#3096: How Encrypted Plots Actually Get Busted

Encrypted phones don't stop arrests. Here's how intelligence agencies actually catch terror cells.

Episode Details
Episode ID: MWP-3266
Duration: 29:34
Pipeline: V5
TTS Engine: chatterbox-regular
Script Writing Agent: deepseek-v4-pro

AI-Generated Content: This podcast is created using AI personas. Please verify any important information independently.

Israel's Shin Bet announced in May 2026 that they'd broken a terror cell allegedly directed from overseas by French-Palestinian lawyer Salah Hamouri. The cell used encrypted phones procured by Hamouri for secure communication — and they got caught anyway. This case illustrates a persistent puzzle: if encryption is mathematically unbreakable, why do encrypted operations keep getting busted?

The answer lies in three layers of vulnerability that encryption doesn't protect. First, endpoint compromise: spyware like Pegasus can read messages before encryption and after decryption on the device itself, leaving no trace. Second, supply chain interdiction: the FBI's Operation Trojan Shield ran an entire encrypted phone company (ANOM) for years, copying every message before encryption — resulting in 27 million messages intercepted and over 800 arrests. Third, metadata analysis: even perfectly encrypted messages reveal who talks to whom, when, from where, and in what patterns. Traffic analysis can identify command structures and operational rhythms without reading a single message.

The Hamouri case likely involved all three approaches: human intelligence and physical surveillance from a "joint investigation," monitoring of a known figure's existing network, and cross-border communications that are inherently easier to intercept at the metadata level. The encrypted phones may have been counterproductive — the behavioral shift to encrypted devices itself flags groups for scrutiny. The math of encryption is sound, but the operational reality around it is full of leaks.


#3096: How Encrypted Plots Actually Get Busted

Corn
Daniel sent us this one — Israel's Shin Bet announced a few weeks back that they'd broken a terror cell allegedly directed from overseas by Salah Hamouri, a French-Palestinian lawyer. The coverage mentions Hamouri procured encrypted phones for the cell. But they got nabbed anyway. And it raises this question that keeps coming up: if encryption is supposedly unbreakable, why do encrypted plots keep getting busted?
Herman
It's the gap between the marketing and the operational reality. Encryption companies sell this promise of absolute privacy — your messages are secure, nobody can read them, end of story. And mathematically, that's true. The cryptography itself is sound. But arrests keep happening. And they're not breaking the math.
Corn
Where's the leak?
Herman
Let's start with the Hamouri case itself, because it's a perfect illustration. The Shin Bet announcement came in May — they said Hamouri, who's based overseas, had been operating a terror network in Jerusalem and the West Bank. He allegedly recruited operatives, directed attacks, and critically for our purposes, procured encrypted phones for the cell members so they could communicate securely.
Corn
Yet here we are, talking about the arrests.
Herman
The Shin Bet didn't release the full operational details — they never do — but they said the investigation was conducted jointly with the Israel Police. And that phrasing matters. Joint investigation means physical surveillance, informants, financial tracking, all the pre-digital intelligence methods running alongside whatever signals intelligence they were collecting.
Corn
The encrypted phones may have been irrelevant to how they actually got caught.
Herman
Or worse — they may have been the thing that got them caught. There's a phenomenon in counterterrorism called the "going dark" tell. When a group suddenly switches to encrypted communications, that behavioral shift itself is a signal. It flags the group for closer scrutiny. You go from normal phone calls and WhatsApp messages to dedicated encrypted devices — that's not something ordinary people do.
Corn
Like wearing a balaclava in July. The attempt to hide is what makes you visible.
Herman
And this gets to the first thing most people misunderstand about encryption. The math is unbreakable. AES-two-fifty-six, the Signal protocol, all of it — the cryptography is solid. But encryption is a black box in a glass house. The content is locked, but everything around it is visible.
Corn
Unpack that for me. The glass house.
Herman
Imagine you're sending a sealed letter. The envelope is opaque — nobody can read what's inside. That's the encryption. But the envelope still has a sender address, a recipient address, a postmark with the date and location, and it's being carried by a postal service that logs every step of the journey. You can see the size and weight of the envelope. You can see how often letters go back and forth. Who's writing to whom, when, from where, how frequently, in what pattern.
Corn
If you suddenly start sending a dozen sealed letters a day to someone you've never contacted before, the post office notices.
Herman
That's metadata analysis in a nutshell. And it's devastatingly effective. Phone companies log every call, every SMS, every cell tower handoff. Even with encrypted messaging apps, the IP addresses, the connection timestamps, the data packet sizes — all of that is visible to anyone controlling the network infrastructure. And in most countries, the state controls that infrastructure or can compel the companies that do.
Corn
We've got three layers here, it sounds like. The endpoint — the actual phone. The metadata — the patterns around the communication. And then something else, the human factor.
Herman
The supply chain. But let's go through them systematically, because each one is a whole world. Layer one: endpoint compromise. This is the most direct and the most common. Why try to break the encryption when you can just read what's on the screen?
Corn
The phone itself is the weakest link.
Herman
Encryption protects data in transit. It does nothing for data at rest on an unlocked device, and it does nothing if the operating system is compromised. If I have spyware on your phone — and I mean commercial-grade spyware like Pegasus, Predator, or Graphite — I can read your messages before they're encrypted and after they're decrypted. I can capture your keystrokes, take screenshots, activate your microphone and camera.
Corn
Pegasus specifically — this is the NSO Group tool that keeps showing up in these cases.
Herman
Citizen Lab at the University of Toronto has documented Pegasus infections on over fifty thousand phones as of twenty twenty-four. And those are just the ones they've found. The actual number is certainly higher. Pegasus can exploit zero-day vulnerabilities — flaws that the phone manufacturer doesn't even know about yet — to install itself without any user interaction. No clicking a link, no downloading an attachment. In some versions, a missed WhatsApp call was enough.
Corn
The terrorist buys an encrypted phone, feels secure, starts messaging his handler — and the entire time, the intelligence agency is reading every word off his screen.
Herman
He never knows. That's the crucial part. Pegasus is designed to leave no trace. No strange battery drain, no weird pop-ups, no suspicious app icons. It operates in the background, exfiltrating data over the same encrypted channels the user trusts.
Corn
It's almost poetic. The encrypted channel becomes the surveillance channel.
Herman
There's a bitter irony there, yes. And this isn't theoretical. In twenty twenty-three, European police took down something called the Matrix encrypted chat service. Matrix was marketed specifically to criminals — they promised military-grade encryption, anonymous accounts, the works. But investigators didn't break the encryption. They infiltrated the service itself. They got inside the infrastructure and were reading messages in real time for months before the takedown.
Corn
Which brings us to layer two: the supply chain. If you can't compromise the device after it's in the user's hands, you compromise it before it gets there.
Herman
Operation Trojan Shield. This is the crown jewel of supply chain interdiction. From twenty eighteen to twenty twenty-one, the FBI ran an entire encrypted phone company.
Corn
They ran the company.
Herman
They ran the company. It was called ANOM. The FBI, working with Australian Federal Police, set up a supposedly secure encrypted phone network marketed to organized crime. They distributed devices through informants who vouched for the network's security. Criminals bought these phones believing they were untouchable. And every single message — twenty-seven million of them — was copied to an FBI server before encryption.
Corn
Twenty-seven million messages. Over eight hundred arrests. Eight tons of cocaine seized.
Herman
The criminals never suspected a thing, because the phones worked. They did everything they were supposed to do. Secure messaging, encrypted voice calls, the whole package. The only difference was that a copy of every message was routed to law enforcement.
Corn
It's the ultimate honeypot. And it worked because the users trusted the device, not the math.
Herman
That's the key insight. Trust is the vulnerability. You can verify the encryption protocol all you want — and ANOM actually used real encryption, by the way, it wasn't fake — but you can't verify that the device manufacturer didn't install a backdoor in the firmware. You can't verify that the SIM card wasn't provisioned with a key that's also held by an intelligence agency. You can't verify the supply chain.
Corn
Unless you're building the phone yourself from components you manufactured.
Herman
Even then, the chips might have hardware backdoors. This is a bottomless rabbit hole. But for practical purposes, any commercial encrypted phone you buy is a black box you're choosing to trust.
Corn
We've got endpoint compromise — spyware on the device. Supply chain interdiction — the device was never secure to begin with. And then there's the metadata layer, which you started to explain.
Herman
Metadata is the "who talks to whom" graph. Even if every message is perfectly encrypted, the network still knows that device A connected to device B at a specific time from a specific location. Do that enough times, and patterns emerge.
Corn
Patterns are the thing computers are best at finding.
Herman
Let me give you a concrete example. Say you're investigating a terror cell. You know one low-level operative — maybe from an informant, maybe from physical surveillance. You start tracking his communications metadata. He calls three numbers regularly. One of those numbers calls six other numbers. One of those six suddenly starts making calls from overseas right before every attack. You don't need to read a single message to identify the command structure.
Corn
It's like mapping a corporate org chart from the phone bill.
Herman
It gets more sophisticated. Traffic analysis can look at message timing and volume. If every time a certain account sends a message, five other accounts suddenly go silent for twenty minutes and then all send messages simultaneously — that's a command being distributed and acknowledged. You don't know what the command says, but you know a command was given.
Corn
That alone is actionable intelligence.
Herman
If you see that pattern and then observe those five individuals all moving toward the same location, you don't need to read the message that says "meet at the warehouse." You already know.
Corn
The Hamouri case — what do we actually know about how they got caught?
Herman
The Shin Bet was characteristically vague on operational details. But based on the public statements, they described a joint investigation with Israel Police. That phrase "joint investigation" almost always means human intelligence — informants — and physical surveillance played a major role. They also mentioned that Hamouri was operating from overseas, which means cross-border communications. Those are inherently easier to intercept at the metadata level because they pass through more network nodes and involve international cooperation.
Corn
Hamouri was already a known entity. He wasn't some anonymous figure.
Herman
That's crucial. Salah Hamouri is a French-Palestinian lawyer who was previously imprisoned in Israel and released in a prisoner swap. He's been on the radar for years. The Shin Bet would have been monitoring his associates, his travel patterns, his financial transactions. When he allegedly started procuring encrypted phones for a cell, that procurement process itself — buying phones, shipping them, distributing them — all of that happens in the physical world where surveillance is much harder to evade.
Corn
The encrypted phones may have been the least relevant part of the whole operation.
Herman
They might have even been counterproductive. Think about it from an operational security perspective. You're a terror cell. You've been communicating through normal channels, blending in with millions of other WhatsApp users. Then someone hands you a special encrypted phone and says "use this, it's secure." Now you're carrying a second device. You're using a niche communication platform. Your behavior has changed in a detectable way. And if that phone was compromised at any point in the supply chain, you've just handed the intelligence agency a direct tap into your most sensitive conversations.
Corn
It's the operational security equivalent of announcing you have a secret.
Herman
This is where the human factor comes in — and it's honestly the most common failure mode. Terrorists and criminals make the same mistakes everyone makes. They reuse passwords. They discuss sensitive plans on unencrypted channels because it's more convenient. They meet in person and are followed. They brag to someone who turns out to be an informant.
Corn
Or their cousin's neighbor's friend mentions something unusual to the wrong person.
Herman
Human intelligence is still the backbone of counterterrorism. The Shin Bet's reputation was built on running informant networks, not on signals intelligence. Physical surveillance, financial tracking, undercover operations — all of this predates encryption and none of it is stopped by encryption.
Corn
There's a broader point here about the asymmetry of the whole thing. Encryption protects the content of the message, but the state controls everything else. The internet service providers, the phone networks, the cloud backups, the border checkpoints where they can seize your devices.
Herman
That's the infrastructure asymmetry. And it's growing. The EU passed the e-evidence regulation in twenty twenty-four — it requires tech companies to respond to cross-border data requests within ten days. If French police want data from an Irish server hosting a messaging service, they can now get it quickly and legally. The UK's Online Safety Act includes provisions that could require client-side scanning on encrypted platforms — scanning messages before they're encrypted, on your device. Implementation has been delayed, but the legal framework is there.
Corn
Client-side scanning — that's the thing where your phone scans your photos for prohibited content before sending them?
Herman
That's the idea. And privacy advocates have been fighting it fiercely, because once that capability exists, the scope always expands. Today it's child sexual abuse material, tomorrow it's "terrorist content," the day after it's political dissent. The technical capability is the same regardless of what you're scanning for.
Corn
We're in this strange position where the encryption itself is mathematically sound, but the ecosystem around it is riddled with vulnerabilities, and governments are systematically closing those gaps — not by breaking the math, but by regulating the endpoints and the platforms.
Herman
This is why the encryption debate is so badly framed. It's always presented as "should we break encryption or protect it?" But that's not what's happening. Nobody serious is proposing to break AES. What's happening is a systematic campaign to make the endpoints transparent, to mandate metadata retention, to require backdoors in client software, to control the supply chain. The fight isn't over encryption — it's over everything around encryption.
Corn
The twenty twenty-four arrest of Pavel Durov in France is a perfect example of this. Telegram's encryption wasn't broken. The French authorities went after Durov personally, alleging that Telegram's refusal to moderate content and cooperate with investigations made him complicit in criminal activity on the platform.
Herman
They didn't crack the protocol. They arrested the CEO. That's a completely different attack surface. And it worked — Telegram has since significantly changed its moderation policies and cooperation with law enforcement.
Corn
Let's talk about what this means for someone who actually needs operational security. A journalist working with sensitive sources. An activist in an authoritarian country. A lawyer communicating with a client about a case that might attract government attention.
Herman
The uncomfortable answer is that if a determined nation-state wants to read your messages, they probably can. Not by breaking the encryption, but by compromising something in the chain. Your device, your network, your cloud backup, your behavior patterns, or the people you communicate with.
Corn
That's a bleak assessment.
Herman
It's a realistic one. But realism is useful. If you understand the threat model, you can defend against it. The problem is most people have an inaccurate threat model. They think "I use Signal, therefore I'm secure." And Signal's encryption is excellent — genuinely best in class. But if your phone is compromised, Signal can't save you. If you back up your messages to iCloud, those backups aren't encrypted with Signal's keys. If the person you're messaging has a compromised device, your security is only as strong as their security.
Corn
What does actual operational security look like, if you're serious about it?
Herman
Compartmentalization is the first principle. Separate devices for sensitive communications — and I mean a device that never connects to your regular accounts, never logs into your email, never installs social media apps. A device that you physically secure and that you assume will be compromised eventually.
Corn
Like having a burner phone, but for digital communications.
Herman
Second principle: minimize metadata. Use Tor or a VPN to obscure your IP address. Use ephemeral accounts that you rotate regularly. Don't establish predictable communication patterns. If you message the same person every Tuesday at three PM from the same location, you've created a signature.
Herman
Operate as if your device is already infected. That means never putting anything in writing that would be catastrophic if read by an adversary. Use code words for sensitive topics. Have a pre-arranged duress signal. These are old spycraft techniques, but they're still effective because they don't depend on any technology.
Corn
It's almost like we've come full circle. All this advanced encryption technology, and the best practices are basically what intelligence officers were doing in the nineteen forties.
Herman
Technology changes, but the fundamentals of operational security don't. Trust is the vulnerability. Always has been. The encrypted phone is only as trustworthy as the person who gave it to you, the factory that built it, the software that runs on it, and the network it connects to.
Corn
Circling back to the Hamouri case — what's the actual takeaway here? Because the headlines make it sound like "encrypted terror cell busted despite secure communications." But from everything we've discussed, the encryption was probably irrelevant to how they were caught, and may have actually helped the investigators.
Herman
The takeaway is that encryption is necessary but nowhere near sufficient. The Hamouri cell was likely identified through traditional intelligence methods — informants, physical surveillance, financial tracking — before the encrypted phones even entered the picture. And once the Shin Bet had identified the cell members, the phones became just another source of evidence. Either they were compromised at the endpoint level with spyware, or the metadata from the phone usage confirmed what investigators already suspected, or the phones were seized during the arrests and unlocked through forensic tools.
Corn
That last point — forensic access to seized devices — that's a whole other world we haven't even touched.
Herman
Cellebrite, GrayKey, all the mobile forensic tools. Once a device is in physical custody, the encryption of messages in transit becomes irrelevant. The messages are stored on the device, and if the device can be unlocked — through biometrics, through password cracking, through vulnerability exploitation — everything is right there.
Corn
You can be compelled to unlock your phone with your face or fingerprint in many jurisdictions.
Herman
In most jurisdictions, actually. Biometric unlocks generally don't have the same Fifth Amendment protections as passwords in the US, and in many other countries there's no protection at all. Israel's security services have broad powers to compel cooperation.
Corn
We've walked through the technical layers. Now I want to zoom out to the policy question. Because there's a real tension here. On one hand, we've just explained all the ways encryption can be circumvented without breaking the math. On the other hand, privacy advocates fight tooth and nail against any measure that weakens encryption or expands surveillance. If encryption is so easily bypassed, why does that fight matter?
Herman
Because the bypasses we've described — spyware, supply chain interdiction, metadata analysis — those are capabilities that currently require resources, legal authority, and targeting decisions. A nation-state can deploy Pegasus against specific individuals. They can't deploy it against everyone. Breaking encryption itself — mandating a backdoor in the protocol — would be a universal vulnerability. It would affect every user simultaneously, and it would be discovered and exploited by malicious actors almost immediately.
Corn
The difference is between targeted surveillance and universal vulnerability.
Herman
Pegasus is expensive. A zero-day exploit might cost millions of dollars and only work until the vulnerability is patched. That imposes a natural limit on how many people can be surveilled this way. But if you build a backdoor into the Signal protocol, you've just handed every hacker, every criminal organization, and every hostile foreign intelligence service a key to every Signal conversation on the planet.
Corn
Because once the backdoor exists, it exists for everyone.
Herman
It will be found. Cryptographic backdoors are not secrets you can keep. The history of attempts to do this — the Clipper chip in the nineties, the Dual EC DRBG backdoor that the NSA allegedly pushed — every single one has been discovered and exploited. You cannot build a backdoor that only the good guys can use. That's not how math works.
Corn
The privacy advocates are fighting to preserve a world where surveillance requires effort and targeting, rather than a world where everything is visible by default.
Herman
That's the core of it. And the Hamouri case actually supports their argument, in a sideways way. The Shin Bet didn't need to break encryption to disrupt this cell. They used traditional intelligence methods. The system worked without universal surveillance. The question is whether that targeted approach scales.
Corn
That's where the AI angle comes in. Because what's changing is not the ability to break encryption, but the ability to analyze metadata and behavioral patterns at massive scale.
Herman
This is the real frontier. Machine learning models that can sift through billions of metadata records and flag anomalous patterns. Natural language processing that can analyze the sentiment and topic of communications without decrypting them — just from timing, volume, and connection patterns. Predictive analytics that can identify potential threats before any attack is planned, based purely on behavioral indicators.
Corn
That sounds like it could make encryption almost irrelevant for operational security. If the AI can identify you as a threat from your metadata patterns alone, the fact that it can't read your messages doesn't matter.
Herman
We're already seeing this. The NSA's bulk metadata collection program, even after being curtailed legally, demonstrated that you can learn an enormous amount about someone without ever reading the content of their communications. Who they call, when they call, for how long, from where — that's a fingerprint. Add in financial transactions, travel records, social network analysis, and you've got a profile that's often more revealing than the messages themselves.
Corn
Where does this leave the ordinary person who just wants private communications? Someone who's not a terrorist, not a criminal, just a citizen who doesn't want their messages read?
Herman
The honest answer is that for most people, the practical privacy threat isn't the government reading your messages. It's data brokers building advertising profiles. It's your messaging app collecting metadata and selling it. It's your cloud backup being accessible to anyone with a subpoena. The government doesn't care about your dinner plans. But your data is being monetized in ways you never consented to.
Corn
That's a different conversation than the encryption debate.
Herman
Related, but different. The encryption protects the content. The metadata is the business model. And most people don't realize that even with end-to-end encryption, WhatsApp still knows who you message, when, how often, and from what IP address. They share some of that with Facebook. That's not a secret — it's in the privacy policy that nobody reads.
Corn
If someone listening wants to actually improve their privacy, where do they start?
Herman
First, understand your threat model. Are you worried about advertisers? Use a browser with tracking protection, use a VPN, limit what you share. Are you worried about government surveillance? That's a much harder problem, and it requires the compartmentalization and operational security practices we talked about. Are you worried about your ex reading your messages? Use a strong passcode and don't share it.
Corn
Different threats, different responses.
Herman
That's the thing most privacy advice gets wrong. It treats privacy as a binary — you're either secure or you're not. But security is always relative to a specific threat. The measures that protect you from a jealous ex are different from the measures that protect you from a nation-state. And confusing the two leads to either dangerous overconfidence or paralyzing paranoia.
Corn
To wrap this back to where we started — the Hamouri case and the broader question of encrypted terror plots getting busted. What's the one thing you want listeners to take away?
Herman
That the encryption debate is happening in the wrong frame. We're arguing about whether encryption should be broken, while law enforcement is quietly and effectively working around encryption entirely. The real questions are about endpoint security, metadata privacy, and supply chain integrity. Those are the battlegrounds that actually matter, and they're getting almost no public attention compared to the endless back-and-forth about backdoors.
Corn
The second thing?
Herman
That technology is only one piece of the puzzle. The Hamouri cell wasn't caught because of a cryptographic breakthrough. They were caught because intelligence work — human sources, physical surveillance, international cooperation — still works. The Shin Bet's announcement mentioned a joint investigation, and that phrase carries a lot of weight. Old-fashioned police work and intelligence gathering haven't been replaced by technology. They've been augmented by it.
Corn
The encrypted phone is a tool, not a magic shield.
Herman
Treating it as a magic shield is exactly what gets people caught.
Corn
Before we close this out, I want to touch on something you mentioned earlier — the future trajectory. You brought up homomorphic encryption and private set intersection. What are those, and why do they matter for this conversation?
Herman
Homomorphic encryption is the holy grail — the ability to perform computations on encrypted data without ever decrypting it. So a server could process your messages, search them, analyze them, without ever seeing the content. Private set intersection lets two parties discover what data they have in common without revealing anything else. These are real cryptographic breakthroughs, but they're computationally expensive — orders of magnitude slower than conventional encryption.
Corn
Not practical for real-time messaging yet.
Herman
But the direction of travel is clear. The next generation of privacy technology won't just encrypt data in transit — it'll allow useful computation on encrypted data. That could fundamentally change the surveillance landscape. If law enforcement can search for patterns across encrypted datasets without ever decrypting individual messages, we enter a world where privacy and security aren't in opposition.
Corn
That's still years away from practical deployment.
Herman
And in the meantime, the cat-and-mouse game continues. Law enforcement gets better at endpoint compromise and metadata analysis. Privacy advocates push for better endpoint security and metadata protections. The encryption itself remains solid. The fight is everywhere else.
Corn
It's a reminder that security is a process, not a product. You can't just buy the encrypted phone and be done.
Herman
You can never be done. That's the nature of adversarial systems. The moment you stop updating your threat model, you're vulnerable.
Corn
Now: Hilbert's daily fun fact.
Herman
Hilbert, what have you got for us today?

Hilbert
Naked mole rats communicate using at least seventeen distinct vocalizations, one of which — a soft chirp used to identify colony members — resonates at a frequency that propagates particularly well through the volcanic soil of the Kamchatka Peninsula, a fact first documented by a Russian naturalist in eighteen twelve who initially mistook the sound for subterranean steam vents.
Corn
I have so many questions about how a naked mole rat got to Kamchatka in eighteen twelve.
Herman
I think the more pressing question is why a Russian naturalist was following chirping sounds through volcanic soil.
Herman
This has been My Weird Prompts. Our producer is Hilbert Flumingtop. If you found this episode interesting, you'd probably enjoy our episode on how Five Eyes intelligence sharing actually works — it's a natural companion to everything we discussed today.
Corn
Find us at myweirdprompts dot com, or search for My Weird Prompts wherever you get your podcasts. Until next time.

This episode was generated with AI assistance. Hosts Herman and Corn are AI personalities.