The Strange Origins of TrueCrypt, ISIS’s Favored Encryption Tool

The genesis of TrueCrypt turns out to be as full of intrigue as the uses of it. Photograph by Victor J. Blue / Bloomberg / Getty

On Tuesday, the Times reporter Rukmini Callimachi published the latest in a series of blockbuster stories about the inner workings of the Islamic State. The piece focussed on the logistics of the group’s deployment of terrorists in Europe, but also included a significant revelation in an ongoing debate about encryption. In ISIS’s training and operational planning, Callimachi reported, the group appeared to routinely use a piece of software called TrueCrypt. When one would-be bomber was dispatched from Syria to France, Callimachi writes, “an Islamic State computer specialist handed him a USB key. It contained CCleaner, a program used to erase a user’s online history on a given computer, as well as TrueCrypt, an encryption program that was widely available at the time and that experts say has not yet been cracked.”

Before companies like Apple and Microsoft built encryption into their products, before Apple took on the U.S. government (briefly) over the unlocking of a San Bernardino shooter’s iPhone, TrueCrypt and programs like it were the primary means for securing files and disks by those with a privacy bent of whatever stripe. Free to download and relatively user-friendly, TrueCrypt has been considered by experts to be among the strongest file-encryption programs available, since its release in 2004. It allows its users to easily work with encrypted files, and can store them in such a way that even if the user is forced to provide a key to, say, the authorities, that key can lead only to a file the user doesn’t mind exposing while keeping more sensitive contents behind a thicker wall. Without the user’s password, the software has long been viewed as uncrackable. Included in the information that Edward Snowden provided to Glenn Greenwald, Laura Poitras, and other reporters in 2013 was a document showing that the National Security Agency had “major problems” breaking TrueCrypt.

The genesis of TrueCrypt turns out to be as full of intrigue as the uses of it. The encryption software came up in my own reporting, in a story I’ve been researching for two years about a programmer named Paul Le Roux, who built a global drug, arms, and money-laundering cartel out of a base in the Philippines. For the seven-part weekly serial in The Atavist Magazine, a publication I co-founded with newyorker.com editor Nicholas Thompson, I recently established that Le Roux—before he was a prolific, violent criminal—was the author of a piece of software called Encryption for the Masses (E4M). Le Roux’s creation, in turn, served as the basic code upon which TrueCrypt was built. (The proof of Le Roux’s authorship of E4M is complicated, but in short: Web sites on which E4M was stored trace back to companies owned by Le Roux, and message-board postings about E4M tie to Le Roux’s e-mail address. Recently, at a court hearing in Minneapolis that I attended, Le Roux himself claimed credit for E4M.)

Both E4M and its progeny, TrueCrypt, are “open source” software. Their code is available to anyone to examine or to build upon, with some restrictions. The developers who expanded upon E4M to improve and maintain TrueCrypt over the years have remained anonymous. “The origin of TrueCrypt has always been very mysterious,” Matthew Green, a computer-science professor at the Johns Hopkins Information Security Institute and an expert on TrueCrypt, told me last year. “It was written by anonymous folks; it could have been Paul Le Roux writing under an assumed name, or it could have been someone completely different.”

Le Roux’s connection to TrueCrypt might have remained an interesting footnote if not for the fact that, in September, 2012, he was arrested in Liberia on drug-trafficking charges by the Drug Enforcement Agency. He turned, becoming a coöperator with the federal government. For two and a half years, he was held under tight security and in extreme secrecy, helping the D.E.A. and other agencies organize sting operations against his former associates. The full nature of that coöperation has not yet been revealed.

In May, 2014, however, the anonymous developers behind TrueCrypt abruptly announced on their Web site that they would no longer support—or vouch for the security of—the software. Theories abound in the encryption community as to why: perhaps the developers saw they were being outpaced by commercial projects, they found some flaw in the software that couldn’t be corrected, or they simply grew bored. But the timing of their abandonment of TrueCrypt, coming when they could have realized that Le Roux was in U.S. custody, raises the possibility that his arrest somehow contributed to the move. “What we did think was that one of the reasons why they shut down was that they might be under some sort of pressure,” Green said, while cautioning that even his theory is still speculation.

Readers of Callimachi’s reporting might at first assume that ISIS’s use of TrueCrypt bolsters the argument that the U.S. or other governments need “back doors” into encryption software. A back door is a secret way of unlocking encryption, typically built into software when it is created. Much of the ongoing debate over encryption revolves around whether the government can mandate that software makers create these back doors and hand the keys to the authorities, to later be used in intelligence gathering or criminal cases (or, in the case of Apple, demand that the company create and hand over a means to break encryption at any time). With ISIS using TrueCrypt, the need for back doors would at first seem even more clear.

But, as Green pointed out on Twitter in the aftermath of the revelations, what TrueCrypt shows is how impractical those back doors and requests are. TrueCrypt is an open-source program, maintained by mysterious, anonymous developers who are generally assumed to be outside the U.S. They likely have no legal incentive to help any government, and every practical incentive not to. We now know that the original creator of E4M was not a company looking to curry favor with the U.S. government, but a man who went on to become one of its most wanted criminals. Negotiating back doors with such developers is almost certainly not an option. And TrueCrypt is just one of many open-source encryption programs available.

In 2015, Green and some colleagues completed a security audit of TrueCrypt, concluding that, the developers’ shutdown notwithstanding, the software remained secure from back doors or cracking. ISIS certainly seems to think so. If terrorists keep using TrueCrypt and software like it, police and intelligence agencies will likely have to find other ways to gather intelligence and evidence. Something in Callimachi’s story pointed to the possibilities: one of the terrorists, caught with an encrypted drive, had apparently written down his TrueCrypt password on a piece of paper found in his bag.