Re: naive
1. Combined with timestamped endpoint IP logging, up-to-date geographical data for IP assignments, and timestamped CCTV at said endpoint... perhaps.
2. See 1 (caveat: endpoint may not have CCTV).
3. Only if they've obtained that cipher already.
4. Probably not. Perhaps if 3 is true. But this assumes security services give a shit about doing anything in time to make a difference. They don't. The minuscule possibility of stopping "terror" is the carrot to gain ever-widening snoop powers. The stick is "look what happened because we didn't have blanket access to XYZ".