It should not be illegal to whisper

A bill in the US congress called the EARN IT Act is making the rounds right now. It attempts to provide a commission with tools to fight against child sexual abuse online. Unfortunately, some of those tools are unconstitutional, including violating the first and fourth amendments. The primary tool it gives authorities is legal force to scan and report on encrypted data, rendering end-to-end encryption de-facto illegal in many cases.

[National Center for Missing and Exploited Children] believes online services should be made to screen their messages for material that NCMEC considers abusive; use screening technology approved by NCMEC and law enforcement; report what they find in the messages to NCMEC; and be held legally responsible for the content of messages sent by others.

This is not the first time, nor will it be the last time a government wishes to make encryption illegal. If it's not the children, then it's the terrorists. The argument usually sounds something like this

We just want to ensure that terrorists do not have a safe space in which to communicate

That was UK Prime Minister David Cameron in 2015.

... but the dangers are real, maintaining law and order in a civilized society is important, protecting our kids is important, so I'd caution against an absolutist view on this.

Obama, SXSW 2016 on end-to-end encryption

If you’re dealing with drug lords, if you’re dealing with terrorists, and if you’re dealing with murderers, I don’t care. We have to find out what’s going on.

Trump, 2020

These types of arguments (appealing to the safety of us or our children) are either disingenuous or show a severe lack of understanding of encryption.

Secret Communications

Most communication people partake in is intended for only the people in the conversation. When you are talking to a friend or significant other, you expect them and only them to listen. You can control who is part of the conversation.

When you later find out the walls in the room were a bit thin, you feel like your privacy was violated. There was a third party in your conversation, unbeknownst to you. Perhaps you talk quieter, or find a new room. Even if you aren't discussing sensitive secrets, whoever is in that other room is not invited to the conversation. Imagine if every time you sent a text message, it was a group chat that included an anonymous third party.

End to end encryption takes the in-person whispering or the finding of a new room into the digital realm. Just as it should not be illegal to whisper, it should not be illegal to encrypt your messages. Nobody should be implicitly invited to a private conversation.

If you make encryption illegal, only criminals can have private conversations

Making something illegal does not stop it from happening. Look at drugs or prostitution. If you make it illegal to have end-to-end chats, then the honest, law abiding citizens will have only public conversations (public in the sense that a third party is listening).

Terrorists and criminals will continue to use encrypted messages. Further, anyone who now wishes to communicate in private is labeled a criminal. This is not only unethical but it does not solve the problem the law is intended to.

There is no way to make backdoors only the good guys can use

One solution that is often touted about is to generate multiple sets of keys. You hold on to one set, and the police hold onto the other. Both sets work to access your secret data. When a warrant is served by a judge, then the police can use their key to search your encrypted communications.

It shouldn't be necessary to state, but the police don't always act in the public's best interest. Local police forces have been guilty of using Stingray devices that mimic cell phone towers for warrantless surveillance. The FBI, NSA, and CIA have long lost any trust towards the American public with warrantless wiretapping, drag nets, and mass surveillance and collection of both metadata and personal records.

Let there be no mistake: if the police hold the keys, there is no private communication. They will be listening, passively collecting data. They will defend it in the name of safety, using the next tragedy as a selling point for further eliminating our fourth amendment protections.

Not to mention the keys to your data are now entrusted to a faceless government agency. If the keys happen to leak, or there is a data breach, then all bets are off. And it would make a mighty juicy target for hackers. A key tenant of cybersecurity is minimizing the attack surface area. Having multiple sets of keys increases the risk of unintended access.

If you have nothing to hide, you have nothing to fear

Why should an honest, law-abiding citizen be worried about law enforcement reading their messages? They have followed all the rules, they have nothing to hide. In fact, it may even work in their favor once the powers-that-be realize what an upstanding citizen they are!

Having nothing to hide is a function of both time and interest. If a federal prosecutor is interested enough in you, they will find something. And when they don't, they can get you for lying to a federal agent or obstruction of justice. Even if they can't find anything on you, just wait for the rules to change. Suddenly, you have something to hide, but it is not hidden. It did not use to be illegal to sell heroin, but try advertising that now. It is not currently illegal to construct a firearm in the US, but perhaps if you wait long enough it will be. You have nothing to hide right now.

Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say. – Edward Snowden

For these same reasons, it is common advice to never speak to a police officer any more than necessary. Anything you say can and will be used against you. If your thoughts are in the open, it is much easier to implicate you in a crime whether or not you are guilty.

Freedom of speech

In 2013, Ladar Levison was served a National Security Letter (gag order), and forced to shut down his email service, Lavabit, for refusing to give up the keys to his customer's data. He was tried in a secret court, with dubious representation, and denied his first amendment rights to speak about it.

In 2016, the FBI wanted Apple to create a backdoor in their software to catch the San Bernadino shooter. Apple refused (though the FBI later got access and retrieved worthless data).

Political and societal thoughts are like chaotic winds in a storm. One day they're blowing one direction, the next, there's a 2x4 flying through your window. The principle of free speech only protects the unpopular speech. Laws that restrict government overreach are a very powerful tool for the people, but an equally powerful and complementary tool is encryption.

Encryption cannot be applied in an as-needed basis. It must be ubiquitous, or the very presence of encrypted bits reveals information. Therefore, it is necessary to encrypt as much communication as possible.

Encrypted speech is free speech

Encryption is a mathematical operation on a series of bits, numbers. When we write text on a computer, it is represented as a series of 1s and 0s. This is a fundamental property of information. Some complex math operations are run on this, which is “easy” to run in one direction, but incredibly hard to run in the other, like factoring prime numbers. This allows us to send information without regard to who can read it, as long as your intended recipient has the correct numbers to decipher the true meaning. Also known as asymmetric encryption.

That's pretty neat!

Should it be illegal to communicate certain types of factorization? Or in fact, any type of math? Of course not. Math is a fundamental property of the universe, or at least a clever way of representing the logic of it. This didn't stop the US government from trying to restrict the export of math during the cold war. This was shown to be ridiculous by the printing of t-shirts with the banned math on it.

Chilling effects

An unfortunate side effect of the constant barrage on encryption is that there is a chilling effect of new privacy or security based services being created, specifically in the US. A primary selling point of protonmail, for instance, is that it is hosted in Switzerland, a neutral nation known for strong privacy laws.

A more dangerous chilling effect would be a stigma towards using general purpose secure messaging applications. I have a hard enough time getting people to use Signal, a messenger that uses end-to-end encryption by default. “What do I have to hide?” is commonly asked. This would get even worse if there was a concerted effort to equate using encryption to being a terrorist or pedophile. Thankfully that tactic has not been employed yet, or has not been effective.

Summary

There is a threat to private communication. It is cloaked in the good intentions of catching terrorists and pedophiles. Trading a little bit of our liberty for a promise of security. But we must be vigilant against this promise, because it cannot be fulfilled: the premise itself is flawed.

By making it illegal to use end-to-end encryption, we harm only the honest and law-abiding.

By storing copies of our keys, we provide juicy targets and a larger attack surface area.

By creating backdoors, we make front doors for the bad guys.

By limiting encryption we infringe on the fundamental human right to free speech.

Private communication between people cannot be eliminated; mathematics cannot be prohibited, and any attempt to do either is foolish.