It's no longer surprising that ISIS uses Telegram's secure messaging to conduct its terror campaigns, but what other tools does it use to keep its online actions under wraps? Thanks to researchers at the West Point military academy, we now have a good idea. They've obtained an ISIS operational security guide that shows the outfit's recommended internet services and software, as well as the policies they're supposed to follow. The extremists are advised to use Tor's anonymity network for browsing, Tails as their operating system and messaging services like Telegram, FireChat or iMessage. They're asked to rely on secure phones like the BlackPhone if they can. They're supposed to avoid anything that gives away their location (for obvious reasons), as well as Dropbox, whose company-managed encryption theoretically lets governments demand access to cloud storage.
The guide also dispels some myths. Not surprisingly, there's no mention of using PlayStation systems (or any other game console) for chats, as was briefly rumored following the Paris attacks. And while the US has frequently claimed that WhatsApp is a security risk, ISIS actively avoids it due to flawed encryption practices.
Do these tools sound familiar? They should -- they're the same tools used by human rights advocates, whistleblowers and others trying to avoid oppressive governments and overreaching surveillance. That, in turn, illustrates the troubles with arguing both for and against encrypted services. The technology lets ISIS hatch plots in secret, but it's also the key to protecting pro-democracy protests and other vital forms of free speech. And since there's no such thing as an encryption backdoor that's only available to the 'right' people (anyone can use those vulnerabilities), cracking down on these tools could hurt privacy and security across the board.
As it stands, there's a big difference between delivering advice and following it. The Paris attackers didn't actually use encrypted chat (they leaned on SMS for at least part of their assault), and they made classic mistakes like tossing a working phone in the trash. This isn't to say that there aren't smarter, encryption-savvy terrorists, but the rush to blame security tools can sometimes ignore the practical reality of how these organizations operate.
Update: You know how we said there were similarities between the strategies in this manual and those used by human rights advocates? Well, that's because it was written for those advocates. In a statement, Kuwaiti security firm Cyberkov says that it wrote the manual for "journalists and activists" trying to evade oppressors. The outfit accuses West Point of not only botching its translation job, but giving governments one more excuse to weaken encryption and reduce your privacy. We apologize for contributing to those excuses.