Almost two weeks ago, the New York Times and NBC reported that one of the San Bernardino attackers, Tashfeen Malik, pledged allegiance to ISIS in a Facebook post prior to opening fire on the Inland Regional Center.
Talking with the press earlier today, FBI Director James Comey said that wasn’t true, calling those press reports “a garble.” He then quickly descended into yet another jeremiad against the tech industry’s encryption practices.
Why is the FBI whining about encryption when the private messaging features on social networks are, well, unencrypted?
Apparently the couple at San Bernardino used some kind of messaging service to discuss support for jihad ahead of the attack, communicating privately versus public declarations. The Los Angeles Times reports that at least some of it was over Facebook messages. At the conference, Director Comey name-checked Twitter “as a way to crowdsource terrorism.”
Twitter Direct Messages aren’t encrypted. Facebook messages aren’t either, at least not on Facebook’s servers. That means that the FBI and other law enforcement agencies should be able to access those messages with appropriate court orders.
And while encryption looks like it’s going to continue to be the chief focal point for security experts over the next few weeks while details from San Bernardino continue to emerge, the real issue seems to be that Malik and her husband Syed Farook were not on anyone’s watch list ahead of the attacks (although Facebook had previously confirmed to the Times that Malik did post publicly on Facebook shortly after the attacks).
This is a separate issue — one of policing or censorship, depending on whom you ask — that doesn’t have a simple solution. Facebook and Twitter don’t actively scan their sites for terrorist-related content, and that includes private messages. They only act on those posts or messages once they’re flagged by other users.
Neither company has made any indication that they plan to change this policy.
As high-profile data breaches have mounted in the last few years, Facebook, Apple, Google and other tech companies have added more sophisticated encryption tech to their messaging services. In October, activists and Silicon Valley successfully pressured President Obama to back off on pushing a bill through Congress that would have required building backdoors for government access to encrypted user data.*
Though after San Bernardino and Paris it’s now politically fashionable for presidential contenders to slam the tech industry and encryption, Silicon Valley will likely continue to stay quiet and wait out the backlash.
Still, government agencies are recalibrating their practices even without much (public) cooperation from tech companies. The Department of Homeland Security is reportedly going to begin reviewing the social media profiles of visa applicants,** and the Obama Administration is recruiting college students to fight ISIS propaganda online.
What’s unclear is why, in the absence of compelling, public information indicating a direct link between recent terror attacks and encrypted communications, law enforcement is continuing to loudly complain about encryption.
In an emailed response, a representative for the FBI said: “The Director was referring to the time period before the shooting, and describing how direct private messages between the subjects would not have been apparent to a wider audience. We have not commented on media reports that the subjects posted claims of allegiance online after the shooting, as this remains an ongoing investigation.”
* Provisions that enable government surveillance were worked into the end-of-year federal budget legislation that is almost surely going to be signed into law, although that has less to do with encryption and more to do with accessing user data without a warrant.
** The Wall Street Journal reported on DHS’ plans two days ago. From the initial Dec. 4 New York Times article saying Malik had publicly pledged allegiance to the Islamic State before the San Bernardino attacks: “Immigration officials do not routinely review social media as part of their background checks, and there is a debate inside the Department of Homeland Security over whether it is even appropriate to do so.”
This article originally appeared on Recode.net.