In Defence of Cryptography
Last updated: April 12, 2012
When cryptography enthusiasts and advocates are having intelligent discussions about crypto with people who don't know a lot about it, the question almost invariably arises: ``Hey, wouldn't that stuff by a great help for terrorists/child pornographers/public enemy X?''.
This is not something that cryptographers can deny. Yes, cryptography is a boon to the forces of evil, not just in theory but in definite practice - those involved in the infamous September 11 attacks on the United States are known to have used the popular PGP encryption software to help plan their attacks in secret.
Many people, and many governments, take the stance that because of this, that it is socially irresponsible of people to develop and distribute software which makes it easy to use strong encryption. A number of countries passed laws restricting the import and export of cryptographic technology. Some of these countries have relaxed their laws in recent times, while others have not. In some countries, using cryptography - even possessing the tools required to do so -- is outright illegal.
There is a large and vocal community, however, of people who insist that unrestricted access to strong cryptography is something that the public must have. This community was most vocal and active in the 1990s, often calling themselves cypherpunks. The movement has died down in recent years, but their opinions are still widely and strongly held by many people - myself included.
What is wrong with us? How can we support technology which is known for a fact to aid terrorists? Even child pornographers! Won't we, please, think of the children?!
This short essay is an attempt to convey some of the ideas and reasoning which leads people to conclude that the right to cryptography must be defended. It assumes no technical knowledge of cryptography.
The argument that the benefits outweigh the risks
This argument is comes in two parts. The first is pointing out that the risks are not as great as may be imagined, the second is pointing out that the benefits are greater than many realise.
Contrary to what the media and politicans of this age never fail to remind us, terrorism is not much of a threat to modern society at all. The impact of the worst terrorist act in history caused approximately as many deaths as accidental drowning does in the US every year. The death rates associated with terrorism are literally orders of magnitude less than those associatd with motor vehicle accidents or cancer. This is not to say that terrorism should simply be ignored, but the threat presently receives imeasurably more attention than is warranted.
Something else to realise is that there is something of a false dichotomy implied in this argument. We certainly do not face a choice between outlawing cryptography and preventing all crime or allowing cryptography and permitting crime to run unchecked. The fact that the September 11 terrorists used cryptography to plan their attacks did not prevent US intelligence from learning of the attacks before they happened. The fact that cryptography is a useful tool for distributing child pornography does not in any way prevent law enforcement from infiltrating the communities which exist around the trade of child pornography (there must, afterall, be some way for "consumers" to learn the passphrases used by "producers" of encrypted pornography), or from finding and using the physical evidence that child pornography must still necessarily leave behind.
On the other hand, promoting public awareness, knowledge, support and most importantly use of cryptography, and associated technologies like steganogrpahy, will assurredly go a long way to providing, quite literally, hundreds of millions of people the world over with the ability to exercise their rights of freedom of speech, freedom of religion and freedom of the press, despite the attempts of oppresive regimes to limit these freedoms.
Such issues may not do much to convince those living in large Western countries where such freedoms are taken for granted (although it is worth noting that many of these countries are not as free as one might imagine - Australian citizens have never had a legally protected right to freedom of speech, for instance, and American citizens recently lost the right to gamble online). Fortunately, cryptography still has the capacity to introduce substantial social benefits to countries not suffering under oppressive regimes. Digital signature schemes have the potential to stop the current epidemic of Phishing scams dead in their tracks. Cryptographic voting protocols offer the posibility of helping to prevent election fraud, which has been a contentious issue in the US in recent years.
The fallacy that "criminals don't break laws"
This argument comes from more of a practical than a philosophical standpoint.
A number of people leap from the fact that cryptography can - and, to be clear, really is - used by criminals to the conclusion that cryptography too strong for governments to break should be made illegal. This, they argue, will stop evil people like terrorists and child pornographers from using it to do evil.
The problem with this argument is made most clear by rephrasing it. The claim is: ``If we make some laws against the use of cryptography, then people who are actively trying to break some laws will not use cryptography''.
The fallacy is now clear. Outlawing cryptography will not stop evil people from using it to do harm, in the same way that outlawing drugs clearly has not stopped people from using them, or that outlawing certain weapons clearly has not stopped from using them to commit crimes.
The Pandora's Box of strong cryptography is open. Cryptography is a necessary part of modern e-commerce, and the relevant knowledge can be found in countless libraries, countless university courses and, of course, countless places all over the web. It is a fact we need to accept that criminals do now and always will have access to this technology to aid them in doing evil - shouldn't law abiding citizens of the world enjoy the same access to do good?
The unacceptability of some compromises
From time to time, various governments have proposed a sort of compromise on the issue of cryptography. These compromises have come in the form of allowing unlimited access to certain implementations of cryptographic technoloy, which have been fitted with ``backdoors'' allowing access to law enforcement but being otherwise secure. The cryptography community has consistently rejected these proposed compromises, with good reason.
Even if we make the unlikely assumption that some government can be trusted to never abuse these cryptographic backdoors, there are still problems. It is a simple reality that designing any cryptographic technology which has a secret backdoor in it for the government, but which otherwise functions like, and as securely as, regular cryptographic technology is very difficult to do well. The task involves deliberately placing a weakness in the technology's security and ensuring this weakness cannot be found by someone actively looking for it (and there certainly will be people actively looking for it). The risk that someone other than the government may discover and be able to exploit the backdoor is very real, and is obviously unacceptable.
Outlawing or restricting the access of the general public to cryptography has serious problems. Some of the primary concerns such laws or restrictions are supposed to address - such as terrorism - are in fact not really as pressing concerns as we would be led to believe. Even if these concerns were of the utmost importance, the fact that limiting access to cryptography would be an attempt to use laws to constrain the activities of law breakers suggests that the limits would be of minimal effectiveness. In exchange for this limited effectiveness at addressing unimportant concerns, the people of the world pay a substantial price in being denied access to a technology with the potential to introduce sweeping positive social changes, from the defence of freedom in countries where freedom is opressed, to the elimination of various crimes and annoyances in more established countries.
Access to strong cryptography needs to be free for all.