Saturday, June 08, 2013

A question the press isn't asking about government surveillance

Encryption. It provides real privacy for people who want it, and that is exactly why the government sees it as a threat. Personal privacy is all over the news right now with the stories about PRISM, a program that lets the biggest social networking sites share information with the government. The story we're being told is that they're trying to protect us from terrorists.

Few people use encryption actively. I say actively because many people do use encryption when they visit a secured web page that uses SSL (you'll know you're using SSL when you see https at the beginning of the address in your browser). But emails? Attachments? Few of us ever really encrypt those. Many people don't know what encryption is, much less use it.

There are many forms and techniques of encryption. Encryption is the use of a mathematical algorithm to scramble a message so that it cannot be read by others; only the person holding the key can decrypt it. A very well known encryption method is Pretty Good Privacy (PGP), invented by Phil Zimmermann in 1991. It is a standard today for personal and industrial encryption. It is also open and free; anyone can use it. But it is not widely used, mostly because it's not advertised much.

That raises the question: Why didn't Microsoft make it a standard? My first thought is that Microsoft doesn't like anything that is free. Microsoft could easily bake PGP into Outlook, but they don't want a form of encryption that would work well with Linux or Mac. If you want it for Outlook, you may have to buy it. Google offers a free plug-in, too (this didn't exist years ago when I first looked into it).

I suspect that there is a bigger reason: the government discourages encryption that they don't have a back door to. PGP is just that. There is no back door anywhere and if there were, an alternative could be made quickly to remove it. That's what's so cool about free software where the source code is available.

The same question could be asked of Apple, or of any other company that sells email client software. But one look at free email clients like Thunderbird and Evolution shows that the Free Software movement has been quick to make PGP an option. There are PGP apps for Chrome and Gmail, too.

Some of you are wondering what PGP is. That's ok. Not everyone knows, so here is a short, gentle lesson. PGP is based on the concept of public key encryption. To encrypt a message or a file, I first create a key pair. One key is public, and I share it with you. The other key is private, and I keep it to myself.

I want you to secure the messages you send to me, so I share my public key with you. You use PGP with that public key to encrypt a message to me and then send it. When I receive it, I can use PGP with my private key to decrypt it. It's that simple in practice. But underneath is an incredible discovery in mathematics that makes it effective.

Bruce Schneier is a security expert. He's famous for exposing the security theater that is supposed to make us feel safer at airports. But he's also a software developer. He's studied encryption for many years, so he's one authority on it. I found a fascinating excerpt (scroll down to answer 224) from his book, Applied Cryptography, which describes some very interesting facts about encryption.

Suffice it to say that, even if one wanted to brute-force encryption, it is not just a matter of the time needed to try every possible key until the right one turns up. It is also a matter of energy. There is a discrete, finite amount of energy required to record, store and test each bit of a key. In short, breaking a 256-bit encryption key would require an enormous amount of energy, something like 10^51 ergs. That's supernova energy.
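Schneier's energy argument carried through numerically, as an added example that is not part of the original post: it uses the Landauer bound of kT ln 2 per bit change, assumes the roughly 3.2 K background temperature of the universe as the coldest place a computer could run, and takes the post's 10^51 ergs as the energy of one supernova. The key-size, temperature and budget figures are inputs, so the same functions answer "how many bits can a given budget enumerate" for any budget.

```python
import math

# Physical constants (standard reference values, assumed here rather than taken from the post)
BOLTZMANN_ERG_PER_K = 1.380649e-16   # Boltzmann constant in erg/K
COSMIC_BACKGROUND_K = 3.2            # approximate background temperature of the universe, K
SUPERNOVA_ERGS = 1e51                # order-of-magnitude supernova energy, the post's figure


def landauer_ergs_per_bit(temperature_k: float = COSMIC_BACKGROUND_K) -> float:
    """Minimum energy to irreversibly change one bit at the given temperature: kT ln 2."""
    return BOLTZMANN_ERG_PER_K * temperature_k * math.log(2)


def brute_force_floor_ergs(key_bits: int, temperature_k: float = COSMIC_BACKGROUND_K) -> float:
    """Lower bound on the energy needed just to step a counter through all 2^key_bits keys.

    Following Schneier's approximation, visiting every value of an n-bit counter costs at
    least 2^n single-bit changes.  The energy of actually testing each candidate key against
    the ciphertext is ignored, which only makes the real cost larger than this floor.
    """
    return (2 ** key_bits) * landauer_ergs_per_bit(temperature_k)


def affordable_key_bits(energy_budget_ergs: float, temperature_k: float = COSMIC_BACKGROUND_K) -> int:
    """Largest key size whose complete brute-force enumeration fits inside the energy budget."""
    return math.floor(math.log2(energy_budget_ergs / landauer_ergs_per_bit(temperature_k)))


def supernovae_needed(key_bits: int) -> float:
    """How many 10^51-erg supernovae it takes merely to count through every key of this size."""
    return brute_force_floor_ergs(key_bits) / SUPERNOVA_ERGS


if __name__ == "__main__":
    # One supernova's worth of energy enumerates a counter of only a little over 200 bits;
    # a 256-bit key would need tens of billions of them.
    print("bits one supernova can enumerate:", affordable_key_bits(SUPERNOVA_ERGS))
    print("supernovae to enumerate a 256-bit key: %.2e" % supernovae_needed(256))
```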

That's why the government hates encryption. The laws of thermodynamics place real limits on the computational power available to break encryption.

Again, the question remains: why isn't encryption standard in every email transmission? Someone doesn't want it to be standard practice. I wonder who that might be.
