Clueless Press Being Played To Suggest Encryption Played A Role In San Bernardino Attacks
As law enforcement and their friendly politicians have used the attacks in San Bernardino to renew a call to undermine and break encryption, the mainstream press has been an easy target for politicians looking to get out whatever message they want. Take, for example, the following set of stories that popped up for me in a simple Google News search: 
Note that the first story -- the one claiming the San Bernardino attackers had encryption actually came out before the second story saying they did not. Incredibly, if you read the full text of both stories, neither fully agrees with its own headline. The ABC story is ridiculously vague:
Anyway, it appears the same anonymous "senior US officials" who were whispering in ABC's ear were doing the same to CBS, which posted a ridiculously vague tweet, without any followup story (that I can find):
Others have since run with it. The International Business Times wrote an entire story about the encryption the attackers used, with CBS's tweet as its sole source. And a local Fox affiliate ran a similar story that also is ridiculously vague, with a title breathlessly declaring "ISIS Encryption Used By San Bernardino Shooters." Even that headline goes beyond anything else I've seen, since no one had specifically claimed "ISIS encryption." But then you read the full article and it doesn't either. Here's the entire discussion of the San Bernardino attackers in the first paragraph:
Thankfully, Joshua Koopstein at Vice's Motherboard throws some cold water on this kind of idiocy, noting that every phone these days has some "built-in encryption" and that the press running with this story are being ridiculous.
But, really, none of that really matters in the long run. There certainly will be attacks where encryption is used for planning -- why wouldn't there be? But the debate shouldn't be about that so much as looking at the overall setup of the world and computer security. And the simple fact is that more people are made safer by the widespread adoption of encryption than are made safer by undermining that encryption to let the FBI peek in on your communications.
Permalink | Comments | Email This Story
Note that the first story -- the one claiming the San Bernardino attackers had encryption actually came out before the second story saying they did not. Incredibly, if you read the full text of both stories, neither fully agrees with its own headline. The ABC story is ridiculously vague: The couple who launched the terrorist attack in San Bernardino, California, last week had devices with some form of encryption, making it difficult for authorities to access all potential information on phones and perhaps other devices, two senior U.S. officials told ABC News.The story at The Hill that claims there's "no evidence" instead has lots of quotes from people suggesting that they just haven't found it yet, and Senator Richard Burr saying it doesn't matter because "we've still got a big problem out there that we're going to have to deal with and it's called encryption." This is the same Richard Burr who, just a couple of months ago, was warning about the dangers of "cyber" attacks in pushing CISA. Does he not realize that encryption helps protect against those attacks significantly more than the ridiculous CISA bill he supported?
"Some of their digital media we have been able to exploit. Some of it we have not," one official said.
Anyway, it appears the same anonymous "senior US officials" who were whispering in ABC's ear were doing the same to CBS, which posted a ridiculously vague tweet, without any followup story (that I can find):
Others have since run with it. The International Business Times wrote an entire story about the encryption the attackers used, with CBS's tweet as its sole source. And a local Fox affiliate ran a similar story that also is ridiculously vague, with a title breathlessly declaring "ISIS Encryption Used By San Bernardino Shooters." Even that headline goes beyond anything else I've seen, since no one had specifically claimed "ISIS encryption." But then you read the full article and it doesn't either. Here's the entire discussion of the San Bernardino attackers in the first paragraph: Lawmakers say the San Bernardino shooters may have used encrypted communications in an attempt to hide their activities. This type of encryption has been seen before, however.The rest of the article deals with the FBI's new claims that one of the Garland, Texas, shooters used encryption, not the San Bernardino attackers. And then it just mentions that ISIS has its own form of encryption at the end of the article, never tying it back to the San Bernardino attackers. A headline like that seems like journalistic malpractice.
Thankfully, Joshua Koopstein at Vice's Motherboard throws some cold water on this kind of idiocy, noting that every phone these days has some "built-in encryption" and that the press running with this story are being ridiculous.
And, even more on point, Marcy Wheeler points out that "encryption" has just become law enforcement and the intelligence community's buzzword of choice for "failing to achieve omniscience."As many in the security world quickly pointed out, the claim is both vague and nonsensical: Every phone and computing device currently sold in the US has "levels of built-in encryption." If they didn't, criminals would still be able to easily intercept your calls when your phone connects to a cell tower, and a common thief who steals your device would get access to your bank account info, login details, pictures, and any other sensitive data you stored on it.
In other words, saying you found "built-in encryption" in a modern cellphone is about as meaningful as saying you found a battery and a touchscreen.
But this is the second attack in a row, with Paris, where Burr and others have suggested that their lack of foreknowledge of the attack makes it probable the planners used encryption. Burr doesn't even seem to be considering a number of other things, such as good operational security, languages, and metadata failures might lead the IC to miss warning signs, even assuming they're collecting everything (there should have been no legal limits to their ability to collect on Malik).Indeed, that's why we pointed out that the Paris attacks were an intelligence failure, not an encryption problem. And it explains why the law enforcement and intelligence communities are so quick to blame encryption. They don't want people looking back at their own failures, so they might as well blame the technology.
We're not having a debate about encryption anymore. We're debating making the Internet less secure to excuse the IC's less-than-perfect-omniscience.
But, really, none of that really matters in the long run. There certainly will be attacks where encryption is used for planning -- why wouldn't there be? But the debate shouldn't be about that so much as looking at the overall setup of the world and computer security. And the simple fact is that more people are made safer by the widespread adoption of encryption than are made safer by undermining that encryption to let the FBI peek in on your communications.
Permalink | Comments | Email This Story