In this article, Paul Rosenberg explains the problem with how the cryptography debate is approached by technologists and pro-crypto and pro-privacy advocates. To refresh your memory, the FBI tried to force Apple to give up security keys, while the NSA has continually tried to break encryption algorithms. One side wants to weaken encryption so the government always has access, another side wants to weaken encryption on a case-by-case basis to give government access, and a third side wants to keep encryption strong even if it disallows all government surveillance.
The problem, according to him, is that the third side, the pro-privacy side, approaches the debate with emotional arguments: about whether politicians know enough about technology to even be proposing laws related to encryption, and about anti-privacy politicians just wanting to build a surveillance complex to benefit their pals in the surveillance industry. Furthermore, cryptography is presented as an all-or-nothing affair: it works or it doesn’t.
Mr Rosenberg argues that this approach is not helpful because it does not treat cryptography realistically and does not go deeper into the details, details which politicians and other people need in order to be informed on this debate.
The unique approach is to elevate the debate to a debate about government regulatory powers, especially their control over freedom of speech and freedom of expression.
As Mr Rosenberg puts it (emphasis my own),
The point I hope to bring home in the remainder of this paper is this:
This debate should not be about cryptography. Rather, it should be about government’s regulatory powers.
Let me state this clearly:
A debate about encrypted smartphones is the same as a debate about police breaking into your home and throwing you in jail for private actions.
This is quite a unique approach and I think it will be the most fruitful because it is immediately relatable to everyone and gets back to the core of the debate.
By taking this approach we start to ask more fundamental questions about each side’s position in the debate. (I am going to quote a large block from the article because it lists these fundamental questions and explains why they matter. This is possibly the finest article where the logical reasoning and arguments are made clear; emphasis is my own):
The fundamental question of any crypto regulation is this:
- Are we allowed to keep our secrets to ourselves? May we have private thoughts and actions?
A fundamental thing to notice is that as long as someone writes cryptographic software, there will be messages that law enforcement can’t decrypt. And that brings us to two more fundamental questions:
- Are we free to choose how to implement (in software) our ideas?
- Are we free to choose which ideas (again, in software) we will use?
Regulating encryption means regulating our secrets, and that dictates the limits of both free choice and free expression. Let that sit for a second. These aren’t geek questions, these are fundamental human questions:
- Can someone forbid us from having secrets?
- Can someone forbid us from creating products as we see fit?
- Can someone forbid us from buying the products we want?
If you are pro-cryptography, then you must answer all the above with “no.” Otherwise you can’t defend it. If you are anti-crypto, then you must say “yes,” otherwise you’ll never be able to enforce your anti-crypto regulations.
Software is nothing but ideas expressed in a language, making this an issue of speech:
- Can we be forced to say something that we do not want to say?
- Can we be forced to keep quiet?
- Is censorship okay?
To constrain cryptography is to constrain speech and is to answer these questions “yes,” affirming that we should be forced to speak or be quiet.
As a software developer, the questions about whether we have the freedom to choose which ideas to implement and how to implement them bring home the point that this whole debate is really about government regulation. Imagine that cryptography is weakened: the code written by developers in the free and open source software world will then be regulated and dictated by a government office in whichever countries are regulating cryptography. Imagine trying to write software and having it scanned for “bad” ideas like strong crypto. Imagine having to sign forms and get approval before encrypting valuable user data when launching your startup or releasing your open source project.