In September 2021, Tech Against Terrorism published a landmark report entitled Terrorist Use of E2EE: State of Play, Misconceptions, and Mitigation Strategies on a topic which has become a central area of concern for policymakers and tech companies alike. Both are charged with the challenge of stopping the exploitation of this technology while upholding commitments to privacy and human rights. Our report provides a comprehensive overview of the risks and mitigation strategies related to terrorist and violent extremist use of online services offering end-to-end encryption, with a focus on communication services.
Our report on terrorist and violent extremist use of E2EE was published as the starting point of a necessary conversation on risk mitigation strategies which compromise neither encryption nor the right to privacy. Both in the report and the subsequent discussion, we mapped out risk mitigation strategies, for both service providers and law enforcement, that would not require “breaking” encryption.1By using the term “breaking” encryption, we refer equally to all calls to counter terrorist and illegal use of encryption through the systematic monitoring of encrypted content (including pre-encryption) or providing direct access to encrypted content to third parties, as well as any other mitigation strategies that would undermine the inherent privacy of encryption. For an overview of policymakers’ calls to reign in encryption, please see Part 1.8 “Policymakers Calls for Access to and Traceability of E2EE” of Tech Against Terrorism’s report on terrorist use of E2EE.
To facilitate this essential discussion, Tech Against Terrorism organised three workshops in 2022 with a view to identifying the strategy which could balance the objectives of safeguarding encryption and the fundamental right to privacy with countering terrorism and violent extremism, which culminated in a panel held on the fringe of the 77th UN General Assembly. Throughout the year we convened online service providers, cryptographers, policymakers, counterterrorism experts, and digital rights advocates. We structured the discussions by the outline of Tech Against Terrorism’s report on E2EE, and each event was dedicated to a specific sub-topic:
EXECUTIVE SUMMARY AND RECOMMENDATIONS
TERRORIST AND VIOLENT EXTREMIST USE OF E2EE SERVICES
Terrorist and violent extremist use of encrypted services is a reality and a significant feature of the online threat landscape that cannot be ignored.3For more on platform functionalities see our report ‘Terrorist Use of E2EE: State of Play, Misconceptions and Mitigation Strategies’. https://www.techagainstterrorism.org/wp-content/uploads/2021/09/TAT-Terrorist-use-of-E2EE-and-mitigation-strategies-report-.pdf E2EE affords users enhanced security and privacy and is used by terrorists and violent extremists for operational purposes, including internal communications, training, attack planning and coordination. E2EE poses significant challenges for detecting and monitoring terrorist and violent extremist activity, since most mitigation strategies capable of deployment on public-facing online services are of limited use in encrypted spaces. The main barrier to widespread terrorist and violent extremist use of encryption remains its limited audience reach, which restrains its use for strategic purposes.
Concerns over the use of E2EE for terrorist and violent extremist purposes have motivated calls to break encryption by providing law enforcement with general access to encrypted content or by introducing the proactive and systematic scanning of all encrypted content.4Policymakers have also been calling for the systematic scanning of content shared via encrypted services. However, these calls have been motivated by the objective of countering the dissemination of child sexual abuse material online, rather for the purposes of counterterrorism Encryption experts, digital rights advocates, and service providers agree that the systematic surveillance of encrypted content is technically unfeasible unless the security and privacy of all users is to be compromised.
LOOKING FORWARD: MITIGATION STRATEGIES SAFEGUARDING ENCRYPTION
The use of tools to conduct systematic scanning and surveillance of encrypted services may seem an appealing solution to counter terrorist and violent extremist use of E2EE. However, they fall short of their stated aims. They are resource intensive, difficult to implement at scale, and present significant adversarial risks, including risks of abuse by criminal actors and authoritarian states. Terrorists and violent extremists are also known to migrate from platform to platform once restrictive measures have been applied, and would move to more secure, and non-compliant, platforms were encryption to be compromised.
Mitigation strategies must focus on a combination of proactive and reactive measures around non-encrypted data and entry points. These include enhancing user empowerment through better user reporting processes and proactive interventions at the entry points, such as by tracking the join links to E2EE protected channels. Equally, mitigation strategies should include proactive detection measures, such as metadata analysis and targeted surveillance – both of which are limited in their enforcement of the right to privacy but are fundamentally compatible with E2EE. Tech Against Terrorism recommends the following mitigation strategies be adopted by both online service providers, policymakers, and law enforcement bodies.
Service providers can and should develop the necessary counterterrorism frameworks, starting with a clear policy prohibiting terrorist and violent extremist use of their services as well as the sharing of related content. Terrorists and violent extremists’ perception of platforms’ willingness and capacity to moderate their services can be pivotal in their decision to establish themselves on a platform. The more a platform appears to be stable, meaning not taking actions against terrorist and violent extremist content, the more likely it is to be exploited. Conversely, a platform that takes a strong and public counterterrorism stance, acting against prohibited conduct with technically feasible measures, will deter terrorists and violent extremists.
Policymaker calls for lawful access to encrypted content have led to an increase in legislative proposals that directly or indirectly impact E2EE, threatening the fundamental right to privacy and the security of all users but with no proven benefits. In the future, policymakers should ensure that legal responses to terrorist use of E2EE are developed in consultation with service providers and cryptographers to ensure that E2EE will not be negatively impacted. Digital rights advocates should also be consulted to ensure that the necessary safeguards are in place for users whose rights have been infringed. If policymakers opt to encourage the use of metadata to detect terrorist use of E2EE services, or lawful hacking to permit digital investigation, they should also ensure that the ethical and legal questions raised by these options are answered via a clear legal framework.
Terrorist and violent extremist use of E2EE is a part of the broader online threat landscape and should be understood as such to develop efficient mitigation strategies. In parallel with exploitation of E2EE services, terrorists and violent extremists rely on the usability and audience reach of public-facing or unencrypted platforms for recruitment and propaganda. Terrorists and violent extremists rely on outlinking from un-encrypted online spaces to shift followers towards secure and encrypted channels of communication. Preventive measures should focus on identifying and blocking these entry points to E2EE services and should focus on early interventions in particular. For instance, Tech Against Terrorism’s research shows that join links shared on unencrypted channels play a critical role in driving terrorist and violent extremist users to encrypted spaces. Encrypted service providers should limit the use of join links to disrupt and prevent access to their platforms. The Terrorist Content Analytics Platform can support with this by alerting the encryption provider to join links shared on unencrypted spaces. Service providers should also work with counterterrorism experts to identify those channels, groups, and emails addressed which are used by terrorists and violent extremists and promoted in non-encrypted spaces.
User reporting is an easily deployable and encryption-compatible solution which can identify and counter terrorist and violent extremist use of E2EE services. There are different reporting solutions5For a visualisation of E2EE services user reporting mechanisms see Tech Against Terrorism’s report on terrorist use of E2EE, section 18.a on “Reactive content moderation and E2EE” to ensure the authenticity of the message reported without compromising encryption protocols. For instance, encryption providers can offer on-app user reporting features relying on message franking,6Message franking allows users to flag a message without giving the encryption and decryption keys to the service provider. or a dedicated email address for abuse reporting.7Whilst this is less direct than in-app flagging, users could still screenshot messages and send them via email to report content. Whilst the consensual sharing of terrorist content on E2EE platforms poses a challenge to E2EE service providers, its emphasis on empowering the user to flag content without posing a threat to users’ privacy highlights the overall utility of user reporting and its important role in any mitigation strategy.
Metadata can support tech companies to detect terrorist use of their services by providing signals of affiliation and behaviour that are not encrypted. For instance, usernames and profile pictures can be scanned to detect signs of terrorist and violent extremist affiliation and support. These can be associated with patterns of use, which can often be built using non-encrypted data with the purpose of identifying terrorist and violent extremist networks on encrypted services. Equally, metadata can provide intelligence to support digital investigations without accessing encrypted content. However, more research is necessary to understand the potential of metadata as a counterterrorism tool, including into what exact types of metadata are of use for simply detecting terrorist conduct, rather than for the purpose of compiling criminal evidence. Data modelling is also required to understand how metadata can be deployed at scale.
Excerpt from Part 3 “Strategies for Risk Mitigations” of Tech Against Terrorism’s report on terrorist use of E2EE.
Encryption does impact the monitoring of terrorist and violent extremist activities online for the purposes of criminal investigations. However, targeted surveillance techniques exist and can be favoured to conduct investigations without compromising encryption protocols. Merging open-source intelligence (OSINT) and HUMINT, lawful monitoring can be conducted on encrypted services. Passive monitoring can be done both via the use of publicly available information to track terrorist and violent extremist networks operating in both public and private online spaces, focusing on the points of entry to encrypted channels. Passive monitoring can also be conducted on certain encrypted spaces, without substantial engagement with the different participants in the communication channel. Furthermore, law enforcement bodies can undertake participative monitoring, going undercover online as they would have done offline.
Lawful hacking is also an investigative tool warranting further development since it can permit law enforcement access to a suspect’s device and does not compromise the broader encryption protocols by providing blanket backdoor access to encrypted content.8Tech Against Terrorism provides an overview of lawful hacking techniques in section 19 of our report, “Going Beyond the Encryption Debate” However, whilst different lawful hacking techniques exist, all pose difficult questions concerning the threshold of suspicion required to justify lawful hacking; the level of cooperation required from service providers and whether technical vulnerabilities exploited are notifiable to those providers; the safeguards to limit interference with users’ rights; and the assessment of a measure’s proportionality to its objective. The answers to these questions must be found if lawful hacking is to be conducted with respect for the rule of law and due process.