Building on the Going Dark Debate - Do jurists really understand encryption?
- Vanessa Henri
- Feb 6, 2016
On February 1st, the Berkman Center for Internet & Society at Harvard University published their first report on the Going Dark debate, titled "Don't Panic - Making Progress on the 'Going Dark' Debate".
This debate happens to be very relevant to a project of mine titled "Dark Web and Cybercriminality - for a balanced approach", for which I am funded by the Quebec Bar.
This project aims to offer crucial information to the judicial community with regard to the prosecution of criminal activities that thrive in encrypted areas of cyberspace referred to as the Dark Web (accessible through browsers such as Tor). The idea follows from two concerns:
- the necessity for the judicial community to understand the interests at stake when debating about the Dark Web;
- the likelihood of political interventions without sufficient knowledge of the technical nature of the Dark Web.
This is so because famous cases such as the Silk Road affair arouse intense feelings within the judicial community, with people wondering why it is even legal to use an encrypted version of the Internet. Even following Snowden's revelations, most people see the debate as a very simple reflection: if you've done nothing wrong, you should not be concerned with the powers of intelligence agencies and you have no reason to use encrypted technologies.

The Going Dark debate builds on a similar dynamic. The debate has been popularized in the United States following the affirmation by some Government officials that the increased use of encryption in communication technologies harms their capability to intercept said communications (hence the expression "going dark"). The Going Dark debate differs from the debate regarding the Dark Web because in the first case, the private market plays a crucial decisional role and further participates in facilitating the use of encrypted technologies by making them available to the public without a great deal of effort:
"The decisions of Apple, Google and other major providers of communications services and products to enable end-to-end encryption in certain applications, on smartphone operating systems, as well as default encryption of mobile devices, at the same time that terrorist groups seek to use encryption to conceal their communication from surveillance, has fueled this debate" (Don't Panic, p.1)
A central theme in both debates, then, is the ability to encrypt communications.
Encryption may be a familiar concept for IT people, but it is very vague for the political and judicial communities. They usually know that this allows for private communications, but they won't be able to say more.
The failure to understand thoroughly what encryption is, why it is done and how it is done largely explains the inability of the judicial and political communities to react and comment adequately on either debate. As a result, the issue is mostly debated within the private and intelligence sectors, while it is my contention that any issue concerning cyberspace can only be resolved by involving all of the relevant actors. The issue is too important to be decided in the margins of society - at the very minimum, you should expect jurists and politicians to be able to offer educated opinions.
The mechanics of encryption
Encryption is merely a product of coding theory, traditionally explained as the story of Alice and Bob (with additional versions including characters such as Eve, the eavesdropper, and Victor, the validator).
Coding theorists are concerned with two things. Firstly and most importantly they are concerned with the private lives of two people called Alice and Bob. In theory papers, whenever a coding theorist wants to describe a transaction between two parties he doesn't call them A and B. No. For some longstanding traditional reason he calls them Alice and Bob.
(...)
The other thing coding theorists are concerned with is information. Nothing else is like information. Information is very peculiar stuff. It can both be created and destroyed. You can steal it without removing it. You can often get some just by guessing. Yet it can have great value. It can be bought and sold. (Source: The Alice and Bob After Dinner Speech given at the Zurich Seminar, April 1984, by John Gordon, by invitation of Professor James Massey).
Secrecy coding is referred to as cryptography. Cryptographers write codes and decode them. They encrypt information and decrypt it.
As was pointed out in this article by Brian Proffitt, the best way to understand encryption is perhaps to start with a visual explanation.
Here is a text I have encrypted using Text Mechanic :
If you can't read it, it means you're normal. Text Mechanic is a web-based tool that uses the Tiny Encryption Algorithm (TEA). To find out what TEA is, decrypt the text using this password: decryptionblog.
2. Copy paste the above text
3. Enter the password : decryptionblog
What we just did is referred to as Symmetric Key Encryption - the same key (password) is used to encrypt and decrypt the data.
So there is an obvious problem with this - you need to tell the password to the recipient, and this is a major security flaw. If I e-mail or text the password (or write it on my blog!), it ruins the very purpose of going incognito, doesn't it? It can be useful if you are communicating with someone who already knows the password (a close acquaintance) - but let's face it, humans are always the biggest security flaws. Manning, for instance, did not get caught due to a security flaw in the encryption methods of Wikileaks, but due to his admissions to Adrian Lamo (see story here).
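The symmetric scheme described above, as an added example that is not Text Mechanic's code or part of the original post: the TEA block cipher run in counter mode, where one password both encrypts and decrypts. The password-to-key step, the nonce and the sample message are assumptions made for the illustration, so the output is not compatible with Text Mechanic's format.

```python
import hashlib
import struct

DELTA, MASK = 0x9E3779B9, 0xFFFFFFFF  # TEA constant; 32-bit wrap-around

def key_from_password(password: str) -> bytes:
    # Assumption: SHA-256 truncated to TEA's 128-bit key size. The page does
    # not say how Text Mechanic turns a password into a key.
    return hashlib.sha256(password.encode("utf-8")).digest()[:16]

def tea_encrypt_block(block: bytes, key: bytes) -> bytes:
    """Encrypt one 8-byte block under a 16-byte key (32 TEA cycles)."""
    v0, v1 = struct.unpack(">2I", block)
    k0, k1, k2, k3 = struct.unpack(">4I", key)
    total = 0
    for _ in range(32):
        total = (total + DELTA) & MASK
        v0 = (v0 + (((v1 << 4) + k0) ^ (v1 + total) ^ ((v1 >> 5) + k1))) & MASK
        v1 = (v1 + (((v0 << 4) + k2) ^ (v0 + total) ^ ((v0 >> 5) + k3))) & MASK
    return struct.pack(">2I", v0, v1)

def tea_ctr(password: str, nonce: bytes, data: bytes) -> bytes:
    """Counter mode: XOR data with a TEA keystream. Running it again with the
    same password and nonce undoes it, so one function encrypts and decrypts."""
    if len(nonce) != 4:
        raise ValueError("nonce must be 4 bytes")
    key = key_from_password(password)
    out = bytearray()
    for i in range(0, len(data), 8):
        keystream = tea_encrypt_block(nonce + struct.pack(">I", i // 8), key)
        out += bytes(a ^ b for a, b in zip(data[i:i + 8], keystream))
    return bytes(out)

# Constructed sample values.
NONCE = b"\x00\x01\x02\x03"
MESSAGE = b"The same password locks and unlocks this text."

if __name__ == "__main__":
    ciphertext = tea_ctr("decryptionblog", NONCE, MESSAGE)
    print(ciphertext.hex())
    print(tea_ctr("decryptionblog", NONCE, ciphertext))  # original message
    print(tea_ctr("wrongpassword", NONCE, ciphertext))   # unreadable bytes
```

Anyone who learns the password can make the same call and read the message, which is the key-distribution problem this paragraph describes.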
To solve this inherent problem with Symmetric Key Encryption, cryptographers came up with Asymmetric Encryption or Public Key Encryption (it's nothing new really, it was revealed in 1978). The concept works with two keys: the public key and the private key.
As Brian Proffitt explains, "In an asymmetric transaction, Alice asks Bob to send his public key to her through an email. In the world of encryption, email is considered unsafe - it can be intercepted and read. Bob can use email because he is just sending Alice his public key. His private key, he keeps very much to himself.
After Alice gets Bob's public key, she uses it to encrypt the file she plans to send Bob. Once she sends it, he can then decrypt the file with his private key to read it.
If the passing of data is reversed, then Bob will need to get Alice's public key before he can send encrypted files or messages to her".
So this is much more secure - and even if someone (Eve, the eavesdropper, for instance) could find one of the private keys, she could only see one part of the conversation, not both parts.
Of course, there are still security flaws in the method (a computer using mathematics could guess your private key if it's not secure enough, or you could have a drink too many and reveal your private key), but it allows us greater privacy online.
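The Alice and Bob exchange described above, as an added example that is not part of the original post: textbook RSA in which each direction is encrypted to the recipient's public key, so a stolen private key exposes only one side of the conversation. The key sizes, messages and function names are constructed for the illustration; real systems use moduli of 2048 bits or more and a padding scheme such as OAEP.

```python
from math import gcd

E = 65537  # widely used public exponent

def make_keypair(p: int, q: int):
    """Return (public, private) textbook-RSA keys built from two primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(E, phi) != 1:
        raise ValueError("public exponent must be coprime with phi(n)")
    return (n, E), (n, pow(E, -1, phi))

def encrypt(public_key, message: bytes) -> int:
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, e, n)

def decrypt(private_key, ciphertext: int) -> bytes:
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

# Constructed keys from well-known Mersenne primes. They are far too small
# and too special to be secure: this is the "not secure enough" case in
# which a computer can work out the private key.
BOB_PUB, BOB_PRIV = make_keypair(2**89 - 1, 2**107 - 1)
ALICE_PUB, ALICE_PRIV = make_keypair(2**61 - 1, 2**127 - 1)

def conversation():
    """Public keys travel in the clear; each message is encrypted to them."""
    to_bob = encrypt(BOB_PUB, b"Meet at noon")       # Alice -> Bob
    to_alice = encrypt(ALICE_PUB, b"See you there")  # Bob -> Alice
    return to_bob, to_alice

def eve_with_stolen_key(stolen_private, ciphertexts):
    """What Eve recovers from intercepted traffic with one private key."""
    return [decrypt(stolen_private, c) for c in ciphertexts]

if __name__ == "__main__":
    to_bob, to_alice = conversation()
    print(decrypt(BOB_PRIV, to_bob), decrypt(ALICE_PRIV, to_alice))
    # With Bob's key only, the second message stays unreadable.
    print(eve_with_stolen_key(BOB_PRIV, [to_bob, to_alice]))
```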
Why use encryption (unless you're a criminal or a terrorist)?
Given that the Internet was constructed as an open-source software, where information was meant to be shared and not protected, encryption appears as the only tool that can help us use the technology of the Internet to conduct operations which otherwise could not be done online - banking, for example, uses TLS encryption.
Encryption is also useful in the private sector given the rise of economic cyber-espionage. In fact, companies should be using more encryption than they actually do! This would prevent much of the economic damage resulting from Chinese cyber-espionage groups who create cheap (and dangerous) versions of goods invented elsewhere. Using encrypted communications could also reduce the risks of employees falling for spear phishing emails, for instance.
But it's not only companies, it's also academics and universities which could profit from using encryption. Snowden, for instance, revealed that the US was spying on Beijing University. This is because universities too are the source of interesting discoveries which can be harnessed into profitable business opportunities, among other things. Universities can also be sites of resistance and dissent in totalitarian states.
In other words, the debate is important because encryption allows individuals and companies to protect themselves not from the government, but from criminals and foreign spies. When telecommunications are easily accessible to intelligence agencies, they are also easily accessible to criminals and spies.
So basically, it becomes a debate about the lesser evil. Do we want to ban the use of encryption in order to better intercept communications by terrorists and criminals, or do we want to educate people about encrypted communications to protect them? And in the first scenario, can we even expect a ban of encryption to be effective? Could we even ban the dark web if we wanted to? How much energy should be spent on something that is most likely to be impossible? Here, something should be learned from the US' war on drugs, which ended up with many states legalizing marijuana (or from the Prohibition earlier on). If the rule of law must apply online, it must be more flexible, informed and knowledgeable.


