Summary

In September 2021, Tech Against Terrorism published a landmark report entitled Terrorist Use of E2EE: State of Play, Misconceptions, and Mitigation Strategies on a topic which has become a central area of concern for policymakers and tech companies alike. Both are charged with the challenge of stopping the exploitation of this technology while upholding commitments to privacy and human rights. Our report provides a comprehensive overview of the risks and mitigation strategies related to terrorist and violent extremist use of online services offering end-to-end encryption, with a focus on communication services.

Our report on terrorist and violent extremist use of E2EE was published as the starting point of a necessary conversation on risk mitigation strategies which compromise neither encryption nor the right to privacy. Both in the report and the subsequent discussion, we mapped out risk mitigation strategies, for both service providers and law enforcement, that would not require “breaking” encryption.1By using the term “breaking” encryption, we refer equally to all calls to counter terrorist and illegal use of encryption through the systematic monitoring of encrypted content (including pre-encryption) or providing direct access to encrypted content to third parties, as well as any other mitigation strategies that would undermine the inherent privacy of encryption. For an overview of policymakers’ calls to reign in encryption, please see Part 1.8 “Policymakers Calls for Access to and Traceability of E2EE” of Tech Against Terrorism’s report on terrorist use of E2EE.

To facilitate this essential discussion, Tech Against Terrorism organised three workshops in 2022 with a view to identifying the strategy which could balance the objectives of safeguarding encryption and the fundamental right to privacy with countering terrorism and violent extremism, which culminated in a panel held on the fringe of the 77th UN General Assembly. Throughout the year we convened online service providers, cryptographers, policymakers, counterterrorism experts, and digital rights advocates. We structured the discussions by the outline of Tech Against Terrorism’s report on E2EE, and each event was dedicated to a specific sub-topic:

  1. State of play of the threat
  2. Existing policy responses
  3. Mitigation strategies

EXECUTIVE SUMMARY AND RECOMMENDATIONS


  • We cannot ignore the realities of terrorist and violent extremist use of E2EE services, in particular their use for operational purposes and attack planning. To adequately counter terrorist and violent extremist use of E2EE, it is critical to understand the role of E2EE in the wider threat landscape and how it links to terrorist and violent extremist use of other, non-encrypted, online services.

  • Existing mitigation strategies which safeguard encryption should be further developed by online service providers, law enforcement and policymakers. Use of non-encrypted data, targeted surveillance techniques, and the prevention of access to encrypted services are both easily deployable and scalable.

  • Online service providers should take the lead on developing resilient mitigation strategies focused on the early prevention and detection of terrorist and violent extremist use of their services. Metadata are available to detect terrorist and violent extremist use, and measures can be introduced to limit or prevent terrorist and violent extremist users from accessing encrypted services in the first place.

  • Online service providers and law enforcement bodies should consider developing mitigation strategies focusing on the link between encrypted and public online spaces. Tech Against Terrorism’s Terrorist Content Analytics Platform (TCAP), for instance, can be used to report join links shared on non-encrypted platforms.2For more on the Terrorist Content Analytics Platform, visit the website. https://www.terrorismanalytics.org/

  • Law enforcement should adapt to the evolution of the online space and focus on targeted monitoring techniques to counter terrorist and violent extremist use of encrypted spaces. Human intelligence techniques (HUMINT) can be adapted and used to conduct investigations into encrypted channels.

TERRORIST AND VIOLENT EXTREMIST USE OF E2EE SERVICES


Terrorist and violent extremist use of encrypted services is a reality and a significant feature of the online threat landscape that cannot be ignored.3For more on platform functionalities see our report ‘Terrorist Use of E2EE: State of Play, Misconceptions and Mitigation Strategies’. https://www.techagainstterrorism.org/wp-content/uploads/2021/09/TAT-Terrorist-use-of-E2EE-and-mitigation-strategies-report-.pdf E2EE affords users enhanced security and privacy and is used by terrorists and violent extremists for operational purposes, including internal communications, training, attack planning and coordination. E2EE poses significant challenges for detecting and monitoring terrorist and violent extremist activity, since most mitigation strategies capable of deployment on public-facing online services are of limited use in encrypted spaces. The main barrier to widespread terrorist and violent extremist use of encryption remains its limited audience reach, which restrains its use for strategic purposes.

Concerns over the use of E2EE for terrorist and violent extremist purposes have motivated calls to break encryption by providing law enforcement with general access to encrypted content or by introducing the proactive and systematic scanning of all encrypted content.4Policymakers have also been calling for the systematic scanning of content shared via encrypted services. However, these calls have been motivated by the objective of countering the dissemination of child sexual abuse material online, rather for the purposes of counterterrorism Encryption experts, digital rights advocates, and service providers agree that the systematic surveillance of encrypted content is technically unfeasible unless the security and privacy of all users is to be compromised.

Excerpt from Part 2 “Assessing Terrorist and Violent Extremist Use of E2EE” of Tech Against Terrorism’s report on terrorist use of E2EE.

LOOKING FORWARD: MITIGATION STRATEGIES SAFEGUARDING ENCRYPTION


The use of tools to conduct systematic scanning and surveillance of encrypted services may seem an appealing solution to counter terrorist and violent extremist use of E2EE. However, they fall short of their stated aims. They are resource intensive, difficult to implement at scale, and present significant adversarial risks, including risks of abuse by criminal actors and authoritarian states. Terrorists and violent extremists are also known to migrate from platform to platform once restrictive measures have been applied, and would move to more secure, and non-compliant, platforms were encryption to be compromised.

Mitigation strategies must focus on a combination of proactive and reactive measures around non-encrypted data and entry points. These include enhancing user empowerment through better user reporting processes and proactive interventions at the entry points, such as by tracking the join links to E2EE protected channels. Equally, mitigation strategies should include proactive detection measures, such as metadata analysis and targeted surveillance – both of which are limited in their enforcement of the right to privacy but are fundamentally compatible with E2EE. Tech Against Terrorism recommends the following mitigation strategies be adopted by both online service providers, policymakers, and law enforcement bodies.

  1. Encryption centred policy responses

Recommendation 1.
E2EE service providers should include explicit prohibition of terrorism and violent extremism in their content standards, developing on their counterterrorism framework, and how it safeguards encryption, in a dedicated policy.

Service providers can and should develop the necessary counterterrorism frameworks, starting with a clear policy prohibiting terrorist and violent extremist use of their services as well as the sharing of related content. Terrorists and violent extremists’ perception of platforms’ willingness and capacity to moderate their services can be pivotal in their decision to establish themselves on a platform. The more a platform appears to be stable, meaning not taking actions against terrorist and violent extremist content, the more likely it is to be exploited. Conversely, a platform that takes a strong and public counterterrorism stance, acting against prohibited conduct with technically feasible measures, will deter terrorists and violent extremists.

Recommendation 2.
Policymakers should consult with service providers, cryptographers, counterterrorism experts, and digital rights advocates to develop legal responses to terrorist and violent extremist use of E2EE that safeguards encryption and meet their stated aims.

Recommendation 3.
Policymakers should ensure that there is a clear legal framework that considers the ethical and legal questions surrounding the countering of terrorist use of E2EE.

Policymaker calls for lawful access to encrypted content have led to an increase in legislative proposals that directly or indirectly impact E2EE, threatening the fundamental right to privacy and the security of all users but with no proven benefits. In the future, policymakers should ensure that legal responses to terrorist use of E2EE are developed in consultation with service providers and cryptographers to ensure that E2EE will not be negatively impacted. Digital rights advocates should also be consulted to ensure that the necessary safeguards are in place for users whose rights have been infringed. If policymakers opt to encourage the use of metadata to detect terrorist use of E2EE services, or lawful hacking to permit digital investigation, they should also ensure that the ethical and legal questions raised by these options are answered via a clear legal framework.

  1. Preventing access to encrypted services

Recommendation 4.
Service providers should work with law enforcement and counterterrorism experts to identify and block access to encrypted channels associated with terrorists and violent extremists.

Recommendation 5.
E2EE service providers should introduce obstacles to terrorist and violent extremist access to their services, notably by limiting the use of joining links.

Terrorist and violent extremist use of E2EE is a part of the broader online threat landscape and should be understood as such to develop efficient mitigation strategies. In parallel with exploitation of E2EE services, terrorists and violent extremists rely on the usability and audience reach of public-facing or unencrypted platforms for recruitment and propaganda. Terrorists and violent extremists rely on outlinking from un-encrypted online spaces to shift followers towards secure and encrypted channels of communication. Preventive measures should focus on identifying and blocking these entry points to E2EE services and should focus on early interventions in particular. For instance, Tech Against Terrorism’s research shows that join links shared on unencrypted channels play a critical role in driving terrorist and violent extremist users to encrypted spaces. Encrypted service providers should limit the use of join links to disrupt and prevent access to their platforms. The Terrorist Content Analytics Platform can support with this by alerting the encryption provider to join links shared on unencrypted spaces. Service providers should also work with counterterrorism experts to identify those channels, groups, and emails addressed which are used by terrorists and violent extremists and promoted in non-encrypted spaces.

  1. User reporting

Recommendation 6.
E2EE service providers should ensure users’ easy access to user reporting, and provide more accessible resources for users about the reporting processes.

Recommendation 7.
Service providers should collaborate with counterterrorism researchers to investigate ways in which user reporting can be used as part of a broader mitigation strategy for terrorist and violent extremist use of E2EE services.

User reporting is an easily deployable and encryption-compatible solution which can identify and counter terrorist and violent extremist use of E2EE services. There are different reporting solutions5For a visualisation of E2EE services user reporting mechanisms see Tech Against Terrorism’s report on terrorist use of E2EE, section 18.a on “Reactive content moderation and E2EE” to ensure the authenticity of the message reported without compromising encryption protocols. For instance, encryption providers can offer on-app user reporting features relying on message franking,6Message franking allows users to flag a message without giving the encryption and decryption keys to the service provider. or a dedicated email address for abuse reporting.7Whilst this is less direct than in-app flagging, users could still screenshot messages and send them via email to report content. Whilst the consensual sharing of terrorist content on E2EE platforms poses a challenge to E2EE service providers, its emphasis on empowering the user to flag content without posing a threat to users’ privacy highlights the overall utility of user reporting and its important role in any mitigation strategy.

  1. Use of available metadata

Recommendation 8.
Service providers should build metadata modelling and work in collaboration with counterterrorism experts to understand the potential of metadata for counterterrorism.

Recommendation 9.
Law enforcement, service providers, and counterterrorism experts should collaborate to identify terrorist and violent extremist patterns of behaviours on E2EE services, using metadata.

Recommendation 10.
Policymakers should provide a clear legal framework on the use of metadata as a counterterrorism tool, including the necessary safeguards for the right to privacy.

Metadata can support tech companies to detect terrorist use of their services by providing signals of affiliation and behaviour that are not encrypted. For instance, usernames and profile pictures can be scanned to detect signs of terrorist and violent extremist affiliation and support. These can be associated with patterns of use, which can often be built using non-encrypted data with the purpose of identifying terrorist and violent extremist networks on encrypted services. Equally, metadata can provide intelligence to support digital investigations without accessing encrypted content. However, more research is necessary to understand the potential of metadata as a counterterrorism tool, including into what exact types of metadata are of use for simply detecting terrorist conduct, rather than for the purpose of compiling criminal evidence. Data modelling is also required to understand how metadata can be deployed at scale.

Excerpt from Part 3 “Strategies for Risk Mitigations” of Tech Against Terrorism’s report on terrorist use of E2EE.

  1. Considering targeted surveillance solutions

Recommendation 11.
Law enforcement should adapt HUMINT investigation techniques to the online landscape, adapting passing and active monitoring to be used within encrypted spaces without breaching encryption protocols.

Recommendation 12.
Law enforcement should detail in which circumstances targeted surveillance, in particular lawful hacking, can be beneficial for investigations, and clarify what level of cooperation from service providers would be valuable.

Recommendation 13.
Policymakers should provide a clear legal framework delineating targeted surveillance techniques, with respect for the rule of law, due process, and user rights. This should specify when and how targeted surveillance is permissible, as well as what can be reasonably expected of tech companies – with consideration for users’ right to privacy and overall security of the service.

Encryption does impact the monitoring of terrorist and violent extremist activities online for the purposes of criminal investigations. However, targeted surveillance techniques exist and can be favoured to conduct investigations without compromising encryption protocols. Merging open-source intelligence (OSINT) and HUMINT, lawful monitoring can be conducted on encrypted services. Passive monitoring can be done both via the use of publicly available information to track terrorist and violent extremist networks operating in both public and private online spaces, focusing on the points of entry to encrypted channels. Passive monitoring can also be conducted on certain encrypted spaces, without substantial engagement with the different participants in the communication channel. Furthermore, law enforcement bodies can undertake participative monitoring, going undercover online as they would have done offline.

Lawful hacking is also an investigative tool warranting further development since it can permit law enforcement access to a suspect’s device and does not compromise the broader encryption protocols by providing blanket backdoor access to encrypted content.8Tech Against Terrorism provides an overview of lawful hacking techniques in section 19 of our report, “Going Beyond the Encryption Debate” However, whilst different lawful hacking techniques exist, all pose difficult questions concerning the threshold of suspicion required to justify lawful hacking; the level of cooperation required from service providers and whether technical vulnerabilities exploited are notifiable to those providers; the safeguards to limit interference with users’ rights; and the assessment of a measure’s proportionality to its objective. The answers to these questions must be found if lawful hacking is to be conducted with respect for the rule of law and due process.

  • 1
    By using the term “breaking” encryption, we refer equally to all calls to counter terrorist and illegal use of encryption through the systematic monitoring of encrypted content (including pre-encryption) or providing direct access to encrypted content to third parties, as well as any other mitigation strategies that would undermine the inherent privacy of encryption. For an overview of policymakers’ calls to reign in encryption, please see Part 1.8 “Policymakers Calls for Access to and Traceability of E2EE” of Tech Against Terrorism’s report on terrorist use of E2EE.
  • 2
    For more on the Terrorist Content Analytics Platform, visit the website. https://www.terrorismanalytics.org/
  • 3
    For more on platform functionalities see our report ‘Terrorist Use of E2EE: State of Play, Misconceptions and Mitigation Strategies’. https://www.techagainstterrorism.org/wp-content/uploads/2021/09/TAT-Terrorist-use-of-E2EE-and-mitigation-strategies-report-.pdf
  • 4
    Policymakers have also been calling for the systematic scanning of content shared via encrypted services. However, these calls have been motivated by the objective of countering the dissemination of child sexual abuse material online, rather for the purposes of counterterrorism
  • 5
    For a visualisation of E2EE services user reporting mechanisms see Tech Against Terrorism’s report on terrorist use of E2EE, section 18.a on “Reactive content moderation and E2EE”
  • 6
    Message franking allows users to flag a message without giving the encryption and decryption keys to the service provider.
  • 7
    Whilst this is less direct than in-app flagging, users could still screenshot messages and send them via email to report content.
  • 8
    Tech Against Terrorism provides an overview of lawful hacking techniques in section 19 of our report, “Going Beyond the Encryption Debate”