In February of 1993, two federal agents approached accused arms dealer Phil Zimmermann as part of a formal investigation into his criminal activities. Over the next three years, the FBI collected evidence of Zimmermann’s participation within a vast network of international transactions involving illegally powerful munitions, all of which he produced himself. Even after the investigation began, the dealings showed little sign of stopping, and actually accelerated dramatically. A particularly alarming factor in this case was the large number of otherwise law-abiding citizens who became entangled in this web of criminal trade. Indeed, thousands, if not millions, of domestic and foreign citizens with otherwise spotless records were desperate to get their hands on Zimmermann’s insidious new creation: a small piece of software called PGP.
PGP, which stands for Pretty Good Privacy, was an open source email encryption suite designed by Zimmermann in 1991. Despite the impressive fuss he managed to kick up with the federal government, a national security corporation, and the general public, his code was surprisingly unoriginal — he hadn’t designed any fundamentally new algorithm or improved an existing cryptosystem’s security. The handful of encryption techniques utilized by the program had all been designed decades before by a small group of academics. Rather than improve on their still secure designs, Zimmermann had taken this knowledge previously relegated to the military-industrial complex and packaged it in an accessible, easy-to-use form for the public. By posting his code online, he had made it possible for anyone with a computer to make their emails effectively impervious to surveillance. In fact, his design was so secure that it was legally classified as a form of military munitions. Thus, by posting it online for anyone in the world to download, he was technically participating in international arms dealing.
At this point, you may think that this is one of those quirky flukes of our legal system where some arcane law leads to absurd consequences. And yes, it is an objectively absurd scenario to charge a programmer with international arms dealing! However, the intent behind this case was far from a fluke. The regulations which classified certain types of encryption as munitions were part of an intentional effort to stifle the technology’s distribution. Ever since the popularization of the internet and personal computers, the government has expressed immense concern about these new forms of communication. It’s easy to see why something like PGP would worry national agencies. If encryption is too strong, how do you perform a wiretap? How do you seize somebody’s email? Their hard drive? Having impregnable encryption threatens the ability of law enforcement to exercise certain types of warrants, potentially leaving criminals and terrorists impervious to surveillance. While encryption can be used by law-abiding citizens to protect their privacy, it can also be used to deadly effect by mobsters, insurgents, and even petty thieves. This disparity of uses is at the heart of an ongoing debate over if and how encryption should be regulated by the government. While I certainly see both sides of the argument pitting individual rights against public safety, I think the whole debate is utterly pointless. We can’t ask if we should regulate encryption before we ask if we even can regulate it, and I think the answer to that is a resounding no! Thus, any attempt to control the use of encryption can only serve to violate the privacy of the average person while doing nothing to expose actual threats.
thing to expose actual threats. Fundamentally speaking, encryption is nothing more than an idea. Unlike warheads or assault rifles or chemical weapons, encryption has no physical form — it exists entirely as information. It can cross borders as easily as language or words or thoughts. Even in the most Orwellian society, complete regulation of ideas is fundamentally impossible, though many throughout history have certainly tried and failed. A simple equation or a stray line of code is enough to describe most encryption schemes in their entirety. How can you ban an equation? To be quite frank, you simply can’t; you can merely impede its spreading. Returning to the example with Phil Zimmermann, it seems clear he was persecuted not for his technological innovations, but his effective popularization of existing technology. He lowered the barrier of entry to secure communication enough such that anyone could use it, thus making it more likely to be adopted by adversaries. However, in the age of the internet, Pandora’s box was opened for good as soon as he uploaded the code. Because of this, anti-encryption efforts had to pivot to making it harder to use proper encryption.
One way in which the government has attempted to curb mass adoption of good encryption is through the use of backdoors, which are security vulnerabilities intentionally installed in a program or device to enable a third party to bypass its security measures. In the 90s, the NSA attempted to implement such a system en masse using a codenamed “Clipper Chip.” The plan was to force telecommunications companies to install this microchip containing a backdoor into all their phones and devices such that encrypted voice and data transmissions could be decoded with permission from the courts. However, the idea quickly fell apart when a hacker named Matt Blaze demonstrated a simple method whereby the user could essentially defeat the chip before its backdoor was ever used, rendering it useless. In this case, the battle was won, but the war with regulation was far from over.
After a thorough investigation by the Department of Justice, we can confirm that, through a flaw in iOS, the FBI was nearly capable of accessing the phone’s contents for almost the entire duration of their legal battle with AppleWe can jump ahead to a more recent example of this conflict. You may remember the San Bernardino shooting from 2015, where Syed Rizwan Farook and Tashfeen Malik killed 12 coworkers before being killed themselves. One potentially significant source of evidence left untouched by the chaos was an encrypted iPhone 5C. It was configured in such a way that if the wrong four-digit PIN was put in 10 times, the encryption key would be erased, rendering the data permanently inaccessible. The FBI claimed they were unable to circumvent the phone’s encryption and consequently filed an order with a magistrate to have Apple cooperate with their investigation. They wanted Apple to develop a software patch which would allow for unlimited attempts at the PIN, essentially bypassing the encryption. Apple sided with the public interest and refused to cooperate with the order, since it would jeopardize the security of its users and set a dangerous legal precedent, a consequence which many suspected to be the FBI’s true goal in the case. If the order was successful, they would have grounds to issue similar orders for every phone they come across and would have evidence that Apple is capable of defeating its own operating system. Considering the high stakes of the case, it was rather surprising when the Bureau later retracted their order, announcing that they were able to break into the phone themselves. However, the story didn’t stop there.
Just a few months ago, an official report showed the nation just how shady this entire affair was. After a thorough investigation by the Department of Justice, we can confirm that, through a flaw in iOS, the FBI was nearly capable of accessing the phone’s contents for almost the entire duration of their legal battle with Apple! The only reason high level FBI officials didn’t technically lie about this under oath before the Senate was because they weren’t personally aware of this capability at the time. The transparency of such a manipulative legal maneuver is incredibly concerning for a democratic nation. It is unsettling to see a federal agency go to such lengths to establish a legal precedent aimed at exposing what is honestly some of our most personal information: the contents of our phones. Just think about how often you are on your phone every day multiplied by how long you’ve had one. Hell, my phone is never even outside of arm’s reach for me; it’s either in my pocket during the day or on my nightstand in the evenings. Aside from a necklace or a ring, that is an utterly singular characteristic for an object. It’s not that much of a leap to say that giving someone access to your phone is like baring your soul to them due to the sheer amount of personal data it contains. Clearly any effort to reduce the security of encryption — even in this single case — is a massive threat to individual privacy and wellbeing. The supposed benefit of this violation is increased security against criminals and terrorists, but there is little evidence to support the idea that any sort of regulation would result in this effect. Although they didn’t cite it in their order, the FBI’s reasoning in this case falls very much in line with the logic of the Patriot Act, an invasive piece of legislation granting the post-9/11 government vast authority to conduct mass surveillance. In 2015, the FBI even admitted that the powers granted under the Patriot Act did not lead to their cracking a single major terrorism plot, thus completely failing the supposed goal of the bill. Applying a similar logic to encryption regulation could lead to even worse results. Even if we suppose in an idealistic world that somehow, the United States was able to create a perfect backdoor in all domestic encryption, that only they could access, they still have no control over encryption use in the rest of the world! Considering how easy it is to share encryption over the internet or even in person, any federal policies would effectively be rendered meaningless to even slightly motivated criminals while remaining incredibly invasive to average citizens. In what world is that a winning scenario? How can anyone justify trading their basic privacy for nothing?
It seems clear that attempts to control the creation, distribution, and use of encryption can do nothing but intrude on the fundamental rights of ordinary people while proving futile against criminals. There is simply no way to control an idea, particularly in our increasingly interconnected world. Nonetheless, there have been continuous attempts by different branches of the U.S. government to do just this. You may not have noticed this silent battleground before, but I hope you will now. The more people understand the importance of this issue, the better. Any attempt to invade an individual’s privacy — physical or digital — is a potential threat against their ability to think freely, and without free thought, democracy means nothing.
How to Ensure Your Digital Privacy:
1. Encrypt your phone
And laptop. And tablet. Believe it or not, this is actually very simple to do on almost all modern devices. A quick Google search for “how to encrypt ____” should give you a nice set of instructions on how to navigate the settings menu to make this happen. A few simple clicks is typically enough to make sure that the only one getting into your gadgets is you.
2. Use a secure messaging app.
We all love iMessage, and while its encryption is good, it isn’t great, especially when you’re texting someone on Android (guilty). I personally use Signal, which is a free app on both iOS and Android. It’s open source, regularly audited, and easy to use. It doesn’t hurt that it also looks pretty slick.
3. Get a VPN subscription.
A Virtual Private Network is a service which encrypts all your internet traffic and routes it through a set of servers it maintains throughout the world. This means your online activities are private, anonymous, and can even get around some pesky georestrictions. Look for a trusted provider, preferably one outside the United States, who doesn’t log user activity. While there are some free VPN services, I wouldn’t trust them as a general rule. They aren’t operated by a charity and they cost a lot to run, so how do they make money off your traffic? They use your private data for ads and possibly fraud. By contrast, when you pay an established company they have a financial incentive to keep customers happy by keeping your data private.
4. Download a password manager
Let’s be honest, your passwords probably aren’t great. They probably aren’t even good, and I bet you use the same one on at least three different sites. Sure you could come up with different strong passwords for everything, but considering that you’re a fallible human, you’d likely forget them anyways. That’s why you should use a free password manager like LastPass or DashLane. These programs can generate strong passwords and store them safely on your device; all you need to do is remember a single master password.
5. Spread the good word.
While securing your own information is a solitary task, securing your communications is a team effort. Encryption only works if both parties are using it, so your carefree friend using his default messenger will always be enough to thwart your carefully laid security plans. Be a pal and spread the word about encryption; the more we all do it, the easier it’ll get to exercise privacy in the digital age.
Comments