The phrase “the terrorists are going dark” has come back in vogue after the Paris attacks, referring to assertions that encryption is somehow enabling the communication of future attackers to go undetected. But the public is being presented with a false choice: either we allow law enforcement unfettered access to digital communications, or we let the terrorists win. As always, it is not that simple.
It is true that much of the world’s communication has shifted away from easy-to-intercept text messages and phone calls, to mobile apps, such as WhatsApp, Apple Messages, and Telegram, which provide free worldwide communications and improved privacy and security. Some apps have even added end-to-end “sealed envelope” encryption, putting message contents out of reach of both law enforcement and the service providers themselves.
Even so, there is still a great deal of data available that is not fully encrypted or even encrypted at all—data that allows for the kind of digital detective capabilities that law enforcement seek to catch the bad guys. It is disingenuous on all sides to pretend it does not. Some call this metadata, but considering the volume and detail of data available, there is nothing meta about it. Not all of the approaches to data gathering and intercept are clearly legal. Many app developers (including myself) are actively working to defend against them and close these gaps, as they are often used to unjustly attack and monitor activists, journalists, and even estranged loved ones.
Still, we cannot deny that they exist for now, and so, rather than let these data-gathering options linger in the shadows, I’ll enumerate them here.
1) If someone is carrying a mobile phone, their every movement, phone call, and use of Internet access is being tracked and logged by the mobile service provider. Accessing that data often does not require a warrant, just a phone number and a contact at the phone company.
2) Messaging apps like WhatsApp and Telegram require users to register their accounts with a working telephone number. Use of the app is tied to this number, and to all the phone numbers of the people they are communicating with. See number one for what you can do with a list of phone numbers.
3) The kind of encryption implemented in mainstream apps today is not automatic. Even in well-regarded implementations by WhatsApp and Apple, it is unclear to the user when and how encryption is active and verified. It is likely possible to disable access to or reduce the strength of encryption on a per-user basis, without the user knowing.
4) Even an end-to-end encrypted chat can be monitored if the app supports group chat or syncing conversations between multiple devices. If you can compel the app service provider to add a new device to an account or a new participant to a group without notifying existing users, then you are in.
5) Full storage encryption of smartphones is not on by default for Android, and only in effect on iOS when the device is powered off. Most of these apps are not password-protected on the device itself. Get access to a phone with the screen unlocked, or crack the screen lock app itself, and you are in. Compel the owner of a fingerprint-locked device to unlock it with their thumbprint, and you are in. Trick the user into installing a keystroke-logging keyboard or a hidden surveillance app (or force their app store to install it), and you are in.
6) Most cloud data is only encrypted to protect it from outside attackers, and not from the service provider themselves. Some services say, “We encrypt data at rest in the cloud,” but they mean they do so with an encryption key that they hold, not one the user holds. Rather than backdoor the messages in real time, just get access to a cloud backup of all the messages, contacts, calendars, photos, location data, and more that users often unwittingly store there.
Whether we like it or not, the opportunities for targeted surveillance of digital communications are vast and deep, within both clearly legal and legally gray areas. I am not encouraging legalizing criminal hacking by the police or promoting surreptitious methods for infringing on freedom and privacy. In fact, I am a firm believer that more encryption is needed, to strengthen our personal privacy and defend against actual cybersecurity threats. Fundamentally, I hope that through deeper understanding of the private data that we all constantly generate and expose, there can be more clarity about, and less fear of, the “dark.”
Nathan Freitas leads the Guardian Project, an open-source mobile security software project, and directs technology strategy and training at the Tibet Action Institute. His work at the Berkman Center focuses on tracking the legality and prosecution risks for mobile security app users and developers worldwide.