U.S. may be financing encryption apps to stay ahead of terrorists

18.11.2015
The U.S. government's financial support for the development of smartphone encryption apps doesn't surprise security experts.

U.S. intelligence agencies are probably involved in funding commercial encryption apps through the government's Open Technology Fund to stay on top of terrorists and organized criminals that use encryption to cloak their communications, several security experts said Wednesday.

"It would not surprise me if federal agencies were funding encryption apps because it is possibly the only option available to monitor terrorism and organized crime," said Darren Hayes, assistant professor and director of cybersecurity at Pace University. "ISIS members have been actively pushing potential recruits to move to encrypted communications."

Patrick Moorhead, an analyst at Moor Insights & Strategy, added, "I believe that intelligence agencies fund many of these encryption efforts to stay one step ahead of it, to be able to crack [encryption] earlier than anyone else."

Avivah Litan, an analyst at Gartner, agreed that it makes sense that the OTF would take advantage of startup software developers building encryption tools in order to find ways that the encryption can be broken. "The bottom line is that intelligence agencies need to develop surveillance methods that get around encrypted communications," she said.

Computerworld reported that the OTF, a federally funded organization created in 2012, was intentionally financing privately built encryption and other apps and software that was designed to circumvent surveillance to promote human rights and open societies.

OTF provided $1.3 million to encryption app maker Open Whisper Systems in 2013 and 2014. The San Francisco company makes and supports Signal, RedPhone and TextSecure smartphone apps available for iPhones and Android smartphones.

Spokespersons for the FBI and the U.S. Senate and House intelligence committees would not comment on the OTF funding when asked on Wednesday. FBI Director James Comey and Attorney General Loretta Lynch have publicly raised concerns about terrorists and criminals going dark and using encryption to block surveillance.

Some experts, including Hayes, have said ISIS probably used encrypted communications to evade detection before the Paris massacre on Friday that killed 129 people and injured hundreds. Lynch and many other officials would not confirm that ISIS used encrypted channels, either with commercially available or home-grown encryption.

Members of the Senate Intelligence Committee on Tuesday called for a hearing and possibly legislation to find ways to grant intelligence agencies access to encrypted data used by nefarious groups.

But details are sketchy on what the legislation might be. Various ideas have been raised, including pushing Apple, Google and tech companies to find ways to share decryption keys when ordered by a judge. A Department of Justice spokeswoman said the agency is not currently seeking legislation to address encryption remedies.

Other proposals have involved seeking voluntary industry compliance with intelligence agency demands for access to encrypted data. U.S. Sen. Dianne Feinstein, D-Calif., said Monday that she has asked for help from the chief attorneys for Silicon Valley companies but to no avail.

U.S. Sen. Mark Warner (D-Va.), said in a statement to Computerworld: "We know that the growing use of encryption technology poses a growing challenge to the ability of our intelligence and law enforcement professionals to keep the country safe, but the question is what should be done about it. We have asked the FBI, the intelligence community and the Administration what their plan is to get ahead of this challenge, and we have not gotten good answers."

Privacy advocates have roundly objected to back-door or workaround attempts to break encryption, even for national security, pointing out that it is impractical, expensive and would disrupt low cost, commercial encryption for average users, putting them at risk of government snooping.

Even supporters of new surveillance methods to bypass encryption say the right approach will be hard to find. "It's a waste of time to pressure companies like Apple and Google to release decryption keys to intelligence agencies because terrorists will just use non-standard encryption applications and devices that are readily available," Litan said.

Intelligence agents should take a lesson from cybercriminals in taking control of handsets and accounts when they need to monitor communications, Litan added. "Criminals do this all the time — they plant malware on endpoints, and that gives them full account access to files and communications, whether or not they are encrypted," she said. "I know this is easier said than done, but it's what intelligence agencies need to focus on because they are never going to be able to stay on top of all the encryption applications."

While it might not be surprising to analysts that the OTF could be working with private encryption developers on behalf of intelligence agencies, the OTF and various federal agencies have not confirmed that to be the case.

The OTF's website describes a complex routing of federal dollars to reach OTF recipients. A flow chart shows funding from Congress is passed through the Broadcasting Board of Governors and then to Radio Free Asia before reaching OTF. The U.S. State Department and President Obama have a hand in the process.

Open Whisper Systems, one of 23 recipients listed by OTF, could not be reached for comment on its grant from OTF. Whisper has a number of bloggers and is owned and supported by a developer community. Its founder, Moxie Marlinspike, is a pseudonym for computer security researcher Matthew Rosenfeld, who, according to the website, was the past head of security at Twitter. He could not be reached for comment.

(www.computerworld.com)

Matt Hamblen