Privacy, Security, and Encryption

by Richard White

2016-03-12

There are a number of conversations going on right now related to the ideas of privacy, security, and encryption. Three contexts:

  • Do government representatives (NSA, FBI, local police, etc.) have the right to access your personal information–metadata, phone calls, emails, etc.–without a warrant?
  • Does the FBI have the right to compel Apple to create software that will provide government agencies with access to information stored on Apple-manufactured hardware?
  • Was Edward Snowden wrong to make copies of secret documents and share them with journalists, with the intent of exposing what he viewed as government corruption?

All of these conversations are fundamentally concerned with the question of whether or not people have a right to privacy, and how hard the government has to work to “invade” that privacy.

There’s much to be explored here, more certainly than can be covered in a brief blog post. My talking points regarding the subject–my “elevator talk” when the occasion arises–include these:

Just about everyone agrees that people need privacy, and have a right to privacy. This is a documented psychological need–people need time alone, and act differently when they are alone. The United States of America, in its Fourth Amendment to the Constitution, includes federal prohibitions against “unreasonable search,” which has been interpreted to include a wide variety of forms of surveillance.

This need for privacy is not just psychological. Most people feel that financial transactions, including the ones that we all conduct with our own banks, should be protected. Indeed, financial transactions on the Internet *must* be private; if not, the communication structure of the Internet allows for those transactions to be viewed by others, “good guys” and “bad guys” alike.

Our world is digital now, and the means of ensuring digital privacy is encryption. Encryption is simply “math applied to information,” in a way that ensures the information can be accessed only by the intended recipient. Encryption is a means of making sure that things–my bank information, my personal information, my business transactions, my diary–can be private.

Some government representatives, including the FBI and most recently President Obama, are calling for mandated “backdoors” in certain systems that will allow the “smallest number of people possible” access to anyone’s private information.

This point of view is flawed, for two simple reasons:

  1. Exchanging private information is possible, and has been done for years, without computers and/or phones. Requiring a company to place a backdoor in an operating system doesn’t change the fact that any of us can freely exchange messages via that phone that have been encrypted by another means. Encryption is math, and you can’t outlaw math. Ultimately, backdooring doesn’t “protect us from terrorists.” It just violates our right to be free from unreasonable surveillance.
  2. Providing backdoors in technology fundamentally means that one is building in a means by which normal security mechanisms can be avoided. This system, by its design, also allows untrusted agents to avoid the normal security mechanisms once they’ve obtained the means to do so. There is no way to allow only good guys to bypass security. Bad guys get to use the same bypass.

    (One easy example: The federal government’s Transportation Security Administration suggests locking your luggage with TSA-approved locks: your luggage remains secure, but the lock allows them to access your luggage for inspection without having to destroy the lock. Only the TSA has the keys that will open these locks… until they don’t. Now your baggage lock has a backdoor that the bad guys know how to defeat.)

If you’re concerned about the consequences of giving child pornographers, Chinese dissidents, and the Russian mafia access to this same encryption, there’s no way around that. (Or maybe you DO want to protect the Chinese dissidents? You’re going to have to make up your mind.) Those people will need to be dealt with the same way they always have been: legal warrants for wiretaps, legal warrants for reasonable search and seizure. At the end of the day, weakening encryption doesn’t stop the bad guys–it only makes it easier for them to victimize good guys like you and me.

Decipher this secret message and I’ll give you $100.

U2FsdGVkX1+Z8Wx61sOSQghi2ANM0QfXVXJzM7tP5eo=
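What the string above shows to someone who does not hold the key, as an added example that is not part of the original post: its first bytes decode to `Salted__`, the marker that OpenSSL-compatible passphrase encryption writes in front of an 8-byte salt. The code assumes that layout; the function names are illustrative, and the cipher and passphrase remain unknown.

```python
import base64
import binascii
from dataclasses import dataclass

MAGIC = b"Salted__"   # 8-byte marker of the OpenSSL salted container
SALT_LEN = 8

# The challenge string exactly as printed in the post.
CHALLENGE = "U2FsdGVkX1+Z8Wx61sOSQghi2ANM0QfXVXJzM7tP5eo="


@dataclass(frozen=True)
class SaltedBlob:
    salt: bytes        # stored in the clear so the recipient can re-derive the key
    ciphertext: bytes  # the only part that requires the passphrase


def parse_salted(b64_text: str) -> SaltedBlob:
    """Split a base64 'Salted__' container into salt and ciphertext."""
    try:
        raw = base64.b64decode("".join(b64_text.split()), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid base64: {exc}") from exc
    if len(raw) <= len(MAGIC) + SALT_LEN:
        raise ValueError("too short to hold marker, salt and ciphertext")
    if not raw.startswith(MAGIC):
        raise ValueError("missing 'Salted__' marker")
    body = raw[len(MAGIC):]
    return SaltedBlob(salt=body[:SALT_LEN], ciphertext=body[SALT_LEN:])


def visible_metadata(blob: SaltedBlob) -> dict:
    """Everything an observer without the passphrase can read off the blob."""
    return {
        "salt_hex": blob.salt.hex(),
        "ciphertext_len": len(blob.ciphertext),
        # With no compression step, the plaintext cannot be longer than this.
        "max_plaintext_len": len(blob.ciphertext),
    }


if __name__ == "__main__":
    print(visible_metadata(parse_salted(CHALLENGE)))
```

The format and the message size are visible to anyone; the content is not, which is the privacy property the post is describing.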

Other interesting articles on this topic: