Security Architecture, Endpoint/Device Security, Endpoint/Device Security, Governance, Risk and Compliance, Compliance Management, Privacy, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

Paris attacks re-energize mobile phone encryption argument

The deadly ISIS terror attack in Paris and the on-going police activity stemming from that incident may bring to a head the argument over whether or not the benefits encryption brings to privacy is worth the risks run when bad guys use the technology to pull off attacks or run criminal operations.

Apple and Google's decisions to bring full-disk encryption to their respective mobile operating systems sent a collective shiver down the spines of law enforcement agencies, while at the same time was praised by privacy advocates. However, in light of an older generation smartphone being found at the Bataclan theater and being used by authorities to track down and eliminate a second terrorist cell, renewed arguments call it foolhardy to not offer the police some method of accessing a smartphone to help save lives or solve a case.

Manhattan, New York District Attorney Cy Vance released a white paper this week detailing the argument against full encryption, while still giving consumers what he believes is a very high level of privacy.

“Apple and Google are not responsible for keeping the public safe. That is the job of law enforcement. But the consequences of these companies' actions on the public safety are severe. That is why my office has been working with our law enforcement partners around the world to craft the solution recommended in this report,” the DA's report stated.

The flip side of the argument states that any backdoor left in device that is supposedly only accessible by the good guys is a fallacy.

“Like clockwork, cynical calls to expand mass surveillance practices—by continuing the domestic telephone records collection and restricting access to strong encryption—came immediately following the Paris attacks,” said Cindy Cohen, executive director of the Electronic Frontier Foundation (EFF) in a blog.

Cohen specifically pointed to Sen. Tom Cotton (R-Ark.) introduction of the Liberty Through Strength Act that would delay the USA Freedom Acts' termination of the government's metadata collection program.

“This legislation, along with President Obama's unilateral actions to restrict the Intelligence Community's ability to track terrorist communications, takes us from a constitutional, legal, and proven NSA collection architecture to an untested, hypothetical one that will be less effective,” Cotton said in a written statement.

Cohen added that one reason the program is being allowed to end is it did not work as advertised.

“Millions of dollars and over 10 years of effort later, two independent panels held there was no indication that the mass domestic telephone collection had ever assisted in thwarting a domestic terrorist attack,” she said.

The Manhattan DA's primary recommendation would not create a backdoor through which customer data could be pulled, but instead insist that the software makers have access and could supply information from when asked to do so when presented with a search warrant. In addition, this would only affect data “at rest” on mobile devices and not in transit.

One argument put forth against this idea is that most of the data police need is probably stored in the cloud and thus not protected by any phone-based encryption.

“Even under the best of circumstances, the cloud does not have all of the information that would be available on a personal device. And, there are several further reasons the cloud is a poor substitute for personal devices as a source of information important to law enforcement,” Vance's report stated.

Igor Baikalov, chief scientist at Securonix, sees a clear reason for tech companies to cooperates, but he noted simply having access to the data is no guarantee the information will be useful to authorities.

“We should work together to develop better algorithms and technologies to detect malicious intent, analyze behavior anomalies, and pinpoint stress indicators,” he told Thursday in an email, adding, “Intercepting communication - assuming there is any worthy of interception - is only part of the problem. Understanding the content - considering the many ways terrorists could obfuscate the true meaning - is a lot more difficult.”

Then there is the very real possibility that no matter how much access law enforcement is given there are many very simple, tried and true methods that anyone can implement to remain off the grid.

“Given that preliminary reports indicate five of the Paris attackers may have lived within miles of one another, their communication mechanism of choice may have been old-fashioned, face-to-face conversation,” said Jeff Hill, channel marketing manager for STEALTHbits Technologies, to in an email Thursday.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.