Encryption Privacy

Freedom of Speech: Rethinking the Role of Encryption

Classically, the encryption of data solves two simple problems:

  1. how to store data securely when it’s at rest,
  2. how to communicate it securely when it’s in motion.

On the face of it, that makes encryption look like an ideal tool for freedom of the press: it can render a journalist’s stored data meaningless to unwanted readers, and protect transmitted data against interception.

Unfortunately, those two “simple problems” have never been the whole story. For one thing, both the journalist and the intended recipient of transmitted data have to be able to decrypt the data… and that gives rise to a number of problems. As former Burton Group and Gartner analyst Bob Blakley puts it: encrypting data is easy; the hard part is managing access to the keys. Neither is this purely a technological problem. Even the strongest encryption can be rendered useless if – for example – its user can be fooled, persuaded or bullied into disclosing the key.

There are also the problems of how to distribute decryption keys securely, how to manage and replace keys over time, and so on. These problems, even if they are not often well solved, have at least been known about for many years.

Then there are the problems to do with regulation of cryptography. I don’t propose to discuss those here – only to note that if you take any technology, from the rock onwards, humans will find both beneficial and destructive applications of it. The key is to legislate for behaviour, not for technology.

Periodically, too, someone will suggest that one regime should support journalists/activists under another regime by providing them with the means of free expression… in the form of some kind of toolkit for secure, encrypted communication. To my mind, this is to return to the original fallacy, namely that encryption technology is enough to solve the problems raised by restriction of free speech.

However, there are other tools we could be developing that don’t raise the same kinds of issue as cryptographic ones, and which would be of practical help to anyone who has a serious concern for their digital privacy. In particular, let’s look at the problem of digital footprints.

Managing your digital footprint

The more devices we use, and the more networked our world becomes, the bigger the digital footprint we leave behind us with every online action.

Some of us  already take some steps to reduce our digital footprint – for instance, clearing cookies and browser caches after each use – but how many of us even know about, let alone manage, all the other data trails we create as we use our devices?

  • Have you ever cleared your machine’s “thumbnail” cache?
  • If you have ever transferred your mobile SIM from one handset to another, how many of your contacts’ details did you leave in the onboard storage of the old handset?
  • And, to return to the crypto theme: if you installed a secure communications app on your smartphone and it used its own key pair, where are they, and what Certificate Authority do they identify?

How many of these pieces of information would you be happy for someone else to find – especially if freedom of speech is a particular concern?

Here’s my suggestion: rather than get into debates about whether to air-drop crypto survival kits to dissidents, why not develop tools that help people see and manage the digital trail they create on their own device(s)?

This wouldn’t prevent those who wish to from encrypting their stored data or their communications. It would, however, help reduce some of the other data we’re all generating – day in, day out – on a growing range of personal devices that, increasingly, reveal more about us than we reveal about ourselves. Whether specifically to safeguard access to free speech, or to protect our privacy more generally, this is something that ought to be of value to all of us.