Encryption, Ethics, & Privacy



The 1970s were a pivotal time, when it became untenable for the U.S. government to keep its iron grip on the computing power necessary to make and break a resilient cipher. What followed was the first public encryption standard, DES (Data Encryption Standard), published by computing monolith IBM, giving the masses a way to keep their information secret from prying eyes… or did it? There is a debate around whether DES was tampered with by the National Security Agency of the United States during its development. Since DES is a symmetric-key algorithm it makes use of an S-box (substitution-box) to obscure the relationship of the key to the ciphertext. It is believed that the NSA influenced the use of a fixed S-box size in order to decrease its efficacy in repelling targeted attacks (see white paper):

[Figure: Example of S5 and S6 substitution boxes in DES]

From the very beginning of publicly available encryption on digital systems there has been a large body of power opposing its proper use: the Law. The ever-long arm that seeks to know exactly what its citizens are up to, and whether a citizen believes their data is safe or not is irrelevant since the law already holds the keys to every digital lock. Okay, I know what you are thinking… a bit dramatic? I mean, surely there have been improvements to the math and methods since the 1970s that prevent government intervention… right? Again, this is a highly debated subject which has many topics of discussion. During these discussions there is one question always asked: Why should I care?

“I have nothing to hide, let them look…”

If you are a cypherpunk or crypto enthusiast, you already know this is a horribly dangerous position to take. With recent revelations about how the user data retention and distribution policies of large companies work, we have confirmed the “conspiracy theories” that everyone’s public data is already being looked at and analyzed. Today’s society seems to have naturally decided on a point at which a person can say, “This is where my privacy begins”. Large three-letter organizations and corporations see this privacy point of demarcation as an ethically grey area, most likely because a large bulk of the population does not care about the impacts non-privacy can have.

News stories about the FBI’s attempted access to an iPhone in the case of the San Bernardino shooter – Syed Rizwan Farook – brought this debate to a public forum and exposed a gap in the public’s discourse on the subject of encrypted privacy.

In the wake of yet another U.S. mass shooting, the public outcry and law enforcement action followed the usual response of attempting to figure out the Who? What? When? Where? and Why? In the process the FBI sought to unlock Syed’s encrypted iPhone. The entire debate that followed was whether Apple should assist the FBI in gaining access to the phone. Since the suspect Syed had not applied any additional encryption scheme other than iOS’s stock built-in AES 256-bit crypto engine (see more on iOS security here), this meant the FBI was essentially asking for a way to circumvent the hardware and software security on all iPhones that relied on this crypto engine. Tension between “National Security” interests and the integrity of encrypted consumer devices caused a media firestorm when Tim Cook published a response to the FBI’s request stating:

“We have great respect for the professionals at the FBI, and we believe their intentions are good. Up to this point, we have done everything that is both within our power and within the law to help them. But now the U.S. government has asked us for something we simply do not have, and something we consider too dangerous to create. They have asked us to build a backdoor to the iPhone.”
– Tim Cook (CEO, Apple Inc.)

With Apple in opposition to the FBI’s directive, the social narrative changed dramatically from a terrorist hunt to digital privacy concerns. Without delving too deep into this one particular incident, it is noteworthy that the narrative change can be so quickly triggered by proper articulation of the implications of breaking encryption for the sake of “National Security” or law enforcement.

Often the opposing views do not look ahead to the long-term effects of relinquishing protection against backdoors. In the opposing view the only people seeking to encrypt are terrorists, drug dealers, sexual predators, and other seedy criminals. The argument is largely that if the encrypted data being sought is illegal in nature, then those who enforce the laws should be able to access it as a means of evidence and prosecution. Breaking the encryption schemes of modern computing and adding backdoors is not a long-term solution to fighting criminal use of encryption. As the open source community grows and computers become more and more powerful, the breadth and complexity of encryption algorithms that are available to the public will grow exponentially. Ways of securely hashing data will outstrip modern attack techniques, making it improbable that a corporation or agency could easily remove any protective measure you put in place unless they have a backdoor. Modern criminals should be caught, and these backdoors help achieve this… right? I would imagine that it actually does help in the prosecution and capture of criminals, which is why this is such a controversial topic.

Do you like Freedom of Press?… Social interaction? … Money? 

Chances are you like one of them; most people do. Freedom of Press is a hot topic right now with our orange US president seeking to discredit and suppress opposing political opinions. Imagine a scenario where such a political figure has the ability to read all opposition emails, see all plans, uncover all political skeletons, or even create legitimate-looking false ones. This is a large point oft missed: planting of falsified data is a risk all people take by not encrypting their data when in transit or at rest. When I say at rest or in transit, I mean full-disk encryption and a secure transport layer when communicating with other machines. This prevents altering the state of the original copy of the underlying data once it’s encrypted. Facts or evidence could be suppressed or altered with impunity if you possess this type of access.

If you knew that all communications, facts, and anything you read were possibly gamed, would you act differently? Anything you say or do is likely to be recorded in the future; how would you feel if someone altered this record indicating your past? Would you be more or less likely to join a political opposition? An enormous bulk, or all, of financial transactions are digital now and utilize the same protections. You send a request to your bank to send $20 to address #12345, and a malicious actor strips your SSL and alters that destination address to their own, maybe even modifying the amount to $10,000. To your bank this still looks like a legitimate request and is processed, and if your savings look like mine, your life is now ruined.
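The bank-transfer scenario above, as an added example that is not part of the original post: it shows that the protection against alteration comes from the integrity tag a secure transport adds on top of encryption, since an encrypted but unauthenticated amount can be rewritten without the key. The keystream function is a toy stand-in for a real cipher, and the message format, keys and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode); a stand-in, not a production cipher."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce (16) || ciphertext || HMAC-SHA256 tag (32)."""
    nonce = os.urandom(16)
    ct = xor(plaintext, keystream(enc_key, nonce, len(plaintext)))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, blob, verify=True):
    """Return the plaintext, or None when verify is on and the tag does not match."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if verify and not hmac.compare_digest(tag, expected):
        return None
    return xor(ct, keystream(enc_key, nonce, len(ct)))

def flip(blob: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Rewrite known plaintext at a known offset without any key (XOR malleability)."""
    pos, delta = 16 + offset, xor(old, new)
    patched = xor(blob[pos:pos + len(delta)], delta)
    return blob[:pos] + patched + blob[pos + len(delta):]

# Constructed sample request modelled on the $20 -> $10,000 scenario in the text.
REQUEST = b"to=12345;amount=00020"
ENC_KEY, MAC_KEY = os.urandom(32), os.urandom(32)

def demo():
    blob = seal(ENC_KEY, MAC_KEY, REQUEST)
    tampered = flip(blob, REQUEST.index(b"00020"), b"00020", b"10000")
    unchecked = open_sealed(ENC_KEY, MAC_KEY, tampered, verify=False)
    return unchecked, open_sealed(ENC_KEY, MAC_KEY, tampered), open_sealed(ENC_KEY, MAC_KEY, blob)
```

A receiver that skips the tag check decrypts the altered amount as if it were genuine; one that verifies first rejects the message outright.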

Unmanageable responsibility

Encryption is powerful, both in its purpose and its integrity. It is imperative that it continue to be a foundation we can rely on. Its allowance for privacy and trust makes it a shield against invasive third parties. Not one power should be able to circumvent it; not even two or three. The ability to decrypt should be held by, and only by, the private-key holder.