption is pretty good at protecting data in transit, but it’s not a one-stop shopping communication security solution.
IRA FLATOW: Now, Apple, the iPhone maker, has been having a running battle with the government about encryption because stuff stays in its iPhone encrypted, right? How does that work?
MATT BLAZE: Well, what Apple recently did was make a few changes to the way that they encrypt data that’s stored on the iPhone handsets. And that basically makes it more difficult, if it’s configured in a particular way, for someone who doesn’t know the passcode to recover data that’s stored on the phone, and that’s assuming that the person has physical possession of the phone and is trying to extract data off of it. So it’s a little bit different from the problem of encrypting messages that are going back and forth over the network.
IRA FLATOW: And Apple still is insisting on keeping?
MATT BLAZE: Well, one of the problems is– and you hinted at this earlier when you talked about the question of security versus privacy– that’s part of this question. But there is another and probably much more important aspect of the question, which is that we rely on encryption for our own security. We are using the internet for just about every aspect of our daily lives, of our commercial lives, for our critical infrastructure, and encryption is one of the important technologies that lets us protect those things.
IRA FLATOW: Patrick Skinner, how much does encryption and these consumer apps really hinder intelligence agencies? Is more data the answer?
PATRICK SKINNER: No, I actually don’t think more data is the answer. In your previous clip of CIA Director Brennan, he mentioned that they needed insight but I think that’s a confusion between more data and insight. Paris attacks show that we have all the information. In fact, we have way more information than we can process, and what we’ve done with all this data collection is build the world’s most accurate hindsight machine. We can quickly determine what happened but we’re still unable to prevent it.
So I don’t think that encrypted apps– I mean, it’s the scare of the month, and there are some valid concerns, but that’s not the root problem.
IRA FLATOW: Would that explain how they were so able to quickly go to Saint-Denis and track down where those terrorists were hiding, because they have so much data to work with already?
PATRICK SKINNER: Yes, they’re called known wolves of terror for a reason. They already know who these people are. They just operate right under the radar. And the Saint-Denis raid was actually an unencrypted cellphone– they were tracking the cousin, the female cousin, of Abaaoud. And so encryption could play a role but it doesn’t appear to have played a role in this or any other major plot.
IRA FLATOW: So why do people keep asking for more encryption if you say they have so much? I’m going to throw this out to both of you, Matt and Patrick.
MATT BLAZE: Well, I think there are two debates going on and it’s probably helpful to separate them. Law enforcement agencies in the United States have been warning that encryption will hinder their ability to investigate past crimes– to do forensic analysis of phones and so forth. But that’s very different from the problem of tracking terrorist activity.
When the intelligence agencies warn about the use of encryption causing them to go dark with terrorists, I wonder sometimes whether what they’re saying is, oh please don’t throw us into the briar patch. We would hate that if they use more encryption and use more of this secure communication. Because I wonder if the availability of encryption tools encourages our adversaries to make more use of electronic communication where the metadata, the presence of the communication, can be tracked in ways that other types of communication like sending messages back and forth with couriers would be much harder to track. So I think this may be a boon for intelligence but they’ll never say that publicly.
IRA FLATOW: Is that right? Patrick Skinner, does this make a case then that we need more effective surveillance people? You know, people on the ground?
PATRICK SKINNER: Yeah, we certainly need to combine more human intelligence, human sources, that will provide context to the information that we’re collecting. If you continually collect everything you literally know nothing, and so we need more analysis. More surveillance cameras only will have more angles of the explosion. You need more people to understand before it happens.
The encryption debate– and I actually agree that it could be that the government is saying, oh please, oh please, don’t use these invulnerable apps and that they’ll never admit it, but then they would be able to track the e-chatter a lot easier.
IRA FLATOW: So sort of a don’t do as I– don’t do it and I’m really hoping that you do it because I say don’t.
PATRICK SKINNER: Exactly. And it’s correct– it’s hard to break it if they physically have it. If I have something with TrueCrypt on my computer it’s hard for you to physically break it– assuming you have my computer. But the communications in transit, that still leaves some kind of trail.
And we’re missing the obvious stuff. We shouldn’t even worry about encryption yet. We’re missing really obvious, unencrypted stuff.
IRA FLATOW: Intelligence agencies have always talked about having what’s called a back door. We need a back door to get into these encryptions. Would back doors help?
MATT BLAZE: Well, that sounds from a policy point of view like such a perfect solution. Unfortunately there’s one fundamental problem with that which is that we simply don’t know how to do that in anything close to a secure way.
We are in what I think everyone would agree is effectively a crisis in our network and cybersecurity infrastructure. We hear about things like critical infrastructure being weak. We hear about things like the OPM database breach literally every week. It only makes headlines if it’s something on the scale of the OPM breach.
One of the very few technologies that can help– and it won’t help 100%, but it gets us some part of the way there– is the widespread use of encryption where it’s possible to use it. When we include back doors in these systems, we create a very, very real and very practical risk that those back doors will be available not just to the good guys but also to the bad guys.
IRA FLATOW: Oh you agree, Patrick?
PATRICK SKINNER: I actually do. As somebody who just got my letter from the OPM hack saying that all my personal detail and fingerprints were lifted, I don’t think that I would want the US government to have this ultimate master key that could unlock everything, because one, it does weaken the encryption. I don’t know how you make encryption stronger by putting a back door on it. But also the fact that the government is made up of people and we’re fallible, and it’s entirely feasible and more likely probable that mistakes will happen and they’ll just leak it again.
IRA FLATOW: While I have you two hacking experts here I have to ask you this question about the hacker group Anonymous– said it was going to be shutting down ISIS accounts. Could these have any effect on intercepting some of the terrorists’ messages? Can they hack into their message system at all? Matt, what do you think?
MATT BLAZE: Well, I think there’s more to counter-terrorism than just the electronic side of it, so while perhaps the Anonymous group has its heart in the right place I suspect there’s more to it than that.
PATRICK SKINNER: Yeah, it’s more of a whack-a-mole strategy where they’re shutting down individual accounts. Actually, increasing reporting to Telegram or Facebook or whatever is pretty effective. It causes them to shut down. They’ll open up again but it is a pain to keep having to ensure that your followers know who you are as you close accounts.
IRA FLATOW: Well, we’ll keep following this. I want to thank both of you gentlemen for taking time to be with us today.
MATT BLAZE: Thanks for having me.
IRA FLATOW: Matt Blaze is director of the Distributed Systems Lab at University of Pennsylvania in Philadelphia. Patrick Skinner, Director of Special Projects at the Soufan Group.