Another Take on the Lessons of Paris Shootings for Encryption

A variety of sources are reporting that the terrorists in Paris used encryption that may have thwarted intelligence efforts to monitor their pre-attack activities. (See, for example, today's New York Times.) Ben Wittes had a nice piece yesterday that focused on what the Snowden disclosures may or may not have done to lead to this ostensible outcome. I want to offer below a complementary perspective that does not contradict Ben’s thoughts but does add one observation that he doesn’t make.

Specifically, the argument that only exceptional access can provide government authorities with the necessary information to thwart terrorist events don’t seem to apply to what appears to have happened in investigating the Paris shootings. The terrorists had to be in communication with each other before the events, and their use of encrypted communications apps may have prevented surveillance that could have thwarted them. But as indicated by the rapid arrests in the wake of the shootings and the identification of the leaders of the plot , the number of people for whom surveillance may be necessary is almost surely small and their identities largely known.

If so, targeted means for gaining access to encrypted communications are feasible. That is, government authorities could target the communications of a set of specific individuals using technical means. Encrypted communications must be decrypted and displayed for the terrorist or criminal to read them, and thus they can be captured by on-device software. Message capturing software could be pushed only to individuals under suspicion (and only with appropriate legal oversight). In principle, there is no reason that government authorities could not read encrypted terrorist communications a few moments after the terrorist reads them. (This approach shares much in common with the “Lawful Hacking” approach advocated by Bellovin, Blaze, Clark, and Landau.)

In arguing against the “lawful hacking approach”, advocates of generalized requirements to provide exceptional access usually posit an encrypted device is in the hands of government authorities and may contain information helpful to taking immediate action. While the case is still unfolding, this does not seem to have been the case in the Paris shootings.