martedì 20 novembre 2018

Why you shouldn't encrypt all your private communications

I was at the LinuxPiter conference a couple of weeks ago, and among the many interesting talks, a couple were about cybersecurity, privacy, encryption.
The main point of these talks was roughly this: end-to-end encryption is getting easier to setup, so we (the technical audience at the conference) can start protecting all our private communication and hopefully help bringing the technology to a state where it's more accessible to the masses.

Cyber Security

The reasons why people want to encrypt their private communications are varied: sometimes it's about hiding one's communications away from an oppressive government or from big corporations; other times it's about avoiding personality theft or stalking; but in general, the core point is that it's my private communication, and no other eyes than mine and the intended receivers's should have any right to see it. And this sounds pretty reasonable indeed.

However, some reading into the history of the technologies used to achieve this result has left me doubting. And actually, as this article's title says, I've slowly grown convinced that I should fight the battle on the opposite front, and convince people not to pursue the goal of encrypting their private digital lives. Which will probably get you suspecting that I've gone out of my mind, to propose not supporting something that nearly the entire technical community recognizes as valuable. But if you bear with me a little longer, I'll try to explain.

Let's start with this quote by Edward Snowden:

“Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say.”

I do care about my privacy and, furthermore, I'm not such a hypocrite to say that I don't have anything to hide: quite the opposite, there are plenty of things I don't want people to know about me. I'm not arguing against the right to one's privacy, and I do use encryption when storing sensitive data on my computer or when sending out passwords to people. And I've long stopped sharing bits of my private life on the big social networks, which I mostly use in write-only mode for spreading political propaganda (and I invite you to do the same, unless you have already left them: these places must die). What I am objecting to is mass encryption of all of your communications, just for the sake of making them inaccessible to everyone else.

I don't want to hide things from the government. I definitely want to hide as much as possible from corporations and other individuals, but I do want the state officials to be able to access any private conversation of any citizen. I do not want mass surveillance, but if there are serious reasons to suspect that a person could be involved in some crime, then I want the state to be able to look into the suspect's conversations — while exercising maximum care so that these are not leaked to the press and, in general, to people who don't need to know about them. Call me naive or an idealist, I still hold the state responsible for my own safety and the sole guarantor of justice. Should state officials abuse their position and either leak the private communications of the citizens or — worse — use them for blackmailing, this is something that should be investigated and punished, but I don't believe that it is the norm. Considering Snowden's revelations about the extent of the mass surveillance program in the U.S. and seeing how little of this information has been revealed or used by malicious state officials makes me optimistic in thinking that this is a secondary problem.

Surely someone could point out that not all governments are trustworthy: totalitarian regimes suppress dissent, while encryption could help the oppressed speak freely and organize themselves. The first part of the sentence is certainly true, but the second part reveals, in my opinion, a wrong evaluation of the reactionary movements. Let me explain it more clearly with one example.
My western readers would probably include Russia (the country in which I live) in the list of the “totalitarian regimes” I mentioned above; but you might be surprised to know that the West's favourite opposition character, the nationalist Alexei Navalny, who is getting jailed every other month for minor offences, is quite open in his criticism, and provocatively organizes actions that he knows will get him into trouble, with the goal of getting maximum visibility and exposing what he believes are unreasonable laws. If on one side there could be some value for revolutionaries to use encrypted communications during the initial phases of their action, on the other, the real change can only be brought forward with the involvement of the masses — which means one needs open talks.
And even if we limit ourselves to the early phases of the organisation of a reactionary plan, I do believe that using encryption carries the bigger risk of alienating one's potential allies, which were not part of the conversation, who might easily be led to believe (the conversation not having been released) that the participants in these secret talks were after some criminal plan or were getting support from some foreign country.

Beijing Airport
Picture this: at the airport security check (maybe in a country whose government you don't trust the least), you are asked permission by the officials to open your luggage for a search. If you refuse, they'll confiscate your luggage, but they'll let you return home free; if you agree, you'll be able to return home free, and with your luggage.

And we get to the real criminals. No matter how some politicians are abusing the topic for their own profit, it remains a fact that terrorism exists and terrorists operate in our cities. If we all encrypt our conversations, we practically preclude the security services from performing a screening which could help them focus their attention on potential suspects; and whether the terrorists encrypt their conversations has little impact: the very fact that a conversation is encrypted could raise some suspicion (which doesn't mean that the security services would hunt down everyone who uses encryption! — but their online behaviour could be monitored for some time).
Furthermore, I don't buy the story that these technologies are good because they can help those who fight against injustices in some remote oppressive country; on the contrary, I have a strong suspicion that the reason why these technologies are pushed forward it to protect the corrupted financial world from having their deeds exposed, here at home. Well, maybe that's not the goal, but indeed those people would benefit from it, at our expense.

Finally, let me spend a couple of words on encryption technologies, because I believe that their history matters and that we should be aware of who stands behind them. Suppose that you were a Russian dissident, and the GRU sponsored the development of some technology that promises full anonymity and secrecy; would you use it? I hope you agree with me, if I say that you'd have to be a complete fool to use it, no matter how many independent agencies have analyzed the technology and found it to be impenetrable. The lamb would never live in a house built for him by the wolf, no matter how comfortable or solid it looks like.
That's why, if I had to name one particular privacy enabling technology which I recommend you not to use, that would be Tor. Developed in the '90s by the U.S. Navy to be used by U.S. intelligence agents embedded in foreign countries, the Tor project is still being funded by the U.S. government and its usage is being promoted worldwide, in order to make it harder for foreign government to identify the American agents; because it goes without saying that, if the U.S. agents were the only people using Tor, then foreign security services would have a rather easy time spotting them.
Now, if you are perfectly fine with the U.S. government being able to read your secret communications, by all means do feel welcome to use Tor. But if you are a dissident in either the U.S. or an allied country, be it a Western European country, Japan, Israel or Saudi Arabia, then I'd think twice before using it. And even if you lived in Russia, China or Iran, well, the same fact of connecting to Tor carries the potential risk of exposing you as a rebel or as a foreign agent.

That's why I don't encrypt my online conversations, and I don't strive to be anonymous online. No matter how bad the government we live in might be, I'm deeply convinced that the state is the only authority that can protect us; and if we don't trust it, or if we want to act against it, then we'd rather do it openly, suffering all the consequences that might arise, but having done all our best so that other people might find the courage to join our cause.

Etichette: , ,

0 Commenti:

Posta un commento

Iscriviti a Commenti sul post [Atom]

<< Home page