Despite the bluster in Congress about the need to press forward with laws banning the use of encryption in the United States following the Nov. 13 terrorist attacks in Paris, the truth is out. It turns out that the Paris attackers didn’t encrypt anything, but instead communicated openly, in some cases publically, about their plans.
Instead of using sophisticated message encryption and brilliant tradecraft, it seems that the reason the attackers were able to communicate so effectively is because of the low-tech nature of their communications, and because the intelligence community simply missed it.
What actually happened is that the terrorists did the one thing that is hard for big spy agencies to deal with—they mostly talked among themselves. The attacks were planned and carried out by the Abdeslam brothers, who lived in the small town of Molenbeek, Belgium. Most of their co-conspirators lived or visited nearby. The close proximity of the bulk of the attackers meant that they simply discussed their plans in person.
While the attackers were apparently known to French police, it appears that little, if anything, was done to keep tabs on them or on their communications. According to press reports, the brothers may have discussed their plans in the jihadist online magazine Dabiq months before the attack, but apparently nobody picked up on that.
Likewise, phone metadata had already identified the Abaaoud brothers as having been in contact with participants in earlier attacks in France when the Thalys train was attacked (and thwarted by three American travelers) on the way to Paris. They were also identified by metadata as having been in contact with terrorists who attacked a Jewish museum in Belgium in 2014.
With the information that the intelligence community apparently already had on the terrorists, especially on the leadership, it probably wouldn’t have mattered if their electronic communications had been encrypted. But they weren’t. French investigators have revealed in their post-attack press conferences that while the attackers communicated using Short Message Service (SMS) texting, nothing was encrypted. The messages were sent in the clear.
This information provides insight into the collection of metadata by the National Security Agency, which has been the subject of controversy since the existence of the program was revealed by former contractor Edward Snowden. That is that the existence of such metadata can indeed be critical in identifying and exposing activities such as those by the Paris attackers. But to be effective, somebody has to be paying attention, and in the case of the attacks in Paris, apparently nobody was.
The encryption blather is also revealed for what it is, which is simply so much hot air. A ban on encryption would have made no difference at all in revealing the plans of the Paris attackers because they didn’t encrypt their communications.
But suppose they had used encryption, and suppose the collection of phone metadata had worked as intended? The fact that people known to be in contact with other terrorists were communicating using encrypted messages would have been enough to alert the intelligence community that something was up, and a properly timed investigation would have revealed the terrorist plans.
Encryption Ban Wouldn’t Have Affected Paris Attackers’ Plans
However, we can suppose all we want. The reality is that the intelligence services in France and Belgium were unaware of the threat to Paris until the attack happened. It’s been called an intelligence failure by many, and in some sense it was, but the fact is that the crisis caused by Syrian and Iraqi migrants has so overwhelmed the intelligence services in Europe that it shouldn’t have been a surprise that terrorist forces would take advantage of it at some point.
But none of this has anything to do with encryption, which shows that it’s really just a red herring being used to divert attention from the real issues surrounding the need for encryption in legitimate personal and business communications. It’s easy to get people to agree that fighting terrorism is good, and then convince them that outlawing the use of encryption will solve the problem.
Unfortunately, while the tragedy of Paris is still fresh in so many minds, it’s also possible to leverage this in an opportunistic effort to convince others in Congress that banning the use of strong encryption will somehow protect the United States.
The fact is that outlawing the use of strong encryption will do nothing of the sort to make the United States safe, and instead will likely do a great deal to make it just the opposite. The problem with a government-mandated backdoor is that it will be found, and probably found more than once. That means that cyber-criminals and malevolent nation-states will have full access to commercial data as it flows.
Unfortunately, it won’t do the same for the criminals and terrorists, who will have no compunction against using unbreakable encryption regardless of its legal status. After all, if you’re planning to blow up the U.S. Capitol or Times Square, what’s the threat of a fine going to mean if you use strong encryption? Fining a suicide bomber after the fact seems to me to be an ineffective deterrent.