This GCHQ / NSA / Snowden thing is confusing. Part of me is shocked and horrified. Another part of me is jadedly unsurprised. (Is “jadedly” a word?) I think I already assumed that they know everything they want to know. As Scott McNealy maybe did or didn’t say “you have no privacy, get used to it”.
Today a tweet from @Orbitingfrog alerted me to more disturbing news ; encrypted email company Lavabit have shut themselves down in protest over a mysterious government investigation that they are even forbidden from talking about; and Silent Circle, founded by Phil Zimmerman – the inventor of Pretty Good Privacy (PGP) – have pre-emptively shut down their secure email service and deleted content so that they cannot be subject to the same pressure. Some years back Zimmerman was under criminal investigation for offering the PGP code worldwide, which the US government claimed breached laws against the export of munitions. Zimmerman printed the code in a hardback book and exported that instead.
Although the strong-arm stuff is scary, it kinda makes sense. The Lavabit episode seems to confirm that even the NSA cannot crack RSA-grade encrypted material. Instead of quietly snooping and leaving the public docile, they have no choice but to be honest and say “We are the government and we are in charge. Give us that stuff or you are fucked.”
Its more or less inevitable that there is a three-way information arms race between individuals, corporations, and government. Information is power. It is natural for governments to always want more information, more complete information, and more reliable information. Commercial corporations have the same instinct. You don’t have to assume they are evil; just trying to know their market. Consumers get no choice in this. You try buying a train ticket online without “registering”. Oft and betimes, the consumer/voter just relaxes. Its kinda useful when I go back to GoCompare and they already know everything about me. But on the other hand, we instinctively bristle. They have the all power and we don’t!! The Freedom of Information Act tried to restore the balance, but its feeble.
Before you feel too powerless however, just recall that everything changed in 1976. This is when Diffie and Helman published the key-exchange method, followed the next year by Rivest, Shamir, and Adelman’s publication of the RSA algorithm implementing the idea. Arranged carefully enough, you can make any communication completely secure. Wouldn’t this make any government terrified? What do you do? Well, partly you sniff as much as you can on the assumption that most traffic is not encrypted, or that you can read the envelope metadata if you can’t read the letter, or that you can intercept at the relay points that the internet relies on. The counter-thrust for the latter is envelope-content splitting.
But at the end of the day, the government can’t win the technology battle; they have to resort to legal restraint. An unsuccessful attempt was the Clipper Chip initiative. The idea was to generously provide to the world obligatory encryption methods which the Government could always decode. They gave up. A successful example is the infamous 1998 Digital Millenium Copyright Act. Entertainment corporations knew they couldn’t develop perfect DRM mechanisms. So they convinced the US government to make it illegal to deploy or develop technologies intended to circumvent DRM mechanisms.
My guess is that we will soon hear of plans in both the UK and the USA to make non-Government use of the RSA algorithm a criminal offence, or more generally to make it an offence to send communications that cannot in principle be decoded by appropriate authorities.
Before you accuse me of being a paranoid old hippy, let me just say that I am not even sure where my sympathies lie. I have a bristly rebel side and a pragmatic patrician side. Viewed from above, its a fascinating struggle.
The e-Astronomer 
I think RSA is safe from government censure for a long while.
I’d add a fourth actor to the information arms race, the attacker, which can be anything from teenagers trying to clone credit cards to good old fashioned state sponsored industrial espionage. The internet is now so deeply embedded in business and commerce that we have to be able to protect ourselves with credible security measures, otherwise the attackers will be able to break the system completely.
Of course, this leads to a conflict of interest on the government side, they need their national economy to be as secure as possible, but they also want to be able to eavesdrop as easily as possible. So in the end NIST certifies the best encryption methods and the NSA tries to break them, and the consumer has to trust that the agencies do their jobs properly (with proper oversight etc. etc.).
“I’d add a fourth actor to the information arms race, the attacker, which can be anything from teenagers trying to clone credit cards to good old fashioned state sponsored industrial espionage.”
Good point. And many other things as well.
There is a serious second order security hazard here as well – when the attackers go after the databases of the national agencies. And the news that the NSA is firing 90% of its sysadmins so that thre is less chance of them becoming the next Snowden does not give me confidence that government servers are secure, even from external attack.
The problem with having information stored is that it will be used. In some cases this will be used validly, in tracking down fugitive tax evaders or Mafia men, in some case it will be used mistakenly – the Tuttle/Buttle problem from Brazil, quoted as an example by Cory Doctorow this weekend, in some cases in dubious ways – by the local policeman who finds out that his neighbour is transexual via a database search – as well as unofficially and hostilely by the attackers you mention.
What is going to happen next is a flight of Cloud and Email services from the US to Europe, as companies and individuals seek the better privacy protections of EU countries (with the notable exception of the UK). That is when the US and UK’s assault on EU data protection laws will kick off.
Not sure the EU is cleaner than the US in this respect. The fines Google received in the EU for breaking into private networks were surprisingly tiny.
A balanced article, except that I would not equate encryption for the purpose of copyright infringement with encryption for privacy. I wouldn’t even mention them in the same context. They are completely different things. Sort of like astronomy and astrology.
One should also remember that if we have completely secure information processing for privacy (or for avoiding copyright), then everyone else, that means everyone else, can have it as well.
I doubt they’ll make general encryption illegal. That’d hurt business. Instead they’ll make it illegal to use communication methods with ephemeral keys and perfect forward secrecy. Right now it is already illegal to not hand over your passwords in even western nations.
Sounds interesting, but I am playing catch-up here. Do you mean we will have to use a fixed public key, rather than picking a new one each time, but we can still have a private key that is indeed private? Confused. Maybe its enough to be required to hand over a de-encrypted version of any specified message on request. Thats just like a search warrant. Probably reasonable, but doesn’t help the snooping.