Category Archives: ENCRYPTION

Canberra gives ‘decryption’ yet again another crack with draft legislation

The Australian government is still committed to ‘no backdoors’, publishing draft legislation that will force internet companies to assist law enforcement in decrypting messages sent with end-to-end encryption.

The Australian federal government has finally outlined in detail how it plans to access encrypted communications, publishing draft legislation more than a year since Prime Minister Malcolm Turnbull announced his intentions to do so.

In a bid to address the “serious challenges posed by current communications technology to law enforcement and national security investigations”, the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 [PDF] is described by the government as demanding “critical assistance” from the communications industry thus enabling law enforcement to effectively investigate serious crimes in this digital era.

The Bill, opened to the public for consultation, introduces measures that the government said will greatly improve the ability of agencies to access intelligible communications content and data.

FBI Couldn’t Access Almost 7K Devices Because Of Encryption

The FBI hasn’t been able to retrieve data from more than half of the mobile devices it tried to access in less than a year, FBI Director Christopher Wray said Sunday, turning up the heat on a debate between technology companies and law enforcement officials trying to recover encrypted communications.

In the first 11 months of the fiscal year, federal agents were unable to access the content of more than 6,900 mobile devices, Wray said in a speech at the International Association of Chiefs of Police conference in Philadelphia.

“To put it mildly, this is a huge, huge problem,” Wray said. “It impacts investigations across the board—narcotics, human trafficking, counterterrorism, counterintelligence, gangs, organized crime, child exploitation.”

The FBI and other  have long complained about being unable to unlock and recover evidence from cellphones and other devices seized from suspects even if they have a warrant, while technology companies have insisted they must protect customers’ digital privacy.

The long-simmering debate was on display in 2016, when the Justice Department tried to force Apple to unlock an encrypted cellphone used by a gunman in a terrorist attack in San Bernardino, California. The department eventually relented after the FBI said it paid an unidentified vendor who provided a tool to unlock the phone and no longer needed Apple’s assistance, avoiding a court showdown.

The Justice Department under President Donald Trump has suggested it will be aggressive in seeking access to encrypted information from . But in a recent speech, Deputy Attorney General Rod Rosenstein stopped short of saying exactly what action it might take.

“I get it, there’s a balance that needs to be struck between encryption and the importance of giving us the tools we need to keep the public safe,” Wray said.

In a wide-ranging speech to hundreds of police leaders from across the globe, Wray also touted the FBI’s partnerships with local and federal law enforcement agencies to combat terrorism and violent crime.

“The threats that we face keep accumulating, they are complex, they are varied,” Wray said, describing threats from foreign terror organizations and homegrown extremists.

Wray also decried a potential “blind spot” for intelligence gathering if Congress doesn’t reauthorize an intelligence surveillance law set to expire at the end of the year. The Foreign Intelligence Surveillance Act allows the government to collect information about militants, people suspected of cybercrimes or proliferation of weapons of mass destruction, and other foreign targets outside the United States. Intelligence and law enforcement officials say the act is vital to national security.

A section of the act permits the government, under the oversight of the Foreign Intelligence Surveillance Court, to target non-Americans outside the United States.

“If it doesn’t get renewed or reauthorized, essentially in the form that it already is, we’re about to get another blind spot,” Wray said

Henry Sapiecha

Famed Hacker Kevin Mitnick Shows You How to become Invisible Online

If you’re like me, one of the first things you do in the morning is check your email. And, if you’re like me, you also wonder who else has read your email. That’s not a paranoid concern. If you use a web-based email service such as Gmail or Outlook 365, the answer is kind of obvious and frightening.

About the author

Kevin Mitnick (@kevinmitnick) is a security consultant, public speaker, and former hacker. The company he founded, Mitnick Security Consulting LLC, has clients that include dozens of the Fortune 500 and world governments. He is the author of Ghost in the Wires, The Art of Intrusion, and The Art of Deception.

Even if you delete an email the moment you read it on your computer or mobile phone, that doesn’t necessarily erase the content. There’s still a copy of it somewhere. Web mail is cloud-based, so in order to be able to access it from any device anywhere, at any time, there have to be redundant copies. If you use Gmail, for example, a copy of every email sent and received through your Gmail account is retained on various servers worldwide at Google. This is also true if you use email systems provided by Yahoo, Apple, AT&T, Comcast, Microsoft, or even your workplace. Any emails you send can also be inspected, at any time, by the hosting company. Allegedly this is to filter out malware, but the reality is that third parties can and do access our emails for other, more sinister and self-serving, reasons.

While most of us may tolerate having our emails scanned for malware, and perhaps some of us tolerate scanning for advertising purposes, the idea of third parties reading our correspondence and acting on specific contents found within specific emails is downright disturbing.

The least you can do is make it much harder for them to do so.

Start With Encryption

Most web-based email services use encryption when the email is in transit. However, when some services transmit mail between Mail Transfer Agents (MTAs), they may not be using encryption, thus your message is in the open. To become invisible you will need to encrypt your messages.

Most email encryption uses what’s called asymmetrical encryption. That means I generate two keys: a private key that stays on my device, which I never share, and a public key that I post freely on the internet. The two keys are different yet mathematically related.

For example: Bob wants to send Alice a secure email. He finds Alice’s public key on the internet or obtains it directly from Alice, and when sending a message to her encrypts the message with her key. This message will stay encrypted until Alice—and only Alice—uses a passphrase to unlock her private key and unlock the encrypted message.

So how would encrypting the contents of your email work?

The most popular method of email encryption is PGP, which stands for “Pretty Good Privacy.” It is not free. It is a product of the Symantec Corporation. But its creator, Phil Zimmermann, also authored an open-source version, OpenPGP, which is free. And a third option, GPG (GNU Privacy Guard), created by Werner Koch, is also free. The good news is that all three are interoperational. That means that no matter which version of PGP you use, the basic functions are the same.

When Edward Snowden first decided to disclose the sensitive data he’d copied from the NSA, he needed the assistance of like-minded people scattered around the world. Privacy advocate and filmmaker Laura Poitras had recently finished a documentary about the lives of whistle-blowers. Snowden wanted to establish an encrypted exchange with Poitras, except only a few people knew her public key.

Snowden reached out to Micah Lee of the Electronic Frontier Foundation. Lee’s public key was available online and, according to the account published on the Intercept, he had Poitras’s public key. Lee checked to see if Poitras would permit him to share it. She would.

Given the importance of the secrets they were about to share, Snowden and Poitras could not use their regular e‑mail addresses. Why not? Their personal email accounts contained unique associations—such as specific interests, lists of contacts—that could identify each of them. Instead Snowden and Poitras decided to create new email addresses.

How would they know each other’s new email addresses? In other words, if both parties were totally anonymous, how would they know who was who and whom they could trust? How could Snowden, for example, rule out the possibility that the NSA or someone else wasn’t posing as Poitras’s new email account? Public keys are long, so you can’t just pick up a secure phone and read out the characters to the other person. You need a secure email exchange.

By enlisting Lee once again, both Snowden and Poitras could anchor their trust in someone when setting up their new and anonymous email accounts. Poitras first shared her new public key with Lee. Lee did not use the actual key but instead a 40-character abbreviation (or a fingerprint) of Poitras’s public key. This he posted to a public site—Twitter.

Sometimes in order to become invisible you have to use the visible.

Now Snowden could anonymously view Lee’s tweet and compare the shortened key to the message he received. If the two didn’t match, Snowden would know not to trust the email. The message might have been compromised. Or he might be talking instead to the NSA. In this case, the two matched.

Snowden finally sent Poitras an encrypted e‑mail identifying himself only as “Citizenfour.” This signature became the title of her Academy Award–winning documentary about his privacy rights campaign.

That might seem like the end—now they could communicate securely via encrypted e‑mail—but it wasn’t. It was just the beginning.

Picking an Encryption Service

Both the strength of the mathematical operation and the length of the encryption key determine how easy it is for someone without a key to crack your code.

Encryption algorithms in use today are public. You want that. Public algorithms have been vetted for weakness—meaning people have been purposely trying to break them. Whenever one of the public algorithms becomes weak or is cracked, it is retired, and newer, stronger algorithms are used instead.

The keys are (more or less) under your control, and so, as you might guess, their management is very important. If you generate an encryption key, you—and no one else—will have the key stored on your device. If you let a company perform the encryption, say, in the cloud, then that company might also keep the key after he or she shares it with you and may also be compelled by court order to share the key with law enforcement or a government agency, with or without a warrant.

When you encrypt a message—an e‑mail, text, or phone call—use end‑to‑end encryption. That means your message stays unreadable until it reaches its intended recipient. With end‑to‑end encryption, only you and your recipient have the keys to decode the message. Not the telecommunications carrier, website owner, or app developer—the parties that law enforcement or government will ask to turn over information about you. Do a Google search for “end‑to‑end encryption voice call.” If the app or service doesn’t use end-to-end encryption, then choose another.

If all this sounds complicated, that’s because it is. But there are PGP plug-ins for the Chrome and Firefox Internet browsers that make encryption easier. One is Mailvelope, which neatly handles the public and private encryption keys of PGP. Simply type in a passphrase, which will be used to generate the public and private keys. Then whenever you write a web-based email, select a recipient, and if the recipient has a public key available, you will then have the option to send that person an encrypted message.

Beyond Encryption: Metadata

Even if you encrypt your e‑mail messages with PGP, a small but information-rich part of your message is still readable by just about anyone. In defending itself from the Snowden revelations, the US government stated repeatedly that it doesn’t capture the actual contents of our emails, which in this case would be unreadable with PGP encryption. Instead, the government said it collects only the email’s metadata.

What is email metadata? It is the information in the To and From fields as well as the IP addresses of the various servers that handle the email from origin to recipient. It also includes the subject line, which can sometimes be very revealing as to the encrypted contents of the message. Metadata, a legacy from the early days of the internet, is still included on every email sent and received, but modern email readers hide this information from display.

That might sound okay, since the third parties are not actually reading the content, and you probably don’t care about the mechanics of how those emails traveled—the various server addresses and the time stamps—but you’d be surprised by how much can be learned from the email path and the frequency of emails alone.

According to Snowden, our email, text, and phone metadata is being collected by the NSA and other agencies. But the government can’t collect metadata from everyone—or can it? Technically, no. However, there’s been a sharp rise in “legal” collection since 2001.

You’d be surprised by how much can be learned from the email path and the frequency of emails alone.

To become truly invisible in the digital world you will need to do more than encrypt your messages. You will need to:

Remove your true IP address: This is your point of connection to the Internet, your fingerprint. It can show where you are (down to your physical address) and what provider you use.
Obscure your hardware and software: When you connect to a website online, a snapshot of the hardware and software you’re using may be collected by the site.
Defend your anonymity: Attribution online is hard. Proving that you were at the keyboard when an event occurred is difficult. However, if you walk in front of a camera before going online at Starbucks, or if you just bought a latte at Starbucks with your credit card, these actions can be linked to your online presence a few moments later.

To start, your IP address reveals where you are in the world, what provider you use, and the identity of the person paying for the internet service (which may or may not be you). All these pieces of information are included within the email metadata and can later be used to identify you uniquely. Any communication, whether it’s email or not, can be used to identify you based on the Internal Protocol (IP) address that’s assigned to the router you are using while you are at home, work, or a friend’s place.

IP addresses in emails can of course be forged. Someone might use a proxy address—not his or her real IP address but someone else’s—that an email appears to originate from another location. A proxy is like a foreign-language translator—you speak to the translator, and the translator speaks to the foreign-language speaker—only the message remains exactly the same. The point here is that someone might use a proxy from China or even Germany to evade detection on an email that really comes from North Korea.

Instead of hosting your own proxy, you can use a service known as an anonymous remailer, which will mask your email’s IP address for you. An anonymous remailer simply changes the email address of the sender before sending the message to its intended recipient. The recipient can respond via the remailer. That’s the simplest version.

One way to mask your IP address is to use the onion router (Tor), which is what Snowden and Poitras did. Tor is designed to be used by people living in harsh regimes as a way to avoid censorship of popular media and services and to prevent anyone from tracking what search terms they use. Tor remains free and can be used by anyone, anywhere—even you.

How does Tor work? It upends the usual model for accessing a website. When you use Tor, the direct line between you and your target website is obscured by additional nodes, and every ten seconds the chain of nodes connecting you to whatever site you are looking at changes without disruption to you. The various nodes that connect you to a site are like layers within an onion. In other words, if someone were to backtrack from the destination website and try to find you, they’d be unable to because the path would be constantly changing. Unless your entry point and your exit point become associated somehow, your connection is considered anonymous.

To use Tor you will need the modified Firefox browser from the Tor site ( Always look for legitimate Tor browsers for your operating system from the Tor project website. Do not use a third-party site. For Android operating systems, Orbot is a legitimate free Tor app from Google Play that both encrypts your traffic and obscures your IP address. On iOS devices (iPad, iPhone), install the Onion Browser, a legitimate app from the iTunes app store.

In addition to allowing you to surf the searchable Internet, Tor gives you access to a world of sites that are not ordinarily searchable—what’s called the Dark Web. These are sites that don’t resolve to common names such as and instead end with the .onion extension. Some of these hidden sites offer, sell, or provide items and services that may be illegal. Some of them are legitimate sites maintained by people in oppressed parts of the world.

It should be noted, however, that there are several weaknesses with Tor: You have no control over the exit nodes, which may be under the control of government or law enforcement; you can still be profiled and possibly identified; and Tor is very slow.

That being said, if you still decide to use Tor you should not run it in the same physical device that you use for browsing. In other words, have a laptop for browsing the web and a separate device for Tor (for instance, a Raspberry Pi minicomputer running Tor software). The idea here is that if somebody is able to compromise your laptop they still won’t be able to peel off your Tor transport layer as it is running on a separate physical box.

Create a new (invisible) account

Legacy email accounts might be connected in various ways to other parts of your life—friends, hobbies, work. To communicate in secrecy, you will need to create new email accounts using Tor so that the IP address setting up the account is not associated with your real identity in any way.

Creating anonymous email addresses is challenging but possible.

Since you will leave a trail if you pay for private email services, you’re actually better off using a free web service. A minor hassle: Gmail, Microsoft, Yahoo, and others require you to supply a phone number to verify your identify. Obviously you can’t use your real cellphone number, since it may be connected to your real name and real address. You might be able to set up a Skype phone number if it supports voice authentication instead of SMS authentication; however, you will still need an existing email account and a prepaid gift card to set it up.

Some people think of burner phones as devices used only by terrorists, pimps, and drug dealers, but there are plenty of perfectly legitimate uses for them. Burner phones mostly provide voice, text, and e‑mail service, and that’s about all some people need.

However, purchasing a burner phone anonymously will be tricky. Sure, I could walk into Walmart and pay cash for a burner phone and one hundred minutes of airtime. Who would know? Well, lots of people would.

First, how did I get to Walmart? Did I take an Uber car? Did I take a taxi? These records can all be subpoenaed. I could drive my own car, but law enforcement uses automatic license plate recognition technology (ALPR) in large public parking lots to look for missing and stolen vehicles as well as people on whom there are outstanding warrants. The ALPR records can be subpoenaed.

Even if I walked to Walmart, once I entered the store my face would be visible on several security cameras within the store itself, and that video can be subpoenaed.

Creating anonymous email addresses is challenging but possible.

Okay, so let’s say I send a stranger to the store—maybe a homeless person I hired on the spot. That person walks in and buys the phone and several data refill cards with cash. Maybe you arrange to meet this person later away from the store. This would help physically distance yourself from the actual transaction.

Activation of the prepaid phone requires either calling the mobile operator’s customer service department or activating it on the provider’s website. To avoid being recorded for “quality assurance,” it’s safer to activate over the web. Using Tor over an open wireless network after you’ve changed your MAC address should be the minimum safeguards. You should make up all the subscriber information you enter on the website. For your address, just Google the address of a major hotel and use that. Make up a birth date and PIN that you’ll remember in case you need to contact customer service in the future.

After using Tor to randomize your IP address, and after creating a Gmail account that has nothing to do with your real phone number, Google sends your phone a verification code or a voice call. Now you have a Gmail account that is virtually untraceable. We can produce reasonably secure emails whose IP address—thanks to Tor—is anonymous (although you don’t have control over the exit nodes) and whose contents, thanks to PGP, can’t be read except by the intended recipient.

To keep this account anonymous you can only access the account from within Tor so that your IP address will never be associated with it. Further, you should never perform any internet searches while logged into that anonymous Gmail account; you might inadvertently search for something that is related to your true identity. Even searching for weather information could reveal your location.

As you can see, becoming invisible and keeping yourself invisible require tremendous discipline and perpetual diligence. But it is worth it. The most important takeaways are: First, be aware of all the ways that someone can identify you even if you undertake some but not all of the precautions I’ve described. And if you do undertake all these precautions, know that you need to perform due diligence every time you use your anonymous accounts. No exceptions.

Excerpted from The Art of Invisibility: The World’s Most Famous Hacker Teaches You How to Be Safe in the Age of Big Brother and Big Data, Copyright © 2017 by Kevin D. Mitnick with Robert Vamosi. Used with permission of Little, Brown and Company, New York. All rights reserved.

Henry Sapiecha

Repeat performance: Paris Attacks May Renew Encryption Debate

FILE - In this June 2, 2014, file photo, Apple CEO Tim Cook speaks at an event in San Francisco. The deadly attacks in Paris may soon reopen the debate over whether and how tech companies should let the government sidestep the data scrambling that shields everyday commerce and daily digital life alike. The Obama administration continues to encourage tech companies to include backdoors, although it says it will not ask Congress for new law that requires them. Cook has said that the trouble with that approach is that "there's no such thing as a backdoor for the good guys only." (AP Photo/Jeff Chiu, File)

FILE – In this June 2, 2014, file photo, Apple CEO Tim Cook speaks at an event in San Francisco. The deadly attacks in Paris may soon reopen the debate over whether and how tech companies should let the government sidestep the data scrambling that shields everyday commerce and daily digital life alike. The Obama administration continues to encourage tech companies to include backdoors, although it says it will not ask Congress for new law that requires them. Cook has said that the trouble with that approach is that “there’s no such thing as a backdoor for the good guys only.” (AP Photo/Jeff Chiu, File)

In this June 2, 2014, file photo, Apple CEO Tim Cook speaks at an event in San Francisco. The deadly attacks in Paris may soon reopen the debate over whether and how tech companies should let the government sidestep the data scrambling that shields everyday commerce and daily digital life alike. The Obama administration continues to encourage tech companies to include backdoors, although it says it will not ask Congress for new law that requires them. Cook has said that the trouble with that approach is that “there’s no such thing as a backdoor for the good guys only.” (AP Photo/Jeff Chiu)

The deadly attacks in Paris may soon reopen the debate over whether – and how – tech companies should let governments bypass the data scrambling that shields everyday commerce and daily digital life.

So far, there’s no hard evidence that the Paris extremists relied on encrypted communications – essentially, encoded digital messages that can’t be read without the proper digital “keys” – to plan the shooting and bombing attacks that left 129 dead on Friday. But it wouldn’t be much of a surprise if they did.

So-called end-to-end encryption technology is now widely used in many standard message systems, including Apple’s iMessage and Facebook’s WhatsApp. Similar technology also shields the contents of smartphones running the latest versions of Apple and Google operating software. Strong encryption is used to protect everything from corporate secrets to the credit-card numbers of online shoppers to intimate photos and secrets shared by lovers.

That widespread use of encryption, which was previously restricted to more powerful desktop or server computers, is exactly what worries members of the intelligence and law enforcement communities. Some are now using the occasion of the Paris attacks to once again argue for restrictions on the technology, saying it hampers their ability to track and disrupt plots like the Paris attacks.

“I now think we’re going to have another public debate about encryption, and whether government should have the keys, and I think the result may be different this time as a result of what’s happened in Paris,” former CIA deputy director Michael Morell said Monday on CBS This Morning.

The last such debate followed 2013 disclosures of government surveillance by former National Security Agency contractor Edward Snowden. Since then, tech companies seeking to reassure their users and protect their profits have adopted more sophisticated encryption techniques despite government opposition. Documents leaked by Snowden also shed light on NSA efforts to break encryption technologies.

In response, law-enforcement and intelligence officials have argued that companies like Apple and Google should build “backdoors” into their encryption systems that would allow investigators into otherwise locked-up devices. The Obama administration continues to encourage tech companies to include such backdoors, although it says it won’t ask Congress for new law that requires them.

“The Snowden revelation showed that backdoors can be destructive, particularly when they’re done in secrecy without transparency,” says Will Ackerly, a former NSA security researcher and the co-founder of Virtru, which provides encryption technology for both companies and individual people.

On Monday, Attorney General Loretta Lynch said the government continues to have “ongoing discussions” with industry about ways in which companies can lawfully provide information about their users while still ensuring their privacy.

Last week in Dublin, Apple CEO Tim Cook noted that “there’s no such thing as a backdoor for the good guys only. If there’s a backdoor, anybody can come in.” In other words, any shortcut for investigators could also be targeted by cybercriminals eager to hack major corporations – a la the devastating cyberattack on Sony late last year – or to target individuals for identity theft or extortion, as reportedly occurred following the disclosure of records from the infidelity dating site Ashley Madison.

In the same speech, Cook said Apple will resist attempts to weaken encryption in iMessage. A draft law recently introduced in Britain would require telecommunications companies to provide “wider assistance” to police and intelligence agencies in the interests of national security.

Like iMessage, Facebook’s WhatsApp encrypts all communications from “end-to-end” – a technique that blocks anyone outside the conversation from reading or seeing what’s being sent. Although Facebook can’t see the content of the messages, it does track who is talking to whom and stores their phone numbers – information that can be valuable for law enforcement officials trying to sniff out terrorist plots and fight other criminal activity.

Steven Bellovin, a Columbia University professor and computer security researcher, says he isn’t surprised by the effort to bring back discussion on encryption backdoors. But he adds that it’s way too early to tie it to the Paris attacks.

“We don’t know how these people were communicating and with whom,” he said. “If they were communicating with homegrown software and there’s some indications of that, then a mandatory backdoor is not going to do any good.”

Source: Associated Press


Henry Sapiecha

Rise of encryption tests intelligence in Isis fight

encryption locks symbol image

One challenge above all stands out for western counter-terrorism agencies fighting Isis: the rise of encryption technology across modern communications.

The jihadis are more than aware of the fact.

Investigators will be focusing on the nature of communications between the eight terrorists behind the deaths of 129 people in Paris on Friday, and their covert planning and logistics support network.

But with a cell of such size, involving co-ordination across several countries, what has come to the fore is the question of whether encrypted apps on their smartphones or secure email on computers obscured the intelligence picture before the massacre.

“There has been a significant increase in the operational security of a number of these operatives and terrorist networks as they have gone to school on what it is that they need to do in order to keep their activities concealed from the authorities,” John Brennan, CIA director, said in Washington at the CSIS think-tank on Monday.

Encryption affects counter-terrorism work on two levels. First, the increasingly off-the-shelf availability of apps and platforms that have high levels of security, particularly those with end-to-end encryption, offers terrorists increasing levels of secrecy.

But second, the spread of less rigorous encryption across a broader range of everyday web and smartphone software, from email to social media platforms, also means that even those with inferior standards are harder to monitor.

Agencies are therefore not just “going dark”, as they refer to their information shortfall, on the activities of specific, high-value targets, but on the broad amount of “chatter” they depend on for the core of their counter-terrorism analysis. Chatter is so crucial because it is what produces the leads for deeper investigations. In an age in which Isis is creating a far more diffuse terror threat, radicalising thousands of young, would-be jihadis through social media, such leads are vital.

“We are trying to pick signals out of the noise,” says a senior official at the Five Eyes signals intelligence alliance that combines the US, UK, Canada, Australia and New Zealand. “But what encryption is doing is vastly increasing that noise.”

The speed of technological development makes trying to keep up an almost impossible task.

“Almost every new app, whether it’s for file-sharing or sending photos that disintegrate or playing at orcs and dragons these days has some level of communication in it. We have to keep on top of them all,” says the official. “It’s around 1m.”

Isis, for its part, has what one British security source describes as a “highly sophisticated” digital security operation to make the task of signals intelligence work against it as hard as possible.

Isis and encryption technology


Intelligence tracking of Isis under question

Abaaoud killed but presence in France points to failure of EU agencies

The rise of encryption technology poses an increasing challenge for counter-terrorism agencies fighting Isis. Ravi Mattu asks Sam Jones, FT defence and security editor, why intelligence chiefs are so worried.

Isis adapts constantly, he says. Two years ago, its mujahideen were frequent users of messaging services such as Kik and Vibr. Their presence on social media services such as Twitter was particularly noteworthy.

But the opening of Washington’s bombing campaign against the group marked a turning point in which Isis moved to close its digital blackout blinds. The so-called caliphate clamped down on its fighters’ activities and apps. Orders were issued to fighting units on how to scrub tell-tale metadata from pictures and social media output online. And guides quickly circulated on which smartphone apps were the hardest to crack.

The jihadis turned initially to sites such as Russia’s VKontakte and Diaspora or anonymous text-sharing websites such as and Pastebin.

Isis now favours Telegram, a messaging app that advertises its services as “heavily encrypted” with the bonus of a self-destruct feature. For Isis, the app has another crucial benefit. Users can sign up to secure “channels” that broadcast messages.

The militant group has several channels established. The largest was identified by Memri, a Middle East media think-tank, in a report last month. Nashir, Isis’s flagship channel on Telegram, broadcasts in numerous languages: it has more than 10,000 Arabic followers, 998 in English, 348 in French and 340 in German.

Telegram said on Wednesday it had blocked 78 Isis-related channels across 12 languages, identified because of users reporting them to its abuse email. The start-up has responded to requests to remove content such as porn, in countries where it is illegal, but it has also pledged not to block those who express their opinions peacefully.

“It’s a game of catch-up,” says Callum Jeffray, national security research fellow at the Rusi think-tank. “As soon as intelligence agencies find a means of accessing one platform, more spring up. There is this adaptive and learning element of Isis that means this whole debate over encryption and data are going to play out for years to come.”

Additional reporting by Hannah Kuchler in San Francisco


Henry Sapiecha


Why We Should Encrypt Everyone’s Email as security

Ladar Levison is the owner of the encrypted email startup Lavabit. After Edward Snowden’s NSA document leaks last summer, Levison rebuffed government demands to hand over the email service’s private encryption keys—opting to shut it down instead. He spoke about his new project Dark Mail, online privacy, and how encrypting our email helps disassemble today’s unconstitutional surveillance networks.


When we talk about email, how much of our online communications are truly private?


I think everybody today needs to assume that if they’re communicating electronically, somebody is listening. Over the last 20 years we’ve been communicating across the Internet with a level naïve innocence that has been lost forever.

One big issue is that today’s electronic communication systems have gotten so complex that they are all but impossible for private citizens to understand. And that’s because these systems have been built with layer upon layer of complexity. If any of those layers has a vulnerability, an organization with the access and resources of the NSA can exploit it to gain total control of the system. The only question is how difficult it is for them to do so.

Another issue is that while we have the encryption technology to protect email messages, the current state of endpoint security (meaning the security of your individual computer or device) is abysmal—almost laughable to the Tailored Access Operations unit which employs more than 1,000 engineers whose only mission is expanding their exploit catalog. If your device is compromised, it doesn’t matter how strong the encryption is, a snooper will simply steal the keys protecting your messages.


Why should we be so concerned about keeping our email encrypted and private?


For one, privacy is a form of security and protection—an assurance that what we write won’t one day be used against us, to blackmail us into conducting some nefarious deed. I look to history and shudder to think of what Joseph McCarthy, Richard Nixon, or J. Edgar Hoover would have done with the surveillance capabilities of today.

One of our most basic rights as American citizens, as people, is the privacy of our papers—our thoughts in written form. Why should this right be forfeited simply because the thought was typed into a computer and stored in a cloud?

But the most important reason is this: By encrypting our email, we force a potential attacker to break into our devices if they want to read our private messages. That changes the game. Instead of sweeping up everyone’s communications wholesale, without much incremental effort, we force them to pick and choose specific targets. And this would be a huge step towards making unconstitutional surveillance obsolete


Talk to us about Dark Mail, your newest project.


Dark Mail is really an effort to turn the world’s email dark—to make email encryption ubiquitous, universal, and automatic. The simplest explanation of what we’re doing is that we’re rewriting the protocols of email—the standard rules computers use for delivering email messages—so that messages are encrypted before they leave your computer and can’t be decrypted until they’ve reached the recipient’s computer. And because this is built into the system, there’s no cognitive burden. Grandma could use this—you don’t need to understand encryption or why it’s important. If someone can use email today, they will be able to use Dark Mail tomorrow.

Just to be clear, one important distinction is that Dark Mail is a technology—it’s not [an email] service. Our hope is that different email service providers will implement support for Dark Mail. In fact, we’ll be publishing the specifications and releasing the code as free software. That way, the community can help us find vulnerabilities and make Dark Mail even more secure. It’s even possible that others will take our design and improve on it. And if they do, more power to them.


So how does Dark Mail work?


Dark Mail is built around something called asymmetric cryptography, in manner similar to [a piece of software called] PGP, which stands for Pretty Good Privacy. It involves two keys (think passwords) to work. You generate a public and a private key. You then give your public key to the world, so that anyone in the world can send you a message that has been encrypted using the public key. Once the message has been protected using a public key, only someone with the corresponding private key can unlock it. At least in theory, the only person with access to the corresponding private key is you.

Now all you need to do is protect it.

But Dark Mail is more complicated than simply taking PGP and making it automatic. For example, we’re working on making the Dark Mail key discovery process resistant to manipulation by bad guys with big budgets. Were also working on the metadata problem—or making it harder for an outsider to track when and with whom you’re communicating. Without that, we will lose our ability to associate freely. I know this from experience. Contacting the EFF shouldn’t make you a surveillance target.


Is this type of encryption even legal?


Yes. If you go back to the early ‘90s, the person who wrote PGP, Phil Zimmermann, freely released his software to a handful of friends. Eventually PGP source code found its way onto the global Internet. For his trouble, Zimmermann was subjected to a 3-year criminal investigation, which would eventually be dropped and never result in charges against him. At the time, in 1991, any form of encryption that was strong enough to be considered unbreakable by the federal government was classified as a munition—as a weapon—and was subject to strict distribution controls.

In large part because of Zimmermann, those laws would get repealed, and the victory would become one of many battles that make up a period known as the Crypto Wars. Freedom would eventually prevail. We won the right to create and distribute software with strong encryption. All we need to do now is use that right.

Henry Sapiecha