For years, terrorist groups and law enforcement bodies around the world have been in a constant game of cat and mouse as the former finds new platforms on which to talk and organize and the latter tries to catch up. Lately, secure messaging apps that promise to hide users' messages from prying eyes of all sorts, have given these organizations a relatively simple way to communicate, which raises a question debated hotly by security analysts and privacy advocates: Does giving encryption services to everyone mean providing aid to terrorists?
IS claimed responsibility for the Paris attacks by way of Telegram, a Russian-made app that encrypts messages. So confident is the company in their technology that it's held a "cracking contest," inviting hackers and others to find a way to beat their security systems and extract secret data. ( No one claimed the $300,000 prize.) The service has a reported 60 million monthly active users and sends 12 billion messages a day, including some that are undoubtedly related to terrorist activity.
The company, which was originally formed to help Russians evade surveillance by their government, is unapologetic about the fact that criminals and terrorists can use it.
"Our right for privacy is more important than our fear of bad things happening, like terrorism," Telegram co-founder, Pavel Durov said on stage at TechCrunch Disrupt in San Francisco in September, when asked about IS using the platform. "Ultimately, the ISIS will always find a way to communicate within themselves and if any means of communication turns out to be not secure for them, they'll just switch to another one. So I don't think we're actually taking part in these activities... I still think we're doing the right thing, protecting our users privacy."
"Law enforcement is at a complete disadvantage," says Ed Cabrera, a former Secret Service agent who is now VP at cyber security company Trend Micro. "Companies really want to be seen, in a post-Snowden world, as champions of privacy."
Yet Telegram has made concessions to government bodies before, most notably when it barred Iranian users from viewing pornography. Durov told the Disrupt audience it was a business decision, that he didn't want Telegram to be "perceived as a source of porn."
"If they were going to great lengths to do that, you would think they would be making the same concessions for law enforcement when it came to terrorist types of activities," Cabrera said. "It would be interesting to see what (Durov) would say today."
Telegram did not respond to requests for comment.
Privacy advocates worry that this latest terrorist attack in Paris, and a renewed focus on terrorists using apps to communicate, might open a door for increased government surveillance across the board.
"It's a great PR moment (for the government) and it's going to affect people's civil liberties," says Jennifer Granick, an attorney and Director of Civil Liberties for Stanford's Center for Internet and Society. "The story is, 'All of a sudden terrorists are able to do these things because of encryption,' and that's just crazy. Terrorists have been using encryption for a while. We know very little still about how these attacks were planned."
Initially, stories circulated about the attackers using PlayStation 4 gaming consoles to plot, but those appear to be rumors without much grounding in fact, as Motherboard's Lorenzo Franceschi-Bicchierai reported Monday. There are a host of reasons PS4 communication is unlikely, but the most obvious one is that there are obvious better options. "Given that ISIS members can use, and have been reported to use, encryption apps on their phones," Franceschi-Biccherai wrote, "why use the less-portable PlayStation?
Legally, companies like Telegram don't have an obligation to help law enforcement or to ban users for content. Other platforms, like Twitter, have instituted public rules about not posting graphically violent or pornographic materials. Twitter declined to comment for this story, but has worked with law enforcement in the past and as a matter of policy will provide information about users if served with a subpoena or search warrant.
The difficulties involved in monitoring terrorist activity and preventing future attacks are more than just a matter of being able to monitor communications, it means sorting out the signal from the noise. There were warnings about the terrorist attack in Paris, the Associated Press has reported, but they were of the vague sort that a French official told the AP crop up "all the time."
"There's this idea that if we know everything everybody does, we'll be able to prevent (an attack)," says Granick, "and that's not true. You end up with a million people on the terrorist watch list and you don't know who to watch."