forkspoon's Journal: A critique of Phil Zimmerman and PGP
A critique of Phil Zimmerman and PGP
Travis Hadley
There are two initial critiques of the haphazard distribution of a functional and simple to use version of RSA or any strong encryption. Assume the use of the terms PGP, strong encryption, and encryption are interchangeable unless otherwise specified. I will argue against Phil Zimmerman's position that free and open distribution of easy to use strong encryption is good and beneficial in the long run for humanity. I will also reflect on the futility of trying to restrict the use of strong encryption. Then questions of encryption policy will be discussed.
Zimmerman argues for PGP along two lines. First that strong encryption is a tool for freedom fighters, humanitarian groups, and other groups that face repression of and punishment for their speech. Second that because strong encryption already exists, it will inevitably fall into the wrong hands, so why not enable everyone else to have it also?
Zimmerman's belief that only valid groups will use strong cryptography is false. Furthermore this discussion brings in the question of what makes a group valid? This will finally show that the use of strong encryption ultimately leads to lawbreakers becoming more brazen as they use strong cryptography because they know their communications will be secure thus eliminating some key evidence needed to prosecute various parts of the apparatus.
Zimmerman maintains that strong encryption is good because it is a tool for groups that need security for their communications because the government under which they live, which they may be fighting, wants to monitor, punish, and ultimately halt their communications. Such groups would be freedom fighters fighting "a really horrible government" [1], human rights groups documenting atrocities, and groups who may be politically oppressed or closely monitored such as leftist groups were in the United States in the early Cold War period or followers of Falun Gong in China. The prospect that not so good groups such as the right-wing paramilitary forces of Colombia or al Qaeda cells abroad may use strong cryptography is very great. The use of computers by terrorist groups is well documented. One such example by al Qaeda is in planning a bombing: "A computer used by top al-Qaeda chiefs contains a report of a scouting mission" [3]. Furthermore the terrorists used some kind of security mechanisms, showing they are aware and eager to use all such resources: "The computer...has finally had its secrets cracked after high-tech computer programs broke through its complex password protection system." [3]. Besides evidence of its use, we can assume that any suspect groups who need their communications to be secret will use strong encryption. Why does this matter? Because if their communications are intercepted or their equipment is seized, law enforcement may not be able to break the security of the messages, and vital information that could save lives would be lost.
The problem with praising free and open encryption's use by "good" groups is that the definition of "good" is relative. Phil Zimmerman may think that Burmese rebels are "good":
The resistance groups in Burma are using it. Burma has a really horrible government, and there's resistance groups using PGP in jungle training camps. They're being trained to use it on portable computers. Then they are taking them to other jungle training camps and teaching them. [1]
But what if we replace "The resistance groups in Burma are" with "Hamas is", replace "Burma" with "Israel", and "jungle" with "desert"? If we pretend that is what Zimmerman said, then suddenly some may find his remarks very offensive and not a very good support of easily available strong encryption. The key is that Hamas believes they themselves are as justified as the Burmese rebels believe themselves to be. There is no international arbiter of justice; as Kenneth Waltz would say political groups exist in a "self-help" system. So Zimmerman's opinions are just that. His opinions won't help the Burmese rebels or Hamas obtain what they believe is justice. However both will try, and one of the tools they will use is strong encryption. So although Zimmerman's intentions may be good, he cannot guarantee that only "just" groups will use his software, because groups cannot be easily categorized as "just" and "unjust". What we do know about organizations is that they behave similarly in an anarchic world - to preserve and propagate themselves and their goals.
Because all organizations have an interest in security, "good" and "bad" organizations will develop an understanding of what encryption can provide. If your keys (basically passwords) are managed properly, then encryption can secure your immediate communications and your records of past communications. If someone in a group, whether an Amnesty International observer in Algeria or a mobster in Philadelphia, decides to secure their communications then theoretically for the next few hundred years or so the information will be out of the reach of prosecutors. Let us explore the mobster example. Imagine a criminal emails his associates to discuss the next hit, or some fraudulent scheme. This email may implicate many people well enough to send them to prison, such as the godfather, hit men, business associates who are aware of the crimes, etc. If this email is strongly encrypted, all this evidence is lost. It can be assumed that as strong encryption is used more and more by shady groups of all kinds, they will develop protocols and procedures for keeping as much communication as secret as possible for the purpose of cutting ties and prosecutable relationships. So the availability of easy to get and easy to use strong encryption software will lead to illegal organizations using the software to make themselves more resilient to arrests and less susceptible to prosecution. It will also make it extremely hard to get reliable information about terrorist activities, as the only source of information then becomes interrogation, which we know can be defeated with discipline and devotion to one's cause.
All groups whether good or bad will use encryption to hide their communications. Zimmerman cannot even clearly point to a universal standard of good or bad, so he knows all groups, whether humanitarian or terrorist will use strong encryption. Groups that learn to incorporate encryption into their procedures will as a result learn to use encryption to make their group's future plans unknowable, their relations unaccountable, and individual members harder to prosecute.
Zimmerman's argument that freedom of encryption will provide a powerful deterrent to government oppression is incorrect. Encryption does not provide a meaningful service to citizens. It has only led to criminals and terrorists having easier access to the technology - citizens of any country rarely use it.
Zimmerman argues along similar lines of the following argument. If only the government is allowed to have guns, then the government can oppress the people. Furthermore criminals will get guns from elsewhere or on the black market, and then they will be able to harass the people and attack the government. Therefore allow the people to have guns as well to defend themselves against government oppression and criminal harassment. This argument works for material things that affect material safety. Examples would be guns among citizens, nuclear weapons between superpowers, and walking in groups at night in unfamiliar places. The basic argument is that one-to-one material deterrents are valid and successful. If you can deter someone with a gun, a nuclear weapon, or group from attacking you, then you have successfully provided material safety. Furthermore the means for protecting yourself are material objects.
Information is not a material object. People assume privacy; they do not assume their information is at risk. Encryption is a non-substantive thing; it is mathematical and therefore confined to the mind. Who does the use or possession of encryption deter? According to Zimmerman:
Advances in technology will not permit the maintenance of the status quo, as far as privacy is concerned. The status quo is unstable. If we do nothing, new technologies will give the government new automatic surveillance capabilities that Stalin could never have dreamed of. The only way to hold the line on privacy in the information age is strong cryptography. [2]
Zimmerman believes strong encryption will deter the government from trying to get information. This is false because the government will still try and succeed, using other methods. An example is this. Imagine a thief who wishes to come into your home in a so-called "home invasion" and take your possessions of value. If you have a shotgun under your bed, you can do something about it. However if the government wants information about you or wants to prosecute you, they will succeed because they have domestic jurisdiction. So what if you slow them down by encrypting your email, you still haven't stopped them from talking to your neighbors, wiretapping your phone, opening your mail, seizing your handwritten notes such as journals, using listening devices to record your speech in your home and elsewhere, et cetera? The widespread use of strong encryption does not lead to less government investigation or legal harassment. The government has de jure right to gather information in whatever way a judge has provided warrant to do. One example is the FBI's development of a key logging system called Magic Lantern to get passwords [4]. The FBI used a "keystroke logging device on the computer of Nicodemo S. Scarfo Jr., hoping to record a password for a file encrypted with PGP (Pretty Good Privacy) software" [5]. So the FBI will not be deterred from getting your secrets if they want them. Other projects like Tempest [6], Echelon [7], and Carnivore [8] guarantee the government's ability to capture communications. This same principle applies to all other governments, valid or not. Using encryption does not in any way legally or functionally prevent a government from investigating or harassing its citizens.
The ill effect of Zimmerman's belief that strong encryption software is necessary to healthy domestic political freedom is that the technology "blows across the border like dandelion seeds blowing in the wind" [1]. I personally do not believe strong encryption would have been put into use by criminals and terrorists had easy to use and easy to get products not been released. Yes the information is available - books and papers on strong encryption are available online, at libraries, at universities, and at bookstores all over the world and have been for decades. But it is one thing for a quiet mathematician to read about encryption; it is far more damaging to release an implementation of the theory into the wild. Had PGP and similar software never been released, I doubt anyone but researchers and national security ministries would have been interested in strong encryption. Militaries, governments, and corporations have always (at least as far back as ancient Rome) used cryptography to hide their intentions should their message bearers be captured. The important point here is that Governments and corporations can afford to hire mathematicians and computer specialists to create, implement, and manage cryptographic solutions. Small terrorist cells certainly don't have the money to hire these people, and I doubt that the mafia or terrorists would ever think to even try to get a hold of cryptography if it had stayed an academic curiosity only put into practice by foreign ministers communicating with their ambassadors or businessmen sending sensitive messages.
I have seen the reports validating this argument, but do not currently have a reference, so I will appeal to your common sense and experience. Who do you know that doesn't work at a university and isn't a computer specialist that regularly uses encryption technology to encrypt their emails, instant message conversations, and personal files on their computer? Excluding computer specialists, I know none. I doubt there are very many people out there using encryption who aren't also privacy or civil liberties buffs and who don't work in a computer related field. My point is that common people don't care about PGP or encryption. It just isn't important and taking the time to learn about it and use it would be non-productive. The meaning of this argument is that even though Zimmerman may think encryption provides privacy from the government, no one cares. Nearly no one in his target audience uses his software. However it seems that many outside his target audience were enabled by Zimmerman to make their illegal operations more secure.
Zimmerman's belief that encryption will help citizens keep their government at bay is false. The government will not be deterred from trying to gather information just because one avenue of data is not available. Encryption was probably not even on the radar screens of anyone except government, corporations, and researchers until the public release of strong encryption software in the early 1990s. Few citizens use strong encryption to protect their communications, but criminals seem to have taken to it handily.
Trying to restrict the flow of information once it has become public or widespread seems to never work, and in fact possibly encourages the spread even more. Currently books, papers, and software about encryption are all freely available to people all over the world. Zimmerman argues that this is a good thing. One thing is for sure; the methods are mathematical and sometimes simple. Many encryption schemes can be thought up by amateurs that will provide valid security. And even if all the books and records of encryption in the world were burned, it would still be possible to redevelop the technology from nothing. Not even advanced mathematics would be necessary, although it would help. Trying to control or restrict cryptography software is a fantasy. It can only be fought with advancements in cryptanalysis, but even then there is a known time limitation unless technology or mathematics advances rapidly. One hope lies in key problems - many pieces of software are careless with their keys and should the system be compromised in another way the keys can be salvaged. On the whole strong encryption software is widespread and will remain so.
A question of policy arises. I concede strong encryption now cannot be stopped. But perhaps we can learn from our past actions. Why are books explaining strong cryptography sold in bookstores and available online for free? Why is computer cryptography taught at universities and some community colleges? Why were mathematicians allowed to develop a technology that inevitably would lead to a more chaotic world? These questions boil down to the value the world society places on absolute academic freedom. In the west information is held to be sacred, as can be seen in the "freedom of speech" clauses in many nations' constitutions. But most of those constitutions were drafted in a different time, when science was not so advanced that its development seriously endangered human survival as a whole. Perhaps today with a more knowledgeable perspective we must review what types of speech should be protected, not just what types are protected by the current legal framework.
Zimmerman and others' free implementations of cryptography have done little to improve the lives of common citizens, but have done much to improve and secure the operations of oppressed or clandestine groups. The problem lies in the fact that the New York mafia could be considered oppressed by the FBI and that al Qaeda believes they are oppressed by America. So although supposed "good" oppressed groups like humanitarians and activists have benefited, society at large has been adversely affected by the increased capabilities of supposed "bad" groups. Encryption is just a tool, neither good nor evil, but it has gravitated towards those who would use it for the latter.
Sources:
[1] "Interview with author of PGP (Pretty Good Privacy)". Russell D. Hoffman. http://www.animatedsoftware.com/hightech/philspgp.htm
[2] "Why I Wrote PGP". Phil Zimmerman. http://www.philzimmermann.com/essays-WhyIWrotePGP.shtml
[3] "Al-Qaeda computer details shoe bomber scouting mission". Hugh Dougherty. http://www.asiamedia.ucla.edu/Weekly2002/01.15.2002/UnitedStates5.htm
[4] "Judge OKs FBI Keyboard Sniffing". Declan McCullagh. http://www.wired.com/news/print/0,1294,49455,00.html
[5] "Federal judge okays keyboard stroke capture". George A. Chidi. http://www.infoworld.com/articles/hn/xml/02/01/04/020104hncapture.xml
[6] "NSA/CSS REG 90-6" (TEMPEST FOIA Request). NSA. http://cryptome.org/nsa-reg90-6.htm
[7] "Answers to Frequently Asked Questions (FAQ) about Echelon". ACLU. http://www.aclu.org/echelonwatch/faq.html
[8] "The Carnivore FOIA Litigation". Electronic Privacy Information Center. http://www.epic.org/privacy/carnivore/
I personally support free and open strong encryption software and information; I just wrote this article because it is clear there are some adverse effects to encryption use that must be considered.