
Encrypted Messaging Apps Face New Scrutiny Over Possible Role in Paris Attacks - dperfect
http://www.nytimes.com/2015/11/17/world/europe/encrypted-messaging-apps-face-new-scrutiny-over-possible-role-in-paris-attacks.html
======
agorabinary
Every tragedy will be used to further the cause of totalitarianism. The
contents of this article, and every identical piece that is written after
every new disaster, is less worthy of HN discussion than this broader issue.
Encryption is the primary facilitator of privacy in our current times, and
privacy is a fundamental human right. Law enforcement doesn't understand this,
they only know "getting the baddies". And in times where violence is at an all
time low despite recent tragedies, "getting the baddies" is decreasingly
important relative to the preservation of rights.

~~~
x5n1
There may come a time soon where the violence is widespread enough to actually
justify this level of invasion of privacy. The threat of these sorts of
attacks is increasing and if countries like Pakistan are any clue, it's simply
not possible to ignore it and say everything will be fine because only a small
portion of the population is involved. That small portion can wreak havoc and
must be managed and surveillance is the right tool to do just that. It's by
far better than any other method of dealing with the problem... and it does
allow for surgical precision as long as the authorities don't use it instead
to go after other crime, which they inadvertently do.

~~~
terryf
It has almost never been a safer time to live in Europe than it is now. Look
at crime rates, they are dropping everywhere. Homicide is down, robberies are
down. Terrorist attacks happen so rarely that they almost don't count. The
number of people killed in traffic accidents in the USA on the same day of the
Paris attacks is almost the same as the number of people killed by terrorists.
I'm sorry to be so cold, but they didn't even manage to make a dent in the
stats graph.

[https://en.wikipedia.org/wiki/Terrorism_in_the_European_Unio...](https://en.wikipedia.org/wiki/Terrorism_in_the_European_Union#Trend)

~~~
tomjen3
And if I was Spock I might care about that kind of argument. As it happens,
people care far more about the feeling of safety than safety and believe me
that feeling tanked after Paris.

~~~
andreyf
There are other ways of addressing feelings of safety that don't involve
giving up liberties.

------
phkn1
"American and French officials say there is still no definitive evidence to
back up their presumption that the terrorists who massacred 129 people in
Paris used new, difficult-to-crack encryption technologies to organize the
plot."

IMO, that is the only part of the article that needs to be understood.

~~~
venomsnake
> new, difficult-to-crack encryption technologies

Have there been any NEW encryption technologies lately? The only one I can
think of is ZRTP. Everything else is based on well understood and well tested
theories.

~~~
sarciszewski
Sort of.

[http://sphincs.cr.yp.to](http://sphincs.cr.yp.to)

Not only is this a NEW cryptography technology, it's also the most hilarious
academic web page I've ever read.

------
zmmmmm
Intelligence agencies seem to operate on a very dubious assumption that if
mass consumer products weren't offering end to end encryption, terrorists
would just be chattering away in the clear, rather than trivially switching to
one of the plethora of alternatives that do allow secure communication (some
of them open source and "unbannable").

Are they really that dumb? Or is this a cynical PR exercise?

~~~
mc32
It's not that terrorists with good operational procedures would not be able to
find more secure means, but migrating to those means would do two things:

Fewer operatives would have the rigor to operate securely all the time. You
just need one to trip up to give the house away, but with ubiquitous encr.
anyone and their nona can encrypt without leaking.

Two, switching to alternate means would mean a big slowdown in comms speed and
throughput/dissemination and comms can be compromised/altered via
interception.

~~~
mtgx
One guy managed to get his hands on a freaking _rocket launcher_. Same with
one of the Charlie Hebdo attack guys, who sneaked an assault weapon into a
country with strict gun laws. Are you telling me that if they are _really
committed_ these guys can't get access to an _app_ they can use for encrypted
communications?

The problem is _there are too many signals_ , only made _worse_ \- not better
- by mass surveillance (making the "hay" in which to find the needle _bigger_
and all that). Here's an excerpt from Schneier in 2005:

 _> Let's look at some numbers. We'll be optimistic -- we'll assume the system
has a one in 100 false-positive rate (99 percent accurate), and a one in 1,000
false-negative rate (99.9 percent accurate). Assume 1 trillion possible
indicators to sift through: that's about 10 events -- e-mails, phone calls,
purchases, web destinations, whatever -- per person in the United States per
day. Also assume that 10 of them are actually terrorists plotting.

> This unrealistically accurate system will generate 1 billion false alarms
> for every real terrorist plot it uncovers. Every day of every year, the
> police will have to investigate 27 million potential plots in order to find
> the one real terrorist plot per month. Raise that false-positive accuracy to
> an absurd 99.9999 percent and you're still chasing 2,750 false alarms per
> day -- but that will inevitably raise your false negatives, and you're going
> to miss some of those 10 real plots.

> This isn't anything new. In statistics, it's called the "base rate fallacy,"
> and it applies in other domains as well. For example, even highly accurate
> medical tests are useless as diagnostic tools if the incidence of the
> disease is rare in the general population. Terrorist attacks are also rare,
> any "test" is going to result in an endless stream of false alarms.

> This is exactly the sort of thing we saw with the NSA's eavesdropping
> program: the New York Times reported that the computers spat out _thousands
> of tips per month _. Every one of them turned out to be a false alarm_.

99.9% and 99.9999% accuracy and you still get those huge false positive
numbers. Even the drone strike program has _much_ lower accuracy than that
(yes, they do kill people based on "mostly assumptions" that they are
terrorists, if that's news to anyone). I mean, in the US, they start spying on
people if they have a >51% of not being an American (an amazingly low
threshold - basically flipping a coin). So - maybe it's time to admit that
mass surveillance is actually detrimental to catching these guys and that
these spy agencies are _hurting_ national security?

[https://www.schneier.com/essays/archives/2005/03/why_data_mi...](https://www.schneier.com/essays/archives/2005/03/why_data_mining_wont.html)

~~~
mc32
Countries can demand app stores comply with their laws, if they wanted to.
They could demand access to interception or else the app [store] is not
allowed. They could further have carriers block jailbroken sets.

With regard to noise, you can make it more manageable by building a graph. As
you initially ID terrorists, you follow the graph and calibrate the signal.
You don't have to enmesh everyone.

~~~
aianus
> They could demand access to interception or else the app [store] is not
> allowed.

Thus forcing terrorists to use Android or a desktop OS? Big whoop.

~~~
mc32
It's not as if they can't tell Google to put out a 'special' version for their
country. Or put out their own infiltrated version and take whatever measures
necessary to "own" the OS. They could poison DNS for "favorite terrorist
distro".

It's not to make it 100% foolproof, it's to make it so that any misstep would
reveal them. In other words, make the whole of their communications system
leaky _somewhere_ not necessarily everywhere.

~~~
mtgx
The systems _are_ already leaky (like the metadata, for instance, but also the
weak end-point security most devices have, poor HTTPS implementations, and so
on). This is _not a problem_. The problem is the intelligence agencies _have
too many "targets"_. They're only making things harder for themselves putting
everyone on "lists". At least one of the terrorists from the recent Paris
attack was on such list - an "extremist" list even. Didn't seem to help.

I think it's becoming more clear that intelligence alone is not enough.

I'm also very worried that 10 years from now we'll have an even bigger problem
than Daesh in the Middle East, even if Daesh is "wiped out" \- Al Qaeda was
wiped out, too, unless we forget. Daesh is much bigger than Al Qaeda was,
which means they have many more relatives and children than Al Qaeda had -
children that may rise up again in 10 years to avenge their fallen fathers and
cousins.

France's reaction feels very much knee-jerk and 20th century thinkining -
"Someone attacked us? Let's bomb the hell out of them then!". It kind of
reminds me of when the French generals ordered their foot troops into the
Germans' machine guns a century ago, because that was their 19th century
thinking at the time.

This is a whole other discussion that also needs to happen, and I think a much
bigger issue than the encryption one.

~~~
mc32
The problem isn't the volume of data, it's the analysis and graphing. They
need to develop better mining technology.

Conversely, if there is too much data and everything is hidden because there
is too much, then why bother with the clamor for encryption? I mean, there is
so much data, it's unfindable?

I think it was Poland and Russia sending cavalry and barely armed infantry
into modern battle, not France during WWII.

------
sarciszewski
It doesn't matter what politicians think, really.

Secure end-to-end encryption is going to happen one way or another. It's a
global phenomenon, no single country can stop it.

Sure, our government likes to think it controls the world, but really all it
can do is threaten the world with violence. Mathematics knows no such fear.

~~~
giaour
And yet, similar policies have given us "export-grade" encryption and funded
projects like the clipper chip.

There's no way a single country can block secure, end-to-end encryption
forever, but they can sure make things hard for a while.

~~~
bmelton
They don't have to block every user using unlawful encryption -- they just
have to have a law that lets the penalty be enough that a few high profile
convictions will deter enough law-abiding people that it isn't worth the risk.

At that point, they can simply listen to all traffic and, if there are packets
that aren't listenable due to encryption, assume ill intent, then be free to
react appropriately.

Assuming high enough signal ratios in detecting encryption, it might actually
prove that encoded messages, or steganography proves to be more effective at
preventing state-level eavesdropping... they won't prevent a determined state
from getting your secret content, but it could be enough that, if the messages
looked unencrypted, they would be passed over for the more obviously encrypted
messages -- hiding in plain sight, as it were.

Note, this is not an endorsement of any privacy invasions whatsoever, but
musings on what a post-4th-amendment-obliteration world might look like for
the privacy-minded.

~~~
rikkus
Coming soon: 'Strong' encryption is illegal in the UK without a licence. Banks
and other institutions will pay for licences for their websites and their
behind-the-scenes comms but also be required to use backdoored crypto where
the govt and police and govt agencies hold keys.

An inter-country agreement makes us interoperable. All comms are monitored for
anything looking encrypted but not decryptable by the state using their keys.

It will be an easy sell because those who want full personal privacy will be
seen as suspect. It will also make money from licensing.

------
dewiz
Yeah I believe also trains, cars, food, water and oxygen played a role,
something should be done about those too. If that ever happens, open source to
the rescue, politicians might as well make that illegal.

~~~
mc32
This is all true, but it's also true "governments" had previously had [court
ordered or otherwise, depending on jurisdiction] access to communications,
when necessary in order to track individuals or obtain evidence. The claim is
that now people can choose technologies which allow them to evade
communications interception [easily] which frustrates governments when they
want to intercept communications.

I don't think it's far fetched to believe if not the US countries abroad will
require technology vendors to provide interception systems ala BlackBerry. Big
enough markets, can say, Apple, you can still sell in our country[1] but you
must grant access [MITM, whatever] and you know what, Apple will not want to
see its growth markets evaporate.

[1] They'd also disallow non-approved apps from country app store and also
disallow carriers from allowing jailbroken handsets.

~~~
terryf
Like the saying goes, if you outlaw guns, only the outlaws will have guns.

Seriously. Ever heard of steganography?

Police being able to listen in to communications for selected individuals,
based on court orders is of course something that is necessary for safety,
nobody is arguing that. The difference is the scale of the ability to survey.
You can argue that the scale doesn't matter, but it does. The only difference
between uber and your local taxi company with 10 cars is also scale. Being
able to scale surveillance trivially is the thing that must be fought against,
because it erodes the freedom of people. After all, the freedom of people to
live their lives as they wish is what we're protecting after all, isn't it?

~~~
TeMPOraL
> _After all, the freedom of people to live their lives as they wish is what
> we 're protecting after all, isn't it?_

Is it? I thought it's freedom to live their lives as long as they follow the
law?

~~~
terryf
No, it's exactly the reverse in fact! Laws are supposed to be made to make
living life better for the majority. Many problems stem from thinking the
opposite.

------
smegel
Wow, going for a walk in the woods is also a pretty good way to avoid be spied
on by the government. Better burn the forests down, or at least fill them with
video-cameras and microphones!

~~~
SixSigma
Unless you happen to be a govt advisor on Iraq.

The medical report was recently sealed by the govt. for 70 years.

[https://en.wikipedia.org/wiki/David_Kelly_(weapons_expert)](https://en.wikipedia.org/wiki/David_Kelly_\(weapons_expert\))

~~~
dfc
I am confused, the wikipedia article you link to says "In October 2010, the
postmortem—including the pathologist's 14-page report and the six-page
toxicology report—was made public, re-iterating the conclusion of the Hutton
report." The subtitle to the linked Guardian article is, "Government releases
previously secret medical files on death of weapons inspector at centre of
BBC's Iraq dossier story." What is it that you want to see?

~~~
SixSigma
Hmm maybe I have fallen for the headlines accompanying the recent sealing as
though it were revelatory when really it is back to normal practice of medical
records being private.

~~~
dfc
What is the recent sealing?

~~~
SixSigma
Part of the Hutton report that is due any day now....

------
spdustin
Typical. They blame Snowden, too. 'Hey, look, a chicken!'

[https://theintercept.com/2015/11/15/exploiting-emotions-
abou...](https://theintercept.com/2015/11/15/exploiting-emotions-about-paris-
to-blame-snowden-distract-from-actual-culprits-who-empowered-isis/)

More people should read that story.

------
nmj
Kind of sick of hearing government officials saying encryption is evil. This
stance is disingenuous at best and dangerous at worst.

------
mtgx
Jesus, NYT. Is it even _confirmed_ that they couldn't see what they were doing
"because they used encrypted apps", or is that just an _assumption_ of
"anonymous officials"?

Upon loading the post and reading the first paragraph:

> _American and French officials say there is still no definitive evidence to
> back up their presumption that the terrorists who massacred 129 people in
> Paris used new, difficult-to-crack encryption technologies to organize the
> plot._

Oh. Well there you go. I really don't see the point of these media entities
letting themselves _played_ like this by the authorities to spread their false
propaganda then. The bodies weren't even cold yet and they started spreading
this anti-encryption message on TV. Because they couldn't have possibly
admitted that maybe - just maybe - it's the intelligence agencies that screwed
up and they have to take responsibility for it, like it should happen in any
democratic country, instead of pointing fingers at others. I wonder what
they'll say next if we discover these terrorists _weren 't_ actually using
encrypted channels to communicate.

------
lvs
It's almost like they were ready and waiting with the talking points...
Hmmm...

[https://www.techdirt.com/articles/20150916/15570332276/havin...](https://www.techdirt.com/articles/20150916/15570332276/having-
lost-debate-backdooring-encryption-intelligence-community-plans-to-wait-until-
next-terrorist-attack.shtml)

------
teaneedz
Personally, I thought this tweet was spot on:
[https://twitter.com/marasawr/status/666467808071573504](https://twitter.com/marasawr/status/666467808071573504)

------
digitalzombie
Encrypted Messaging isn't the problem.

They should have better boarder control, background check on people before
letting them in, communication with other countries, and better integration.
Also perhaps programs for more tolerant people, and ease/integrate immigrants
in instead of more religious and toward the extreme end of the spectrum.

There are many other solutions without sacrificing freedom and privacy.

~~~
danieldk
Indeed. Some of the terrorists were from Molenbeek, a Brussels suburb that has
been out of control for the authorities for decades. The same applies to some
Parisian suburbs.

Rather than investing in these suburbs and getting human eyes and ears on the
ground. We spend many millions more on bombs and anti terror units.

Encryption is an easy scapegoat and convenient for power grabs. Saying 'we
mismanaged these suburbs' takes political courage.

~~~
venomsnake
> Indeed. Some of the terrorists were from Molenbeek, a Brussels suburb that
> has been out of control for the authorities for decades. The same applies to
> some Parisian suburbs.

Can you explain that a bit? There is not enough political will to impose order
there or something else?

~~~
danieldk
I am not sure, since I am from a neighbouring country. Some analysts said that
in the case of France, Sarkozy pulled resources from local projects and local
police to form anti-terror units, etc. Some areas have regressed so much that
regular policemen do not want to go there.

In the case of Belgium, one of the problems is that there was never a push
towards integrating North-Africans. Traditionally, the left has been in favor
of 'multi-culti' \-- you basically allow minorities to form their own
community without much outside interference. As far as I understand, this has
been strengthened in Belgium by the socialist party, which pretty much
maintained this non-interference policy for votes. This leads to problems,
because in other cities/countries family and friends would signal
radicalisation to the authorities. Here, many people do not even speak Dutch
or French and mistrust authority.

~~~
jacquesm
I like to look at Canada in this respect. They have done arguably a _very_
good job at integrating newcomers. The country has substantially increased its
population in the last 40 years and yet I did not meet any individuals that
did not think of themselves as 'Canadian' first. And that's in spite of cities
like Toronto containing areas labeled little Italy or Chinatown.

Integration of the Muslim community at large in Western Europe is for
reasonably large numbers of people a failure. Of course there are also plenty
of people that did integrate and that will stand up to defend the values of
the countries that they have adopted. But not at the level that Canada has
managed to achieve.

------
nemo
There's an interesting article on how Telegram is being used here:
[http://www.memri.org/report/en/0/0/0/0/0/0/8828.htm/](http://www.memri.org/report/en/0/0/0/0/0/0/8828.htm/)

~~~
jszymborski
Except, other than being a nice chat app, Telegram's encryption is snake oil

[http://unhandledexpression.com/2013/12/17/telegram-stand-
bac...](http://unhandledexpression.com/2013/12/17/telegram-stand-back-we-know-
maths/)

~~~
nemo
The article mentioned encryption, but I was more interested in their details
on how Daesh was using it as an unmoderated platform to spread tutorials on
manufacturing weapons and launching cyberattacks, calls for targeted killing
and lone-wolf attacks, and Daesh's use of bots on the platform.

~~~
toast0
So he's distributing the Anarchist Cookbook?

~~~
nemo
No. Not 'he', and not just distributing how-tos. Read the link if you'd like
to be aware of what's happening though.

------
titzer
We must resist every attempt to treat us like criminals a priori.

------
dijit
I was reading an article yesterday about how the attacks in paris were
coordinated via the playstation network.

This tells me, unequivocally, that the news outlets can't possibly understand
what is secure and usable, vs what isn't.

My girlfriend (whom is not very technical) was saying that PSN should open
itself to police, and then I showed her the security record of Sony, and then
showed her how messages are sent unencrypted over the wire.. and then showed
her the wiki page on Tempora.

It's very clear to me that they're going to blame everything and anything- and
we should very clearly ask the question to these publishers;

"whats your evidence of any wrongdoing";

"what's your ideal situation?";

"why do you feel that way"

------
callesgg
I am more afraid of the bs lobying people try to push using terror attacks
than i am of actually dying in an attack.

Just by looking at the numbers and the actual risks involved in being
effected.

------
kijin
If the latest James Bond movie were released 15 years ago, I would not have
found the villain's plan convincing at all. Using random terrorist attacks as
an incentive for governments to participate in global surveillance? Give me a
break.

Now, the Bond villain's agenda so obviously makes sense that it took all the
suspension-of-disbelief fun out of the movie. I watched it the day after the
Paris attacks. I couldn't help but feel as if _Spectre_ were just a historical
piece with some fictional characters added for dramatic effect. Of course
that's how surveillance creeps into modern societies. We don't even need
cheesy villains to act as masterminds of a convoluted plot. The assholes at
Daesh can get the job done just as effectively, thank you very much.

------
btreecat
>American and French officials say there is still no definitive evidence to
back up their presumption that the terrorists who massacred 129 people in
Paris used new, difficult-to-crack encryption technologies to organize the
plot.

Everything you need to know in the first paragraph.

------
nickysielicki
Did you guys know TERRORISTS are also on TWITTER and FACEBOOK! As soon as I
heard this my heart sank and I deleted my accounts.

These dangerous tools are being used to recruit jihadists from our own
communities!!!!! Can you believe it?

I hope they ban this "cryptography" app, as well as Facebook and Twitter.

/s

How can people be this stupid? Better question: Why are people so
uncomfortable deferring their opinions to people who know these things? I
don't think you'll find a single person involved in tech who thinks banning
cryptography is a good idea, let alone possible.

With that in mind, why does this news article exist? How are our politicians
getting away with this populist bullshit?

~~~
vonklaus
> Why are people so uncomfortable deferring their opinions to people who know
> these things?

I think you might find that a non-trivial subset, if not outright majority, do
deferring their opinions to people _who know these things_.

They often get information and analysis from the news, their government, and
that "one guy who is good at computers". I use pgp and gpg, I use ssh, and I
am a programmer. I know very little about how cryptography works, but likely
enough to appraise someone else's ability to shepherd such discussion and
policy.

So what heuristic would you apply here? I love the EFF but they have not
succeeded in any mainstream endeavor. I do not mean to belittle their
accomplishments, but what percent of people reading this article know what the
EFF is?

------
kriro
I think the sensible argument for advocates of strong privacy has been touched
upon in the article when they mentioned China. At least that's my "debate
tactic". The argument is basically "we need strong crypto because it allows
people living in ISIS dominated regions to communicate safely and escape
without the danger of having their communication intercepted and having a kill
team visit them"

------
LoSboccacc
the sad part is that this is the only actual quote I could find, all the rest
is just speculation and security theater

"The working assumption is that these guys were very security aware, and they
assumed they would be under some level of observation, and acted accordingly"

and the ps4 quote about encryption is completely unrelated:
[http://www.xpats.com/brussels-weakest-link-europes-fight-
aga...](http://www.xpats.com/brussels-weakest-link-europes-fight-against-
terrorism)

just think about it: if problem was just the encryption, the logical
assumption is that they were aware of the person involved but couldn't read
the messages

you have to find the person you need to monitor first, encryption or not. you
can't track every message, even if you force the whole word to communicate
without encryption, because of the sheer amount of false positives.

[https://www.schneier.com/blog/archives/2006/03/data_mining_f...](https://www.schneier.com/blog/archives/2006/03/data_mining_for.html)

------
chei0aiV
More on this:

[https://www.schneier.com/blog/archives/2015/11/paris_attacks...](https://www.schneier.com/blog/archives/2015/11/paris_attacks_b.html)

------
dbg31415
So if the government is complaining that ISIS now uses technologies that it
can't yet crack... and they know this... who exactly are they intending to
spying on? Not ISIS, just the rest of us.

------
spoiler
I fail to see how privacy/crypto apps helped them. They could've as well used
DIY "apps" or alternate channels of communication (which could be encrypted).

------
voynich61
Tech-savvy people often miss the forest for the trees on this one. Once you
get past the engrossment in implementation details, the fundamentalist
political philosophizing, and the harping on spurious and mostly anecdotal
evidence for Western police states, there actually is good reason for
government surveillance of W/Obama scale. There is a distinct threat that
global terror will increase in scope by orders of magnitude, due to a) gains
in message efficacy, b) positive feedback loops for recruitment (i.e., bombing
Iraq over and over again), c) weapon availability gains, d) geopolitical
posturing, or e) a black swan. Of what has been revealed from Snowden's leaks,
the worst intentional (read: potentially malicious) invasion of privacy was
NSA employees making fun of tapped conversations. If that and you not being
able to torrent 24-bit flacs off of what.cd is the cost we have to pay for
security in a future which is less certain than is widely acknowledged, sign
me up.

~~~
benashford
The worst thing for me about the Snowden leaks wasn't that. It was the
deliberate interference in secure protocols (e.g. the flawed random number
generators), combined with the pressure to leave open accidental flaws.

This makes everyone vulnerable to J. Random Cybercriminal when those same
flaws are finally discovered by the non-secret services.

Being a victim of an identity thief is a lot less terrifying than being in the
middle of a automatic weapon massacre, but it's a lot more likely to happen.

The framing of the debate as "encryption = only used for evil" is not only
wrong, but very dangerous from that point-of-view.

I don't have any easy answers that keeps everyone happy. But neither does
anyone else.

