Earlier this week, I wrote about an effort to develop an encrypted email service that guaranteed its users privacy from the prying eyes of the NSA, and that had a user interface so easy to understand that a typical grandmother could figure out the technology. A subsequent piece took aim at a reader who harshly criticized the effort. Below is a response from another reader who also argues that tech folks should think twice before creating products that bestow anonymity on everybody.
As a fierce privacy advocate, a Wikileaks supporter, the owner and developer of a Bitcoin casino, and a refugee from the US who has lived abroad for 7 years following DHS and police intimidation (that stemmed from an anti-Bush farce I wrote and published online in 2006), I usually enjoy your articles and agree wholeheartedly with your opinions on Fourth Amendment and digital-privacy issues. Having said that, I think in this case you are fundamentally misunderstanding what Mr. Levison et al. are actually considering building, and the potential danger it poses to a teetering, reckless and tribally fragmented civilization on an overcrowded planet.
You make a great analogy about the opacity of our walls, vehicles and backpacks, but the parallel fails when you say that "with a warrant, criminals can be targeted." The whole idea behind Lavabit, Silent Circle and Levison's new open-source initiative is that even with a warrant, there is no information on users or their transmissions that the company could give to governments, even if it wanted to. That is well beyond the level of privacy that anyone had or expected unless they were using a private, offshore mail server, encrypting everything on the client side, and communicating only with trusted counterparts who had a similar setup.
It's in the terms of service of every service provider, and relatively common knowledge, that ISPs, mail hosts and webmail providers will cooperate to the extent of their ability with law enforcement upon request. Even a relatively dark-net technology like Bitcoin is ultimately traceable, as shown by the Silk Road investigation, if enough manpower is put into following a transaction to its source and ultimate destination, and if offshore exchanges are served with international or local warrants. This provides at least some small remedy for law enforcement with a specific target, while leaving the majority of transactions opaque without extensive resources being thrown at them.
The Snowden revelations obviously made clear that government requests for our communications have far exceeded the scope and scale that anyone wanted to believe. And clearly a state of affairs where a runaway government agency treats our electronic communications as their personal panopticon needs to be dealt with and halted on legal grounds. However, the protocol shift being proposed is one that explicitly leaves government with absolutely no options, legal or otherwise. The danger I see is that, unlike two people communicating in code over private mail servers, wherein both parties have to know and trust each other personally before being able to configure such a setup and trust that it's free of anyone playing man-in-the-middle, a broader spread of end-to-end encrypted dark social/mail networks would allow people who have no prior trust arrangement to discover each other, verify each other after the fact to limit infiltration, and exponentially multiply the number of incredibly dangerous schemes that could be concocted between dozens of conspirators with varying access levels and all the usual cellular-structure protections, only this time completely in the dark from day one. And that is a level of opacity that we have simply never enjoyed or even envisioned in the analog world.
In July, during the height of Snowden-mania, I actually started writing a piece of online software, including both anonymous P2P mail systems *and* privately configurable, free forums that would be encrypted and only decrypted client-side on a message-by-message basis based on multiple-pass encryption that included only public keys for readers or groups specified by the writer of each post. In other words, even the name of the forum is gibberish if its founder doesn't include the public key associated with your anonymous account. This is along the lines of Mr. Levison's proposal, where the company only holds public keys of completely anonymous mail users, but even more dangerous.
After a couple of months of developing the platform, I began having some long conversations with another expatriate developer friend, who is at least as much of a civil libertarian as I am, about the morality of building what I was building. Because it occurred to me that once it was out of the barn, it was going to be gone. And as in love as I was with the privacy and technical aspects and challenges and potentially revolutionary, dictatorship-smashing nature of the software, I was afraid I was losing sight of the incredible death and destruction that could be caused by what I was making—no matter how high-flown and democratic and individually liberating the ideals behind it. After a lot of soul-searching, I realized that I didn't want to be the one responsible for people dying, or a neo-fascist group plotting a sudden revolution, people mobbing abortion doctors or burning down churches or trading chemical precursors, or a dozen kids getting together to shoot up their school, or someone detonating a bomb. Or God-knows-what-else.
Yes, I optimistically believed that the secure structure I'd build would be proof that in the end, democratic, human-rights, anti-violence, anti-war activists would win by their overwhelming numbers and the basic goodness of humanity—in an all-out free-market war between secret conspiracies—a very American and naïve hope, maybe, but one that I still have. But the truth was that I wasn't personally willing to shoulder the burden of all the battles the "bad guys" might win along the way, or even a single injury that might result from it. Because my own atheist, anarchist conscience couldn't live with that.
And so I shut down the project last month.
So in sum, I think there's a little bit that has to be left for the government when we talk about building easy-to-use, widespread technology that enables relatively unsophisticated but potentially very dangerous people to conduct all their actions in the dark, without any restraints whatsoever. And I don't think I'm making any effort to stigmatize or downplay the urgent need for more privacy by saying so. What we need are government agencies that are responsible to citizens and act within the law; the abolition of secret courts and tribunals; and the ratcheting-down of the spy state. I think even Snowden would acknowledge that this has to be the primary goal. The question of whether to support the building of totally opaque, black-box systems is a personal one, but not one to be undertaken without a good look at one's own conscience. I personally didn't have a "road to Damascus" epiphany, so much as a nagging doubt and a good look at my own motivations for being the one responsible for providing such a service to the world.
I'd like to open this one up for discussion. I'm not sure I understand why this technology would protect terrorist groups from infiltrators, but perhaps that is my failure. It also seems to me that the most sophisticated, well-funded, most dangerous criminal groups will figure out how to encrypt anyway, and non-criminals will be the main beneficiaries. But what I'd really love—in addition to hearing from people by email and in comments—is a response from Ladar Levison. I'll see if I can make that happen.