Is Encryption Really Preventing Governments From Stopping ISIS? A Primer

By
Laptop computer with man's hands
Photo: Dimitri Otis/Getty Images

Contrary to rumors inspired by mistaken reporting, it’s unlikely that ISIS planned the Paris attacks using PlayStation 4. The possibility that the video-game system’s inherent encryption technology played a part in ISIS’s plotting incited an avalanche of rhetoric for and against encryption and government surveillance, including remarks made by New York Police Commissioner Bill Bratton today on Morning Joe that companies allowing encryption “are working against us” in preventing terrorist attacks.

Bratton’s overheated rhetoric and the rapid spread of a baseless rumor about PlayStation showcases the worst side of our relationship with surveillance and encryption technology. It’s not just that we don’t know how the attacks were planned; it’s that we don’t have a clear picture of the debate over encryption at all — what’s at stake, what’s possible, and what needs to be changed.

At its core, the argument is fairly simple. Most modern messaging applications, like WhatsApp and iMessage, encrypt their data, essentially scrambling it and locking it behind very serious security technology. Governments (or hackers) might be able to intercept communication between two people, but because that communication is encrypted, they’d still have to decrypt it before being able to read it. Depending on the technology used, that process can range from “incredibly difficult and time-consuming” to “impossible.”

This is great for people who want to keep their communication away from prying eyes. But people like Bratton believe that if the government can access all data, all the time, it will be better equipped to detect attacks in advance. Bratton and others, including many government officials in Europe, have argued that tech companies should be forced to build a “back door” into their encryption technologies to allow unfettered access to interpersonal communication.

It’s easy to assume that the government is already reading everything you send, and paranoid crypto experts will warn you that we don’t know the full extent of government surveillance. The NSA has been accused of spending many years and millions of dollars attempting to undermine encryption technology, and the Snowden documents demonstrated that the NSA had far broader access to data from tech companies than was suspected before. But theoretically, the NSA was being given access to “metadata” that could help pinpoint identity and location — not to encryption back doors. If the U.S. forced those companies to build back doors (as the U.K. recently proposed), the NSA and Homeland Security would suddenly have access to a huge swath of communication they’d never had before. And, at the same time, so would many other governments. What else should you know as the encryption debate flares up again?

The attackers likely didn’t use PS4s to communicate, and we need to wait to see how they coordinated the attacks before we can say whether encryption is to blame. How the Paris attackers communicated is uncertain, though they did use encryption. “It was not clear whether the encryption was part of widely used communications tools, like WhatsApp, which the authorities have a hard time monitoring, or something more elaborate,” the New York Times reported, though the newspaper later edited the article

PS4 isn’t out of the question. An Austrian teenager used a PlayStation console to download bomb plans in June and was later arrested. Authorities say the teenager was also communicating with ISIS members in Syria using the system. But the PlayStation lacks a solid encryption system, according to Motherboard. Experts note that Sony likely has strong access to users’ communication on the system. Video games in general are more difficult to track than web browsers and smartphones, however, and the FBI has previously fought to access Xbox Live. There are simply more spaces and formats to communicate in video games — like Steam chat or the in-game group-message function of an MMORPG.

The security expert Graham Cluley warns against assigning blame to one specific technology. Any digital communication method, from chess apps to World of Warcraft, can be used for clandestine planning. He interprets the blaming of PS4 as “politicians attempting to use the ghastly events as a pawn to promote their own anti-privacy agenda.”

We can expect to learn whether the attackers were using encrypted channels of the type FBI Director James Comey has been warning about for the past year … as well whether the attackers avoided specific channels where they believed surveillance was possible,” writes Benjamin Wittes at Lawfare. In other words, as we understand better how the attacks were planned, we can understand what methods terrorists are using to communicate and better target them, rather than resorting to blanket surveillance. 

The government likely already has a certain kind of access to plenty of platforms. There are two levels of access when it comes to surveillance. There’s the metadata — who connected to whom, for how long — and then there’s the content of the messages. Encryption protects the specific content of communications, hence the government’s fear and the need for even better back doors. Encryption means that it’s difficult, if not impossible, to read the messages.

Through the PRISM program that the Snowden leaks revealed, the government was already working with many seemingly safe companies and products to get access to that metadata, but not encryption. These included Facebook, Google, Yahoo, YouTube, Skype, AOL, Sprint, AT&T, Apple, and Microsoft. In other words, backdoors likely already existed in familiar technology long before the PS4 rumors. The government is actively working against the encryption software Tor — it even targeted a public library that was offering encrypted internet access, making anonymity more difficult to achieve than ever.

Having access to unencrypted data is rarely enough to prevent attacks. As BuzzFeed reports, France was warned “weekly” about the possibility of a coordinated terrorist attack by Israel and Jordan, though they lacked information about a possible date or targets.

Government agencies and lawmakers will likely propose beefed-up anti-encryption laws. The role that messaging like the PlayStation rumors plays is to drum up mainstream suspicion that encryption is the one thing preventing the government from catching terrorists. Glenn Greenwald pushes back against blaming the Snowden leaks or encryption for the attacks. Terrorists already knew to avoid easily tracked communication channels, so the use of encryption is nothing new, he writes. Government officials “want to demonize encryption generally as well as any companies that offer it.” 

Greenwald avoids the point that some access to encrypted information could stop attacks, though the chances of success may be vanishingly small. Which do we value more, the full integrity of our privacy, or that chance that giving up privacy may lead to safety? After all, the U.K. recently proposed a bill that would allow for systematic access to encrypted information. As more information is revealed in Paris, we will be confronted once more with the question, and it applies equally to smartphones and chat apps as video games.