The November 2015 terrorist attacks in Paris continue to raise questions for the international intelligence community regarding the use of encrypted social media and mobile apps. ISIS was reported using both Telegram and WhatsApp in the Paris attacks. In just the past month, we saw the Obama Administration meet with the heads of major social media organizations in Silicon Valley. In Europe, we saw Facebook coordinate with politicians to crack down on extremist messages and the launch of “Initiative for Civil Courage Online,” which has donated more than $1 million to non-profits focused on “counter speech.”
It is promising to see the private and public sectors come together in search of solutions—that is, if we can find a happy medium between the government calling for “back-doors” into encrypted apps and Silicon Valley having flashbacks to Edward Snowden’s leaks.
Yet, just as businesses and governments search for the next big innovation, our enemies are also seeking out dangerous and innovative ways to use technology. Case in point: FinTech; that is, financial technology services, which includes everything from payments in Facebook’s messenger to wealth management apps, such as Wealthfront.
Venmo, an app used to receive and request transactions, transferred more than $1.6 billion in Q2 of 2015. In the past couple months, there has been some hype about the Department of Treasury’s Office of Foreign Assets Control’s (OFAC) audits of individuals with suspicious activity that helps mitigate Counterterrorism Financing (CTF). OFAC has been alerting suspicious Venmo “tag lines” (e.g., brief descriptions to let Bobby know you are paying for your half of the pizza) and auditing individuals with tag lines that may be connected with terrorism.
Yet, the lack of paper trails for using apps such as Venmo is what makes me most nervous. The same sort of financial tracking and records that are present when banks make transactions aren’t there, leaving a seemingly large vulnerability for terrorists to exploit FinTech companies for financing uses.
Just as with any new technology, the regulatory space for FinTech is currently unclear. There is an ambiguity of regulatory responsibility and the number of transactions. Though OFAC can sift through transaction tag lines, actually going through and auditing each transaction requires an unreasonable (and perhaps untenable) amount of resources. What is more, in the United States, there is no actual legislation on which Department of Treasury office should be regulating FinTech. FinTech companies tend to be small start-ups, and their compliance capacity is limited by a smaller workforce. And on top of that, they do not know to which regulatory agencies they are beholden. That all adds up to a mess for industry growth and government policy—and a potential vulnerability for our adversaries to exploit.
Social media companies have received backlash for not handing over more information to intelligence agencies, but investigation into the Paris attacks revealed that many of ISIS’ communications were not sent through encrypted platforms. Perhaps rather than focusing on whether to encrypt apps or the amount of regulation heaped upon new technologies, we should consider the sheer amount of information that must be assessed in either case, be they transactions, tweets or texts. With more digital communications and transactions every day, it seems that finding nefarious communications and transactions is becoming exponentially more difficult. Finding the bad actors online and in the real world will take new ideas and new approaches.