There have been some important public debates about cryptography recently, and, unfortunately, the loudest voices have understood the problem the least. So, I’m very pleased to post a paper on the subject by someone who understands the fundamental issue: my associate at Cryptohippie, Jonathan Logan.
If you have any interest in this subject, please give this paper your time. And if you know others who are interested in the debate, please send them the link.
A battle is underway about the limits of cryptography. On the one side are people who want to break into iPhones, tap into conversations and decrypt our backups. On the other side are those who want to prevent the government from mass intrusions but accept targeted attacks. And then there are those who take a so-called “extremist” position that government shouldn’t be allowed to undertake even targeted attacks on cryptographic systems.
This isn’t the first time this battle has been fought, and it won’t be the last. But it’s our turn to fight it right now. And we had better fight it well.
I will begin by admitting that I am an ‘extremist’ in this debate. If my wishes came true, no government or any other uninvited third party would be able to break cryptographic protections.
This is not the first time I’ve been involved in this battle. My job involves designing, writing and deploying cryptographic services.
I wrote my first PGP-encrypted email in 1991 or 1992, I’ve been using OTR since 2005 and all my Internet access has been routed through VPNs since 2000. (Yes… that early.) I never access the Internet unencrypted, out of principle. I’ve been using Tor since its earliest days, have been surfing Freenet and run I2P eepsites.
If you have no idea what these terms mean, please don’t worry; I’m just mentioning them to emphasize that I am very much in favor of the daily use of good cryptography. I won’t use most of these terms again.
So, while I am a crypto extremist myself, honesty compels me to point out how wrongly the “pro-cryptography” side in the current debate has made their case.
The State of the Debate
If you search the arguments made in favor of strong cryptography and against government “backdoors,” you’ll come up with a collection of statements that are uncharitable and shallow.
Proponents of crypto accuse politicians of not understanding technology or cryptography, of wanting to fatally undermine the security of digital systems, or to implement a global surveillance grid without checks and balances. The picture drawn is that the operation of cryptographic systems is binary – they either work completely or not at all… that anybody suggesting a middle ground is stupid.
Yes, politicians are often stupid and uninformed. That’s why people who know better must actually argue in ways that are truthful, well informed and balanced.
Educating the people who will be on the business end of new government regulations must be more than emotional whitewash. If you don’t trust your fellow humans to make good decisions, based on good information, your arguments will quickly degrade into bullying.
The point I hope to bring home in the remainder of this paper is this:
This debate should not be about cryptography. Rather, it should be about government’s regulatory powers.
Let me state this clearly:
A debate about encrypted smartphones is the same as a debate about police breaking into your home and throwing you in jail for private actions.
We cannot have our cake and eat it too. We cannot have government regulate the private actions of people we don’t like and still retain freedom for our own private actions.
You cannot be anti-crypto and at the same time defend freedom of expression, not without contradicting yourself. A strong position against cryptography requires totalitarianism beyond what existed in the Soviet Union.
Crypto Is Math and Speech
Let’s get to the core of this: Cryptographic software uses cryptographic algorithms, and algorithms are simply math.
Math has no concept of working one way in one case and another way in another case.
Math does not care if an evil or a good person is using it.
Math doesn’t care about legislation.
Math is objective and absolute – it works the same way in every case, no matter what the law books say. There cannot be a cryptographic algorithm that works one way for the FBI and another way for the KGB.
For crypto to work, the only difference between users is the key – a secret that each user generates. The ability to decrypt a message relies on the key being known. If you have it, you can decrypt the message; if you don’t, you can’t.
Poorly executed cryptography aside (I’m presuming here that our algorithms are without error, that our assumptions about certain mathematical principles are true and complete, and that our implementations are correct), cryptography that the FBI can break can be broken by anyone else who expends the same resources. Weak cryptography is weak for everybody. Math does not care about citizenship.
Anybody in this debate must take the above to heart. It all centers on the keys, the secrets. The fundamental question of any crypto regulation is this:
Are we allowed to keep our secrets to ourselves? May we have private thoughts and actions?
A fundamental thing to notice is that as long as someone writes cryptographic software, there will be messages that law enforcement can’t decrypt. And that brings us to two more fundamental questions:
Are we free to choose how to implement (in software) our ideas?
Are we free to choose which ideas (again, in software) we will use?
Regulating encryption means regulating our secrets, and that dictates the limits of both free choice and free expression. Let that sit for a second. These aren’t geek questions, these are fundamental human questions:
Can someone forbid us from having secrets?
Can someone forbid us from creating products as we see fit?
Can someone forbid us from buying the products we want?
If you are pro-cryptography, then you must answer all the above with “no.” Otherwise you can’t defend it. If you are anti-crypto, then you must say “yes,” otherwise you’ll never be able to enforce your anti-crypto regulations.
Software is nothing but ideas expressed in a language, making this an issue of speech:
Can we be forced to say something that we do not want to say?
Can we be forced to keep quiet?
Is censorship okay?
To constrain cryptography is to constrain speech and is to answer these questions “yes,” affirming that we should be forced to speak or be quiet.
How Crypto Regulation Is Possible…
There are two naive ways to regulate cryptography. The quickest is to create laws that force people to reveal their passwords or keys when ordered by a judge. These are known as key disclosure laws. Should the person refuse, they are punished. There are three major problems with this approach.
First, it undermines the right to remain silent and not to self-incriminate.
Second, it only works if you get your hands on a living culprit.
Third, the person may simply refuse and accept the sentence.
Note that this is not what anti-cryptography people want. They want access to the encrypted messages and content NO MATTER WHAT. Dead or alive, no torture required.
The second naive approach is to demand that all encryption products use algorithms that are easily broken by law enforcement. This, however, requires that software is written to the order of legislators and regulators (and thus to the order of people who donate to their campaigns as well). And that comes at the cost of security: Weak cryptography is weak for everybody. If you don’t want an evil government to decrypt your secrets, don’t allow your “good” government to enforce weak cryptography.
… Without Breaking the Digital Economy
A much less naive regulation is called “key escrow.” With this approach, the secrets (cryptographic keys) are put into the hands of one or more trusted parties who will reveal those secrets only if legally compelled.
Key escrow is rarely mentioned in these debates. It has a bad history because it was used in the first version of the battle over cryptography (in the ’80s and ’90s). Pro-cryptography people usually treat this approach as “weak cryptography” and lump them together, but that’s a crucial mistake – it distracts us from what we are fighting for and against, and it allows the anti-cryptography crowd to assemble legislation, technology and public support.
It’s necessary to be clear on this: Key escrow is NOT weak crypto, in the sense that it is built with weak algorithms. Instead it’s a sharing of our cryptographic keys – our secrets – with third parties picked by someone else.
That third party can then combine our key with an intercepted message (or stored files) to reveal the contents.
Since the state of the art for encrypted communication is deniable (you cannot prove beyond reasonable doubt who encrypted a message) and has perfect forward security (a key only works in decrypting the messages within a small time range), it is possible to selectively decrypt communication without being able to undermine the integrity of information systems after the fact.
Correctly implemented, key escrow would only impact past messages, and only those that have been intercepted by other means.
Of course this is less secure than systems without key escrow. Instead of only the actual participants in the communication, there would be one more participant… and one not chosen by the participants.
Instead of one other party to private speech, there would always be two other parties to it. Instead of X people in a group chat, it would always be X+1.
This introduces new problems:
The additional party would hold a lot of keys. That creates a very juicy target for attackers, potentially harming millions of people with a single breach.
There are jurisdictional differences between nations. Access to escrowed keys would involve different legal procedures in different places.
Technical issues and unreliable communication links can prevent keys from making it into escrow.
The system must know exactly whom to give the keys to: it must authenticate the key escrow parties.
Each of these problems can be solved to some extent, resulting in a secure system that wouldn’t allow mass surveillance. The question with key escrow is not whether it will be as secure as non-escrowed encryption (it cannot), but whether it will be secure enough.
In other words, this is not a technical debate; these are decisions that a society must make. And for that, people must be informed and aware of the tradeoffs.
To reduce the issue of having huge caches of keys amassed in some government cellar – which could undermine the whole society with a single leak – there are other things that could be done:
Instead of one facility holding everyone’s data, have many facilities that hold the data of a few people only. This could, for example, be a service offered by lawyers, notaries, banks or consumer protection organizations. They would then be obliged to challenge court orders against the keys of their clients, increasing the likelihood that access to the keys actually adheres to the law.
Instead of directly escrowing the keys with one party, the key could instead be shared with several parties so that a minimum number of those parties has to come together and cooperate to actually reveal the key. These schemes are known as “secret sharing” and would render the subversion of just a few key escrow caches ineffective.
If key escrow caches are designed only for infrequent access to escrowed keys, it would be mandatory to set them up behind data diodes. This means that a message could be sent into the facility, but there would be no way to get data out of it except for a physical visit.
Escrowed keys sent to the facilities must follow the same cryptographic standards as the data they are meant to protect. In other words, all communication to data facilities must be authenticated and be perfectly forward secure, so that intrusions would have limited impacts.
Jurisdictional differences could be solved by setting up independent key escrow systems in each country. Keys could also be escrowed with different agencies. For example, the key escrow for a phone’s internal storage would depend on where the phone was located. For messages, the location of both sender and recipient would determine who gets the escrow keys.
An additional variation could be that keys are shared not only between external data caches, but that part of the key would be stored on the device itself. In this case, three conditions would have to be met for law enforcement to be able to access messages or storage:
Access to the device that did the encryption.
Interception of the message in question or access to the encrypted storage.
N out of M key escrows must cooperate.
Implementing and operating such a key escrow system, however, would be a major task, and government IT projects are known to have a prodigious failure rate.
So, key escrow is complex, expensive and far from perfect. But depending on a society’s decision on tradeoffs, it would be possible to set up a key escrow system that would be secure enough and reliable enough for most scenarios.
Here, then, lies the danger:
Bypassing the fundamental issues of freedom of speech, choice and the right to have secrets, people who defend cryptography are easily painted into corners as unrealistic radicals.
We must engage with these possibilities and put the debate into down-to-earth, understandable terms. People must see the tradeoffs regarding personal privacy and not be distracted by confusing, technical arguments.
Regulating cryptography comes with a fundamental obstacle: How can people be forced to follow the regulations?
Regulations are never created with the assumption that they will be perfectly adhered to. Rather, they always authorize punishments for those who do not obey.
Sadly, an enforcement method for cryptographic regulation already exists. Smartphones and tablets are already the most commonly used devices to access the Internet, not general purpose computers. Apple, Google and Microsoft (and a few minor players) control the software pipeline from which users select their Apps. Smartphones and tablets allow for nothing else. You can’t run just any program on such devices – it must come through the aforementioned Apple, Google or Microsoft.
Thus it would be relatively easy for the US government to create laws that:
Make it illegal to develop and distribute software that does not follow government rules on cryptography.
Criminalize cryptography software that does not adhere to government rules.
Mandate platform providers (Google, Apple, Microsoft) to remove software that violates government rules.
Since most people don’t know how to install software on their phones, except from the manufacturer’s appstore, they would be prevented from using “illegal” cryptography.
Cryptography outside of government limits would become a black market and a target of intelligence agencies, who would poison that black market by introducing compromised crypto products.
At that point governments would have re-conquered cryptography… all except for a new class of “criminals.”
Is this possible, or even likely? Yes, it is. Similar things have been done with drugs, guns and gold, all of which have been subjected to effective schemes of suppression and confiscation.
Surely some activists will protest and will continue to use “illegal cryptography,” but how many will be willing to go to jail for it?
While it’s fairly easy for a software manufacturer to move to a jurisdiction that does not regulate cryptography… and while it is certain that illegal cryptography will still be developed and distributed… there remain two serious problems with that hope:
Control over ‘platforms’ will be the key to controlling software distribution. The decrease of general purpose computing will limit the market substantially, probably enough to achieve regulators’ goals.
Proposals for secure key escrow will keep many producers from having to take a stand. Cowardice and convenience will win if people don’t care enough.
So, please, don’t say that the regulation of cryptography is impossible or stupid. It is possible, and it demands a serious response from us.
Calling our opponents technologically inept detours us from clarity on the issues. Rather, we must understand that there are politically feasible ways to regulate cryptography.
If we hope to win this new crypto war, we must make it about the true, fundamental question:
Is it okay that we are forced to act in certain ways, even in private?
Either we have the right to act as we wish in private, or we don’t.
We need to take a principled stand on liberty in all its facets – even towards people and behaviors with which we disagree… either that or slide back to tyranny.
Obama was right when he said that we should not be “fetishizing [the privacy of] our phones above every other value,” making them a special case in the debate over civil liberties.
Indeed, our phones shouldn’t be special. The questions raised here apply to the whole of our lives: to our phones and tablets as much as to our private papers, opinions and actions – digital or not.
Our private lives are off-limits to law enforcement. Period.