First they blamed encryption. Then they wanted websites taken down. Now, they’re proposing additional legislation.
Just days after the shocking attacks in Paris, there's a new push in Washington to crack down on encryption and other security tools in an effort to prevent future attacks. Members of Congress have proposed mandatory backdoor provisions, website shutdowns, and expanded surveillance powers. But none of the suggestions have any clear connection to methods used in the attacks, which is resulting in a strange hodgepodge of ideas. Many in the government aren't sure which technologies to blame.
The loudest voice so far comes from CIA director John Brennan, who blames encryption for intelligence failures leading up to the attacks. "There are a lot of technological capabilities that are available right now that make it exceptionally difficult, both technically as well as legally, for intelligence and security services to have the insight they need to uncover it," he said during a speech at the Center for Strategic and International Studies. "And I do think this is a time for particularly Europe, as well as here in the United States, for us to take a look and see whether or not there have been some inadvertent or intentional gaps that have been created in the ability of intelligence and security services to protect the people that they are asked to serve."
Despite Brennan's assertions, investigators still don't know how these attacks were planned. There was initial speculation the terrorists communicated via the unencrypted PlayStation Network, which turned out to be false. In another twist, given the physical proximity of many of the already-named attackers, it's unclear if electronic devices were used at all during planning.
Others have sought to blame disk encryption, particularly the security measures protecting iPhones, which law enforcement officials have been looking to circumvent for years. Many in law enforcement, including the Manhattan District Attorney today, have pushed for a universal power that would allow police to unlock any disk-encrypted device once the appropriate legal rulings were obtained. However, early reports from Paris indicate disk encryption wasn't protecting the attackers' phones, which makes it unlikely those powers would have helped prevent these attacks or catch perpetrators afterward.
At the same time, other legislators have focused on ISIS's web presence. Yesterday, during a hearing with the Federal Communications Commission (FCC), US Representative Joe Barton (R-TX) suggested shutting down ISIS websites and social media networks. "They’re using the internet in extremely offensive and inappropriate ways against us," he said after noting websites "pop up like weeds" and asking if the government could just "shut those internet sites down."
FCC Chairman Tom Wheeler responded, "I’m not sure that our authority extends to picking and choosing among websites, but I do think there are specific things that we can do." Among those things the agency could do is have Congress update the definition of a "lawful intercept" under the Communications Assistance for Law Enforcement Act (CALEA), which could force companies to build backdoors into their technology and decrypt any encrypted communications. When asked if Wheeler and his agency would help lawmakers update that law, Wheeler replied, "A capital yes, sir." Reports out of Washington indicate Wheeler might just get that opportunity as interest in CALEA builds, along with further anti-encryption legislation.
Investigators are still sorting through evidence to determine how these events transpired. Even if the attackers used an encrypted chat app such as WhatsApp, plenty of non-terrorists use it, too, and want their communications kept private. Plus, a backdoor built for law enforcement can be used by anyone who discovers it, which makes many in the technology world reluctant to build one.
For most privacy advocates, Paris hasn't changed the fundamental question of whether strong privacy protections should be allowed on the web. "These [Paris] attacks are reprehensible," said Harley Geiger, senior counsel and advocacy director at the Center for Democracy & Technology, in an interview with The Verge. Noting the investigations are ongoing, he continued, "the debate about government-mandated cybersecurity vulnerabilities in this country has been going on for many years, and the dangers of a government-mandated backdoor into encryption have not changed simply because we’ve had these reprehensible attacks."