The death toll from the Paris massacres was still being finalised when the Western intelligence community began using them to attack encryption and restrictions on surveillance. The head of the CIA said the attacks should be a “wake-up call” about limitations on surveillance by security agencies. A former deputy director of the CIA said “I think what we’re going to learn is that these guys were communicating via these encrypted apps”. A former CIA director blamed Edward Snowden for the attacks. Later last week, a Manhattan district attorney demanded Congress force manufacturers like Apple and Google to build in backdoors in mobile phones. And last Friday, our own Minister Assisting the Prime Minister on Counter Terrorism, Michael Keenan, was quoted by Fairfax as calling for more legislation to deal with encryption, which was “a significant challenge for intelligence and security agencies around the world”.
Some in the media weren’t much different. The New York Times published an article quoting unnamed French officials who said “the attackers are believed to have communicated using encryption technology”. (Here, the Financial Review ran a balanced, sceptical article by John Kehoe, but titled it “Paris attacks: Is Silicon Valley helping terrorism?”)
By the time Keenan entered the fray, however, the links between encryption and the Paris attacks had evaporated. The New York Times quietly removed the story claiming the attackers had used encryption from its website: it turns out it was simple speculation. Evidence may yet emerge that the attackers did use encryption. But so far the evidence points the other way: one attacker was using an unencrypted, indeed unlocked, mobile phone just prior to the attacks. The organiser of the attacks, Abdelhamid Abaaoud, had a previous, similar attack planned in Belgium thwarted because security agencies intercepted his communications to the would-be attackers and between the latter, despite them using multiple mobile phones.
Moreover, apart from Abaaoud, one of the attackers, Samy Amimour, was already well known to security agencies, while Ismail Omar Mostefai had been flagged as a potential threat by French agencies in 2010. Brahim and Salah Abdeslam had both previously been questioned by Belgian authorities in relation to terrorism, and let go.
This is a persistent pattern in terrorism, whether in Europe, the United States or Australia: the perpetrators are often already known to security agencies but have been ignored for one reason or another; the most egregious case was Man Haron Monis here, who had extensive dealings with ASIO, had been charged with involvement in a murder and a number of sexual assaults, was a well-known extremist and had written to the Attorney-General asking if he could communicate with Islamic State — and yet was ignored until he entered the Lindt cafe in Martin Place.
Yet according to Keenan, encryption is the problem — not the lack of targeted surveillance, or the poor judgement of security agencies, or the lack of agency resources for human intelligence and targeted monitoring.
Terrorists, like organised crime and paedophiles, do use encryption: al-Qaeda has been regularly updating its own encrypted communications software (one brand-named “Secrets of the Mujahideen”) since 2007, making a mockery of attempts to blame Edward Snowden for alerting terrorists to surveillance. Islamic State and al-Qaeda both use an ephemeral message app. As the al-Qaeda example demonstrates, since long before Snowden, terrorists have been developing their own encryption platforms as well as using commercially available encryption and ephemeral software. Putting a government-mandated backdoor into Apple products or Google platforms will only expose hundreds of millions of innocent citizens to mass surveillance while terrorists go on using bespoke systems.
And access to the traffic of those hundreds of millions will stretch security agencies charged with preventing attacks even thinner. More information will mean more false positives that have to be analysed and investigated, while potential perpetrators already flagged as suspects go unmonitored. The “collect it all” mentality comes with a cost not just in obtaining and storing information, but in pursuing every innocuous but sinister-sounding communication.
And that’s before you get to the problem that encryption isn’t merely a tool for criminals or downloaders but is critical to modern capitalism: the world’s financial system relies on encryption for billions of financial transactions an hour. Government-sanctioned backdoors into encryption software place all that at risk: a backdoor controlled by the US government may be obtained by other states, organised crime or terrorists themselves. UK encryption experts explicitly warned in 2013 that long-term efforts by the National Security Agency and the UK’s Government Communications Headquarters placed critical infrastructure at risk, while Barack Obama’s own surveillance review panel called for an end to NSA attempts to undermine encryption standards.
All this is well known to security agencies, but their “collect it all” mentality overrides evidence and logic. And their rapid exploitation of the Paris attacks reflects a clear PR strategy. “The legislative environment is very hostile today,” one of the US intelligence community’s most senior figures told colleagues earlier this year about efforts to mandate backdoors. However, “it could turn in the event of a terrorist attack or criminal event where strong encryption can be shown to have hindered law enforcement”.
Thus the rush to exploit the dead in Paris to attack encryption, regardless of the facts.