This GCHQ / NSA / Snowden thing is confusing. Part of me is shocked and horrified. Another part of me is jadedly unsurprised. (Is “jadedly” a word?) I think I already assumed that they know everything they want to know. As Scott McNealy maybe did or didn’t say “you have no privacy, get used to it”.
Today a tweet from @Orbitingfrog alerted me to more disturbing news; encrypted email company Lavabit have shut themselves down in protest over a mysterious government investigation that they are even forbidden from talking about; and Silent Circle, founded by Phil Zimmermann – the inventor of Pretty Good Privacy (PGP) – have pre-emptively shut down their secure email service and deleted content so that they cannot be subject to the same pressure. Some years back Zimmermann was under criminal investigation for offering the PGP code worldwide, which the US government claimed breached laws against the export of munitions. Zimmermann printed the code in a hardback book and exported that instead.
Although the strong-arm stuff is scary, it kinda makes sense. The Lavabit episode seems to confirm that even the NSA cannot crack RSA-grade encrypted material. Instead of quietly snooping and leaving the public docile, they have no choice but to be honest and say “We are the government and we are in charge. Give us that stuff or you are fucked.”
It’s more or less inevitable that there is a three-way information arms race between individuals, corporations, and government. Information is power. It is natural for governments to always want more information, more complete information, and more reliable information. Commercial corporations have the same instinct. You don’t have to assume they are evil; just trying to know their market. Consumers get no choice in this. You try buying a train ticket online without “registering”. Oft and betimes, the consumer/voter just relaxes. It’s kinda useful when I go back to GoCompare and they already know everything about me. But on the other hand, we instinctively bristle. They have all the power and we don’t!! The Freedom of Information Act tried to restore the balance, but it’s feeble.
Before you feel too powerless however, just recall that everything changed in 1976. This is when Diffie and Hellman published the key-exchange method, followed the next year by Rivest, Shamir, and Adleman’s publication of the RSA algorithm implementing the idea. Arranged carefully enough, you can make any communication completely secure. Wouldn’t this make any government terrified? What do you do? Well, partly you sniff as much as you can on the assumption that most traffic is not encrypted, or that you can read the envelope metadata if you can’t read the letter, or that you can intercept at the relay points that the internet relies on. The counter-thrust for the latter is envelope-content splitting.
But at the end of the day, the government can’t win the technology battle; they have to resort to legal restraint. An unsuccessful attempt was the Clipper Chip initiative. The idea was to generously provide to the world obligatory encryption methods which the Government could always decode. They gave up. A successful example is the infamous 1998 Digital Millennium Copyright Act. Entertainment corporations knew they couldn’t develop perfect DRM mechanisms. So they convinced the US government to make it illegal to deploy or develop technologies intended to circumvent DRM mechanisms.
My guess is that we will soon hear of plans in both the UK and the USA to make non-Government use of the RSA algorithm a criminal offence, or more generally to make it an offence to send communications that cannot in principle be decoded by appropriate authorities.
Before you accuse me of being a paranoid old hippy, let me just say that I am not even sure where my sympathies lie. I have a bristly rebel side and a pragmatic patrician side. Viewed from above, it’s a fascinating struggle.