The Bike Shed

  Download PDF version of this article PDF

More Encryption Means Less Privacy

Retaining electronic privacy requires more political engagement.


Poul-Henning Kamp

When Edward Snowden made it known to the world that pretty much all traffic on the Internet was collected and searched by the NSA, GCHQ (the UK Government Communications Headquarters) and various other countries' secret services as well, the IT and networking communities were furious and felt betrayed.

A wave of activism followed to get traffic encrypted so as to make it impossible for NSA to indiscriminately snoop on the entire world population. When all you have is a hammer, all problems look like nails, and the available hammer was the SSL/TLS encryption protocol, so the battle cry was "SSL/TLS/HTTPS everywhere." And a lot of nails have been hit with that!

After an animated plenary session in Vancouver, the IETF (Internet Engineering Task Force) published "Best Current Practice 188" (https://tools.ietf.org/html/bcp188), which declared that pervasive monitoring is a technical attack that should be mitigated in the design of IETF protocols where possible. Now, with this manifesto in hand, SSL/TLS and encryption are being hammered into and bolted onto protocols and standards throughout the IETF working groups.

Victory—privacy—seemed certain. Or maybe not.

Other countries, notably the United Kingdom, are also working to clamp down on encryption. The Great Firewall of China has been in operation for a number of years, and for all we know, the NSA's total monitoring of the Internet continues unabated two and a half years after Snowden revealed it to the world. The things worth noting here are that:

Whatever the high-tech and law enforcement leaders decide, it will apply to everybody.

How Did More Encryption Cause Less Privacy?

In Terry Pratchett's book Going Postal, the hero postmaster, Moist von Lipwig, has a knack for noticing what is not in a text, He would have had a field day with BCP188, because none of the following words are anywhere to be found:

It was not by accident, mind you, that the authors of the document deliberately stayed clear of anything that could even faintly smell of "politics." Unfortunately, that is not the way politics works. Politics springs into action the moment somebody disagrees with you because of their political point of view, even if you think you don't have a political point of view.

In spite of leaving out all those "hot" words, the substance of BCP188 is still a manifesto declaring a universal human right to absolute privacy in electronic communications—no matter what.

That last bit is half the trouble—no matter what.

Even against law enforcement.

Even if law enforcement has a court order.

Even if....

No matter what.

To be totally fair, BCP188 nowhere states "no matter what." The real reason the result ends up being "no matter what" is that the SSL/TLS protocol, when properly configured, works as advertised: there is no way to break it.

The other half of the trouble is that the hallmark of a civilized society is a judicial system that can right wrongs, and therefore human rights are always footnoted. The UN's Human Rights Charter has §29.2, which explains:

"In the exercise of his rights and freedoms, everyone shall be subject only to such limitations as are determined by law solely for the purpose of securing due recognition and respect for the rights and freedoms of others and of meeting the just requirements of morality, public order and the general welfare in a democratic society."

Politicians, whose jobs are to maintain "public order" and improve "the general welfare," follow the general principle that if criminals can use X to commit crimes, the legal system should be able to use X to solve crimes, with only two universally recognized exemptions: when "X = your brain" and when "X = your spouse."

For instance, kids in the USA learn in school that the Fourth Amendment affords a right to privacy, but that is only the first half of it. The second half details precisely how and why you may lose that privacy:

"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

As this example also shows, wise lawmakers are wary of making it too easy for the legal system, so they add checks and balances.

Political strategies regarding cryptography are all horrible: Kazakhstan brutally inserts state monitors into the middle of all encrypted traffic. France forbids all online anonymity. The USA wants backdoors built into all crypto. These ideas are all based on the same principle: If we cannot break the crypto for a specific criminal on demand, we will preemptively break it for everybody. And whatever you may feel about politicians, they do have the legitimacy and power to do so. They have the constitutions, legislative powers, courts of law, and police forces to make this happen.

The IT and networking communities overlooked a wise saying from soldiers and police officers: "Make sure the other side has an easier way out than destroying you."

But we didn't, and they are.

Slapping unbreakable crypto onto more and more packets is just going to make matters worse. The only way to retain any amount of electronic privacy is through political engagement.

Poul-Henning Kamp ([email protected]) is one of the primary developers of the FreeBSD operating system, which he has worked on from the very beginning. He is widely unknown for his MD5-based password scrambler, which protects the passwords on Cisco routers, Juniper routers, and Linux and BSD systems. Some people have noticed that he wrote a memory allocator, a device file system, and a disk-encryption method that is actually usable. Kamp lives in Denmark with his wife, son, daughter, about a dozen FreeBSD computers, and one of the world's most precise NTP (Network Time Protocol) clocks. He makes a living as an independent contractor doing all sorts of stuff with computers and networks.

Copyright © 2016 held by owner/author. Publication rights licensed to ACM.

acmqueue

Originally published in Queue vol. 14, no. 1
Comment on this article in the ACM Digital Library





More related articles:

Raphael Auer, Rainer Böhme, Jeremy Clark, Didem Demirag - Mapping the Privacy Landscape for Central Bank Digital Currencies
As central banks all over the world move to digitize cash, the issue of privacy needs to move to the forefront. The path taken may depend on the needs of each stakeholder group: privacy-conscious users, data holders, and law enforcement.


Sutapa Mondal, Mangesh S. Gharote, Sachin P. Lodha - Privacy of Personal Information
Each online interaction with an external service creates data about the user that is digitally recorded and stored. These external services may be credit card transactions, medical consultations, census data collection, voter registration, etc. Although the data is ostensibly collected to provide citizens with better services, the privacy of the individual is inevitably put at risk. With the growing reach of the Internet and the volume of data being generated, data protection and, specifically, preserving the privacy of individuals, have become particularly important.


Kallista Bonawitz, Peter Kairouz, Brendan McMahan, Daniel Ramage - Federated Learning and Privacy
Centralized data collection can expose individuals to privacy risks and organizations to legal risks if data is not properly managed. Federated learning is a machine learning setting where multiple entities collaborate in solving a machine learning problem, under the coordination of a central server or service provider. Each client's raw data is stored locally and not exchanged or transferred; instead, focused updates intended for immediate aggregation are used to achieve the learning objective.


Mark Russinovich, Manuel Costa, Cédric Fournet, David Chisnall, Antoine Delignat-Lavaud, Sylvan Clebsch, Kapil Vaswani, Vikas Bhatia - Toward Confidential Cloud Computing
Although largely driven by economies of scale, the development of the modern cloud also enables increased security. Large data centers provide aggregate availability, reliability, and security assurances. The operational cost of ensuring that operating systems, databases, and other services have secure configurations can be amortized among all tenants, allowing the cloud provider to employ experts who are responsible for security; this is often unfeasible for smaller businesses, where the role of systems administrator is often conflated with many others.





© ACM, Inc. All Rights Reserved.