By John Ahearne, Forensic Analyst When data is is needed for use as evidence, it…
Computerworld: Feds Fund Encryption Apps that Could Cloak Terrorists
Originally published by Computerworld.
U.S.-financed Open Technology Fund supports privately built encryption and other apps
U.S. government funds have recently been used to support the creation and maintenance of commercially available smartphone encryption apps, according to public records.
At the same time, U.S. security officials and some elected officials have complained to software makers that their encryption software allows terror groups to communicate over the Internet in secret. Some experts have even tied encryption and darknet communications to deadly attacks like the one by ISIS in Paris last week.
The U.S.-financed Open Technology Fund (OTF) was created in 2012 and supports privately built encryption and other apps to “develop open and accessible technologies to circumvent censorship and surveillance, and thus promote human rights and open societies,” according to the OTF’s website.
In one example, the OTF provided $1.3 million to encryption app maker Open Whisper Systems in 2013 and 2014. The San Francisco-based company produced Signal, Redphone and TextSecure smartphone apps to provide various encryption capabilities. Signal recently combined TextSecure for encrypted text messaging with RedPhone for encrypted Voice over IP. The software is available for both iOS and Android smartphones.
Both Signal and Redphone were named among the five “safest” encryption apps by ISIS in a tech tutorial that was circulated in January, according to a report in the Wall Street Journal. The ISIS tutorial was intended to keep ISIS followers’ communications out of the reach of government surveillance. It listed 30 encryption apps, ranking about half of them as “unsafe” for ISIS followers to use.
Open Whisper Systems could not be reached to comment on Tuesday. The company is supported and owned by a developer community, including founder Moxie Marlinspike. In tweets and other messages, the company has supported National Security Agency leaker Edward Snowden, and Snowden recently tweeted: “I use Signal every day.”
The OTF had no comment on its funding of encryption apps and referred a reporter to its website for information about its activities. On its site, the OTF lists a selection of projects it has supported, listing 22 in addition to Open Whisper Systems. The maximum amount of financial support per year is $900,000, but many projects are in the range of $100,000 to $200,000.
Encryption supporters and detractors
Encryption app developers proudly support and promote their apps to help improve privacy for average users, especially in light of disclosures in 2014 by Snowden of widespread government surveillance.
Apple and Google have also supported disk-level encryption in recent iOS and Android releases. The companies have noted that they have no access to the decryption keys, which are kept on the smartphones themselves. Apple issued an explanation of its privacy policy related to encryption as long ago as September 2014.
Also about a year ago, FBI Director James Comey called for a public debate about the need for access to a criminal’s or terrorist’s device, subject to a judge’s warrant, saying such access could “protect the lives of people of all kinds.”
More recently, in July before the U.S. Senate Judiciary Committee, Comey and Deputy Attorney General Sally Yates described deficiencies in the 1994 Communications Assistance for Law Enforcement Act (CALEA) in allowing surveillance of newer technologies such as email, Internet messages and social networking sites.
“The harms resulting from the inability of companies to comply with court-ordered surveillance warrants are not abstract and have very real consequences,” the two officials said in a prepared statement. “The challenges posed by the Going Dark problem [of using encryption to evade detection] are grave, growing and extremely complex.”
Although their statements seemed to support revisions to CALEA, a Department of Justice (DOJ) spokeswoman on Tuesday said the agency is not currently seeking legislation to address encryption remedies.
Following Friday’s attacks in Paris in which 129 people died and many more were injured, Attorney General Loretta Lynch told reporters on Monday that terrorists have used “any means to communicate, including encrypted means…. We need to do everything we can to protect the American people. We are pursuing a number of options.”
She said the DOJ is “in discussions with industry to look at ways where they can provide us, lawfully, information while preserving privacy.”
Sen. Dianne Feinstein, D-Calif., also on Monday told Andrea Mitchell on MSNBC that she has met with chief counsels of most of the biggest software companies to find legal ways that would allow intelligence authorities to break encryption when monitoring terrorism.
“I have asked for help,” Feinstein said. “I haven’t gotten any help. I think that Silicon Valley has to take a look at their products, because if you create a product that allows evil monsters to communicate in this way, to behead children, to strike innocents, whether it’s at a game in a stadium, in a small restaurant in Paris, or take down an airliner, that’s a big problem. So we need high tech’s help in securing an Internet that even with a court order, you can’t get to what they’re saying. That’s a big problem.”
Representatives for Feinstein and Lynch were asked to comment about the use of OTF funds to support encryption apps, but didn’t immediately respond.
Finding a back door called impractical
While the threat of terrorism cloaked in secrecy by encryption is on the minds of policymakers, some software makers view attempts to gain backdoor access to encryption keys as both impractical and potentially harmful to privacy rights.
Security officials “will always be chasing around, even if you are able to get a court order, because you never know who to go after,” said Rene Novoa, senior manager of forensics and e-discovery at DriveSavers, a data recovery company.
“I don’t think getting access to decryption keys is a good solution,” he said. “If you allow law enforcement to have the keys, you’ll also see the bad guys getting the keys. It can work both ways and you have to be careful what you ask for.”
Novoa sometimes provides expert testimony in court cases on behalf of prosecutors who need access to data on smartphones. Instead of finding ways around encryption, he urged security and intelligence officials to concentrate on social networks where communications are in public to follow terrorists.
“Not everything is done in encryption on the dark web, ” he said.
“I definitely think government officials are talking about encryption now because they are trying to show the public they are doing something about terrorism,” he said. “They say a lot of people will die because they can’t eavesdrop. It’s designed to get people talking and thinking, but it’s actually scaring us.”
Urging software makers to release decryption keys is “impractical and it’s time and money spent in the wrong direction,” Novoa added.