In the early 1990s, the first Crypto War began. With the release of Phil Zimmermann’s PGP in 1991, for the first time in history, anyone could encode and exchange a message that no law enforcement agency had the technical ability to intercept and decode.
Fearing that criminals would be able to hide their communications, the reaction of governments worldwide was swift. The United States, for instance, banned the export of what it deemed “strong crypto.” Early versions of Internet software such as Netscape’s Communicator browser and Lotus Notes came in two flavors: a Domestic version that supported strong 128-bit crypto and an International version that supported weak 40-bit crypto.
But the genie was out of the bottle. The math equations that powered both strong and weak crypto systems were identical and elegantly simple. The difference between strong and weak was merely the length of the keys they used. Regulating the length of a key — effectively akin to telling you that you’re not allowed to use a password that’s more than a certain number of characters — proved impossible. And, by the early 2000s, the technologists prevailed. Restrictions on the use and export of strong cryptosystems were largely dropped, and the first Crypto War came to a close.
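The point that the algorithm was the same and only the key length differed can be shown concretely. The following is an added example, not code from the original article: it implements RC4, the stream cipher behind the 40-bit “export” SSL suites of that era, encrypts a constructed message under a short key and under a 128-bit key with the identical code path, and recovers the short key by exhaustive search. The 16-bit key, the message, and the search rate used for the time estimate are all constructed for illustration; the search on a real 40-bit key would take the same code roughly 2^24 times longer.

```python
# Added example (not from the original article). Standard RC4; keys and
# messages below are constructed for illustration.
from itertools import product


def rc4_keystream(key: bytes):
    """RC4 key-scheduling algorithm followed by the keystream generator."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt by XOR with the keystream. The code is identical
    whatever the key length; only the size of the key space changes."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def exhaustive_search(ciphertext: bytes, known_prefix: bytes, key_bytes: int):
    """Try every key of key_bytes bytes, in order, until decrypting the start
    of the ciphertext yields known_prefix. Returns (key, keys_tried)."""
    tried = 0
    head = ciphertext[: len(known_prefix)]
    for k in product(range(256), repeat=key_bytes):
        tried += 1
        key = bytes(k)
        if rc4(key, head) == known_prefix:
            return key, tried
    return None, tried


def brute_force_years(key_bits: int, keys_per_second: float) -> float:
    """Expected wall-clock time to recover a key by exhaustive search,
    assuming half the key space is tried on average."""
    return (2 ** (key_bits - 1)) / keys_per_second / (365.25 * 24 * 3600)


MESSAGE = b"Hello Bob: the meeting moved to noon."   # constructed plaintext
WEAK_KEY = b"\x12\x34"                                 # constructed 16-bit key
STRONG_KEY = bytes(range(16))                          # constructed 128-bit key


def demo():
    """Same cipher, two key lengths: the short key falls to a key search."""
    ct_weak = rc4(WEAK_KEY, MESSAGE)
    ct_strong = rc4(STRONG_KEY, MESSAGE)
    # Both decrypt with the same function; nothing but the key differs.
    assert rc4(STRONG_KEY, ct_strong) == MESSAGE
    found, tried = exhaustive_search(ct_weak, b"Hello Bob:", key_bytes=2)
    return found, tried, rc4(found, ct_weak)


if __name__ == "__main__":
    key, tried, plaintext = demo()
    print(f"recovered key {key.hex()} after {tried} trials: {plaintext!r}")
    for bits in (40, 128):
        print(f"{bits}-bit key at 1e9 keys/s: {brute_force_years(bits, 1e9):.3g} years")
```

The search stops at the first key that reproduces the known prefix; with a ten-byte prefix and a 16-bit key space a false match is vanishingly unlikely. Lengthening the key from 40 to 128 bits multiplies the expected work by 2^88 without changing a single line of the cipher, which is why regulating key length, rather than the algorithm, was never a stable line to hold.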
First shots in the next Crypto War
History may attribute the Archduke Ferdinand moment that spawned the second Crypto War to a cheeky little smiley face, hand drawn on a United States National Security Agency diagram which was revealed to the public on October 30, 2013. On that day, the Washington Post published the diagram from the trove of secret documents revealed by former NSA contractor Edward Snowden.
Source: Washington Post, 30 October 2013
The document showed how the US was tapping Google’s private communication lines over which messages between the company’s data centers were being exchanged unencrypted. The cheeky smiley face denoted the place on Google’s infrastructure where crypto was “added and removed.” To the NSA, it was a clever way to sneak behind the strong crypto lines and capture messages where they weren’t encoded. To the technology industry, it was nothing short of a declaration of war.
The technologists fight back
Since then, the technologists have scrambled to add strong cryptographic protections even to those parts of their systems that were previously considered private. Apple, for instance, with the release of the latest version of the company’s iPhone software, has designed a messaging system where it doesn’t have a way of reading messages that pass between two users. If you’re using an up-to-date iPhone to send a text message to another iPhone user, and the little bubble containing your message is blue, then neither Apple, nor your ISP, nor any law enforcement agency tapping into the transmission line is likely able to read the contents of the message.
This intentional “blinding” of user content not only thwarts mass surveillance, but also many of the techniques of targeted law enforcement. If Apple doesn’t have the contents of their users’ messages, the company has no way of responding to a warrant requesting that content. Previously, companies like Apple, Google, Facebook, and others have acted as a centralized repository of user data that law enforcement could turn to during an investigation. As the second Crypto War heats up, these companies are engineering new ways to lock their users’ data away even from legal process.
And, again, as in the first Crypto War, the response from government has been swift. British Prime Minister David Cameron recently pledged that “modern forms of communication” should not be “exempt from being listened to.” Director of GCHQ Robert Hannigan urged that companies must help enable surveillance of their networks, describing social media networks as “a terrorist’s command-and-control network of choice.” And US FBI Director James Comey suggested companies should be required to design “intercept solutions” into their technologies.
Cryptography’s broad swath
While debate in the coming Crypto War will likely focus on the proper responsibilities of technology companies and law enforcement, it’s important to bear in mind the wide swath cryptography now cuts. The implications of strong crypto for protecting user privacy and for complicating law enforcement surveillance are obvious. However, cryptography also shapes other significant technology debates of our time.
For example, network neutrality — the idea that Internet Service Providers (ISPs) shouldn’t discriminate against or favor different services — is directly impacted by cryptography. When data is encrypted as it moves across the wire, ISPs cannot inspect the contents of packets in order to discriminate between services. Cryptography also prevents ISPs from inserting tracking cookies into their users’ data streams, a practice some providers like Verizon have begun implementing in order to develop new advertising-based revenue streams.
Government regulation of Internet content also depends on controlling encrypted content. Regimes that block certain content from entering their borders inherently need to inspect Internet traffic. In many instances where state actors have taken this approach, encrypted traffic is simply blocked outright since it cannot be inspected. That approach, of course, only works so long as a majority of Internet traffic is unencrypted. As more of the Internet adopts strong crypto, the ability of a regime to control what information flows across its borders is threatened.
Cryptography is even challenging traditional monetary systems. Bitcoin, the most popular of the so-called crypto currencies, depends on some of the same cryptographic algorithms that Apple uses to secure messages sent between iPhone users. Rather than Bitcoin’s money supply being controlled by a central bank, the value of the currency depends on the math behind the cryptographic algorithm itself. Some governments have banned the use of Bitcoin, suggesting it poses an existential threat to their ability to regulate financial transactions. The challenge, however, just as in the first Crypto War, is that the algorithms are simple, widely known, and broadly used across many applications, making it very difficult to put the genie back in the bottle.
Proceed with caution
Today, the technology industry is more powerful and better organized than it was when it won the first Crypto War. However, I am concerned that the industry underestimates the threat posed by regulators reluctant to give in to the broad use of strong crypto, and in doing so, give up some level of control. As we fight the coming Crypto War, it is important that the technology industry acknowledge the challenges of law enforcement and legitimate government interests at stake. And, at the same time, it is critical for government policy makers to educate themselves about the broad impact of strong crypto and the potential unintended consequences of trying to weaken it.
Author: Matthew Prince is Co-Founder & CEO of Cloudflare
Image: A security camera overlooks a man as he walks down a street in London November 2, 2006. REUTERS/Luke MacGregor