What does the recent Trojan Shield sting tell us about privacy, trust and surveillance?

Police forces across the world have revealed details of Trojan Shield, what is probably the most successful digital sting operation yet:

A series of large-scale law enforcement actions were executed over the past days across 16 countries resulting in more than 700 house searches, more than 800 arrests and the seizure of over 8 tons of cocaine, 22 tons of cannabis and cannabis resin, 2 tons of synthetic drugs (amphetamine and methamphetamine), 6 tons of synthetic drugs precursors, 250 firearms, 55 luxury vehicles and over $48 million in various worldwide currencies and cryptocurrencies. Countless spin-off operations will be carried out in the weeks to come. Operation Trojan Shield/Greenlight will enable Europol to further enhance the intelligence picture on organised crime affecting the EU due to the quality of the information gathered. This enhanced intelligence picture will support the continued effort in identifying operating high-value criminal targets on a global scale.

At the heart of the sting lies an encrypted communications platform called Anom. The devices seemed to run just one app: a calculator. But entering a code turned it into a messaging system for text and images that was encrypted end-to-end. The Anom device was designed to allow criminals to communicate in the securest manner possible, and it proved popular: in three years, over 12,000 were sold to over 300 criminal syndicates around the world. But what the Anom’s users did not know until very recently, was that the system had a built-in backdoor that allowed police authorities to gather and read all the messages in real time. When the police took advantage of the knowledge gained from these communications, the Anom database held over 27 million messages.

The authorities had access to a backdoor because the Anom device was built in cooperation with the FBI. The anonymous designer of the Anom had distributed two previous “hardened encryption devices”, designed to meet the needs of major criminal organizations, the Phantom Secure and Sky Global devices. While working on a new device, the Anom, the designer had been sentenced to six years in prison for importing narcotics. As part of a deal with the FBI, the designer became a “Confidential Human Source” (CHS), and agreed to add a backdoor to the Anom system, which would be developed further and then sold as a subscription costing thousands of dollars a year. The designer played another important role that was vital to the success of the Trojan Shield sting. A court document explains:

The CHS also agreed to offer to distribute Anom devices to some of CHS’s existing network of distributors of encrypted communications devices, all of whom have direct links to TCOs [transnational criminal organizations]. Because encrypted communication devices exist to eschew law enforcement, the distribution of these devices is predicated on trust. This shadowy distribution system is designed, in part, to impeded law enforcement’s ability to obtain content from these devices. To prevent law enforcement from obtaining devices, the Phantom Secure investigation revealed that oftentimes, the distributor must vet would-be purchasers of these devices. This vetting process comes from either a personal relationship or reputational access with a purchaser premised on prior/current criminal dealings. By introducting Anom to the CHS’s trusted distributors, who were likewise trusted by criminal organizations, the FBI aimed to grow the use of Anom organically through these networks.

It’s hardly a surprise that even hardened criminals wish to preserve their privacy by using end-to-end encryption. But it is fascinating to note the key role of trust in this world. The FBI was able to insert backdoors into the supposedly secure communications by subverting the web of trust through the use of the CHS. In doing so, the authorities turned what was theoretically a strength of the criminal world – the fact that it was built on trust – against itself.

Trust is important outside the criminal world too, which is why it is crucial that ordinary people feel they can trust the devices and software that they use. It is much harder to do that if weaknesses are intentionally built in to end-to-end encryption, as governments and police forces have repeatedly demanded. Perhaps the most important lesson of the Trojan Shield sting is that it shows that mandatory backdoors in day-to-day encryption used by billions of people are not needed in order to keep society safe from its worst elements.

One of the primary arguments that the authorities often make in favor of backdoors is that it will allow encrypted conversations between serious criminals to be accessed. But history shows that serious criminals tend to prefer specialist devices, not mainstream ones, which they don’t trust because they can’t be vetted in the same way. Anom is by no means the only example of this preference: in addition to the Phantom Secure and Sky Global devices mentioned above, another system popular with criminals was EncroChat. Despite its use of advanced encryption, French and Dutch law enforcement experts were able to penetrate its system by accessing some of EncroChat’s servers. The fact that in recent years four different encrypted communication systems designed for, and widely used by, criminals in many different countries led to numerous arrests shows that it is nonetheless possible to access such communications, using various kinds of workarounds. That is exactly what the respected security expert Bruce Schneier pointed out a few years ago. In a paper jointly written with Orin Kerr, he listed no less than six kinds of workarounds that can be explored. It is simply not necessary to undermine the online safety of billions of people by weakening encryption in general use software, unless the real aim of such a move is to spy not just on criminals, but on everyone.

Featured image by John Flaxman.