Looking Back at the Start of the Crypto Wars

Recent attempts to regulate encrypted communication in the UK and EU, the Online Safety Act and the CSA Regulation respectively, have their precedent in the not too distant past.


Europe is currently experiencing a resurgence in legislative efforts designed to regulate encrypted communication. The UK's Online Safety Bill and the European Union’s CSA Regulation threaten to establish a sweeping surveillance regime for all online communication. These proposals are the latest government forays in a globe-spanning anti-encryption campaign which began in the early 1990s.

The Recent Pivot to Privacy

For spies, hackers and law enforcement, the internet is the ultimate honeypot. It hosts the private data of billions of people - most of it conveniently indexed and searchable by keyword. Chat messages, emails, search history: your digital privacy is just one subpoena or data breach away from being compromised.

The 2013 NSA leaks by whistleblower Edward Snowden opened the world's eyes to the true extent of electronic surveillance by the US and its closest allies in the domain of signals intelligence: Australia, Canada, New Zealand and the United Kingdom. (Collectively referred to as the 'Five Eyes'.)

The NSA leaks exposed software such as XKeyscore, which allowed intelligence agents to search through private emails and chat logs as trivially as if they were looking up showtimes at the local cinema.

Under the Prism program, venerated tech companies such as Google, Facebook and Apple granted the NSA full access to their user data. This allowed the agency to "obtain targeted communications without having to request them from the service providers and without having to obtain individual court orders."

The rules governing who the NSA could target in its investigations were so lax as to be almost laughable: The agency was permitted to travel up to three degrees of separation from its intended suspect. By way of comparison, on Facebook, the average user has over 1 million connections when measured over three hops.

The NSA leaks prompted widespread public reckoning with digital privacy. There was a spike in consumer demand for secure communication services. Popular apps such as WhatsApp responded by introducing end-to-end encryption for their platforms. The mainstream internet had started its “pivot to privacy”, to borrow the term Mark Zuckerberg employed in a 2019 blog post signaling Facebook’s imminent embrace of encryption.

Encryption would soon become a household term, discussed as readily and with the same passion as the latest Netflix show or Popeye’s chicken sandwich.

Shots Fired: Pretty Good Privacy (PGP) Popularizes Public Key Encryption

The early 1990s were a watershed period in the history of cryptography. In 1991, the computer scientist Phil Zimmermann released a program called Pretty Good Privacy (PGP) to the world. PGP went viral, quickly finding a place among people living under oppressive regimes who needed to communicate securely (and whose lives often depended on their ability to do so) - from Bosnia and Lithuania to Myanmar. PGP remains the most widely used form of e-mail encryption to this day.

PGP made public key cryptography straightforward and accessible to the masses. Its release coincided with another important development in the realm of computer-to-computer communication: ARPANET, the precursor to the modern internet. Public key (or asymmetric) cryptography is uniquely suited to networked communication because it enables two parties who have never met to securely exchange information. It uses two encryption keys. One of these keys is public, meant to be shared with the world. It is used by others to encrypt the messages they want to send to you. The second key is kept secret and is used by you to decrypt the messages you receive. (This is in contrast to symmetric cryptography, which uses the same private key for both encryption and decryption. This poses the problem of securely exchanging the private key, which is inconvenient when communicating over a network with someone you don’t know.)
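The paragraph above describes the mechanism in words; the following added example (written for this page, not code from PGP or from the article's author) shows it in runnable form. It implements textbook RSA with two fixed Mersenne primes so that the modulus is large enough to carry a 64-bit key, and it goes one step beyond the paragraph by showing the hybrid pattern that PGP itself popularized: the slow public key operation protects only a short session key, and a fast symmetric cipher protects the actual message. The primes, the SHAKE-256 keystream used as the symmetric cipher, and the function names are all assumptions made for this illustration; none of it is secure enough for real use.

```python
"""Added example (not from the article): asymmetric vs. symmetric encryption.

Textbook RSA with two fixed Mersenne primes, chosen here for illustration only.
Real deployments use random ~1024-bit primes, padding (OAEP) and a vetted
library; this toy exists to show *why* a public/private key pair lets two
strangers communicate without first sharing a secret.
"""
import hashlib
import secrets
from math import gcd

# Constructed primes: 2**31-1 and 2**61-1 are both prime (Mersenne primes).
# They give a ~92-bit modulus: large enough to hold a 64-bit session key,
# far too small to be secure.
P = 2**31 - 1
Q = 2**61 - 1


def make_keypair(p: int = P, q: int = Q, e: int = 65537):
    """Return ((n, e), (n, d)): the public key and the private key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime with phi(n)")
    d = pow(e, -1, phi)          # private exponent: modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def rsa_encrypt(m: int, public_key) -> int:
    """Anyone holding the public key can encrypt; no prior contact needed."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer below the modulus")
    return pow(m, e, n)


def rsa_decrypt(c: int, private_key) -> int:
    """Only the holder of the matching private key can decrypt."""
    n, d = private_key
    return pow(c, d, n)


def stream_xor(data: bytes, key: bytes) -> bytes:
    """Symmetric cipher: the same key both encrypts and decrypts.

    Keystream = SHAKE-256(key) expanded to the message length (an assumption
    for this toy). Fast, but both sides must already share `key`, which is
    exactly the distribution problem public key cryptography solves.
    """
    keystream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))


def send_message(plaintext: bytes, recipient_public_key):
    """Sender side: fresh symmetric key, wrapped with the recipient's public key."""
    session_key = secrets.token_bytes(8)            # 64-bit key fits under n
    wrapped_key = rsa_encrypt(int.from_bytes(session_key, "big"), recipient_public_key)
    return wrapped_key, stream_xor(plaintext, session_key)


def receive_message(wrapped_key: int, ciphertext: bytes, private_key) -> bytes:
    """Recipient side: unwrap the session key with the private key, then decrypt."""
    session_key = rsa_decrypt(wrapped_key, private_key).to_bytes(8, "big")
    return stream_xor(ciphertext, session_key)


def roundtrip(plaintext: bytes) -> bytes:
    """Bob publishes a public key; Alice, who has never met him, sends a message."""
    bob_public, bob_private = make_keypair()
    wrapped, ct = send_message(plaintext, bob_public)
    return receive_message(wrapped, ct, bob_private)


if __name__ == "__main__":
    msg = b"meet at the usual place"   # constructed sample message
    print(roundtrip(msg) == msg)
```

The point to notice is the asymmetry of what travels over the network: Bob's public key and the wrapped session key can be read by anyone, yet only Bob's private key turns the wrapped key back into something that decrypts the message. The symmetric step alone would have required Alice and Bob to agree on a key beforehand.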

Tensions between the US government and the cryptography community had already been mounting even prior to the release of PGP. Since World War II, the US had classified encryption technology as munitions. This made it illegal to export encryption technology under the International Traffic in Arms Regulation (ITAR). The NSA was known to send envoys to people working on encryption technology to keep them aware of this. The situation started to improve in 1996, with an executive order issued by Bill Clinton which re-classified encryption as dual-use technology. This paved the way for the gradual lifting of export controls but it would still be years before full export liberalization.

Faced with the prospect of losing access to information through wiretaps and surveillance, the US Congress acted preemptively. In January 1991, a Delaware senator introduced a bill called the Comprehensive Counter-Terrorism Act or S.266. It included a clause mandating "that communications systems permit the government to obtain the plain text contents of voice, data, and other communications when appropriately authorized by law." The senator's name was Joe Biden. Upon realizing the implications of the provision, Senator Biden would eventually omit it from his proposal.

As PGP spread across the world, the authorities began to zero in on its creator. Just a few months after the software was released, Phil Zimmermann received a letter notifying him that he was the subject of a Grand Jury investigation. He recounts the incident in a post on his website commemorating 30 years since the launch of PGP.

I became the target of a criminal investigation for violating the Arms Export Control Act by allowing PGP to spread around the world. This further propelled PGP's popularity. The government dropped the investigation in early 1996, but the policy debate raged on, until the US export restrictions finally collapsed in 2000. PGP ignited the decade of the Crypto Wars, resulting in all the western democracies dropping their restrictions on the use of strong cryptography. It was a storied and thrilling decade, and a triumph of activism for the right to have a private conversation.

PGP Marks 30th Anniversary (Phil Zimmermann)

Phil Zimmermann and his lawyers eventually found a creative way to circumvent ITAR and continue legally distributing PGP abroad. They printed the software's source code and bound it into an 800-page tome called PGP: Source Code and Internals. As a printed book, it was legally considered a protected work under the 1st Amendment. The publisher, MIT Press, shipped it all over Europe. The book was printed in a font designed to be easily read by optical character recognition software. The idea was that you could feed the book into a scanner and then compile the PGP software. (Although it remains unclear just how many people actually did, given that PGP was readily available for download.)

Confronted with the failure of legislative efforts to mandate access to encrypted communication, the government opted next for a more tech-savvy approach. The 'Clipper Chip' was a piece of hardware designed by the NSA to be implanted into consumer devices such as telephones and computers. It would encrypt communication using the NSA's proprietary Skipjack algorithm. The catch was that Skipjack had a special backdoor encryption key built in that would allow law enforcement to access any material encrypted by it.

Public backlash against the Clipper chip was widespread, fierce and immediate. Civil society groups such as the Electronic Frontier Foundation and tech luminaries like Bill Gates alike came out united in their condemnation of the idea. A research paper on the Clipper Chip's potential technical vulnerabilities would seal its fate, finally consigning it to the archives of history.

The Crypto Wars Quietly Rage On

The Crypto Wars have entered a quieter new phase. What once could have been described as a war has morphed into a protracted PR battle. In their entreaties to the public, lawmakers and law enforcement alike increasingly emphasize the potential harm caused by encryption as an enabling technology for criminals. This trend started in the late 90s, when the threat of terrorism offered a readily available conduit for channeling fear.

In 1997, FBI Director Louis Freeh gave a statement before the US Senate Judiciary Committee explaining how encryption was imperiling his organization's work. He referred repeatedly to terrorism (and, this being the 90s, occasionally also to violent crime and drug trafficking) in his examples to paint a portrait of law enforcement rendered all but impotent in the face of this "magnificent" new scourge.

FBI Director Louis Freeh in 2013 (Wikimedia Commons)

Almost two decades later, in 2014, FBI Director James Comey delivered his now-infamous remarks about 'going dark' at the Brookings Institution. To say that this speech, also about the FBI's struggle with encryption, was inspired by his predecessor's would be an understatement. An article by the EFF describes the parallels between the two speeches as "eerie", and highlights the similarities between them word for word.

But whereas Freeh relied on terrorism to advance his views, Comey instead invoked the image of endangered children to build his case. Appealing to base instincts is a tried-and-true method of provoking action and winning public support. Such arguments are typically deployed not out of genuine concern, but to override common sense and stifle debate:

[L]aw enforcement has become more strategic in its messaging to the public and Congress. … This tactic is likely a result of law enforcement recognizing the successful playbook used to pass a controversial set of bills—the Fight Online Sex Trafficking Act (FOSTA) in the House, and the Senate’s Stop Enabling Sex Traffickers Act (SESTA)—where advocates of the law were able to overcome strong tech industry opposition by arguing that they were acting in the interests of child sex trafficking victims.

Why New Calls to Subvert Commercial Encryption Are Unjustified

This insidious tactic is also being used today with the UK's Online Safety Bill and the EU's CSA Regulation. Both of these legislative initiatives are ostensibly designed to protect children. Yet even child protection civil society groups remain skeptical (German language link) about whether these proposals, in their current form, would further this goal.

The debate surrounding these draft laws will intensify in the coming months, as they wind their way through the legislative process. It is important to remember that the arguments deployed in favour of restricting encryption should not be taken at face value.

At least for the moment, the crypto wars seem far from over.