Initial skirmishes have provided some indication that the next cryptography (crypto) battle is heating up and is not far from a full-fledged call to arms. Insights from previous battles in this continuing war are useful in predicting how it could play out.
Online security and privacy are at the heart of the battle. The most obvious foot-soldiers of this war are a new breed of ‘cypherpunks,’ who advocate crypto to fight ubiquitous government surveillance. As Julian Assange said, “No amount of coercive force will ever solve a math problem… A well-defined mathematical algorithm can encrypt something quickly, but to decrypt it would take billions of years.”
There will be a bigger, less visible part of the battle. People will want to retain control over their communications- messages, photographs, video, files, and locations. They will want to be able to use cloud computing and store their files on the Internet with the confidence that it can be done safely and securely. They will not want these things from a ‘nothing to hide’ perspective but rather as a natural and necessary prerequisite for confidence and utility of the medium.
Underpinning the Internet are the TCP/IP protocols which were designed to provide only the functions of efficiently transmitting and routing packets of data between peers. What they inherently lack is the ability to deal with network security issues such as data snooping and connection hijacking.
This wasn’t a problem when people used trusted and open networks that interconnected university computers. It rapidly became a big problem as the Internet exploded to become central to communication, commerce, and all the myriad of ways that we now depend on the Internet.
Crypto played an important role in World War II. From then on, many governments regulated the export of crypto on national security grounds. Treating crypto as munitions, several governments introduced controls like export licences. There were also other efforts to control crypto, such as the 1976 weakening of IBM’s Data Encryption Standard (DES) by the National Security Agency (NSA) before the National Bureau of Standards allowed it to become a government-approved standard.
The Internet created a need for individuals and businesses to use crypto as well as the means to distribute information on crypto quickly and cheaply. Phil Zimmermann‘s PGP in 1991 allowed everyday people to encrypt their email and data. The growth of electronic commerce created additional pressure, such as the need to protect credit card transactions online using public key crypto.
In the US, some defining moments of the first crypto battle occurred with the cases Junger v. Daley and Bernstein v. United States which established that crypto software could be published online, protected by the First Amendment as free speech.
The Clinton administration tried to get the industry to adopt the Clipper chip- an encryption chip for which the government had a back-door key. When this failed, the administration tried to introduce key escrow – a policy that required all encryption systems to leave a spare key with a ‘trusted third party’ that would hand it over to the FBI on demand.
The willingness of some to risk and resist prosecution as well as the growing availability of crypto software outside the US led to relaxing of export controls. Some restrictions still exist, even on purely commercial services for the mass market, particularly in countries participating in the Wassenaar Arrangement on dual-use technologies.
Growing Mass Market Use of Crypto
It’s common for commercial products to use crypto with credit cards and DVD content scrambling. What’s relatively new is the conscious, routine use of crypto for communications and data protection by people for themselves. For example, when people send emails in crypto-enabled ‘envelopes’ rather than postcards open for everyone to read. While this technology has existed since the 1990s, so far it has been too hard and inconvenient for everyday use by the average person.
Global concerns over governments collecting, storing, and analysing all Internet traffic is growing. New laws are sprouting everywhere like the UK’s proposed ‘Snooper’s Charter,’ metadata retention for law enforcement agencies in Australia, and an update to lawful interception in New Zealand.
This is leading to a return to the debate of the 1990s and 2000s. In 1997, the then Director of the FBI said:
“Clearly, in today’s world and more so in the future, the ability to encrypt both contemporaneous communications and stored data is a vital component of information security. As is so often the case, however, there is another aspect to the encryption issue that if left unaddressed will have severe public safety and national security ramifications.”
“Uncrackable encryption will allow drug lords, spies, terrorists, and even violent gangs to communicate about their crimes and their conspiracies with impunity. We will lose one of the few remaining vulnerabilities of the worst criminals and terrorists upon which law enforcement depends to successfully investigate and often prevent the worst crimes.”
The Next Crypto Battle
Exactly the same concerns still drive the continuing war on crypto. Only, this time, the vocabulary has been updated to include words like national security, cyber espionage, and paedophiles.
The FBI is worried about the ‘dark net’ while the German police uses malware to spy on its citizens’ Internet activities. Some governments are worried about decrypting Apple’s iMessage and all user data held on that company’s smartphones and tablets. On the other side, the inventor of PGP is back with Silent Circle while the company that I work for, Mega, provides encryption and decryption invisibly and automatically.
Some of the instruments governments have used in the past- such as export controls and deliberate weakening of the crypto- will no longer work. New instruments will undoubtedly be tried. The same arguments and counter-arguments of the 1990s will be debated back and forth.
While it is difficult to predict how this crypto battle will evolve and the inevitable casualties, one thing is certain: the end result will be the same as the previous battles- an uneasy truce in which governments will accept that they have limited ability to control crypto being used by people and businesses.
That will be a victory for the public good and the Internet’s indispensable role in our daily lives. Until the next crypto battle erupts.