Conor Friedersdorf Takes the Bait on Encryption

Over at the Atlantic, Conor Friedersdorf has taken my bait on encryption. The other day, I proposed separating the end-to-end encryption discussion into two distinct questions: First, we should ask whether a world of end-to-end strong encryption, in which whole categories of surveillance are impossible, is a desirable outcome. Then, second, we should ask whether the costs of retaining the possibility of surveillance are too high in security and privacy terms. On the first question, I wrote the following:

Conceptually speaking, I am with Comey on this question—and the matter does not seem to me an especially close call. The belief in principle in creating a giant world-wide network on which surveillance is technically impossible is really an argument for the creation of the world's largest ungoverned space. I understand why techno-anarchists find this idea so appealing. I can't imagine for moment, however, why anyone else would.

Consider the comparable argument in physical space: the creation of a city in which authorities are entirely dependent on citizen reporting of bad conduct but have no direct visibility onto what happens on the streets and no ability to conduct search warrants (even with court orders) or to patrol parks or street corners. Would you want to live in that city? The idea that ungoverned spaces really suck is not controversial when you're talking about Yemen or Somalia. I see nothing more attractive about the creation of a worldwide architecture in which it is technically impossible to intercept and read ISIS communications with followers or to follow child predators into chatrooms where they go after kids.

I separated this question precisely because I think it's important in the encryption discussion to smoke out the in-principle libertarianism that asserts some deep-seated right to encrypted communication and distinguish it from the practical concerns that worry that the costs of retaining law enforcement access is too high relative to the benefits. The former is an ideological position to which facts and technological possibility are irrelevant. The latter is one that might be highly responsive to technological development. 

Friedersdorf, as I knew someone would, has taken me up on the principled challenge:

The problem lies in the limits of his analogy.

In an ungoverned territory like Somalia, bad actors can take violent physical actions with impunity–say, seizing a cargo ship, killing the captain, and taking hostages. If authorities were similarly helpless on America’s streets–if gangs could rob or murder pedestrians as they pleased, and police couldn’t see or do a thing–that would, indeed, be dystopian. But when communications are encrypted, the “ungoverned territory” does not encompass actions, violent or otherwise, just thoughts and their expression.

No harm is done within the encrypted space.

To be sure, plots planned inside that space can do terrible damage in the real world–but so can plots hatched by gang members on public streets whispering into one another’s ears, or Tony Soprano out on his boat, having swept it for FBI bugs.

I wonder what Wittes would make of a different analogy.

In the absence of end-to-end encryption–indeed, even if it becomes a universally available tool–the largest ungoverned space in the world won’t be Somalia or the Internet, but the aggregate space between the ears of every human being on planet earth.  

No authority figure can see into my brain, or the brain of Chinese human-rights activist Liu Xiaobo, or the brains of ISIS terrorists, or the brains of Black Lives Matter protestors, or the brains of child pornographers, or the brains of Tea Partiers or progressive activists or whoever it is that champions your political ideals. If government had access to all of our thoughts, events from the American Revolution to the 9/11 terrorist attacks would’ve been impossible. Reflecting on this vast “ungoverned territory,” does Wittes still regard as uncontroversial the notion that  “ungoverned spaces really suck”? More to the point, if it’s ever technically possible, would he prefer a world in which government is afforded a “backdoor” into my brain, yours, and those of the next Osama bin Laden, MLK, and Dylann Storm Roof?

Friedersdorf puts forward two ideas in these paragraphs, both of them underdeveloped and worth exploring.

The first is his idea that cyberspace involves a neat division between thought and action—that is, that you can encrypt thought and expression, but you cannot encrypt deeds. So an ungoverned space consisting of encrypted communications is fundamentally unlike the ungoverned space of Somalia, because you have to step outside of it in order to do any actual harm. And once you're in the real world, you can be investigated and captured.

As a preliminary matter, it is worth noting that Friedersdorf here is dead wrong in his empirical assertion. Code—including malware—involves not the expression of ideas but making computers, and sometimes things other than computers, dothings, can be sent using encrypted channels. Stolen intellectual property is routinely exfiltrated in Friedersdorf's words "within the encrypted space." Child pornography is moved around the world and stored using encryption. Illicit transactions are conducted routinely online. Money can be stolen online (think about someone breaking into your Paypal account). The problem of cybersecurity would be a rather easy one were Friedersdorf correct that "the 'ungoverned territory' does not encompass actions, violent or otherwise, just thoughts and their expression."

It is true, so far anyway, that the realm of violent action normally involves recourse to the kinetic world. But that is growing less true by the day. Drones, after all, are operated remotely using communications channels. In our book on The Future of Violence, Gabby and I describe "sextortion" cases that amount to a sort of online coerced sexual activity that takes place entirely remotely. Friedersdorf sounds very 20th Century when he suggests that you can't do someone any real harm without stepping into the "real world."

But let's assume for a moment that he is correct—that the online world is a world of ideas, thought, and communication only. Does it follow conceptually that we should be comfortable with its being unsurveillable? Certain communications, after all, involve commands between people ("Shoot that guy") or conspiracies between people ("Let's blow up the Congress of the United States, okay?"). A conspiracy, after all, is an agreement (communication) between two or more people, plus an overt act. Even if we accept that the overt act cannot take place by means of an encrypted channel, the agreement certainly can and increasingly does. We did not accept about telecommunications that because the vast majority of phone calls are innocent and many of them are sensitive and one cannot do violence over the phone that we should make telephone surveillance technically impossible. Even assuming Friedersdorf's erroneous premise, why should we aim conceptually to create a worldwide telecommunications infrastructure in which terrorists, hackers, and child pornographers are as secure as dissidents and democratic citizens? To be clear, I understand why cybersecurity needs may require us to accept this outcome in practical terms. I fail, however, to understand why we should aspire to it.

This brings me to Friedersdorf's rather interesting effort to turn the tables and offer a hypothetical world of his own: "In the absence of end-to-end encryption—indeed, even if it becomes a universally available tool—the largest ungoverned space in the world won’t be Somalia or the Internet, but the aggregate space between the ears of every human being on planet earth." Friedersdorf means this as a dystopian vision, but it is quite literally the world we have always lived in. Communications of all types have always been possible to surveil. Have a private conversation with someone; someone else may be listening unbeknownst to either party. Write a letter; it can be intercepted and read. Use a code; it can be broken. Talk on the phone; you might be wiretapped. The innovation here lies not in the idea of the possibility of interception; it lies, rather, in the idea of the impossibility of decryption, in the notion of a norm of almost-perfectly secure communications.

As such, Friedersdorf's suggestion that I am pushing ever further into people's heads is a little bit mischievous. The insides of our heads, after all, are truly the arena of pure ideas (you cannot think an act of violence) and, as such, are unregulated. And the question before us is not whether that zone of impunity will shrink. The question, rather, is how much it will grow and whether we will for the first time contemplate a global information infrastructure that is in many instances (but for the possibility of betrayal by a communications partner) as secure as that space between our ears. There are, as I have discussed, practical reasons why we might have to extend the zone of impunity for the first time beyond the individual's head. But we should not underestimate the gravity of that step or kid ourselves that it will be without big consequences.