For centuries, cryptography was the exclusive preserve of the state. Then, in 1976, Whitfield Diffie and Martin Hellman proposed a practical method of establishing a shared secret key over an authenticated (but not confidential) communication channel without using a prior shared secret. The following year, three MIT academics – Ron Rivest, Adi Shamir, and Leonard Adleman – came up with the RSA algorithm (named after their initials) to implement it. It was the start of public key cryptography – at least in the public domain.
From the start, the state authorities were not amused by this development. They were even less amused when, in 1991, Phil Zimmermann created the Pretty Good Privacy (PGP) software for signing, encrypting and decrypting texts, emails, files and more. PGP raised the specter of ordinary citizens – or at least the most geeky among them – being able to wrap their electronic communications in an envelope that even the most powerful state could not open. In fact, the US government was so enraged by Zimmermann’s work that it defined PGP as a munition, which meant it was a crime to export it to the Warsaw Pact countries. (The Cold War was still relatively hot then.)
Over the next four decades, there was a conflict between the desire of citizens to have communications unreadable by the state and other agencies and the desire of those agencies to be able to read them. The aftermath of 9/11, which gave states carte blanche to snoop on anything people did online, and the explosion of online communications via the internet and (since 2007) smartphones, have escalated the conflict. During the Clinton years, US authorities tried (and failed) to ensure that all electronic devices had a secret backdoor, while the Snowden revelations in 2013 pressured internet companies to offer end-to-end encryption for their users’ communications, which would make them unreadable by security services or by the tech companies themselves. The result was something of a stalemate between tech companies facilitating unreadable communications and law enforcement and security agencies unable to access the evidence to which they were legitimately entitled.
In August, Apple opened a crack in the industry’s armor, announcing it would add new features to its iOS operating system designed to tackle the sexual exploitation of children and the distribution of images of abuse. The most controversial measure scans the photos on an iPhone, compares them with a database of known child sexual abuse material (CSAM), and notifies Apple if a match is found. The technology is known as client-side scanning, or CSS.
Powerful forces within government and the tech industry are now pushing for CSS to become mandatory on all smartphones. Their argument is that instead of weakening encryption or providing law enforcement with backdoor keys, CSS would allow scanning of data on the device in the clear (i.e. before it is encrypted by an application such as WhatsApp or iMessage). If targeted information was detected, its existence and, possibly, its source would be revealed to the agencies; otherwise, little or no information would leave the client device.
CSS evangelists claim it’s a win-win proposition: providing a solution to the encryption versus public safety debate by offering privacy (end-to-end encryption unimpeded) and the ability to successfully investigate serious crimes. What’s not to like? A lot, says an academic article by some of the world’s foremost computer security experts, published last week.
The aim of the CSS lobbying is for the scanning software to be installed on all smartphones, rather than being installed clandestinely on the devices of suspects or by court order on those of ex-offenders. Such universal deployment would threaten the safety of law-abiding citizens as well as offenders. And while CSS still allows end-to-end encryption, this is irrelevant if the message has already been scanned for targeted content before being sent. Likewise, while Apple’s implementation of the technology simply searches for images, it doesn’t take much to imagine political regimes searching text for names, memes, political opinions, etc.
In reality, CSS is a technology for what in the security world is called “mass interception”. Because it would give government agencies access to private content, it should really be treated as wiretapping and regulated accordingly. And in jurisdictions where mass interception is already prohibited, mass CSS should also be prohibited.
From a longer-term perspective on the evolution of digital technology, however, CSS is just the latest step in the inexorable intrusion of surveillance devices into our lives. The trend that started with reading our emails, and moved on to recording our searches and browsing paths, exploring our online business to create profiles for targeting advertising at us, and using facial recognition to let us into our offices, now continues by entering the home with “smart” devices relaying everything to motherships in the “cloud” and, if CSS were to be sanctioned, entering directly into our pockets and purses. There is only one barrier left: the human skull. But, rest assured, Elon Musk undoubtedly has a plan for that too.
What I read
Wheels in wheels
I’m not an indoor cyclist but if I were, The Counterintuitive Mechanics of Peloton Addiction, a confessional blog post by Anne Helen Petersen, might give me pause.
Get out of here
The Last Days of Intervention is a long and thoughtful essay in Foreign Affairs by Rory Stewart, one of the few British politicians who has always spoken of Afghanistan with common sense.
Whistling on Facebook is only the first step is a bracing piece by Maria Farrell in the Conversationalist on the Facebook whistleblower.