Encryption and the Faustian Bargain

In his seminal book Code 2.0, Harvard professor Lawrence Lessig explains that law alone will not solve problems related to privacy in the digital age. Rather, to ensure privacy we’ll need a combination of improved coding, law, and policy. Each measure by itself will only bring partial results.

Lessig’s prescient advice rings true today. As advocates—including PEN American Center—rally for improved legislation that will thwart the spying of the NSA under various legal authorities, other groups have pressed for improved encryption measures by default. In 2014, Access launched a campaign called Encrypt All the Things, which PEN has joined. The best way to protect privacy, they argue, is for none of the intermediaries involved in transmitting information to be able to access it, so that there will be no “back doors” or vulnerabilities for the NSA, or anyone for that matter, to pry into your conversations.

Thankfully a number of rights groups and coders have been thinking about this need for some time. Many encryption tools like PGP and the Tor Browser are free, and others developed by organizations such as Whisper Systems (TextSecure) and the Guardian Project (Orbot, Orweb) are even more user-friendly than PGP and Tor. When these tools are used properly by people on both ends of a conversation, even the staggering computing power of the NSA cannot hack into them.

That’s why governments will simply go after the users of the tools themselves without worrying about the content of their conversations. We have seen this in Ethiopia, where 6 members of the blogging collective Zone 9 have been put on trial just for taking part in a digital security training. Below is an extract from the charge sheet presented by the federal prosecutor at the Lideta High Court in Addis Ababa, translated from the Amharic:

With the support provided by Ginbot7, the accused tried to encrypt their lines of communication and attempted to conceal the contents of their messages from government agents.

Ginbot7 is listed as a terrorist group in Ethiopia, and members of Zone 9 vehemently deny any connection. But the more worrying aspect is that the fact that the accused “tried to encrypt their lines of communication” is being used to enable their persecution. The government is relying on the fact that the bloggers utilized encryption at all as a proxy for criminal intent, so the contents of the messages—presumably never deciphered—become less important than the fact that they were encrypted. PEN has supported Zone 9 in our advocacy, believes in the innocence of their members, and argues that their persecution is an attempt to silence dissident voices. But the chilling effect remains: in some places, just using encryption tools can make you a suspect in a terrorism investigation.

In the United States, encryption is embraced by both advocacy groups and the private sector. Just last week, Yahoo announced that it would support end-to-end encryption on its email servers, something which Google already does, and which Microsoft recently joined. This is good news for the casual user, because encryption will be built into the products they rely upon. And firms such as Silent Circle are offering consumer-friendly “Blackphones” as all-in-one privacy solutions. Even the FBI has expressed an interest in the product, according to Ars Technica.

But one persistent accusation against whistleblower Edward Snowden is that he has strengthened America’s enemies by revealing valuable tradecraft used by our signals intelligence agencies and the CIA. In particular, there was a troubling article in The Washington Post which suggested that Snowden had helped Al Qaeda by identifying better encryption systems than the home-grown systems they were using:

In fact, the product al Qaeda had been recommending until the leaks, Mujahidin Secrets, probably did qualify as “home-brew encryption.” Indeed, Bruce Schneier dissed Mujahidin Secrets in 2008 on precisely that ground, saying ‘No one has explained why a terrorist would use this instead of PGP.’

The article quite transparently uses the evidence that Al Qaeda has improved its methods as an indictment of Snowden’s contribution to the global debate on surveillance. It’s not especially persuasive, and it takes quotes by Snowden and security expert Bruce Schneier out of context. But the headline says it all: “As evidence mounts, it’s getting harder to defend Edward Snowden.”

As in Ethiopia, the implication is that encryption has enabled terrorists to do their dirty work. Zone 9’s communications were scrambled by encryption, making them suspicious, and Al Qaeda, openly hostile to the U.S., is now equipped with dangerous encryption tools. By revealing information to the world (including Al Qaeda) about the NSA’s capabilities, some suggest, Snowden drove the terrorists to protect themselves.

You can see the trend here. In the repressive state of Ethiopia, encryption is being used to put dissidents behind bars. In the U.S., we’re using encryption to indict a whistleblower, at least in the court of public opinion. We now know that the NSA specifically targets users of the Tor browser, which allows users to surf the web anonymously. And if you demonstrate an interest in encryption at all (by reading this article, for example), you may become a target of government surveillance.

We’re being offered a Faustian bargain: use these tools, but when you do, the government will come knocking. Encryption is legal and should not be used as a proxy for criminality. If we move down that dangerous path in the United States, it’s obvious that repressive regimes—the ones that violate the human rights our foreign policy promises to uphold—will get a free pass.