Last fall, heaps of boxes piled with tuna cans left Ecuador on a ship destined for Belgium. Upon arrival, the shipment was picked up by law enforcement, who discovered that the tins weren’t filled with line-caught albacore but with more than 1,300 pounds of cocaine, packed in neat little pucks. The seizure wasn’t a stroke of luck, however, or the result of a routine search. Belgian authorities knew the drugs would be there, since they’d read the encrypted text messages of the alleged offenders who sent it.
Import demands, shipping container logistics: the FBI had seen it all hammered out over a series of texts dating back to October on the Anom encrypted phone system. Federal agents had not cracked Anom’s cryptography or paid an informant directly involved with the shipment. They had, along with the Australian police, spent the previous three years running the whole system.
As it turns out, the tuna smugglers were a drop in a much bigger ocean of Anom-related law enforcement activity. Early this week, an international consortium headed by the FBI announced a total of approximately 800 arrests, more than 500 of which were made recently, that originated directly from the information gleaned through its role as Anom’s owner and operator. Authorities intercepted more than 27 million messages across the system from around 12,000 devices, and seized $45 million in various currencies, 250 firearms, and more than 32 tons of illegal drugs.
The story of how the FBI got its hooks into Anom is intriguing in its own right; based on court records, the agency had taken down another secure communications system marketed to criminals, then convinced one of its developers to become an informant. At the FBI’s request, that anonymous individual slipped an addition into Anom: a calculator program that relayed every communication sent on the platform back to the FBI.
The Anom takeover was a bold bit of intelligence work. It also raises serious questions regarding the wider encryption debate. The US Department of Justice and law enforcement agencies across the world have increasingly lobbied in recent years to get access to “end-to-end” encrypted communication platforms, which keep data scrambled and unreadable at every point of its journey across the internet. Content like messages or call data is only decrypted locally on the sender’s and recipient’s devices, making it hard for law enforcement to access it through subpoenas. In many cases, such services also simply function as a pass-through for encrypted communications and do not store the information at all.
The FBI calls this lack of visibility “going dark.” The bureau’s repeated request, together with other law enforcement agencies across the world, is for companies to create so-called backdoors into those systems to permit officials special access. Security researchers agree that you can’t build that sort of intentional weakness without undermining the security of all data on a given service. And the Anom operation, together with several other high-profile cases in the past several years, indicates that “going dark” isn’t as much of an impediment as law enforcement insists.
“When law enforcement claim that they need companies to build in backdoors for them to gain access to the end-to-end encrypted communications of criminals, examples like Anom show that it’s not the case,” says Joseph Lorenzo Hall, a senior vice president at the nonprofit Internet Society who works on web encryption and security.
The FBI and DOJ have been known to overstate their need for backdoors in the past. In a notable 2016 public standoff with Apple, the agency demanded that the tech company produce a tool that would permit it to unlock one of the San Bernardino shooters’ iPhone 5C. Apple resisted, and the legal dispute ultimately ended in a draw, because the FBI was able to buy a third-party tool to access the device. A similar situation presented itself last year; the DOJ was again able to get the data it needed without forcing Apple to produce a universal iPhone cracker.
Law enforcement can also still access encrypted communications if they can gain access to and unlock the physical devices involved. Cloud backups have provided key evidence in countless cases. Mainstream platforms like Facebook are actively developing ways to flag malicious activity without seeing the actual content of encrypted messages.
The FBI’s repeated success in overcoming its “going dark” problem belies the protestations that it’s an existential threat. In some ways, Anom shows just how creative the agency’s workarounds can be. Researchers caution, though, that as more governments around the world seek the power to demand digital backdoors–and as some, like Australia, implement such laws–authorities could also point to the Anom case as evidence that special access works.
“It seems like from there it is not rhetorically that large of a jump to say, ‘This worked so well, wouldn’t it be nice if every app had a backdoor?’ That is what law enforcement in the US has said it needs,” says Riana Pfefferkorn, associate director of surveillance and cybersecurity at Stanford University’s Center for Internet and Society. If being able to surveil every message on Anom was so effective, the FBI might say, why not simply do it more, and in more places?
It’s important not to extrapolate too broadly from the Anom experience. According to the documents released this week, the FBI went to great lengths to work under foreign laws and avoid surveilling Americans throughout the three-year initiative. And there’s no immediate threat of the FBI being able to deploy a totally backdoored system inside the United States. The Fourth Amendment protects against “unreasonable” search and seizure, and sets out a clear foundation for government warrant requirements. Furthermore, continuous surveillance orders like wiretap warrants are intentionally even more difficult for law enforcement to obtain, because they authorize expansive bulk surveillance. But, as the National Security Agency’s PRISM program showed, unchecked domestic digital surveillance programs are not outside the realm of possibilities in the US.
One lesson to take from Anom, though, is that while it was effective in many ways, it came with potential collateral damage to the privacy of people who have not been accused of any crime. Even a product geared toward crooks can be used by law-abiding people as well, subjecting those inadvertent targets to draconian surveillance in the process of trying to catch real criminals. And anything that normalizes the concept of total government access, even in a very specific context, can be a step on a slippery slope.
“There’s a reason we’ve justify requirements and it requires effort and resources to put the job to investigations,” P