(C) Alec Muffett's DropSafe blog.
Author Name: Alec Muffett
This story was originally published on allecmuffett.com. [1]
License: CC-BY-SA 3.0.[2]


Perspective: “Lawful Access” to End-To-End Encrypted Communication

2020-11-14 19:43:06.190000+00:00


Question: Would business and society suffer “harm” as a consequence of provision of “lawful access”, or “exceptional access”, for end-to-end encrypted communication, as proposed?

Alec Muffett, Nov 12, 2020

Prologue

I would say that business and society already and currently do suffer from such harm, because although we know what chilling effects we have experienced in the past — restrictions upon access to cryptography — nonetheless we don’t know what Internet we could have had without such chilling effects. We cannot price the opportunity cost we have suffered from chilled, never-built privacy innovations that would address current-day problems by means which we have not yet realised.

What does “secure communication” achieve?

The purpose of any kind of “communications security” is to divide the universe into two parts:

1. people who can read* a message, and…
2. everyone else who cannot.

It does not matter if this division happens by end-to-end encryption, or by any other form of encryption, or even if we achieve it by traditional means of burying steel-clad network cables in concrete; the goal of communications security is always to separate people who can-or-should read* messages, from those who can-or-should-not.

With this in mind, we can understand the current end-to-end encryption debate as a simple refresh of key escrow proposals which failed in the 1990s. There are two “real” questions at hand:

1. should two-or-more parties be free to establish private communication in such a way that they prevent oversight by non-participants?
2. should a business be free to offer such “strongly private” communication, as part of a value proposition?

I say “yes” to both of these questions, because I believe that provision of privacy at-scale and without exception is a much greater enabler of innovation and good than it is of potential harm.

*or write, amend, filter, or tamper with…

Re: Business

Forbidding the freedom to offer private communication is to treat privacy as a dangerous good rather than as an enabler; history shows us that privacy is strongly an enabler because it enables both scale and distribution.

Lack of strong privacy causes “at-scale” data breach problems like “The Snappening” and leaks such as those of “Twitter Direct Messages” [v1][v2]. In specific benefit: global adoption of end-to-end encryption offers a tectonic reduction in the “attack surface” of data that could ever be “breached” or leaked onto the Internet. Conversely the problems of privacy-enabled abuse generally do not scale easily, thus there is a strong net positive to enabling more and better privacy.

Sidebar: Examples from History

We can look to the history of key escrow and infer what impact there would have been on modern e-commerce if we were obliged to register each HTTPS connection with central authorities; the online world that we would live in would be more onerous, less stable, less trustworthy, less rich and less capable.

We can look at the history of messenger systems and observe that if users do not trust the privacy of the platform networks, they will layer other tools like PGP and OTR via “over-the-top” means, to assure privacy and strongly negate the purported benefits of any “exceptional access” mechanism in the message transport layer — unless the state next wishes to regulate open-source software and to mandate the closure of open communications APIs?

We can look in the direction of open-source tooling, containers, and the distributed web, to see the tools which we will be using for the next 30 years, new tools which will be bereft of billion-user centralised mega-platforms to coerce. Early adaptation — rather than chasing backdoors — would be wise.

Surveillance Compliance

Finally, implementation of “exceptional access” would push a new obligation of surveillance compliance onto platforms:

1. The security services of different countries will fight with each other for corporate dominance, for the power to filter and veto platforms from honouring exceptional access requests from competing (eg: BRIC) countries, on the basis that such may empower corporate espionage.
2. Such obligation will drive a deep KYC / know-your-customer requirement into the platforms — to enable surveillance compliance — which (not least due to cost, and proliferation of personal data) is not something they wish to undertake.
3. Such obligation will also foster a hostile relationship between platforms and users, eg: forcing platforms to prevent or report people who use superencryption tools (eg: PGP, OTR) which will obviate exceptional access.

Escrow and exceptional access — irrespective of the mechanism — was considered and judged unwise, because of its burden and because of the unintended consequences of forbidding people’s freedom to communicate privately. It remains unwise. Foisting the same obligations upon platform providers would simply reboot all of the historically-identified problems, and create a whole set of new ones, besides.

[1] URL: https://medium.com/@alecmuffett/perspective-lawful-access-to-end-to-end-encrypted-communication-90e1955d5b8d
[2] URL: https://creativecommons.org/licenses/by-sa/3.0/

DropSafe Blog via Magical.Fish Gopher News Feeds:
gopher://magical.fish/1/feeds/news/alecmuffett/