A (Renewed) Case for Encryption

I kind of hoped that this NSA/PRISM/wholesale government surveillance business would re-energize people into actually getting back into using encryption – but sadly it doesn’t seem that way. Content encryption – as opposed to just endpoint encryption, like SSL – is important, and especially so in light of this kind of wholesale government surveillance.

I kind of hoped that this NSA/PRISM/wholesale government surveillance business would re-energize people into actually getting back into using encryption, and perhaps even trying to solve the problem of getting more people to actually use it.

One of the big problems with encryption – for example, email encryption using public key cryptography (PGP or GnuPG) – has been just getting enough people to start using it. With the way public key encryption works, you need to use encryption, AND the person you’re sending it to needs to use encryption, too.

In addition, there’s also the further complication of signing one another’s keys and assigning trust levels and so on… it’s just a bit too complicated and technical for your average user.

However, it doesn’t have to be complicated, and given what we’ve learned recently, it seems to me it really shouldn’t be – and that it is in all of our best interests to make it be as simple and easy as possible.

People have been harping on about the importance of encryption for ages, but widespread adoption has mostly been limited to SSL (for webmail & other web apps & services). This sort of encryption prevents a 3rd party from intercepting your communication with Google or Microsoft or Facebook or your bank or whatever, but none of that matters if your data is just going to be handed over to the government by the company on the other end anyway!

SSL encrypts your connection and your data during transmission, but the actual contents of your data are unencrypted at either end, and vulnerable to interception. It’s a good first step, but it isn’t enough – not anymore.

On the other hand, actually encrypting the contents of your communications – the email, the files, etc. – means that even if they are stored on a server (as your email is, for example), they are still encrypted – and most importantly, the server doesn’t have the decryption key – only the recipient does.
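An added example, not part of the original post: the content-encryption model described above, shown with GnuPG and three throwaway keyrings standing in for the recipient, the sender and the mail server. The address bob@example.org, the message and the directory names are constructed, and the script assumes GnuPG 2.1 or later is installed.

```bash
#!/usr/bin/env bash
# Throwaway GnuPG keyrings; the address and message are constructed for this demo.
DEMO=$(mktemp -d)
RCPT="$DEMO/recipient"; SEND="$DEMO/sender"; SRV="$DEMO/server"
MSG='meet at noon'

cleanup_demo() {
  for h in "$RCPT" "$SEND" "$SRV"; do
    gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true
  done
  rm -rf "$DEMO"
}
trap cleanup_demo EXIT

setup_demo() {
  mkdir -m 700 "$RCPT" "$SEND" "$SRV"
  # Recipient generates a key pair; the empty passphrase only keeps the demo non-interactive.
  gpg --homedir "$RCPT" --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key 'Bob Demo <bob@example.org>' default default never 2>/dev/null
  gpg --homedir "$RCPT" --armor --export bob@example.org > "$DEMO/bob.pub"
  # Sender and mail server are given only the public half.
  gpg --homedir "$SEND" --batch --quiet --import "$DEMO/bob.pub" 2>/dev/null
  gpg --homedir "$SRV" --batch --quiet --import "$DEMO/bob.pub" 2>/dev/null
  # Sender encrypts the content itself. --trust-model always skips key
  # validation (signatures, trust levels), which is acceptable only in a demo.
  printf '%s\n' "$MSG" | gpg --homedir "$SEND" --batch --quiet --armor \
      --trust-model always --recipient bob@example.org --encrypt \
      > "$DEMO/stored.asc" 2>/dev/null
}

# True if what the server stores is an OpenPGP message with no readable plaintext.
stored_is_ciphertext() {
  grep -q 'BEGIN PGP MESSAGE' "$DEMO/stored.asc" && ! grep -q "$MSG" "$DEMO/stored.asc"
}

# The server holds the public key but no secret key, so this returns non-zero.
server_can_decrypt() {
  gpg --homedir "$SRV" --batch --quiet --decrypt "$DEMO/stored.asc" >/dev/null 2>&1
}

# Only the recipient's keyring holds the secret key.
recipient_decrypt() {
  gpg --homedir "$RCPT" --batch --quiet --decrypt "$DEMO/stored.asc" 2>/dev/null
}

setup_demo
stored_is_ciphertext && echo "server stores ciphertext only"
server_can_decrypt || echo "server cannot decrypt"
echo "recipient reads: $(recipient_decrypt)"
```

In real use the sender would verify the recipient's key fingerprint instead of passing `--trust-model always`, and the secret key would be protected by a passphrase.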

What this would mean in practice is that it would prevent the wholesale collection of data. If the government wanted the contents of someone’s communications, they would need to go after that individual; they wouldn’t be able to just pull it out of a big database.

Since going after an individual takes effort and requires a subpoena or at least a court order of some sort, there’s protection built-in. Plus, now the government’s attempts to access your data would be limited in scope to one person at a time, and they can’t be done in secret – or, at least, they’d be less secretive.

The government may still collect other data about you, of course – encryption is not a cure-all. It may still collect “metadata” about you – times and dates and such – but at least the content of your data remains secure until specifically subpoenaed.

As a side note, the NSA has repeatedly said that this is what it does anyway, as part of an attempt to justify why we shouldn’t be worried about this – but because everything the NSA does is secret, we have no way to be sure that this is actually the case. All we have to go on is the NSA saying “trust us, we won’t read your email without a court order (that you aren’t allowed to see).” Doesn’t exactly inspire a lot of trust, now does it? Especially given the track record we’re dealing with.

Perhaps if our government had a long & strong history of being trustworthy, of being transparent with its behavior, of standing up for individual rights and privacy, and severely limiting the collection and access of people’s data to only what is explicitly needed for specific cases and actions, this whole wholesale surveillance thing wouldn’t be such an issue.

But sadly, this is not the case – our government has shown, again and again, that it cannot be trusted in this regard, and that when given the opportunity, it will make a grab for as much power as it possibly can get.

Given the recent revelations on exactly how much power (and, by extension, data) our government has grabbed as of late, making actual content encryption available, widespread, and easy to use seems like an absolute no-brainer.

Icons courtesy of the Crystal Icon Set.

The Roots of Government Surveillance

This great article goes into great detail on how the current surveillance society came to be, and looks at the historical origins of the entire process – and the debate that continues to this day. It is as enlightening as it is well-written.

No one should believe that real-time government surveillance of the communications network is an idea born of the 9/11 attacks or that it results solely from the Bush administration’s aggrandizing of executive power. The legal arguments that the government has asserted to support increased surveillance of digital space were first put forth in 1994, under a Democratic president, and they had little to do with the threat of Islamic extremism.

All the more reason to continue to fight for our own privacy rights at every turn – because by its very nature, Government (with a capital G) will scoop up every last bit of privacy you have if you don’t defend them. And before you know it, you’ll feel… well, a picture speaks louder than words:

[Image: 1984 poster]

“1984 was NOT supposed to be an instruction manual.”

No, it was not – but it seems like we’re following it as if it were.

Effects of REAL ID

C|NET News has a great writeup on what the effects of REAL ID are going to be on people in different states – depending on whether your state has complied or not.

There are some SERIOUS problems here of course – for example, you may not be able to go visit your representative in Washington DC if you don’t have a REAL ID – which is a clear violation of your right to petition your government.

And of course, today the news broke that the Department of Homeland Security is suggesting that REAL ID might be required to buy medicines that contain pseudoephedrine. Of course, this has absolutely nothing to do with the original goal of REAL ID – it’s clear feature creep and the start of that slippery slope thing… that we were promised wouldn’t happen this time (really!).

As usual, the law – as it was originally passed – was supposed to be used to “stop terrorists.” Now it’s expanded to include immigration control, drug restrictions, and a “big stick” to beat down rebellious states – within our own country! States that have the guts to stand up and say “this is wrong, we won’t do it” are being beaten down with the power given to the DHS by the REAL ID Act.

Once again, we have taken another step towards becoming a police state. May I see your papers, please?

Security vs. Privacy

As usual, Bruce Schneier puts it more eloquently than I can:

…it’s precisely why, when people in their business are in charge of government, it becomes a police state. If privacy and security really were a zero-sum game, we would have seen mass immigration into the former East Germany and modern-day China. While it’s true that police states like those have less street crime, no one argues that their citizens are fundamentally more secure.

That is spot on. And it’s something that I’ve been trying to get more people to understand. In this post-9/11 world, everyone is telling us to be afraid of this, that, and the other thing, and we are then being told that in order to make ourselves “safe” we need to let people into our homes, our businesses, and our private lives, and that it’s OK, they’re trustworthy, just trust us on this one, folks, we won’t screw anything up for you. Just be good little sheep and get in line.

And by and large, we’ve been good little sheep, and we’ve gotten in line. And believe it or not, we’re headed for the slaughter.

But it’s not even a this vs. that debate here – being secure doesn’t mean we have to let government into our homes and personal lives. Once again, let me quote Bruce:

The debate isn’t security versus privacy. It’s liberty versus control.

You can see it in comments by government officials: “Privacy no longer can mean anonymity,” says Donald Kerr, principal deputy director of national intelligence. “Instead, it should mean that government and businesses properly safeguard people’s private communications and financial information.” Did you catch that? You’re expected to give up control of your privacy to others, who — presumably — get to decide how much of it you deserve. That’s what loss of liberty looks like.

What we really ought to be scared of is not each other, or vague “terrorist threats,” but instead this creeping encroachment into our personal liberties. If anything, that should be what keeps us awake at night.

It’s what keeps me awake at night, anyway.

REAL ID In Its Death Throes?

Oh thank god:

“The ACLU, which opposes the plan on civil liberties grounds, says that the many changes made since the Act was passed [in 2005] nearly ‘negate the original intent of the program.’ ‘DHS is essentially whittling Real ID down to nothing… all in the name of denying Real ID is a failure,’ said ACLU senior legislative counsel Tim Sparapani. ‘Real ID is in its death throes, and any signs of life are just last gasps.’”

I am very glad to hear this. I only hope it’s true.

UPDATE: In case you were living under a rock, here are all my previous posts on this subject, in case you need to bring yourself up to speed.