I have so far restrained myself from using this blog to rant or spew my opinions. However, with my amateur interest in cryptography, and my not-so-amateur interest in liberty and freedom, the news about US spying has piqued my interest. I want to talk about a point I think a lot of people are missing. Read on at your own risk.
The NSA and Edward Snowden have been all over the news lately and sparked a million online responses, so I don’t expect to say anything novel about the situation. I’m sure somebody has said or at least thought the same idea I’d like to express. I’m not interested in the legality of the NSA’s actions, or the legality of Snowden’s actions. I doubt I’ll convince anybody to change his/her mind about whether the NSA should be spying, about the war on terror in general, or about what to do with Snowden if he’s ever caught. What does make me curious and confused is the reaction that the entire situation is no big deal if you have nothing to hide.
It is not a new idea to me or many people that we are all breaking some law at any given time. With as many laws as we have in the United States, with their vast complexity, and vague wording, we are all inevitably doing something illegal. The most concise articulation of this idea I’ve found was made by Moxie Marlinspike. He makes the additional point that we should have something to hide. If we are all breaking the law then the only thing that separates the average man from the terrorist is severity. In the eyes of the law enforcers, none of us are “law abiding citizens”. We are all on a spectrum, from the guy with the small lobster, to use Moxie’s example, on one end, to the person who will commit the next ghastly terrorist attack on the other end.
Internet and electronic security and privacy measures also lie on a spectrum. There is no absolute “safe” or “unsafe” state. Most of us think of internet security in terms of hackers or identity thieves. We may or may not take steps to protect ourselves from these threats. If you read enough security-related blogs (or LifeHacker posts), you begin to realize the myriad of ways to protect yourself: you can create elaborate email passwords, or encrypt your Dropbox files, or password protect your phone, or limit using open Wi-Fi connections. The list is endless, each requiring increased effort and providing an increase in internet security/privacy. The distilled advice of most security discussions is that you can never be absolutely protected, and the best option is to adopt enough privacy techniques so that you are not the “low hanging fruit” for identity thieves. The key point is that the cumulative steps you implement put you on a spectrum with the rest of us, with your grandma, whose email password is “password”, on one end, to the tinfoil hat guy who uses PGP to encrypt his grocery list on the other end of the spectrum.
I would suggest that maintaining your security/privacy from the government is also part of this spectrum. Most of the techniques to protect yourself from the government are the same as protecting yourself from identity thieves. Alongside regular citizens, we can place terrorists on this privacy spectrum too. Some not-so-bright terrorists might get placed in the middle, exposing themselves to being surveilled and ultimately caught. Some of the more cunning terrorists would be placed toward the “extremely well protected” end of the spectrum.
Anti-privacy terrorist-fighting technology evolves just like every other technology. Small incremental improvements happen over time as engineers and scientists develop new techniques and research new ideas. Anti-privacy technology isn’t going to jump from cracking the Germans’ Enigma device in the 1940s to cracking PGP or AES in the future without many small improvements along the way. While we can only speculate on the details of the NSA’s PRISM program, I would wager that PRISM is one of these less-technologically advanced techniques. In addition to its incrementally-improving nature, anti-privacy technology is always reactive. It is forever responding to advancements in privacy technology. As such, anyone on the bleeding edge of privacy technology will be forever out of reach of anti-privacy technology.
Terrorists and counter-terrorists respond to incentives that drive their behavior, the same way we all respond to incentives. The negative incentives of incarceration and mission failure encourage terrorists to evade detection by operating near the bleeding edge of privacy technology. Similarly, the incentive to maintain their agency’s budget and position incentivizes counter-terrorists to show measurable results that they are successfully thwarting terrorists.
All of these points combine to form an inevitable situation. Of all people, terrorists have one of the greatest incentives to use cutting-edge privacy technology. Anti-privacy technology will never be able to circumvent the newest privacy technology. These two facts combine to make the anti-terrorist organizations’ goal of catching terrorists nearly impossible. When the anti-terrorists fail to apprehend the most severe terrorists, they will be incentivized to produce results in other ways. Recently the FBI has been accused of entrapping “mentally ill or economically-desperate” people, resulting in mostly ancillary charges like lying to the FBI. This is the direct reaction to a need to “show results”.
This brings me back to John Q. “I have nothing to hide” Public. By acting like you have nothing to hide and thinking that you certainly won’t be a target of the spying, you actually make it easier for anti-terrorist organizations to target you. You move down the security spectrum to become the “low hanging fruit”. It’s the perfect combination of bad news. First, anti-terrorist organizations need to catch someone. Second, the few (if any) techniques/technologies you use to maintain your privacy put you in the group of people “accessible” by today’s anti-privacy technology. Third, you are certainly doing something illegal. It’s only a matter of time before we hear about somebody’s grandma being prosecuted for her involvement in an illegal-lobster-smuggling terrorist group with evidence gained from her compromised Hotmail account.
You don’t have to be paranoid to see how maintaining your internet/electronic privacy can protect you from unscrupulous individuals and governments alike.