The political life of encryption
What happens in cyberspace no longer stays in cyberspace. A ransomware attack on a fuel pipeline company leads to long lines at gas stations. A healthcare system data breach prevents people from receiving medical care. An infiltration into a home video security system leads to egregious violations of personal privacy. Foreign probing of digital voter rolls reduces trust in democracy. And security disruptions to cyber-physical industrial systems are also disruptions of our food supply, livelihoods and ability to function in daily life.
Being ‘offline’ is no longer a defence against the effects of any of these disruptions. People who have never even been on the Internet can be affected by, for example, a data breach of credit card information at their favourite retail store or be harmed by a security vulnerability in a telemedicine device. The complication of society’s digital dependencies, with all of its undoubted upsides, is that the security of everything in life now depends upon strong cybersecurity. Hence, cybersecurity is a great human rights issue of our time. Democracy, financial transactions, consumer safety and the stability of all industrial sectors now depend upon it just as much as personal privacy does.
Strong encryption solves many of these concerns. Yet those who have invented the numerous ingenious encryption protocols over recent decades sometimes express surprise that widely available and strong encryption is not implemented everywhere in digital society. Is this merely because of the cost or processing power required for strong encryption, or something more complex?
Encryption is arguably the most politically charged of all Internet technologies. The ability of governments to apply encryption and break encryption has been at the core of diplomatic strategies, foreign intelligence, law enforcement and national security approaches for decades. The complication is that encryption – and especially encryption strength – is a site of contestation and tension between competing values, even within a single government. National security now requires strong cybersecurity around critical communication and industrial systems, and the digital economy. But at the same time, governments also have an interest in weak encryption for law enforcement and intelligence gathering purposes. Law enforcement personnel sometimes call this the ‘going dark’ problem, where encrypted messaging and encrypted devices become inaccessible for routine evidence gathering. The intelligence necessary for counter-terrorism similarly depends upon the ability to access encrypted communications.
Societal requirements for strong encryption – for securing financial transactions, defending infrastructure and protecting the right to privacy – are directly opposed to the societal requirement that law enforcement and intelligence agencies need access to encrypted information, or more authoritarian surveillance approaches that monitor and control the lives of citizens. This same tension exists between privacy and the invasive business models that rely upon personal data gathering in exchange for customised online ads. Many of the largest technology companies do not charge users for their services but they rank among the highest revenue generating institutions on the planet by collecting the personal data of users and converting this into revenue.
Responding to these tensions and the dynamic norms around the global intersection of security, privacy and social control, different governments have established diverse regulatory approaches to encryption technologies, ranging from banning some outright, to restricting exports to certain countries, to requiring licenses to use them. Because of the political stakes of encryption, it is not surprising that cryptography has sometimes been regulated under the same statutes as firearms and munitions.
In short, cryptography occupies a powerful place in modern society. It is a highly politicised lever of power balancing trust in the economy and democracy, national security, human safety, individual privacy, and law enforcement and intelligence gathering functions.
Considering the stakes, there has not been sufficient examination of encryption and secure messaging as a central lever of infrastructure politics. Concealing for Freedom is a much-needed book that cracks open the black box of encrypted secure messaging and discusses the consequences for freedom and online civil liberties. Secure messaging and tools are not just born when implemented into products or regulated by governments. They are created by design communities. And they are shaped by designers who make technical decisions that consider risk, threat models, business models, sociopolitical context and technical constraints. Decentralised versus centralised? Localisation versus globalisation? Anonymous or pseudonymous approaches? What counts as ‘good’ or ‘desirable’ security? The standardisation process itself, and design decisions about arrangements of architecture, are also arrangements of power.
Fundamental human rights such as personal privacy and free speech, and the right to trust in digital infrastructures and economies, are shaped by communication protocols. The tension in protocol design between security and privacy has a long history, but it came to the fore after American government contractor Edward Snowden’s disclosures about the massive extent of National Security Agency (NSA) surveillance. Internet protocol designers immediately called for ‘hardening the Internet’ with more extensive end-to-end encryption. The Internet Engineering Task Force (IETF) published consensus documents suggesting that indiscriminate surveillance of either content or metadata was an assault on individual privacy that should prompt stronger encryption choices that make such surveillance either less possible or more expensive. These designers acknowledged both the importance of individual privacy and also the need to restore trust in the Internet. This wasn’t the first-time protocol designers would push back against government surveillance.
The political and social stakes around encryption continue to rise as government and corporate surveillance approaches alike become more sophisticated, but also as new technologies emerge. As the Internet has leapt from two dimensional digital screens to the three-dimensional objects all around us – the Internet of Things – so the consequences for privacy and national security have become starker. There is also well-founded speculation about how rapid advancements in quantum computing power may intersect with encryption technologies, possibly cracking historically entrenched cryptography.
Considering the political pressure and the momentum of invasive and powerful emerging technologies, society may already be at a tipping point. We must design a world in which privacy and security are still possible.