Encryption, a question of privacy or a matter of security?

Enrique Dans
Dec 9, 2014

The discussion has been around for some time: creating fully encrypted applications that guarantee privacy for real is, from a technological point of view, relatively easy. In fact, Apple has lately turned it into one of the value propositions of its products: “Our commitment to customer privacy doesn’t stop because of a government information request.” The company says that the actions of the US government show that it has not understood the balance between privacy and security, and that its role is to help reestablish that balance through encrypted products that the company itself has no reasonable possibility of deciphering.

Apple’s arguments have made it the leading spokesman for the arguments outlined in Julian Assange’s Cypherpunks, for whose Spanish edition I had the honor of writing the prologue: encryption will set us free. Apple’s approach is already having repercussions: in the United States, no fewer than nine police investigations last year were blocked by the company’s privacy policy, which has since prompted the authorities there to consider a blanket ban on any device that cannot be accessed by the police, albeit under the supervision of a judge.

The outcome of this has been the so-called Crypto Wars, which now have their own Wikipedia article, and which have seen the US government try to limit the use of powerful encryption tools. Should we be able to keep our communications and archives private by using unbreakable codes, or should the government force programmers and distributors of these tools to include back doors in them that allow the police and courts access? This is an old debate, but one that Apple has now revived.

Any back door means vulnerability, which weakens security. We all want privacy, we consider it a fundamental right, but that right becomes relative when emails and other digital communications are being used by criminals and terrorists. In other words, privacy for me, but not for the bad guys.

The revelations of the post-Snowden era show that governments have abused a right of access to computers and phones that is meant to apply only when there is reasonable suspicion and with a court order. At the same time, the current development ecosystem, wherein it’s easier than ever for companies to create and launch communication tools, generally subject more to the rules of the network than to those of the market, makes it difficult to imagine that any hypothetical demand for information by the US government would have any effect: at this moment I have messaging services created in Spain, Russia, and another with a base in Iceland that all say they can guarantee the security of my communications. Powerful encryption is now demanded by more and more people, and it is becoming a de facto standard for every messaging tool out there. The idea of being able to control communications diminishes as more and more companies decide to build systems based on genuinely robust security protocols.

This is no longer a purely technological debate. The right to inviolable communications implies the possibility that all our communications and correspondence not be subject to surveillance, regardless of their content, whether a message to a friend or a plot to destroy civilization as we know it.

Neither is this simply about keeping the police’s nose out of our emails and phone calls: it’s about the right of those who write those emails or make those calls to be the only ones to have the keys to decipher them. Civilized countries protect the rights of their citizens, including their digital rights. After all, there’s no point in trying to preclude terrorists from using certain communication tools: if they know such tools are being monitored, they simply switch to other tools. The final result, as we have seen before, is a huge, pointless collection of innocent citizens’ personal information.

Obviously, this doesn’t mean that the police are powerless: in some cases, they can try to obtain data in transit from communication companies. In others, they can punish the accused for blocking a police investigation. What seems clear now is that when offered the possibility of encrypting their communication and data, the majority of users will opt to do so, which potentially creates a new scenario as regards the police’s actions. For better or worse.

(In Spanish, here)

Enrique Dans

Professor of Innovation at IE Business School and blogger (in English here and in Spanish at enriquedans.com)