Recently, there has been talk of outlawing or greatly limiting encryption in Britain. Many people hypothesize that this is a deliberate attempt at shifting the Overton window, in order to get a more reasonable-sounding but still quite extreme law passed.
For anyone who would want to shift the Overton window in the other direction, is there a position that is more extreme than “we should encrypt everything all the time”?
Assuming you just want people throwing ideas at you:
Make it illegal to communicate in cleartext? Add mandatory cryptography classes to schools? Requiring everyone to register a public key and having a government key server? Not compensating identity theft victims and the like if they didn’t use good security?
This is already the case in Estonia, where every citizen over the age of 14 has a government-issued ID card containing two X.509 RSA key pairs. TLS client authentication is widely deployed for Estonian web services such as internet banking.
(Due to ideological differences regarding the centralization of trust, I think it’s unlikely that governments will adopt OpenPGP over X.509.)
Giving people an official RSA keypair in their smartcard government IDs is fine. That solves all sorts of problems, and enables a bunch of really cool tech.
Requiring that every public key used in any context be registered with the government, or worse, some sort of key escrow, is a totally different matter.
I was thinking less “everyone must register all their public keys, and you can’t have a second identity with its own key” and more “everyone has to have at least 1 public key officially associated with them so that they can sign things and be sent stuff securely.” And that Estonian system sounds pretty cool.
What would you estimate the probability of ever having the former without the latter being? Of having that happy state last for more than a few years?
Well, the former pretty much describes the current state of affairs. Anyone with a government ID card or national healthcare ID probably has a chip embedded with an escrowed signing key. There’s really nothing unique about Estonia here—they’re using the same system everyone else is using. Even if your country, like the USA, doesn’t have a national ID of some kind or doesn’t have a chip embedded, your passport does. The international standard governing “smart passports” being issued by just about every country in existence for the past 5-10 years includes embedded digital signature capability.
Now I don’t really know how to estimate the probability of sliding into the latter case. I don’t see them as intrinsically connected, however.
Generating private/public key pairs is trivially easy.
Frame attempts to limit the use of encryption as unilateral disarmament, and name specific threats.
As in, if the government “has your password”, how sure are you that your password isn’t eventually going to be stolen by Chinese government hackers? Putin? Estonian scammers? Terrorists? Your ex-partner? And you know that your allies over in (Germany, United States, Israel, France) are going to get their hands on it too, right? And have you thought about when (hated political party) gets voted into power 5 years from now?
A second good framing is used by the ACLU representative in the Guardian article: You won’t be able to use technologies X, Y and Z, and you’ll fall behind other countries technologically and economically.
To be a bit more specific than “we should encrypt everything all the time”:
Mandatory full-disk encryption on all computer systems sold, by analogy to mandatory seat belts in cars — it used to be an optional extra, but in the modern world it’s unsafe to operate without it.
The criminalization of all encryption in the U.S. is just one big terrorist attack away.
Doubtful. Too much of the economy takes place online today—you can’t have e-banking without strong crypto.
You can have e-banking and e-commerce with “key escrow”, though. That didn’t fly in the 90s, and it’s always been an inane idea, but I could definitely imagine “you should hide from hackers, but not from the police” PR spin ramping up again.
It already did—see David Cameron’s new stance on encryption e.g. here or elsewhere. He’s not shy about it.
True. That said, the Internet has proven very good at defending its essential infrastructure, and I suspect it will continue to do so in future.
Good point. I revise my prediction to “after the next big terrorist attack the U.S. will heavily regulate encryption.”