Archive for November, 2013

Why Encrypt if the NSA can Beat Encryption?

November 30, 2013 Comments off

I’ve been working, intermittently, for a while now on a blog post about encryption. The problem is, I’m not all that knowledgeable when it comes to cryptography and I really don’t want to give people bad information. I would hate for people to read my post, do what I advise, and then think they’re safe when in reality they’re vulnerable. So I’m going to scrap the wall of text I had written, and strip this down to its barest essentials. Fair warning: What follows is purely an opinion piece. If you’re okay with that, read on.

Because of the seemingly constant stream of new information about exploits used by the NSA to spy on pretty much everyone with an Internet connection, including revelations that they are deliberately weakening cryptography standards, it’s tempting just to give up and not bother encrypting anything at all. This is, in my humble opinion, a bad idea.

Even if some attackers (like the NSA) can break encryption, not everyone can, and there are at least some attackers for whom it would be preferable to move on to easier targets than to devote resources to cryptanalysis. Whatever attacks may exist against encryption, whatever backdoors may have been installed at the behest of the surveillance state, it’s still (if done right) better than nothing.

This is basic common sense. It’s the same reason we all lock our doors even though someone could theoretically pick the lock, take a grinder to it, or rent a backhoe and just remove the entire wall. For that matter, I don’t know for sure that the feds don’t have some kind of special key that works on every lock in America (or, um, just a really nice set of lock picks). The correct response to this is not to leave the doors unlocked.

One other thought that occurred to me was that, because the NSA apparently can’t decrypt everyone’s information on-the-fly, I could encrypt my information to make it just difficult enough to get that the NSA would have to have some reasonable suspicion before my information was worth the effort. This idea of DIY due process appeals to me, but frankly I don’t trust it. The NSA’s purported habit of saving encrypted data for later cryptanalysis could be a smokescreen for all I know, intended to obscure their ability to decrypt pretty much anything in real time. At this point, nothing would surprise me, except maybe an apology. (Smarter people than me think the math behind our best encryption algorithms is still sound, but then you should be reading about that from smarter people than me. For instance, see Bruce Schneier’s article from back in September on How to Remain Secure Against the NSA. Besides, I don’t trust myself, much less average non-technical users, to be able to overcome the endpoint security problems Schneier mentions.)

To be honest, this post isn’t a response to any argument I’ve heard from anyone. I don’t think anyone is actually suggesting that people shouldn’t encrypt just because the NSA might be able to decrypt. But it’s easy to get overwhelmed or tired or complacent, and decide not to care about privacy or security at all, and that can be dangerous. I’m arguing against my own pessimism as much as anything else, but I’d be willing to bet there are plenty of folks out there who are ready to give up.

Don’t give up.

Categories: Privacy Tags: ,