Once upon a time…
I touched on this story in my article, Firefox Configuration Guide for Privacy Freaks and Performance Buffs, but i wanted to give it a dedicated page and expand on it because i keep coming across bits of information which seem to verify something i was told that is rather disturbing.
So i once sold a PC to a guy who said he had worked for the government either directly or as a contractor, i don’t recall which and he didn’t state which department he worked for. He said he had a security clearance and, as i recall, it was a crypto clearance. He left me with the strong impression that he wasn’t going to provide a lot of detail as to what exactly he did, however i had no reason to disbelieve anything he said since he seemed genuine and very matter-of-fact. Our time together was short because he had to be somewhere else, but we chatted a while and he touched upon some extremely interesting topics that i wanted to know more about and so i suggested that we continue our conversation through encrypted email. He looked at me and responded with a three word reply that stuck with me ever since: “Encryption is useless.”
Obviously encryption is not useless, but i think what he meant by that statement was that, whatever government department or agency he worked for, they had the ability to break whatever encryption existed at that time. While i was somewhat skeptical about his statement back then in 2003 or so, that skepticism has since evaporated. First of all we have to consider the computing power that the “intelligence” communities have access to. Let’s assume that you’re encrypting an email using some supposedly highly secure encryption technique along with a very long and secure passphrase, and let’s further assume that it would take roughly 10,000 years for the average computer to break it. Would you feel confident using such encryption? Well, what happens if that code breaking computer is 10,000 times more powerful than yours? And what if you chain together 1,000 of those computers? Breaking that encryption might now take just a few hours. Does the government not have access to computers that are orders of magnitude more powerful than anything the general public has? And what might they have that we don’t know about?
Whether encryption is useless or not depends entirely upon the threat that we want to mitigate, i think. For example, if you wanted to download copyrighted content and protect yourself from having your ISP monitor your internet traffic and send you nasty-grams, then encryption is certainly not useless. However given what i have read and heard over the years, i strongly suspect that encryption is not effective if it is, for example, the NSA that decides to target you and i think that multiple statements and documents released by Edward Snowden verify that. There is perhaps another possibility here though. What if, as some suspect, Snowden was allowed to leak what he did, sort of as a limited hangout? Personally i think Snowden is genuine, but that doesn’t necessarily mean that the information in the documents he released wasn’t intended to be released. What if the U.S. intelligence community wanted to quell a potential uprising by we the people? It is apparently a historic fact that one way to accomplish that is to make people think that they are being surveilled which, in turn, compromises their ability to communicate. While i think we can be reasonably certain that everything we say or do on-line, or while in the presence of a smartphone, can be spied upon and stored indefinitely, how does one process such a vast amount of data? Snowden also raises this question and states that the massive, ongoing and patently illegal and unconstitutional data collection practices as employed by intelligence communities are not effective in preventing threats because of their scope. Even with the aid of software, there is still simply too much data to sift through according to what Snowden and others have said and therefore the tiny fraction of it that is relevant to you personally kind of gets lost in the cloud as long as you don’t wind up on some watch list.
In closing i would say that it doesn’t matter if the threat is real or not, or whether strong encryption can be broken or not. Since we simply cannot know for certain in all instances, we must assume the threats are credible, however i do not wish to scare people unnecessarily. I think that activists, journalists, whistle-blowers and everyone else should never be dissuaded from communicating, however i also think we need to at least be aware of the threats.
Oh, and by the way, if you ever do receive a copyright notice from your ISP, ignore it and do not acknowledge that you were sent one. If they really intend to prosecute, don’t worry, they will contact you again. Don’t fall into the trap of admitting something which can later be used to prosecute you. If you want some more info along those lines, read my article, Dealing With The Fuzz.