Dark Dealings: How Terrorists Use Encrypted Messaging, the Dark Web and Cryptocurrencies
SCIENCE AND TECHNOLOGY COMMITTEE (STC)
Sub-Committee on Technology Trends and Security (STCTTS)

DARK DEALINGS: HOW TERRORISTS USE ENCRYPTED MESSAGING, THE DARK WEB AND CRYPTOCURRENCIES

Report by Matej TONIN (Slovenia)
Rapporteur

182 STCTTS18 E fin | Original: English | 18 November 2018

TABLE OF CONTENTS

I. INTRODUCTION
II. CRYPTOGRAPHIC TECHNOLOGIES: A PRIMER
   A. MODERN CRYPTOGRAPHY
   B. ENCRYPTED MESSAGING SERVICES
   C. THE DARK WEB
   D. CRYPTOCURRENCIES
III. HOW TERRORISTS USE CRYPTOGRAPHIC TECHNOLOGIES
   A. COMMUNICATIONS, COMMAND AND CONTROL
   B. ACQUISITION OF WEAPONS AND OTHER ILLICIT GOODS
   C. TERRORIST FINANCING
IV. CURRENT POLICIES AND FUTURE OPTIONS
   A. MONITORING, REPORTING AND DISRUPTION BY ACTIVISTS, CITIZENS AND OPERATORS
   B. LAW ENFORCEMENT AND INTELLIGENCE OPERATIONS
   C. NEW LAWS AND REGULATIONS
   D. WEAKENING OR TARGETING ENCRYPTION
V. CONCLUSION
SELECT BIBLIOGRAPHY

I. INTRODUCTION

1. The wish to privately communicate has probably been with humankind forever. The first case of encryption – the use of a private code to encipher and decipher messages – can be traced back to ancient Egypt almost 4,000 years ago (Cypher Research Laboratories, 2014). Until the end of the 20th century, the most powerful encryption technologies were largely in the hands of governments. Today, such encryption technology is widely available, offering several key advantages to users, including:

- Authentication: Users can be assured that other users are who they claim to be and not somebody impersonating them.
- Integrity: Users can be assured that the data they receive from other users has not been altered (intentionally or unintentionally) between “there” and “here” or between “then” and “now.”
- Confidentiality: Users can be assured that data they receive from other users cannot be read by third parties.
- Anonymity: Depending on the encryption and other methods employed, users can put distance between their real identities and their digital pseudonyms, granting them various degrees of anonymity.

2. Modern encryption technology has “become a bedrock of the modern internet” (Moore and Rid, 2016). Indeed, encryption by default is “becoming the new normal in personal cyber security” (Buchanan, 2016). After all, who would trust online banking or e-government services if we were not reasonably assured that our data is secured by strong encryption? In liberal democracies, private communications also fulfil a vital and legitimate role in support of fundamental human rights, such as privacy and freedom of speech (Chertoff and Simon, 2014). Indeed, modern encryption technology “is a crucial ingredient for any free political order in the twenty-first century” (Moore and Rid, 2016).
In authoritarian countries, the ability to communicate anonymously can be a matter of life and death for activists, dissidents and journalists.

3. Like any other technology, modern encryption can have a dark side. Inevitably, its advantages hold much attraction for malicious actors, including extremists and terrorists. Such groups are typically organised in a decentralised manner, where individual members have little to no information about other cells or top officials. Even Daesh, which adopted a more hierarchical and territorial organisation in Iraq and Syria, has increased its decentralisation in step with the loss of territory. In today’s world, such a fluid organising style would be near impossible to maintain if terrorists did not have access to encrypted messaging services for propaganda, recruitment, communications, command and control, financing and illicit acquisitions. Modern encryption technology has also enabled the rise of two other cryptographic technologies with the potential to further enable extremist and terrorist operations: the dark web, composed of intentionally hidden servers on the World Wide Web, and cryptocurrencies, virtual currencies secured through the use of cryptography.

4. This report informs and supports the Science and Technology Committee’s (STC) continuing focus on potentially disruptive technologies with important implications for defence and security policies. The report was adopted in November 2018 at the NATO PA Annual Session in Halifax, Canada.

5. First, the report examines the basics of modern encryption, encrypted messaging services, the dark web and cryptocurrencies. Second, it analyses how extremists and terrorists use these instruments for communications, command and control, financing and illicit acquisitions. Third, it maps some of the most important policy debates surrounding these technologies. Finally, the Rapporteur proposes some recommendations on the way forward.

II. CRYPTOGRAPHIC TECHNOLOGIES: A PRIMER

A. MODERN CRYPTOGRAPHY

6. Until the 1970s, the only way to encipher and decipher electronic messages was symmetric-key cryptography, where sender and recipient must have the same key to unlock the message. If someone gains access to the key or cracks the code, communications are no longer secure. During the Cold War, as the complexity of warfare increased dramatically, so did the complexity of ensuring the secure distribution of encryption keys. In the late 1960s, an employee of the British Government Communications Headquarters was the first to propose a new encryption method to solve the problem of key distribution. However, the real turning point came when researchers at Stanford University had the same idea and published their results openly in 1976, enabling researchers around the world to take their ideas further. This was the birth of asymmetric public-key encryption – “one of the most pivotal inventions of the twentieth century” (Moore and Rid, 2016).

7. The mathematics behind asymmetric public-key encryption is intricate, but the idea is simple. Those who wish to communicate in private are given a private key and a public key, which are mathematically linked. Crucially, the public key is visible to anyone. If Alice wants to send a private message to Bob, she will use Bob’s public key to encrypt the message. As Bob alone has access to the private key, only he can open the message. Not even Alice can read her message anymore. The crucial advantage is that Alice and Bob no longer need to meet to exchange keys or rely on a middleman for distribution.

8. For two decades, the US government and its allies attempted to keep strong public-key encryption out of the hands of the US public and its adversaries, classifying it as ‘munition’ in 1976 and imposing strict export laws (Bartlett, 2014).
Nonetheless, as the basics were publicly known and the available computing power outside government control rose dramatically, public-key encryption began to spread – both to private citizens and states outside the West. Despite efforts by the US government, strong public-key encryption could no longer be kept under control, as privacy-minded individuals and libertarian “cypherpunks” employed the technology and advocated its use. In 1996, public-key encryption was then moved to the commerce control list, marking the end of what has become known as the Crypto Wars. Today, public-key encryption is found everywhere, and it is hard to imagine where the internet would be without it. Most internet users employ a degree of encryption by default and often unwittingly when they browse secure web sites or send private online messages or emails for example. However, those who seek stronger privacy protections – whether for benign or nefarious purposes – do not have to look very far. On the internet, an endless trove of information exists on how to shield oneself from those who would like to access one’s data – no matter whether it is governments, criminals or terrorists. In other words, it is easy for those who want to decrease their online footprint to do so, as the requirements for digital literacy and technical skills are low.

B. ENCRYPTED MESSAGING SERVICES

9. Popular social media platforms, like Facebook and Twitter, are increasingly – if not sufficiently for some – cracking down on extremist and terrorist material. As a result, encrypted instant messaging services have become central for communications, command and control, acquisition and financing.

10. With roughly 1.5 billion users, WhatsApp is the most widely used messaging app in the world (Statista, 2018). Since April 2016, it has