[cryptography] [liberationtech] Crypto Advocacy TED Talk

Eugen Leitl eugen at leitl.org
Thu Dec 1 16:03:42 EST 2011


----- Forwarded message from Gregory Maxwell <gmaxwell at gmail.com> -----

From: Gregory Maxwell <gmaxwell at gmail.com>
Date: Thu, 1 Dec 2011 01:38:33 -0500
To: Jeffrey Burdges <burdges at gmail.com>
Cc: liberationtech at lists.stanford.edu
Subject: Re: [liberationtech] Crypto Advocacy TED Talk

On Thu, Dec 1, 2011 at 12:01 AM, Jeffrey Burdges <burdges at gmail.com> wrote:
[snip]
> Aside from arguing these points, there should be emphasis that "this ain't your daddy's PGP", meaning modern crypto packages have grown incredibly easy to use.  Tor Browser Bundles are about the most user friendly thing in the world.  Off-the-record messaging is almost a triviality in Adium, Jitsi, or other open source IM clients.  Most mail readers have user friendly plugins for GPG.  etc.

I've argued before that protocol designers have an ethical obligation
to include always-on-by-default cryptography whenever it isn't
contraindicated by other requirements— The primary idea being here
that the whole cost of cryptography to the user can be drastically
reduced when it's properly integrated.

In particular, even unauthenticated cryptography provides absolute
immunity to passive attacks, invisible wiretapping dragnets, and gives
active attacks a serious risk of discovery.  And this protection can
be added to any realtime communication for _free_ and invisibly from
the user's perspective.  (Of course, authentication is important— and
nothing unauthenticated should be advertised to the user as encrypted.
But the unavoidable user-costliness of authentication shouldn't
prevent us from getting encryption).

One point on this subject that is overlooked is the network effect: I
may have good reasons why I should be using encryption, but it's very
hard to use it when most of my friends are not using it.  This is
related to your point (1), but not identical. Unrelated to cover, my
contacts can't use encryption with me if I don't use encryption— and
asking me to use it is a social/time cost that discourages them from
using it when they really should. Unless encryption is a norm they
won't even ask.

Related to your point (2) I'd add a more subtle argument: The
widespread use of unencrypted communications enables an _industry_ of
dragnet surveillance.  Iran pays FooBarNetworks to build a fleet of
passive eavesdropping widgets... The R&D cost gets sunk building it
and then FooBar has a new product in their price book which their
sales drones go peddling to everyone who will take them, including the
governments of countries which are less prone to coming up with these
initiatives on their own. In this manner, oppression gains a marketing
department.  Fairly modest decreases in the effectiveness of
surveillance can break this cycle by making the initial cost less
appealing and making the products harder to sell.

(And at the extreme limit: A few billion to build and maintain an
infrastructure of hundreds of thousands of optical taps and fast
stateless packet filters is a _lot_ more attractive when it will
intercept Almost Everything than when it's mostly only useful for
traffic analysis).

Another point that I make when discussing this subject is that none of
us is really able to correctly assess the risks in making the choice
to use encryption:  We're not aware of secret lawful and unlawful
interception by governments (our own, and/or hostile ones) and
organized crime. We don't have a good feel for how massive collections
of data may be used against our interests in the future. And once
disclosed the information genie can't easily be rebottled. Encryption
is cheap insurance, and would be much cheaper if ubiquitously
deployed.
----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE