On Cryptography and Privacy

I posted this elsewhere back in February 2016, when the FBI was attempting to force Apple to develop software to break the security of the iPhone.

Cryptography creates and manages power. More specifically, it determines what can be seen, who can see it, and what those people can do with it. Cryptography, properly implemented and used, limits power. It places a boundary beyond which the others – including the state – cannot reach. It is not subversive by itself, but because its use rearranges power relationships it is a useful tool for subverting authoritarianism. Widespread and usable security is democratizing and empowering.

Cryptography implicates politics because politics is about who has power and how much power they have. Who has power is a political question; who should have power is a moral question. In this sense cryptography allows the enforcement of morality with math.

You have an inherent right to privacy; if the government wants to pry they must show a valid reason and obtain a warrant. The government is a creature of the citizenry; it has no right to privacy. If the members of government want to keep public affairs secret, they must show a valid reason. This is how a government of, by, and for the people should operate. It is not just me saying this; this is encoded in the founding documents of our country.

The “security vs. privacy” distinction tries to turn this on its head. In the context of most discussions of privacy vs. security, privacy is personal and concrete, whereas security is social and aspirational. You are asked to give up something concrete right now, and in return some group that may or may not include you will potentially obtain some thing. The group that benefits is the state, whose efforts at enforcing its own laws are – again, potentially – simplified. In this view your government may keep secrets from you, but you may not keep secrets from it. This is precisely the opposite of how a functioning, representative democracy should work. You cannot make informed decisions because you are not informed. This is authoritarianism and paternalism.

The context in which words are used matters. “The right of the people to be secure in their persons, houses, papers, and effects […]” does not mean you give up your privacy to achieve some ephemeral sense of security; here security and privacy are the same. You have control over how your effects are used; you have power.

Privacy is a public good. Being watched changes people, making them fearful and conformist, and stifling dissent. While this is good for the state, it is not good for the people. It stifles the production of art, literature, and scholarship. It increases power imbalances and weakens democratic institutions. I don’t have to simply assert this; I can point to any authoritarian state. I can contrast West and East Germany, etc. Privacy lets you be who you are; it gives you a concrete kind of security you should not trade for a mere promise of “better” security elsewhere in life.

Instead of asking for a safe space, demand a private space. You have a Constitutional right to privacy, but not to safety. Securing safety as part of the general welfare is one of the purposes for which governments are formed. Securing the free exercise of your rights is another. The government is both aided and hindered in this effort by proper security and privacy. Life is complex. It is your government.

We can employ cryptography on either side of security vs. privacy. We can and do use cryptography to establish both physical and data security. We should make better use of cryptography to establish privacy.

A demand to surrender privacy is a demand to surrender power over your own life. The ability to break privacy in one instance is the ability to break privacy in all other similar instances. The government is given this power through subpoenas, but it is not absolute.

This is not a slippery slope. This is the whole game, right now. If the FBI can order Apple to develop a new product to break their device’s security – assuming that is possible, which it likely is – then that’s what will always happen, forever, in every case where device privacy gets in the way. Companies will have to develop devices that they can break, otherwise they will be unable to comply with court orders. Companies that develop truly secure devices can be forced out of business, by a number of mechanisms made possible by the precedent.

Privacy is a public good, a power relationship, and security. Cryptography creates and manages power, and thus implicates politics. Your government is against both because they potentially make its job more difficult. You have the opportunity to assert your power over the government now; you might not later.
