Images of child sexual abuse and stolen credit card numbers are being openly traded on encrypted apps, a BBC investigation has found.
Security experts told Radio 4’s File on 4 programme that the encrypted apps were taking over from the dark web as a venue for crime.The secure messaging apps, including Telegram and Discord, have become popular following successful police operations against criminal markets operating on what is known as the dark web – a network that can only be accessed by special browsers.
Images of child sexual abuse and stolen credit card numbers are being openly traded on encrypted apps, a BBC investigation has found. https://t.co/iGq4hVcZUI
— Edge Cyber Security (@EdgeCyber) February 19, 2019
Expert Comments below:
Boris Cipot, Senior Security Engineer at Synopsys:
“Encryption apps started out with good intentions – it was to help people who couldn’t speak up without this software. For example, news reporters in countries where the truth could get them in jail or even cost them their lives, and it should protect abused people that are on the run from their partners so that they can keep up communication with people without the abuser finding them. Also, through the Snowden revelation, it helped protect private communications from government spying.
“Since this idea started, encryption in all types of software is a feature which users do not want to be without. Some have valid reasons, and some are just following the crowd when they say they need it. But, unfortunately, even if this functionality was created for good use, there are those that will abuse it for negative reasons. The Silk Road Darknet portal is one of the most well-known negative uses, and unfortunately those abuses will continue.
“The issue is that once you add some sort of governance or tracking into encryption enabled apps, the whole idea about security/anonymity/privacy is gone. But I hope that there will be a technology developed that will disable the misuse of encryption functionalities for human-harming actions.”
Christopher Littlejohns, EMEA Manager at Synopsys:
“The use of what is currently considered “uncrackable” encryption mechanisms is an essential capability that enables much of the commerce that is executed on the internet. Without encryption, there would be no way to safely buy goods online, protect personal data, comply with GDPR regulations, do your banking, communicate safely in the battlefield, etc. We literally cannot do without encryption in current and future times. So encryption ensures privacy and security in the transmission and storage of our valuable data, hence this is why criminal and terrorist groups of various kinds will use it to their advantage.
“The underlying issue is one that societies as a whole need to tackle. The question is, is tackling the bad usage of encryption worth the potential impact on the good uses? Governments throughout the world are considering this problem, but there are no easy answers. If government agencies demand that the private keys are stored in some form of Escrow or similar, this undermines the whole purpose of encryption, to guarantee privacy and security. The worry would be that these keys are used for political or criminal purposes. This would lower the trust that people would place in the good uses of encryption, and could badly effect the economy. Alternatively, if we insist on the use of crackable encryption techniques, then the result is the same, i.e. we lose trust in the mechanism and the capabilities that use it.
“There is some positives in this however. Criminal gangs who exchange encrypted messages will inevitably leave a footprint on the internet. It is quite possible that Cyber forensic specialists could use this to identify participants to help build a picture of the participants. In addition, these individuals will inevitably record or store these pictures for further use. Here is where our serious crime investigators need to focus their efforts and develop their capabilities to deal with the threats as they are now. These types of criminals will always use whatever they can to reduce the risk of being caught, be it low tech or high tech. Unfortunately the old, trusted method of infiltration into these groups is probably still the best approach.
“The bottom line is it is absolutely futile to expect that the issue can be tackled by enabling government or police forces to access encrypted data more easily.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.