This article has been written over the first fortnight since the operation took place and not all details have been made public. We have done extensive research and cross-referencing to the best of our abilities however given the recency, we have relied on early media reports and speculation by cybersecurity experts coupled with our own interpretation to form this article. Consider this article accurate to the best of our knowledge ‘as of this writing’, future disclosures on the operation may bring more details to light which may be contrary to any point we’ve reported within this article.
Introduction
As our devoted readers and those interested in the subject more broadly will know there have been instances of law enforcement around the world looking to weaken encryption standards. We’ve written about this in our articles about Crisis Surveillance and the Five Eyes for example, with the Apple FBI case a prominent example and good case study on the matter.
‘Operation Ironside’ as named by the Australian Federal Police (AFP) or ‘Trojan Shield’ as named by the Federal Bureau of Investigation (FBI) made headlines around the world when news broke in early June of 2021. Herein we will refer to it as Trojan Shield and it has flipped the approach law enforcement has taken regarding its battle with encryption.
We will start with a very brief outline of the operation – given it has made international headlines we will safely assume most people are aware of the basics. We will then have a look at the approach law enforcement took and what it means for privacy and security, namely the argument for weakening encryption standards often made by law enforcement.
Disclaimer
Please note we support law enforcement in their fight against criminals and illegal behaviour. This article is not a criticism of the operation nor is it sympathetic to those arrested. The operation is simply used as a topical example regarding the broader subject of the relationship between encryption and law enforcement. Our goal at Privacy Rightfully is to help people protect their privacy and online security from exploitation by bad actors, not to help people cover their tracks when taking part in illegal activities.
Operation Trojan Shield
Background
The concept of AN0M relies heavily on encryption, if you’re unsure what that is or need a refresher read our Encryption 101 article linked here before continuing. The background to the operation is as follows:
- In 2018 authorities shut down Phantom Secure which was a similar concept to AN0M operating as a modified secure mobile phone. The idea for AN0M was to fill the gap left behind by Phantom Secure
- It has been reported that one of the former hackers involved with Phantom Secure was already developing AN0M and agreed to hand control over to the FBI for a reduced prison sentence for his involvement with Phantom Secure
- The AFP and FBI ran AN0M which, unknown to its users, was a trojan horse in that it was not secure at all sending decrypted messages straight back to authorities in real time
- The phones with AN0M had no email, call, or GPS capability, all of this was stripped out to make them appeal as more secure and less trackable
- The phones only offered messaging through the AN0M app to other phones which were also stripped out of other capabilities and ran only the AN0M app as well. The phones relied on foreign SIM cards, the app was accessed by entering a pin on the phone’s calculator, and users could only send text, images, or video content through the app
- The phones were distributed through the black market for approximately $2,000 by invitation only (criminals need to know other criminals to get one)
- To appear trustworthy the company behind AN0M was apparently based in Switzerland and claimed to use military grade encryption. The authorities even charged a subscription fee for the app to make it appear as legitimate as possible
- As high-profile organised crime figures trusted the devices they grew in popularity. It is estimated approx. 11,000 phones were distributed across 90 countries.
The Operation
- Approx. 20 million messages were intercepted during the operation which ran over 3 years, was supported by the intelligence agencies of 18 countries, and involved approx. 9,000 members of law enforcement
- Authorities uncovered details about drug deals, murder plots, assassination targets (including innocent people), location and routes of drug and firearms trade, money laundering, etc
- On the 8th of June 2021 the operation culminated in mass raids and search warrants executed simultaneously around the world.
Global results
- Over 800 people were arrested across 16 countries including members of organised crime, outlaw motorcycle gangs, powerful drug syndicates, etc
- Over 40 tons of drugs were seized
- Approx. 250 firearms were seized
- Approx. 55 luxury cars were seized
- Approx $48 million dollars across numerous currencies and cryptocurrencies were seized
- Numerous other proceeds of crime including stolen artworks, jewellery, and other high-value or luxury items were seized
- The prevention of a number of planned murders
- The interception or disruption to drug supply shipments, routes, relationships, and networks
- Due to US privacy laws however – the FBI was not allowed to download or read any messages sent from AN0M accounts resulting in no arrests of domestic subjects in the US. More on this later in the article.
The unique angle law enforcement took
The most curious thing about Trojan Shield is it appears law enforcement decided to exploit the strengths associated with encryption rather than fight to weaken them. In the past they’ve argued that encryption allows for terrorists, criminals, gangs, paedophiles, people smugglers and the such to cover their tracks and evade capture (this isn’t untrue). They’ve used this line of thinking to argue for the weakening of encryption standards, which basically means having a backdoor available only to law enforcement to decipher encrypted data. The problem here is that by intentionally designing a weak link in encryption you weaken the entire concept, and as we highlighted in our Five Eyes article there are members of the law enforcement community that agree, including a former FBI General Counsel. Consider this quote from a leaked National Security Council draft paper:
“Overall, the benefits to privacy, civil liberties, and cybersecurity gained from encryption outweigh the broader risks that would have been created by weakening encryption.”
It’s unclear if the design of this operation came from the fact that law enforcement wasn’t convincing in their argument on weakening encryption standards. However, it is heartening to see that they have indeed changed their approach to ‘if you can’t beat them, join them’ so to speak and exploited the aura of security around encryption and used encryption to catch their targets. We even wrote about this in our Five Eyes article stating weakening encryption shouldn’t be the only avenue the intelligence community should be fixating on. Happily, Trojan Shield has shown it’s not.
The great juxtaposition
The execution of Trojan Shield came at a time of highly publicised ransomware attacks on global corporations. The White House has even come out and urged the business community begin to take cybersecurity more seriously and make stronger investments in securing their IT infrastructure.
As we know, encryption is one of the most powerful tools utilised across numerous cybersecurity applications. On the one hand a person or company can encrypt their data to ensure if access to it is breached by a bad actor the data is unreadable. Conversely a ransomware attack traditionally involves the bad actor encrypting valuable data they gain access to and not provide the decryption key until a ransom is paid.
So, we have a state of affairs in which we are told to sharpen our cybersecurity practises with tools such as encryption. At the same time, we’ve seen law enforcement historically try weakening encryption and look where we are today. Operation Trojan Shield, utilises international intelligence partners with weaker privacy laws (more on this later) to help law enforcement exploit the trust people have with encryption within the very cybersecurity tools they were urged to utilise.
Where does this leave secure communication?
Secure communication hasn’t changed, and encryption standards haven’t been affected (for now). If you use an encrypted email provider or messaging app the security is the same as it was the day before Trojan Shield was publicised. This hasn’t been an attack on privacy or encryption standards, this was a carefully designed standalone app, made by law enforcement for one specific purpose.
Criminals were attracted to it for reasons beyond encryption, reasons which typically aren’t considered by even the most privacy conscious law-abiding citizens. The criminals didn’t just need encryption, they needed the reduced traceability of the device itself (thus no calls, email, or GPS services were on AN0M phones).
Most people aren’t seeking that level of privacy, we always say we are helping people make changes to ensure they’re not the low hanging fruit / easy targets for bad actors. This means they still want to use mainstream mobile phones, operating systems, software, and apps – exactly what criminals targeted by Trojan Shield don’t want to use. The obscurity of the AN0M app, the stripped out features of the phones, and the difficulty in acquiring the phone is beyond the interests of most people simply pursuing a more private and secure interaction with the internet – those we write for.
The only impact we can really see this having comes back to that aurora of security surrounding encryption. The reason the criminals jumped on the use of the AN0M app was based on knowing what encryption is capable of – they did no further research beyond that. No one thought twice to verify, well almost no one.
In March of 2021 a blogger operating under the name canyouguess67 looked into a AN0M more closely. This person identified security flaws and alleged links to servers in both Australia and the US. The blog article warned users not to trust AN0M and detailed the security issues with app. The blog post was deleted from the internet not long after posting and the authorities have since confirmed that this blog post almost undermined the entire operation.
Based on current information as of this writing we believe the success of Trojan Shield came down to two critical enablers, neither of which involved weakening encryption:
- The failure of users to verify AN0M and instead relying on word of mouth from criminal associates
- Weak Australian privacy laws allowing for messages to be read
Weak Australian privacy laws
As we mentioned earlier the FBI was not allowed to download or read any messages sent from AN0M within the US due to privacy laws. The partnership with Australia in this operation goes beyond their Five Eyes alliance and long history of intelligence cooperation. Australia was able to read messages thanks to a court order obtained by the AFP in 2018 to legally monitor individuals in Australia or with a clear nexus to Australia. While the AFP couldn’t share the direct content of messages with the FBI it has said it shared the general nature of AN0M conversations with their US counterparts.
The following year in 2019 the FBI arranged with an unknown third country to install a server on their soil to download global AN0M communications from. This third-party country, like Australia, is very likely not to have strong privacy protections in place to prevent this from happening. The exception to the agreement included approx. 15 AN0M users in the United States (per the privacy laws in the US). However, the AFP monitored the US AN0M accounts for any ‘threats to life’ of US citizens.
Australian Prime Minister Scott Morrison confirmed the AFP utilised the controversial Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 or ‘TOLA’ for the first time to enable access to AN0M messages. TOLA allows for law enforcement to compel various communication providers to provide access to encrypted data, however further details of how the law was used specifically haven’t been disclosed as yet. This leads to an obvious question – could Australia’s TOLA be used to circumvent the laws and protections of other jurisdictions? Alternatively, will the FBI go ‘jurisdiction shopping’ when a planned operation violates US law?
We would love to say that’s where it ends, but after TOLA, Australia now has the Surveillance Legislation Amendment (Identify and Disrupt) Bill before parliament. This is designed to give the AFP powers to disrupt the Dark Web by accessing or disrupting the networks, data, devices, and accounts of suspected criminal networks or individuals. Naturally privacy advocates are not thrilled about the proposed bill with Human Rights Law Centre Senior Lawyer Kieran Pender commenting:
“Every increase in state surveillance has a democratic cost, and we must not underestimate the extent of that cost … the powers could be used to monitor the online activities of journalists and whistleblowers who play a vital role in a functioning democracy … with the current drafting, if a person who is considered likely to engage in a ‘relevant offence’ used an electronic service such as WhatsApp, it could mean that anyone who uses WhatsApp could face surveillance.” – Kieran Pender, Senior Lawyer, Human Rights Law Centre (1)
As always this leads to difficult privacy vs law enforcement debate which we’ll begin our conclusion with.
Conclusion
What do we mean by the privacy vs law enforcement debate? To put it simply it’s the difficult question of how much privacy intrusion over the general population should law enforcement have to fulfil their objectives?
It goes back to the point we made about the great juxtaposition earlier.
As citizens want to protect ourselves, our families, our identities, our businesses, our assets, and more, from the growing dangers in a world increasing its reliance on the internet. Unfortunately, this motivation is shared by criminals wanting to evade capture by law enforcement. Consequently, we have a privacy vs law enforcement debate as the tools used to service both are the same.
The troubling thing for privacy advocates is the general population is mostly ignorant or apathetic when it comes to valuing privacy (until something happens to them) and of course we all want criminals to be caught. Therefore, whenever law enforcement executes a successful operation, such as Trojan Shield, they ensure widespread publicity follows. This potentially leads to priming and conditioning of the general population to accept privacy erosion in the name of ‘catching the bad guys’. This repeated over several years may lead to the dangerous concession by the general public of giving law enforcement a back door to encryption and thus weakening the whole concept in the process.
We tend not to devote too much time to this debate (per our Ethics Statement) except to draw attention to it in relevant articles such as this one and those we linked to in our introduction. When defining our stance there needs to be a clear differentiation between protecting from bad actors and protecting the illegal activities of criminals. As we just mentioned the tools used by both are often the same making the line nearly impossible to draw.
Critically it’s pleasing that Trojan Shield didn’t rely on the weakening of encryption standards for success. Aside from a unique intelligence alliance using a creative approach, the weak point was the blind trust the crooks gave to AN0M simply based on the aura around encryption. The security credibility of a tool raises sharply when encryption is attached to it but only one anonymous blogger decided to do extra research under the surface. This is similar to when a popular athlete endorses a pair of shoes or sports energy bar – it gives that product credibility, but usually people won’t run out and buy it without doing further investigation. Well in this case, that is exactly what happened.
References
This article is written in line with our Terms & Conditions and Disclaimer. As such all content is of a general nature only and is not intended as legal, financial, social or professional advice of any sort. Actions, decisions, investments or changes to device settings or personal behaviour as a result of this content is at the users own risk. Privacy Rightfully makes no guarantees of the accuracy, results or outcomes of the content and does not represent the content to be a full and complete solution to any issue discussed. Privacy Rightfully will not be held liable for any actions taken by a user/s as a result of this content. Please consider your own circumstances, conduct further research, assess all risks and engage professional advice where possible.