Wither Encryption: What Operation Trojan Shield Reveals
My, were they delighted. Politicians across several international jurisdictions beamed with pride that police and security forces had gotten one up on criminals spanning the globe. It all involved a sting by the Federal Bureau of Investigation, led in conjunction with a number of law enforcement agencies in 16 countries, resulting in more than 800 arrests. The European Union police agency Europol described it as the “biggest ever law enforcement operation against encrypted communication.”
The haul was certainly more than the usual: over 32 tonnes of an assortment of drugs including cocaine, cannabis, amphetamines, and methamphetamines; 250 firearms, 55 luxury cars, and some $48 million in cash, both tangible and digital.
Operation Trojan Shield arose because of a grand dupe. It involved recruiting an FBI informant who had developed an adulterated version of the encryption technology platform Anom, to be used on modified cell phones for distribution through a range of organised crime networks. The platform included a calculator app that relayed all communications sent on the platform back to the FBI. “You had to know a criminal to get hold of one of these customised phones,” the Australian Federal Police explained. “The phones couldn’t ring or email. You could only communicate with someone on the same platform.”
The users were none the wiser. For three years, material was gathered and examined, comprising 27 million intercepted messages drawn from 12,000 devices. This month, the authorities could no longer contain their excitement.
While the criminals in question might well have been mocked for their gullibility, the trumpeting of law enforcement did not seem much better. A relentless campaign has been waged on end-to-end encryption communication platforms, a war against what policing types call “going dark.” To add some light to the situation, the agencies pine for the creation of tailored backdoors to such communications apps as WhatsApp, iMessage, and Signal.
Few could forget the indignant efforts of the FBI to badger Apple in 2016 to crack the iPhone of Syed Farook, the San Bernardino shooting suspect. Apple refused. The battle moved to the courts. In what has become something of a pattern, the Department of Justice subsequently dropped the case by revealing that it had “successfully accessed the data stored on Farook’s iPhone and therefore no longer requires the assistance of Apple Inc.” The DOJ then requested that a court order of February 16 demanding Apple create software with weakened iPhone security settings be vacated. By refusing to reveal how it had obtained access to the phone, government authorities had thrown down the gauntlet to Apple to identify any glitches.
In 2020, a number of international politicians with an interest in the home security portfolio released a joint statement claiming to support “strong encryption, which plays a crucial role in protecting personal data, privacy, intellectual property, trade secrets, and cybersecurity.” A casual glance at the undersigned would suggest this to be markedly disingenuous. Among them were: Priti Patel, UK Home Secretary; William P. Barr, US Attorney General; Peter Dutton, Australian Minister for Home Affairs.
Having given nods of approval for encryption as “an existential anchor of trust in the digital world,” the ministers took aim at the various platforms using it. On this occasion, it was the “challenges to public safety” posed by the use of encryption technology, “including to highly vulnerable members of our societies like sexually exploited children.” (The battle against solid encryption is often waged over the bodies and minds of abused children.) The industry was urged “to address our concerns where encryption is applied in a way that wholly precludes any legal access.” This would involve companies having to police illegal content and permit “law enforcement to access content in a readable and usable format where an authorisation is lawfully issued, is necessary and proportionate, and is subject to strong safeguards and oversight.”
Cases like Anom demonstrate that there is seemingly no need for such intrusions, bells of alarm, and warnings about safety. The police have sufficient powers and means, and more besides. As with such matters, the danger tends to be closer to home: police zeal; prosecutor’s glee; a hatred of privacy. Joseph Lorenzo Hall, senior vice president at the non-profit Internet Society, is convinced of that fact. “When law enforcement agencies claim they need companies to build in backdoors to help them gain access to the end-to-end encrypted communications of criminals, examples like Anom show that it’s not the case.”
John Scott-Railton of the Citizen Lab at the University of Toronto’s Munk School of Global Affairs and Public Policy makes the same point. “What this case shows is that global law enforcement is perfectly capable of mobilising a multiyear caper to get around exactly the kinds of problems about encryptions that they’ve been talking about without breaking the encryption of the apps that keep you and [me] private.”
The Australian wing of the operation had even greater extant powers of access to encrypted messages. The Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 is one of those beastly instruments many law enforcement agencies dream about. It might also suggest why Australia, a nominally small partner, might have been asked by the FBI to be involved in the first place. When asked if this was the case, Australian Prime Minister Scott Morrison suggested that the question be put to US authorities. For him, the AFP’s hardly impressive technical efforts were to be praised.
None of this is enough for the Morrison government, which is intent on further pushing the surveillance cart in such proposed laws as the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020, and the Telecommunications Legislation Amendment (International Production Orders) Bill 2020 (IPO Bill). The former would permit the AFP and the Australian Criminal Intelligence Commission to issue a new range of warrants for combating online crime; the latter would create a system by which Australian agencies would be able to access stored telecommunications from identified foreign communication providers in cases where Australia has a bilateral agreement.
Operation Trojan Shield has again shown that calls for weakened encryption are to be treated with due alarm. Almost silly in all of this was the fact that the FBI and fellow agencies made it a demonstrable fact, undercutting their very own arguments for a more invasive surveillance system. The next play is bound to come from the criminal networks themselves, who, wounded by this deception, will move towards more conventional encryption technologies. The battle will then come full circle. In countries such as Australia, where privacy is a withering tree, the encryption debate is a dead letter.