Archer

Cybersecurity experts say the proposed changes would not stop terrorists from communicating and planning attacks.

 

Almost one month after terror attacks killed 130 people in Paris, the French government is considering new ways to fight terrorism, including shutting down some uses of the internet. 

Le Monde reports that it has obtained an internal document from France’s Department of Legal Affairs and Civil Liberties to the Interior Ministry outlining recommendations from law enforcement for two new laws to be considered next year.

Law enforcement would like to block the anonymous Tor network in France, according to the report.

Banning anonymous networks?

China has tried to ban Tor, reported Motherboard.

“So, if the French really wanted to block Tor, they might have to consider a model similar to the Chinese regime’s. Naturally, that might be worrying for anyone that cares about free-speech, increasing surveillance, or, say, democracy,” the Motherboard article said.

Cybersecurity experts said the French plan will not stop terrorists from communicating and planning attacks.

“France certainly has a right to attempt to find ways to better root out the ‘bad guys,'” said Stacy Bresler, managing partner of Archer Security Group. “However, they may be pushing toward the wrong solutions.”

The Tor Project says Tor “protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location.” 

That could certainly help terrorists plan attacks. But it is not the only way for them to communicate in secret.

“Blocking Tor doesn’t solve the use of anonymizers,” said Bresler. “It just blocks one of hundreds, if not thousands, of options.” 

Bob Beachy, also of Archer Security Group, said France could ban Tor itself, but that would not stop anonymous use of the Internet.

“If history or high school serve to tell us anything, the backlash against a ban of a popular activity can often lead to unintended consequences that are worse than the original problem,” Beachy said.

Beachy used the music industry in the late 1990’s and early 2000’s as an example. He said the recording industry was too slow to keep up with the technology evolving around it.

“When they finally realized that communities had come up with a demand-driven system for music sharing, their reaction was to legislate, arbitrate, and litigate, rather than to find a way to evolve with existing and future technology,” he said.

“This did little to stop the evolution of online music, and consumers did not venture back into the world of paid music until companies outside of the recording industry, like Apple and Spotify, began to offer products in a way that was equivalent or superior to illicit file-sharing tools and blogging sites,” he added.

“Fringe elements will always find a way to exploit burgeoning technologies in their favor,” Beachy said. “If Tor is shut down, it is only a matter of time before well-meaning paranoids and criminals alike have moved on to other currently available, yet less popular technologies. Inevitably, the next used iterations will be even harder to track.”

Bresler added that in the pursuit of Internet security, people sometimes forget about real-world issues.

“Can I buy something at a grocery store with cash without giving them my identity? Of course, I can,” Bresler said. “Should France make it a law that whenever you buy a can of Coke with cash you are required to identify yourself?”

“It seems an impossible task to cover all the ground where a bad actor might attempt to hide,” he explained. “I get making it just that much more difficult to mask your identity could have its benefits, but at what cost? The bad guys will find an alternative means to do the same thing. The only way to prevent it in the digital world would be to shut down the Internet altogether, and we know that isn’t going to happen!”

State of emergency?

The French government document, as reported by Le Monde, recommends that France “prohibit free and shared Wi-Fi connections during a state of emergency and remove public WiFi connections, under penalty of criminal sanctions, because of the difficulty of identifying people connected.”

Patrick C. Miller, managing partner of Archer Security Group, questioned whether this part of the plan, if made into law, would be successful.

“Would this also make an unsecured-but-not-public WiFi illegal?” he asked. “Say, for instance, I lived in an apartment building and just didn’t put a password on my WiFi connection, so that anyone could connect to it. If this is considered illegal, and the owner of the ‘open’ WiFi connection is not a terrorist, would they be treated as one just because they didn’t put a password on their WiFi?”

He said the approach could be very difficult to enforce. 

“Further, this will slow down communications at best,” Miller said. “The bad guys will either move to alternative methods or they will get better at cracking weak WiFi encryption/keys.”