Apple has its Genius Bars. Amazon has a Mayday Button. And ISIS, we learned this week, has a 24-hour Jihadi Help Desk.
It’s a handy convenience for the terrorist on the go, who doesn’t have time to read the Islamic State’s 32-page manual on online privacy and encryption techniques—which Yahoo News’s Alyssa Bereznak got her hands on and published Wednesday.
One of the key questions in the wake of the Paris attacks is how ISIS managed to plan and perpetrate them without being detected by French and international authorities. Law enforcement officials in the United States were quick to argue that the massacre highlighted the danger of encrypted communication technologies. They’ve been pushing for “backdoors” that would enable government access to otherwise private messaging services.
This week has brought some surprising evidence to support the concern that terrorist networks are growing increasingly tech-savvy. NBC News reported on Monday night that ISIS maintains a 24-hour help desk, “manned by a half-dozen senior operatives,” to solve the tech conundrums that inevitably arise as they endeavor to conspire online without attracting unwanted attention. As described by NBC News, it isn’t so much a desk as a cadre of experts with professional IT training who make themselves available via various online forums, encrypted messaging apps, and even public social media accounts. Their job is to keep abreast of the latest developments in online security, distribute news updates and tutorials, and dispense advice on the best way to interact online without arousing suspicion. “Clearly this enables them to communicate and engage in operations beyond what used to happen, and in a much more expeditious manner,” a counterterrorism analyst told NBC News.
The manual that Yahoo News uncovered reinforces the picture of ISIS as a tech-savvy, 21st-century operation. It dispenses a mixture of common-sense privacy advice, like turning off location services on your phone and using a VPN for your browsing, with useful recommendations for secure apps, like TrueCrypt and Hushmail. It also includes some country-specific tips, like avoiding the Opera Mini browser when you’re in Saudia Arabia. Yahoo News' Bereznak posted the full manual on Scribd, and you can read it below:
This is not ultra-sophisticated stuff, but it doesn’t have to be. It’s just meant to help ISIS affiliates and self-styled jihadis around the world avoid making the sorts of really dumb mistakes that basic law enforcement techniques would be most likely to detect.
Along the same lines, the Wall Street Journal reported recently that an ISIS “technical expert” circulated a list that ranks 33 popular communication apps on a scale of “unsafe” to “safest.” In the “unsafe” category are globally popular chat apps such as WhatsApp, Kakao Talk, and WeChat. Leading U.S.-based apps, including Apple’s iMessage, Google Hangouts, and Facebook Messenger, are rated “moderately safe,” likely because they come with some high-end security features, but are also suspect due to the attention those companies have received from the NSA. Wickr and Telegram are among the “safe” options—or at least they were until Telegram announced it would block ISIS-related channels this week after coming under fire as a favorite tool of the terrorist group. Redphone and SilentCircle are among those considered safest of all. All of this would seem to play into the law-enforcement narrative that new technology, specifically the rise of commercial encryption, has made its job harder and the public less safe. (Here’s a good, nontechnical explainer on encryption, in case you’re wondering what exactly it means.)
It isn’t that simple, however. For one thing, most technologists agree that the government’s proposed antidote to encryption—backdoors—would cause more mayhem than it would prevent. For another, there’s a good case to be made that government spooks have more access to our personal data than they’ve ever had before, even accounting for the small portion that’s encrypted.
Finally, it’s worth noting the source of all these recent news stories about ISIS’ encryption strategies. For the most part, they’re coming from intelligence officials and counterterrorism analysts, some of whom might have their own reasons for painting the group as terrifyingly tech-savvy.
That’s not to say the stories of tech manuals, help lines, and app ratings are untrue. It seems clear that ISIS is in many ways a modern operation that takes online privacy seriously. Even religious extremists need 21st-century skills. But we still don’t know exactly how the French attacks were planned and coordinated, and it would be premature to blame encryption tools for authorities’ intelligence failures.
There are already signs that the image of ISIS as a technological juggernaut has been exaggerated: The Intercept reported Wednesday that at least some of the attackers’ communications were sent via unencrypted SMS, including a text message that read, “we’re off; we’re starting.” A cellphone that apparently belonged to one of the attackers was found to have unencrypted data, including location records. And, as the Intercept notes, authorities did in fact intercept ISIS conspirators’ communications in advance of a failed attack on Belgium earlier this year, which a key figure apparently tried to coordinate via cellphone from Greece. Far from using Tor or SilentCircle, it turned out the attackers were simply talking on the phone in obscure Moroccan dialects.
Why would the Paris attackers have ignored ISIS’ own best practices for secure communications? Who knows—maybe the Jihadi Help Line was busy assisting other customers.
Previously in Slate: