Re-factoring the Crypto Debate
"Broken Key" CC-BY-NC unrequitedlife on flickr
Jon Mon, 12/16/2019 - 17:36

The Carnegie Endowment for International Peace is hosting a working group to move the crypto debate forward by adding two valuable dimensions to the conversation. The WG added use cases to more capture concerns of various stakeholders and defined its technical scope, selecting a specific point to engage in this debate (around the ability to break encryption on mobile devices under the physical control of national law enforcement, but not in-transit or, theoretically, remote device access).

That said, I find the report and its use cases dangerously US-centric; ignoring the role of authoritarian states and how even this tightly scoped debate would put human rights defenders, activists, and advocates for change in these places at risk. The use cases include a wide variety, but exclude the use cases of authoritarian, state-level actors and also exclude activists who will be targeted with technologies that break end to end encryption guarantees.

We need to look beyond markets to how crypto regulation advances or undermines long-term goals around democracy and human rights around the world. "Exceptional Access" or however we frame it will be used against human rights defenders - either directly, or through pressure on tech platforms to provide equivalent access to states we might consider authoritarian. It may be a bitter pill for the law enforcement groups who seem themselves as the good guys fighting human trafficking and other horrible crimes; but promoting e2ee to encourage and protect opening civil spaces, more safely confronting corruption, and sustaining democracy could be a bigger win on a long-term, global level.

Cyberpunk Standards

Photo by Alexander London on Unsplash

The future of technology requires a dramatic shift from the present to place ownership and control back in the hands of consumers.

We engage with technology in incredibly and increasingly intimate ways, both intentionally and not. Our actions online are scrutinized, our conversations listened in on, our behaviors predicted, and all of this is done cavalierly to market products towards us, with no safeguards or thought given to not only the risks and impact of having this data available about us.

Entropy Story-time: From Claude Shannon to Equifax

Mix Two Colors / Pietro Jeng

There's an piece floating around that does a great, succinct job at summarizing Claude Shannon's contributions to our modern understanding of information. If you haven't read The bit bomb on Aeon, head over there. It'll make your brain happy with things like this:

"Shannon – mathematician, American, jazz fanatic, juggling enthusiast – is the founder of information theory, and the architect of our digital world. It was Shannon’s paper ‘A Mathematical Theory of Communication’ (1948) that introduced the bit, an objective measure of how much information a message contains."

The article digs deep into how easy it is to predict things - especially language. It ends up focusing on the power of pattern detection in being able to compress information:

"Shannon expanded this point by turning to a pulpy Raymond Chandler detective story […] He flipped to a random passage … then read out letter by letter to his wife, Betty. Her role was to guess each subsequent letter […] Betty’s job grew progressively easier as context accumulated […] a phrase beginning ‘a small oblong reading lamp on the’ is very likely to be followed by one of two letters: D, or Betty’s first guess, T (presumably for ‘table’). In a zero-redundancy language using our alphabet, Betty would have had only a 1-in-26 chance of guessing correctly; in our language, by contrast, her odds were closer to 1-in-2. "

Let's talk about PGP

I've been working on a new way to explain email encryption; I'd appreciate feedback on this approach. If you're looking to try email encryption out - buy me a beer (let let me buy you one) if we're in the same place, or check out the usable, in-browser work by Mailvelope.

New GPG Keys!

I am transitioning both my professional and personal GPG keys. This transition document (in full, below) and both updated keys are signed with both old and new keys for both personal and professional accounts to validate the transition.

In short:
[email protected] - new keyID 270C17F1
[email protected] - new keyID FDDB8C25

If this is all greek to you, GPG (or PGP) is a way to encrypt your email so that only other specific people (who must also be using GPG) are able to read it. While we think of email like regular mail, with a level of privacy like something in an envelope, the reality is that it's better to compare it to a postcard. If you're interested in getting started, I highly recommend EFF's excellent PGP guide, and Mailvelope is a super-easy browser plugin to help get you started in more secure webmail (it works great, for example, with gmail).

On Piracy

Now, there are many problems in the world of digital security - from governments around the world undermining privacy technology or firewalling their citizens off from information to valiant but underfunded security tools having the time to focus only on keeping the tool safe, but not making it easy to use. Some of these problems are rather significant, some are more approachable, but there remains a hidden problem, so pervasive and pernicious that it undermis all of our good work in bringing usable, human-centered privacy and security tools to wider audiences.

What Good Are Secure Communications Tools if No One Uses Them?

USABLE.tools

Cross-posted from my piece on Medium

It was the second day of digital security training, and I was losing the room. The journalists, documentarians, and media activists around the table were more intent on following their friends and colleagues via Facebook chat than dealing with the fidgety, hard to install, but super-secure communications tools I was trying to promote.
They had good reason — it was winter 2014, during the tense final days of Ukraine’s EuroMaidan protests, going on just across town from our training. The urgency of communication was just too much. Overnight, most of the trainees had chosen to uninstall the app we’d burnt the better part of the previous day getting to install on a mix of Windows XP, 7, Macs, and even Linux systems.

But then again, I had good reason to urge security. Protesters were being arrested because of insecure communications. People were worried about their own government, but also about the small number of companies controlling their telecommunications.

I thought I had understood their need — they wanted a way to have trusted, private communications that spanned from mobile to desktop, chat to voice.
But I had failed. I was pushing a collection of tools I knew to be the best in its class for security, developed transparently as open source, with constant attention to not only bugs but the nuances of cryptography and careful, responsible implementation and monitoring of new possible flaws. The tools were also the only ones that combined these security features, with both text and voice capabilities that could bridge desktop and mobile.

These activists required a tool that they could show to others and start using in minutes; not one that took a day of training and debugging just to install. Tools that aren’t used aren’t providing security.