TERRORIST USE OF E2EE: STATE OF PLAY, MISCONCEPTIONS, AND MITIGATION STRATEGIES REPORT 1. Background And Scope 04 2. Methodology 04 Part 1 – Use and Perception of E2EE: Landscape Review 3. Use and Perception of E2EE: Key Findings 05 4. Public Perception of E2EE: User Concerns for Privacy And Security 06 5. Landscape Review: Use of E2EE Across The Internet 13 6. E2EE: Challenges for Content Moderation 23 7. Challenges for Law Enforcement Access 26 8. Policymakers Calls for Access to and Traceability of E2EE 29 9. Key Arguments Against the Creation of Backdoors 39 Part 2 – Assessing Terrorist and Violent Extremist Use of E2EE 10. Terrorist and Violent Extremist Use of E2EE: Key Findings 42 11. Terrorist and Violent Extremist Use of E2EE: Assessment 42 12. Suspected Use of E2EE In Terrorist Attacks And Its Impact on The Encryption Debate 54 13. Monitoring of Encrypted Platforms By Law Enforcement Agencies 56 Part 3 – Strategies for Risk Mitigation 14. Strategies for Risk Mitigation: Key Findings 62 15. Countering Criminal Use of E2EE 63 16. Preventing Criminal Use – EMS Feature Attributes 63 17. Identifying Patterns of Criminal Use – Metadata Analysis 66 18. Disrupting Criminal Use – Technical Tools to Detect Illegal Content 78 19. Going Beyond The Encryption Debate 85 Part 4 – Tech Against Terrorism’s Recommendations for Tech Platforms 20. Recommendation: Mitigating Risks of Terrorist and Violent Extremist Use of EMS 93 21. Recommendation: Taking A Stand For Encryption 99 Annex Annex 1. Encryption Technology 103 Annex 2. Encryption: A Backbone Of Today’s Digital World 108 Annex 3. The Encryption Debate 110 Annex 4. Non-Messaging E2EE Services’ Cooperation With Law Enforcement 113 Annex 5. Theroleofmetadatainuser-generatedcontent&contentmoderation 116 Annex 6. Safety By Design 118 Annex 7. Public Perception of E2EE: Survey 122 03|TECH AGAINST TERRORISM | TERRORIST USE OF E2EE | REPORT PART 1 USE AND PERCEPTION OF E2EE: LANDSCAPE REVIEW 1. BACKGROUND AND SCOPE This report aims to provide a comprehensive overview of the risks and mitigation strategies related to the use of end-to-end encryption (E2EE) technology – with a focus on the use of end-to-end encrypted communications and the risks of abuse by terrorists and violent extremists. This report is divided in four sections: 1. A landscape review of E2EE and 2. Recommendations for risk mitigation: associated risks: providing an overview of assessing the different risk mitigation and the current use of end-to-end encryption and content moderation strategies that have been an assessment of criminal use of online proposed with regard to E2EE, and outlining services offering E2EE. recommendations for governments and tech o Part 1: Use and Perception of E2EE companies. – Landscape Review o Part 3: Criminal Use of E2EE – o Part2:CriminalUseofE2EE– Strategies for risks mitigation Terrorists and Violent Extremists o Part 4: E2EE, Criminal use and Focused Assessment Risks Mitigation – Tech Against Terrorism’s recommendations The report was commissioned by Facebook. All findings represent Tech Against Terrorism’s independent analysis and research. 2. METHODOLOGY For this report, Tech Against Terrorism experts. These interviews were focused on how consulted over 160 publicly available reports, they viewed policymakers’ calls for so-called articles, white papers, and pieces of legislation “safe” backdoors to encryption, and how they concerning the use of encryption, and of end- considered tech companies could support law to-end encryption in particular, as well as the enforcement investigations without associated risks of criminal actors exploiting compromising the online privacy and security such technology. In addition, we consulted five provided by E2EE. Furthermore, a review of the encryption experts from the civil society and prominent literature addressing the specificities tech sectors both of encryption technology and of terrorist uses of the internet allowed us to build a Open-source analysis was used to map out the detailed overview of the technical specificities use of E2EE by internet users, as well as the of E2EE and of the content moderation perception of encryption technologies amongst challenges related to E2EE-protected content. policymakers and the public. To ensure a broad Finally, open-source intelligence (OSINT) overview and in-depth comprehension of E2EE, analysis was used to inform our understanding including its benefits and potential misuses by of the use of encrypted platforms by terrorists malevolent actors (especially terrorists and and violent extremists, including their preferred violent extremists), we supplemented this platforms and the reasons for those analysis with a series of interviews with E2EE preferences. 04|TECH AGAINST TERRORISM | TERRORIST USE OF E2EE | REPORT 3. USE AND PERCEPTION OF E2EE: KEY FINDINGS Increased use of encryption and concerns Algorithm and Diffie-Hellman public values, is for online privacy: open-source and the basis for encryption 1.There are growing user concerns over protocols used by many leading E2EE online privacy and tech company misuse of messaging apps, including WhatsApp, Line personal data: 64% of users say they are Messenger, Viber, and Wire. worried about this.1 Government and law enforcement calls for 2.These concerns have motivated online “backdoors” to encryption services to turn to encryption, including E2EE, 6.With E2EE becoming more prominently in particular for their communications offering. used as a result of user demand, policymakers As of 2019, over 40% of private companies and law enforcement have raised concerns across all business sectors were using regarding how E2EE could be exploited by encrypted solutions.2,3 criminal actors, including terrorists and violent extremists. However, privacy advocates stress 3.In certain countries and regions, including that there is no substantial evidence that the the US, UK, Russia, Germany, and Canada, lack of access to encrypted communications almost 100% of internet traffic passing through significantly hinder the work of law Google is encrypted on the server-side.4 enforcement, nor that the monitoring of criminal actors cannot be done without Messaging apps and end-to-end encryption: breaking encryption. 4.Messaging apps represent the second most common online activity globally (after social 7.E2EE technical experts and digital rights media), with 87% of the world’s population advocates agree that there are no safe using such services.5 WhatsApp, the world’s backdoors to encryption. Instead they argue most frequently used messaging app, delivers that compelling tech platforms to create over a 100 billion end-to-end encrypted backdoors or remove E2EE protection would messages every day,6 in an indication of the create more security risks, and for a greater global popularity of E2EE messaging apps. number of persons, than it would resolve. 5.Four of the six most-used messaging apps 8.The majority of the literature consulted globally offer E2EE as a default or opt-in. Most stresses that E2EE is the most secure form of of them rely on asymmetric encryption.7 encryption, and the security backbone of Signal’s protocol, based on Double Ratchet today’s digital world. 1 Gorman Doug (2020),The new privacy landscape, Global Web Index. 2 This includes online communications services, financial services, and health-related services that rely on strong encryption to ensure the integrity of their data and to prevent security breaches. 3 Statista, Enterprise-wide encryption solution usage worldwide 2012-2019. 4 Google, HTTPS Encryption on the Web. 5 Global Web Index (2020),Messaging Apps: Understanding the potential of messaging apps for marketers. 6 Singh Manish(2020),WhatsApp is now delivering roughly 100 billion messages a day, TechCrunch 7 A user sends a message encrypted with a public key, which is then decrypted by the recipient, using their matching private key. In this type, AES256 keys are the most commonly used, often alongside Double Ratchet Algorithm protocols for key management. 05|TECH AGAINST TERRORISM | TERRORIST USE OF E2EE | REPORT 4. PUBLIC PERCEPTION OF E2EE: USER CONCERNS FOR PRIVACY AND SECURITY The question of whether online users view program that allowed the NSA to compel tech positively the mainstream roll out of E2EE platforms to respond to user data requests. across online services is difficult to assess The document also revealed that most given the lack of global surveys on the telephone companies in the US had been subject. Until now, and with the exception of providing users’ phone records to the NSA.11 high-level public confrontation between tech These revelations “triggered a global wave of platforms and the authorities over providing privacy concerns by revealing the extent of law enforcement with access to encrypted government mass surveillance programs”,12 devices and communications,8 the question of and drove E2EE to become the norm for whether encryption should be viewed as a risk messaging apps. The same year, WhatsApp to security has remained mostly a discussion began to roll out encryption before partnering between policymakers, law enforcement, tech with the Open Whisper System – the group companies, and E2EE experts. However, the behind Signal, one of the first messaging app growing popularity of encrypted messaging that fully integrated E2EE – to begin rolling out apps (EMS), as well as the proportionate rise E2EE on its services in 2014. WhatsApp in users’ concerns about online privacy and became fully encrypted with E2EE protocols in how their data can be (mis)used by private 2016.13 Similarly, ProtonMail, the leading companies and governments, can inform us E2EE email service provider, launched in about public perceptions of E2EE and EMS. 2014 in direct response to the Snowden revelations and out of a desire to provide an 4.a Weakened trust in tech companies easy and secure communication service to users.14 Both the Snowden revelations and the Cambridge Analytica A Pew Research Centre study on “Americans’ scandal in 20189 heavily Privacy Strategies Post-Snowden”, published impacted users trust in internet in 2015, showed that 30% of individuals aware technologies and online platforms.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages142 Page
-
File Size-