A View from Nathan Freitas

6 Ways Law Enforcement Can Track Terrorists in an Encrypted World

Government officials want us to believe that encryption is helping terrorists, but law enforcement still has plenty of tools to get the data.

November 24, 2015

The phrase “the terrorists are going dark” has come back in vogue after the Paris attacks, referring to assertions that encryption is somehow enabling the communication of future attackers to go undetected. But the public is being presented with a false choice: either we allow law enforcement unfettered access to digital communications, or we let the terrorists win. As always, it is not that simple.

It is true that much of the world’s communication has shifted away from easy-to-intercept text messages and phone calls, to mobile apps, such as WhatsApp, Apple Messages, and Telegram, which provide free worldwide communications and improved privacy and security. Some apps have even added end-to-end “sealed envelope” encryption, putting message contents out of reach of both law enforcement and the service providers themselves.

This story is part of our January/February 2016 Issue

Even so, there is still a great deal of data available that is not fully encrypted or even encrypted at all—data that allows for the kind of digital detective capabilities that law enforcement seek to catch the bad guys. It is disingenuous on all sides to pretend it does not. Some call this metadata, but considering the volume and detail of data available, there is nothing meta about it. Not all of the approaches to data gathering and intercept are clearly legal. Many app developers (including myself) are actively working to defend against them and close these gaps, as they are often used to unjustly attack and monitor activists, journalists, and even estranged loved ones.

Still, we cannot deny that they exist for now, and so, rather than let these data-gathering options linger in the shadows, I’ll enumerate them here.

1) If someone is carrying a mobile phone, their every movement, phone call, and use of Internet access is being tracked and logged by the mobile service provider. Accessing that data often does not require a warrant, just a phone number and a contact at the phone company.

2) Messaging apps like WhatsApp and Telegram require users to register their accounts with a working telephone number. Use of the app is tied to this number, and to all the phone numbers of the people they are communicating with. See number one for what you can do with a list of phone numbers.

3) The kind of encryption implemented in mainstream apps today is not automatic. Even in well-regarded implementations by WhatsApp and Apple, it is unclear to the user when and how encryption is active and verified. It is likely possible to disable access to or reduce the strength of encryption on a per-user basis, without the user knowing.

4) Even an end-to-end encrypted chat can be monitored if the app supports group chat or syncing conversations between multiple devices. If you can compel the app service provider to add a new device to an account or a new participant to a group without notifying existing users, then you are in.

5) Full storage encryption of smartphones is not on by default for Android, and only in effect on iOS when the device is powered off. Most of these apps are not password-protected on the device itself. Get access to a phone with the screen unlocked, or crack the screen lock app itself, and you are in. Compel the owner of a fingerprint-locked device to unlock it with their thumbprint, and you are in. Trick the user into installing (or force their app store to do so) a keystroke-logging keyboard or a hidden surveillance app and you are in.

6) Most cloud data is only encrypted to protect it from outside attackers, and not from the service provider themselves. Some services say, “We encrypt data at rest in the cloud,” but they mean they do so with an encryption key that they hold, not one the user holds. Rather than backdoor the messages in real time, just get access to a cloud backup of all the messages, contacts, calendars, photos, location data, and more that users often unwittingly store there.
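Item 4 only works if the client accepts the provider's device or member list silently. As an added example (not from the article or from any app it names), here is a client-side check that pins the device-key fingerprints already seen for a conversation and withholds messages from any newly listed device until the user approves it; every name and the sample keys are hypothetical.

```python
import hashlib


def fingerprint(identity_key: bytes) -> str:
    """Short fingerprint of a device's public identity key, for out-of-band comparison."""
    return hashlib.sha256(identity_key).hexdigest()[:16]


class DevicePinStore:
    """Client-held record of device keys already seen per conversation (hypothetical design)."""

    def __init__(self):
        self._pins = {}  # conversation id -> set of pinned fingerprints

    def check(self, conversation, server_device_keys):
        """Compare the server-supplied device list to the pins; return (added, removed)."""
        seen = {fingerprint(k) for k in server_device_keys}
        pinned = self._pins.get(conversation)
        if pinned is None:
            # Trust on first use: nothing earlier to compare against.
            self._pins[conversation] = set(seen)
            return set(), set()
        return seen - pinned, pinned - seen

    def approve(self, conversation, fp):
        """Pin a new device after the user verified its fingerprint out of band."""
        self._pins[conversation].add(fp)


def recipients_to_encrypt_for(store, conversation, server_device_keys):
    """Return (keys safe to encrypt to, fingerprints held back for user review)."""
    added, _removed = store.check(conversation, server_device_keys)
    allowed = [k for k in server_device_keys if fingerprint(k) not in added]
    return allowed, sorted(added)


# Constructed sample keys; real identity keys would be public-key bytes.
PHONE, LAPTOP, UNANNOUNCED = b"contact-phone-key", b"contact-laptop-key", b"unannounced-key"


def demo():
    store = DevicePinStore()
    recipients_to_encrypt_for(store, "chat-1", [PHONE, LAPTOP])  # first contact pins both
    # Later the server's list silently grows by one device.
    return recipients_to_encrypt_for(store, "chat-1", [PHONE, LAPTOP, UNANNOUNCED])
```

The notification has to be enforced by the client, because the party being compelled is the same one that would otherwise deliver it.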

Whether we like it or not, the opportunities for targeted surveillance of digital communications are vast and deep, within both clearly legal and legally gray areas. I am not encouraging legalizing criminal hacking by the police or promoting surreptitious methods for infringing on freedom and privacy. In fact, I am a firm believer that more encryption is needed, to strengthen our personal privacy and defend against actual cybersecurity threats. Fundamentally, I hope that through deeper understanding of the private data that we all constantly generate and expose, there can be more clarity about, and less fear of, the “dark.”

Nathan Freitas leads the Guardian Project, an open-source mobile security software project, and directs technology strategy and training at the Tibet Action Institute. His work at the Berkman Center focuses on tracking the legality and prosecution risks for mobile security app users and developers worldwide.
