One of the big problems with encryption – for example, email encryption using public key cryptography (PGP or GnuPG) – has been just getting enough people to start using it. With the way public key encryption works, you need to use encryption, AND the person you’re sending it to needs to use encryption, too.
In addition, there’s also the further complication of signing one another’s keys and assigning trust levels and so on… it’s just a bit too complicated and technical for your average user.
However, it doesn’t have to be complicated, and given what we’ve learned recently, it seems to me it really shouldn’t be – and that it is in all of our best interests to make it be as simple and easy as possible.
People have been harping on about the importance of encryption for ages, but widespread adoption has mostly been limited to SSL (for webmail & other web apps & services). This sort of encryption prevents a 3rd party from intercepting your communication with Google or Microsoft or Facebook or your bank or whatever, but none of that matters if your data is just going to be handed over to the government by the company on the other end anyway!
SSL encrypts your connection and your data during transmission, but the actual contents of your data are unencrypted at either end, and vulnerable to interception. It’s a good first step, but it isn’t enough – not anymore.
On the other hand, actually encrypting the contents of your communications – the email, the files, etc. – means that even if they are stored on a server (as your email is, for example), they are still encrypted – and most importantly, the server doesn’t have the decryption key – only the recipient does.
What this would means in practice is that it would prevent the wholesale collection of data. If the government wanted the contents of someone’s communications, they would need to go after that individual; they wouldn’t be able to just pull it out of a big database.
Since going after an individual takes effort and requires a subpoena or at least a court order of some sort, there’s protection built-in. Plus, now the government’s attempts to access your data would be limited in scope to one person at a time, and they can’t be done in secret – or, at least, they’d be less secretive.
The government may still collect other data about you, of course – encryption is not a cure-all. It may still collect “metadata” about you – times and dates and such – but at least the content of your data remains secure until specifically subpoenaed.
As a side note, the NSA has repeatedly said that this is what it does anyway, as part of an attempt to justify why we shouldn’t be worried about this – but because everything the NSA does is secret, we have no way to be sure that this is actually the case. All we have to go on is the NSA saying “trust us, we won’t read your email without a court order (that you aren’t allowed to see).” Doesn’t exactly inspire a lot of trust, now does it? Especially given the track record we’re dealing with.
Perhaps if our government had a long & strong history of being trustworthy, of being transparent with its behavior, of standing up for individual rights and privacy, and severely limiting the collection and access of people’s data to only what is explicitly needed for specific cases and actions, this whole wholesale surveillance thing wouldn’t be such an issue.
But sadly, this is not the case – our government has shown, again and again, that it cannot be trusted in this regard, and that when given the opportunity, it will make a grab for as much power as it possibly can get.
Given the recent revelations on exactly how much power (and, by extension, data) our government has grabbed as of late, making actual content encryption available, widespread, and easy to use seems like an absolute no-brainer.
Icons courtesy of the Crystal Icon Set.