Encrypted messages: Does the government need a way in?
When the French government was taken by surprise by the string of deadly terror attacks across Paris on Friday, some officials speculated that the attackers were able to maintain their secrecy through encrypted communications in spaces like the so-called "dark net."
The use of highly secure messaging apps and other encryption technology poses a growing challenge for law enforcement and intelligence agencies.
The U.S. intelligence community wants a way to access encrypted communications by having companies retain a way to decrypt them. But cybersecurity experts say leaving a secure "back door" just for the government is all but impossible to do without leaving a way in for hackers, cyber spies or other bad actors.
The rise in encrypted communications
Terror groups like al Qaeda have been using encryption and the Internet to trade messages since before the 9/11 attacks. But the past two decades have seen new technologies that make encryption easier and more secure.
"As the technology industry builds up tools for collaboration (anything from Slack, used to keep teams in sync, to Facebook and Twitter, to advanced encryption technology both built into phones and as simple-to-download software), smart criminals, nation states, and terror organizations are likely to make use of them as well," cyberwarfare adviser David Gewirtz told CBS News in an email.
There's The Onion Router - known as Tor - a network of servers originally developed by the U.S. government that allows users to browse the web anonymously by sending traffic through multiple routers. It's part of the "deep web" that's not indexed by search engines, and it's hard for investigators to penetrate.
In addition, companies like Google, Facebook and Twitter have moved toward an encryption technique called "perfect forward secrecy" that creates a unique key for each encryption. It does not create a long-term master key that can be shared or used to unlock previous communications.
There is no way a company or government can use one key to read previously encrypted messages - so a government entity like the National Security Agency (NSA) doesn't benefit from storing old encrypted communications in the hope that it will one day get the key to unlock them.
"You can walk in with a court order from a federal judge, hand it over to the company and say, 'We need to see what's inside here' -- just like we did in Mumbai, just like we did after 9/11 -- and they'll tell you, 'We can't see what's inside. We designed it to be uncrackable,'" NYPD deputy commissioner for intelligence and counterterrorism John Miller said on "48 Hours" this weekend. "That's a real challenge."
"It is definitely getting harder and harder for U.S. intelligence agencies to conduct these operations," Justin Harvey, the Chief Security Officer at Fidelis Cyber Security, told CBS News.
On CBS' "Face the Nation" Sunday, former CIA Deputy Director Michael Morell, a CBS News senior national security contributor, predicted that investigators will discover that the Paris attackers were using some sort of encrypted communication to plan attacks.
"I think what we're going to learn is that these guys are communicating via these encrypted apps, the commercial encryption, which is very difficult, if not impossible, for governments to break, and the producers of which don't produce the keys necessary for law enforcement to read the encrypted messages," Morell said.
What governments want
Michael Hayden, the former director of the National Security Agency (NSA), said on CBSN that it has become harder for intelligence agencies to collect information after leaks by former NSA contractor Edward Snowden that revealed the agency's surveillance tactics, as well as the availability of encryption software.
"We spent the last two and a half years withdrawing from collection activities that even this president, President Obama...was comfortable with and we've pulled back," Hayden said. "I think the events in Paris are going to give a better balance now to the kinds of discussions we need to have."
U.S. agencies like the FBI argue that companies should be required to hold the key to unlock encrypted communications when the government has a warrant. The U.S. isn't alone: a bill in the United Kingdom would legally obligate companies to help the government unlock encrypted information and stop them from using end-to-end encryption used by services like iMessage and WhatsApp where only the people sending and receiving messages can read them.
What cyber experts say about that
Cybersecurity experts say that leaving a "back door" that can be entered by the government is a bad idea.
"If you're asking whether Google, Apple, Microsoft, Twitter, Slack, and Facebook should allow the governments of the world to dig through their records, that's a matter of interpretation of each nation's laws. But if you're asking if they should install back doors or flaws so governments can easily hack into communications, the answer has to be absolutely not," Gewirtz said. "Any time you build a flaw into software for the benefit of the good guys, it leaves a gaping hole where the bad guys can get in. It's far better for the tech industry to build as solid and powerful products as they can, without any built-in breach points, and then work with law enforcement constructively when there are tangible clues."
Beyond sacrificing the right to have a private conversation, Harvey said, "I don't think there is a workflow that enables complete transparency and the ability to decrypt these encrypted communications without the potential for widespread abuse or targeted abuse."
Shane McGee, the chief privacy officer at cybersecurity firm FireEye, said that even if the U.S. government started demanding that companies maintain a key to unlock encrypted communications, people who wanted secrecy would simply move to one of the many non-American or open-source encryption products that already exist.
"It wouldn't really help," he said. "It would be turning business away from U.S. companies."
How can the government get around encrypted communications?
U.S. law enforcement and the intelligence community are very good at "finding and reading those communications even when they are encrypted," McGee said. "There's different tradecraft, different forensic techniques and legal techniques."
As an example, he pointed to a FireEye report on the Syrian conflict. Hackers were able to see the Syrian opposition's strategy, battle plans and other personal information that was shared on Skype. The hackers posed as attractive women who would send the targets photos laden with malware to steal data on the devices they were using.
Encryption, Gewirtz, suggested, "only gets the bad guys so far." Most technological activity leaves some sort of trace.
"It may take some time, but the world's law enforcement and investigative agencies will find clues and dig them out," he said. "While we may not be able to interpret the contents of encrypted messages quickly or easily, the existence of a pattern of encrypted messages is often a clue itself."
for more features.