You are on page 1of 14

1

Sheyne Anderson
HONOR 3374: Privacy in a Digital Era
29 April 2016

On the Importance of Encryption for Those Who Have Nothing to Hide

Encryption has been in the news a lot lately as regulators attempt to limit its use
and privacy advocates fight to defend it. What is encryption and why is it so important?
At a basic level, encryption is using some secret thing called a key, such as a password
or a file, and using it to turn messages into ciphertext, something that cannot easily be
turned back into the original message without the key. In a world where our
communications are increasingly traveling along paths we cannot see, encryption is the
way that we can communicate and be confident that no one else is listening.
Most people have things that they would rather keep private. People ship their
mail in envelopes, hold some conversations behind closed doors, and worry about
scammers getting their social security number. Others have more critical things that
they prefer to keep secret. Victims of domestic abuse try look for support covertly and
spies try to keep their identity a secret. Using encryption helps these people not stick
out. Building a cryptosystem which can be disabled at government behest is impractical
and unwise. Such a broken system wouldn’t help law enforcement very much anyway,
most criminals don’t use encryption as their only means of protection. In a digital era,
encryption should be a fundamental part of how we communicate, of concern to
everyone, and protected by statute.
Most people do not recognize that everything they transmit over the internet can
be intercepted, viewed, and even changed. Because the internet is so vast and
complicated people have a hard time comprehending this, but anything transmitted is
sent on a complicated path of routers or devices that transmit data. Each message can
take a different path, and any router in the path can read the message. Before most
major websites adopted encryption for all of their traffic, someone could start up
wireshark (a program that lets people see messages transmitted on their network) and
intercept account credentials of anyone who logged in to something. Tools like
FireSheep1 would automatically give users access to other people’s Facebook accounts
as they logged in.
This poses the issue: why do we even care to hide what we are saying? People
who think they have nothing to hide often think that they have no use for encryption.
The same could be said about the fourth amendment, only people who have something
to hide should be concerned about the police searching their home. While we will soon
1 https://codebutler.github.io/firesheep/

2
see that there are problems with this argument, it is rendered moot by the fact that
nearly everyone has something to hide. Do you own a credit card? Do you show
everyone you meet the number? If you do not then you have something you hide. Do
you announce your social security number to strangers? You have something you hide.
More than twenty years ago Philip Zimmermann (the author of industry standard
encryption software PGP) commented that nearly everyone hides their mail in
envelopes2. Most of us would rather that not everyone working for the postal service can
read our personal messages, and because of this, envelopes are in common usage.
Imagine a world where most people just write postcards; anyone securing their
communication with envelopes might be considered radicals or terrorists.
Zimmermann’s essay seems especially prescient when he says “But the mere fact that
the FBI even asked for these broad powers is revealing of their agenda” while arguing
that the government would slowly increase their surveillance capacity until they reached
the level of an Orwellian state. A few years ago the encryption debate was brought into
the public eye when NSA analyst Edward Snowden revealed the scope of the United
States government's surveillance apparatus. As evidence that this issue has reached
mainstream debate, a popular satirical news show, “Last Week Tonight with John Oliver”
discusses the issue with Snowden. Oliver traveled to Russia to interview Snowden and
gave a controversially confrontational interview. He attempted to put the question of
government surveillance in a context that people would actually care about. Oliver did
this by handing Snowden a picture of his penis and asking how the various NSA

2 http://www.philzimmermann.com/EN/essays/WhyIWrotePGP.html

3
surveillance programs would get access to his “Dick Pic” 3. By giving a concrete example
of something which many people do (take nude pictures) and consider private, Oliver
shows how surveillance and security issues affect everyone.
People also have access to other entities’ private data. Corporations have a
strong incentive to protect their trade secrets. Most have extensive records on their
employees. Employees will have access to some amount of this information. This might
be in the form of credentials to the company database, or may be data directly stored on
their machine. A programmer would have access to the company’s source code, often a
closely guarded secret. Lovers might have intimate photos of each other stored on their
phones. Someone may text their friend a message in confidence. Even if someone is
not interested in protecting their own privacy, protecting confidence bestowed on them
is still important.
Using encryption software to mask communications is valuable even if someone
truly does not have anything to hide. If using encryption is not mainstream, then the only
people using it will be “people with something to hide” and this is dangerous because
there are many groups that most people would agree need to be protected. Victims of
domestic abuse may be trying to get support in an anonymous manner. Let us assume
that an assailant can see that their victim(s) are sending encrypted messages. If
sending encrypted messages is not common practice then they will be suspicious.
Concern that this will happen might prevent victims from seeking help. Undercover cops
will want to use encryption and anonymity tools to infiltrate crime rings and
communicate with their handlers, but again, if the only people using the technology and
3 https://www.youtube.com/watch?v=XEVlyP4_11M

4
people who really need to hide then it has no value. A mob boss will be suspicious of
any mobsters using encrypted chat tools. A popular piece of anonymizing software,
TOR’s website states4 “Tor hides you among the other users on the network, so the
more populous and diverse the user base for Tor is, the more your anonymity will be
protected.” Tor was originally funded by the US government as a way to hide spies’
communications. It needed widespread adoption so that it could be effective at hiding
spies. Under the same logic a whistleblower living in a corrupt country may try to reveal
corrupt habits of politicians. As long as anonymous communication software is
prevalent in that county, the corrupt individuals outed will have no way to track down the
whistleblower.
When thinking about algorithms in computer science, we often simplify things by
referring to them as a black box. Such a simplification allows us to not worry about the
internal workings of a system and just consider what inputs the system takes and the
outputs it produces. While treating encryption as a magical black box that uses a key to
lock our data is sufficient for this paper, it is worth noting a couple of properties about
the box. The first thing is that it is not perfect. Perfectly encrypting something is possible
but requires the use of a key that is as long as the message to be encrypted. The key
must also be truly random, never reused, and transmitted to the recipient over a secure
medium. This is called a one time pad (OTP) and is completely unreasonable in
practice. There do exist ways to encrypt things that make it very computationally
intensive to break. Good encryption algorithms with good keys would take the lifetime of
the universe several times over to decrypt without the key. The second principle is that
4 https://www.torproject.org/about/overview

5
nothing about the black box should be considered secret. The algorithms involved with
the encryption process are public knowledge. The only secret thing is the key. This is
important because it allows us to reason about cryptography and make guarantees
about its security. This removes the false sense of security that comes with secret
algorithms. It also encourages peer reviewing of algorithms to make sure that they end
up strong.
In addition to the black box that can use a key to encrypt and decrypt messages,
cryptographers have developed a second kind of box called asymmetric key encryption.
This uses two keys, one that encrypts and one that decrypts. It is analogous to mailing
someone an unlocked safe and having them put their message in the safe, lock it, and
mail it back. No one (even the person locking the message) can unlock the box except
the person holding the key. In the encryption world, the safe is called a “public key” and
the key that unlocks the safe is called a “private key.”
Using both kinds of black boxes discussed above we can think of a way to
appease law enforcement. What we will build up is called a key escrow system or a
back door. The idea is that we want symmetric (same key) encryption to do exactly as
described above with the added property that it has a second key that can decrypt any
encrypted message. To be practical, the master decryption key should not be known by
the encryption algorithm (otherwise anyone studying the algorithm would be able to
decrypt any message). This is where asymmetric key cryptography comes into play.
Imagine if the new backdoored encryption algorithm did everything as normal (with a
key let’s call K1), then used a well known public asymmetric key to encrypt K1.
Someone could then decrypt the file as normal, or, a third party with access to the

6
master decryption key that was paired with the well known public asymmetric key would
be able to decrypt K1, and use that to decrypt the message. For clarity, since the above
idea is quite complicated, I’ve included a picture describing the functionality.

There are other ways to make a key escrow system. There have been proposals
for the widespread adoption of some kind of key escrow system in the US since the
‘90s. The US government actually went so far as to build a custom hardware circuit (at a
time when it was computationally unreasonable to perform the encryption in software)
that included a government-backed key-escrow system. This was called the “Clipper”
chip and sparked major controversy in a time where encryption was still classified by the
US government as a munition and controlled by strict export regulations.
The problem with key-escrow systems is who to choose as the authority. The
organizations calling out for the creation of backdoors are most often governments, so
should governments hold the keys? However, they are asking private companies to
ensure that they (the companies) can decrypt customer data, so should the companies
hold the master keys? And companies are increasingly globalized, so should the US
government be able to compel Apple to decrypt a British person’s phone? How about
China asking to decrypt a US citizen’s phone? Should the US government be
responsible for the keys? How about the UN?

7
Even if there were some magical organization that actually had the authority to
hold the keys to the world’s data, how would such a system work? Would all requests
have to go through this central agency? How would we make sure that the information
was turned over to the correct party? While all these problems are solvable, there is one
glaring issue that cannot be overlooked. What happens in the case that the key is
stolen? Electronic goods cannot be thought of like regular goods: once something is out
there, it costs next to nothing to make a copy of it. Copy after copy is made, and every
one of those copies can be copied again. At this point, the keys to everyone’s private
information are public and anything that has been encrypted up to that point can be
recovered. All machines will be vulnerable until an update is pushed, which in practice
will take a really long time. There are ways to mitigate these threats, specifically
encryption schemes that have a property called forward secrecy5, but using these
protocols would break our backdoor. The idea with a backdoor is that it should be able
to decrypt any message and is thus incompatible with forward secrecy. We cannot
assume that this magical organization is capable of keeping the keys secret forever,
even organizations with a huge financial incentive 6, and the US government7 has been
shown to mishandle and leak public keys.

5 https://en.wikipedia.org/wiki/Forward_secrecy

6 https://en.wikipedia.org/wiki/AACS_encryption_key_controversy

7 https://www.schneier.com/blog/archives/2015/09/tsa_master_keys.html

8
Exfiltration of master keys aside, the NSA has been criticised several times for
failing to ensure that agents handled sensitive content appropriately. There are
allegations8 that operatives would pass around sexy or compromizing pictures captured
by various programs. While the NSA has denied the claims, Snowden holds that there
was little to no auditing of the 18 to 22 recruits operating many components of the
program.
Given all the dangers discussed above, a master key would have to be incredibly
useful to national security to merit the risks. The problem is that we have not had a
single incident that having the ability to decrypt terrorist communications would have
averted. In the Paris bombings, the terrorist (probably concerned by the US and her
Allies’ surveillance capabilities) did not depend on encryption to communicate, but used
low-tech burner phones9. Boxes and boxes of the phones were found. An ex-NSA
analyst has argued that the NSA does not need more information. He argues that the
clues to solve most major incidents end up intercepted by the NSA, but that they are so
overwhelmed with the amount of information they are taking in that they can not find the
threat in time. Instead of more information, the NSA needs better ways to sift through
the data they already have10.
8 http://www.nytimes.com/2014/07/21/us/politics/edward-snowden-at-nsasexually-explicit-photos-often-shared.html?_r=0

9 http://bgr.com/2016/03/22/paris-attacks-iphone-encryption/

10
http://www.wsj.com/articles/SB10001424052702304202204579252022823658850

9
The government is powerfully interested in inserting a backdoor in
telecommunications. Efforts include consistent attempts to legally mandate backdoors.
The FBI has been incredibly vocal of late in their requests for legally mandated
backdoors. The NSA has worked to subvert the security community by introducing
covert backdoors into public encryption standards. They’ve also built tools capable of
defeating the TOR network.
According to classified documents leaked by Snowden, the NSA has spent
hundreds of millions of dollars to “defeat the encryption used in specific network
communication technologies” in covert project Bullrun. While little is known about the
project, one of the most commonly cited examples is the backdooring of the
Dual_EC_DRBG. Dual_EC_DRBG is a PRNG or pseudo-random number generator.
While it is impossible for deterministic computer code to produce truly random numbers,
it is possible to produce numbers that cannot be predicted without the “seed” or small
amount of information used to start the PRNG. Dual_EC_DRBG was proven to be
strong assuming certain math problems are hard to solve (we still believe they are) and
assuming that certain parameters P and Q were chosen randomly. It is widely believed
(although not proven) that the NSA chose P and Q to satisfy the equation e*Q=P where
e is some constant known only to the NSA. Because of the construction of the problem,
solving for e is not as simple as dividing by Q (for more information read about modular
arithmetic11 and factoring.) This e becomes a backdoor, allowing them to predict the
output of the PRNG. This allows them to break many widely used encryption algorithms

11 https://en.wikipedia.org/wiki/Modular_arithmetic

10
assuming that the algorithm is run with Dual_EC_DRBG. The NSA successfully
convinced RSA Security to use Dual_EC_DRBG as the default PRNG for all their
customers. As a result, a huge portion of all web traffic was vulnerable. Dual_EC_DRBG
has since been removed as a recommendation by NIST 12 and by RSA security. There
had been some suspicion that the NSA had backdoored Dual_EC_DRBG before the
Snowden revelations and you can find an easy-to-understand discussion of the whole
issue here13.
Privacy extends past the content of messages. The amount of data that can be
discerned from so-called metadata can be astronomical. Surveillance metadata are any
details about data pertaining to the actions of an observed party.14 What that means is
that a phone call is data and and who is calling/called, how long they speak, and when
they speak is metadata. Edward Snowden argued that the information that can be
extracted from metadata is greater and more dangerous than the content of the
communication itself15.
12 http://www.nist.gov/itl/csd/sp800-90-042114.cfm

13 https://www.wired.com/2013/09/nsa-backdoor/

14 http://whatis.techtarget.com/definition/surveillance-metadata

15 http://www.newsmax.com/Newsfront/AmnestyInternational-chicago-meetingsurveillance/2014/04/05/id/563875/

11
So, in light of all this, here are some of the best practices and technologies
people can use to secure their communications. SSL is the simplest and goes a long
way. It is used by accessing web pages as https://www.example.com/ (note the “s” in
“https”). There are browser plugins like “HTTPS everywhere” for Chrome which ensure
that HTTPS is being used by all websites that support it and will warn users when they
are accessing a page insecurely. On the topic of HTTPS/SSL it is important to heed the
“secure connection failed” and “certificate not trusted” messages that browsers
sometimes show with HTTPS. This is a warning that something nefarious is probably
going on. SSL can also be used with email. When setting up an email client (such as the
Mail app on iOS, or Outlook on windows) make sure that the “SSL” or “encrypted” box is
checked. If your email provider does not support this feature, you should get a different
email provider or know that any of your emails may be stolen if you check your mail at a
coffee shop -- or stolen anywhere else for that matter, it just requires access to your
internet service provider (ISP), or some ISP handling the message intercepts it.
While SSL helps, it is not a panacea. It is what is called “transport encryption”
which means that it encrypts messages while communications are occurring. Your email
provider still has access to any and all messages sent over SSL. There exist tools such
as PGP (Pretty Good Privacy) which allow you to encrypt messages you send. You can
can exchange keys with the people you want to send encrypted mail to and then send
mail that only they will be able to decrypt 16. This works for any kind of text message you
want to send, from Email, to Facebook message. There are a growing number of apps
for iOS, Android, and desktop computers that offer end to end encryption. The
16 http://www.pgpi.org/doc/pgpintro/

12
Electronic Frontier Foundation (EFF) has a list of such apps and gives them a score
based on how secure they are17.
Finally, you may value the ability to anonymously communicate. While there are
websites that allow you to post anonymously such as Reddit, YikYak, or, more
infamously, 4Chan, the website owners still have access to your IP address. This
number identifies your current network connection (and can probably be traced back to
you). The solution is to put some kind of intermediary between you and the website you
are trying to connect to. Such an intermediary shows up in your place from the
perspective of the website you are connecting to and is called a proxy. There are
several kinds of proxies. A simple HTTP proxy can hide your web requests and make it
look like they are coming from a different part of the world. A VPN can mask all of your
communications, sending all traffic through them. For both kinds of proxies, your
security depends entirely on the quality of the proxy you use. As a general rule, if
something is free, then you are the product. This holds especially well with proxies. A
stronger tool, TOR18 is a distributed proxy, where any traffic sent through TOR is
bounced through many proxies, encrypted at each step. This tool is free and easy to
use, although it comes at the cost of substantially slowed network performance.
At the same time, governments are attempting to regulate encryption from all
angles. Several states are talking about restricting encryption and requiring backdoors
and have bipartisan support. Bills were proposed by a Republican in New York and by a
17 https://www.eff.org/secure-messaging-scorecard

18 https://www.torproject.org

13
Democrat in California. In response to these regulatory efforts California Democrat Ted
Lieu and Texas Republican Blake Farenthold introduced a bill “Ensuring National
Constitutional Rights for Your Private Telecommunications Act of 2016" ("ENCRYPT Act
of 2016")19 which would block states from banning encryption within their borders. They
cited the difficulty states would impose on companies by having a different set of laws in
each state they operated in and the fact that such laws would be largely ineffective
because citizens of one state would be free to just cross a border can get a different
model (of encrypted device). The bill does nothing to prevent bans on encryption or
requirements of backdoors on a national scale. It just attempts to ensure that the
country will have consistent rules. As such it has seen more support than similar
measures.
In response to the Paris attacks, the San Bernardino shootings, and a less
publicized “islamic State-inspired attack last year in Garland, Texas” a pair of
congressmen from both parties have proposed a bill that would require “a person or a
company—when served with a court order—to provide law enforcement with
information (in readable form) or appropriate technical assistance that is responsive to
the judicial request. This will enable law enforcement to conduct investigations using the
communications involved in criminal and terrorist activities.” 20 They soften this
19 http://thehackernews.com/2016/02/encrypt-act-2016.html

20 http://arstechnica.com/tech-policy/2016/04/senators-play-terror-card-to-lobbypublic-for-backdoor-crypto-legislation/

14
requirement by saying “We want to provide businesses with full discretion to decide how
best to design and build systems that maintain data security while at the same time
complying with court orders.” This would allow private companies to become the
gatekeepers of their customers secrets, only giving up the decrypted information in the
case of a court order. They could of course be ordered to hand over the information by
the FISA court and required not to tell anyone that they decrypted the phone.
The bill would apply to any company doing business in the US and many of these
businesses operate abroad. The bill is silent about how US companies should react to
foreign governments ordering them to decrypt phones. This bill would set a dangerous
precedent and raise difficult international questions. As discussed earlier, what countries
should be able to require devices be decrypted?
All these issues are insurmountable. People value personal privacy, with most
having things that they would prefer not everyone knew. Some people depend on
encryption for their safety and this depends on widespread use of crypto tools. While it
would be nice if law enforcement could decrypt the phones of dangerous criminals and
terrorists, the dangers of a backdoor far outweigh the benefits. Especially since such
backdoors wouldn’t do much to prevent crime.