Secret-Bits: The Need for Encryption

By R. E. Barksdale

Authentication and verification are necessities for Internet Traveler to use the Internet safely. Two tools that help Internet Traveler address these requirements are encryption software and digital signatures. Yet, while encryption software is readily available, “Overall, the public seems unconcerned about privacy of communication today, and the privacy fervor that permeated the crypto wars a decade ago is nowhere to be seen.” (Abelson, Ledeen, and Lewis, 2008, p.193) [1] So, should Internet Traveler be concerned about privacy of communication, or should he continue to be apathetic?

As Internet Traveler charts his course across the digital oceans, rivers, and streams, he will realize that he is going to encounter other travelers along the way.  Many of the travelers will be of like mind; yet, pirates are also on the waters looking to exploit those they encounter.  Meanwhile, governments are patrolling and keeping watch over all. Because of this, from an ethical perspective, it is critical that Internet Traveler properly stows and secures his digital cargo. Encryption tools assist Internet Traveler in securing his vital ‘bits’ and the ‘bits’ that are shared with others.

Keeping and uncovering secrets has been an area of interest for governments since the beginning of time. They have historically taken interest in those that use ciphers. Caesar, British Intelligence, NSA, and the Soviet KGB are just some of the government entities that have utilized encryption methods over the centuries. When messages from Mary Queen of Scots to enemies of Queen Elizabeth I were intercepted and decrypted, Mary Queen of Scots lost her head, literally. (Abelson, Ledeen, and Lewis, 2008, p.169) [2] While the Internet is a medium vastly different from a piece of Middle Ages parchment, the concepts and the risks remain the same.

Information is empowering, and obtaining secret information can either topple or secure governments. It was not until the 1980s, as Internet use began to become more prominent, that governments began to raise a flag of concern. This concern took shape in the form of proposals to control the distribution of cryptography solutions. (Abelson, Ledeen, and Lewis, 2008, p.188) [4] During the Clinton years, the Communications Assistance for Law Enforcement Act (CALEA) was passed. This act mandated that infrastructure be deployed in telecommunication central offices that would make it possible to remotely “activate” wiretaps on digital switches. According to a Washingtonpost.com Encryption Special Report titled “Deciphering Encryption”:

Until 1996, the U.S. government considered anything stronger than 40-bit encryption a “munition” and its export, therefore, was illegal. The government now allows the export of 56-bit encryption, with some restrictions – but 128-bit cryptography is emerging as the new digital standard. [3]

After the legislation of 1996 was passed, the citizenry became alarmed enough to raise a flag of their own.  This banner was planted in the foundation of the U.S. Constitution.

One of those who carried the banner for the citizenry was Philip Zimmermann. Zimmermann, a software engineer specializing in cryptography, data security, and data communications, has been instrumental in delivering email and telephony encryption software to the masses. In June of 1991, Pretty Good Privacy, or PGP, which Zimmermann had been working on since the late 1980s, magically appeared on servers across the U.S. for anyone to download. In spite of efforts by government and corporations, Zimmermann held the banner high, and ultimately the corporations and government relented, allowing the Internet traveler community to use the software without restrictions. Later, when asked why he wrote PGP, Zimmermann responded with the following:

It’s personal. It’s private. And it’s no one’s business but yours. You may be planning a political campaign, discussing your taxes, or having a secret romance. Or you may be communicating with a political dissident in a repressive country. Whatever it is, you don’t want your private electronic mail (email) or confidential documents read by anyone else. There’s nothing wrong with asserting your privacy. Privacy is as apple-pie as the Constitution. [4]

Now that the barriers of encryption for the masses have been overcome, it is possible for Internet Traveler to properly secure his cargo. However, since encryption software has been developed for the masses, not everyone has taken privacy seriously. Beginning in 2005, a group of hackers began a targeted attack to exploit a Wired Equivalency Protocol (WEP) “secured” Wi-Fi network of a $17+ billion retailer. It was not until the beginning of 2007, 18 months later, that the attack was uncovered. [5] This retailer, in a terrible lapse of ethical judgment, chose to utilize an inferior encryption protocol that resulted in their customers being compromised. By the time this company had adjusted their sails and secured their cargo, credit/debit card numbers and personal information of 500,000 to 1,000,000 people had been compromised.

As the Internet has spawned millions, if not billions, of outlets of commerce around the globe, the need for encryption has proved essential.  Therefore, government intelligence agencies have not continued their crusade of limiting access to encryption solutions.  As government secrets can topple politicos, so financial losses can topple societies and cultures.  As the authors note in “Blown to Bits,” in 2007 the United Kingdom passed laws that require the disclosure of encryption keys to agencies investigating terrorist acts or other criminal activity. Encryption technologies, and those that use them, will remain on the radarscope of government agencies tasked with securing their nation’s borders and citizenry.

Yet, even after all of the efforts being made by Zimmermann and leading civil liberties groups like the Electronic Frontier Foundation (EFF) to communicate the need for Internet Traveler to encrypt and secure his electronic data cargo, there continues to be a disconnect with that reality. Internet Traveler continues to utilize service providers to store and deliver precious digital cargo. According to a June 20, 2011, Wired report by Ryan Singel:

At a time when hackers are on a tear looting information willy-nilly from insecure sites on the Web, Dropbox did the unthinkable Sunday — it allowed anyone in the world to access any one of its 25 million customers’ online storage lockers — simply by typing in any password. [6]

This apathy by Internet Traveler comes back to bite him when his service providers fail to take their responsibility seriously or opt to change their Terms of Service without really considering the privacy needs of the Internet traveler community at large. Not only is he entrusting his digital cargo to others, but he is also entrusting every message that he sends using email. As a rule, his emails are sent in the clear, much like a postcard. The email messages are routed from one router to the next until they reach their recipient’s mailbox. This complacency exposes the root of the ethical dilemma.

Internet Traveler, traversing the Internet, will need to address his encryption dilemma: to encrypt or not to encrypt. First, there is the dilemma that he will encounter when he opts to e-mail an update to a friend, family member, or his doctor. The other is when he chooses to utilize a service, such as Dropbox or Facebook. In both cases, Internet Traveler must determine whether he should encrypt or not. On another front, the service provider who provides Internet Traveler with a service must understand that they should be concerned about the encryption of the transactions that take place between them and their user community. And on the final front, the governments that protect and serve should not step back from their ethical responsibility to keep abreast of encryption technologies and continue to monitor, as best as they are able, the Internet and its ever-changing tide. This continuous balancing act is required to ensure that the Internet waters stay as safe as possible and will continue to be the wonderful place to explore.

References:

  1. Abelson, H., Ledeen, K., & Lewis, H. (2008). Blown to bits. Boston: Addison-Wesley.
  2. Abelson, H., Ledeen, K., & Lewis, H. (2008). Blown to bits. Boston: Addison-Wesley. p.169.
  3. Froomkin, D., & Branson, A. (1998). Deciphering encryption. Washington Post. Retrieved from http://www.washingtonpost.com/wp-srv/politics/special/encryption/encryption.htm
  4. Zimmermann, P. (June, 1991). Why I wrote PGP. Retrieved from http://www.philzimmermann.com/EN/essays/index.html
  5. Pereira, J. (2007). How credit-card data went out wireless door. The Wall Street Journal. Retrieved from http://online.wsj.com/article/SB117824446226991797.html
  6. Singel, R. (2011, June 20). Dropbox left user accounts unlocked for 4 hours Sunday. Wired. Retrieved from http://www.wired.com/threatlevel/2011/06/dropbox/