The Impossibility of a Modern Crypto Ban

A while ago, a commenter on my article (about Snowden believing the best way to fight surveillance is technology, not policy) asked: couldn’t the government simply ban cryptography? Make encrypting your messages illegal? Fortunately for us, the answer is no – absolutely not.

But why not? It seems simple enough. After all, it isn’t that hard to tell if somebody is using encryption or not. However, it isn’t so simple.

The government aren’t the only ones stopped by our cryptography. In fact, in bringing encryption to the internet, that wasn’t even our intention. Encryption was there to stop hackers, tricksters on the internet who would steal your personal data, manipulate your communications, and generally cause mayhem – for profit or for the lulz.

Regardless of what the government wants, we’re still going to need OpenSSL for that reason. OpenSSL, which provides security for HTTPS, is the main barrier preventing people from sniffing our passwords or impersonating the sites we like to visit. Banning OpenSSL from the internet would be a disaster, both to implement and for all the people who would have to abide by it. You would no longer be able to bank securely on the internet. You wouldn’t know if you were connecting to the right server or not. You wouldn’t know if your passwords were being sniffed over the wire.

In that same vein, more ‘local’ things like secure WiFi, encrypted file packages, full disk encryption, etc., couldn’t be banned in the literal sense. Such a ban would be impossible to enforce – not to mention dangerous for business.

What would be far, far more likely is for the government to ban using cryptography to prevent revealing secrets to them, making it a crime to do so (essentially, this would be a charge to stick on all resistant suspects). While this would questionably be a violation of the 5th Amendment, they’d be far more likely to get away with it than with a full-on cryptography ban. In fact, you wouldn’t even need the legislature to do this: a Supreme Court case could conceivably make the use of encryption in some cases espionage or obstruction of justice.

This would also give them an excuse to put ‘compliance’ backdoors into common infrastructure. Common phones, encrypted mail services, etc., would be given backdoors for law enforcement – as the companies who manage said services would not want to be charged with using cryptography against the State. Open-source software, with no business behind it that can be held liable, will remain backdoor-free… or so far as we know.

In other words, what is already happening.

After all, it wasn’t so long ago that iPhone backdoors were a touchy subject on the internet. Could the feds make another attempt? Conceivably. But what would that mean for us?

Though it may get harder for us, I’d bet good money there is going to be no crypto ban. The closest we’ll get is a regulated IoT (Internet of Things devices being regulated for ‘higher security’), and more laws preventing people from using cryptography to protect themselves against law enforcement.

But neither of those things will help the NSA’s mass data collection.

After all, though not perfect, isn’t forcing the government to get a warrant for our stuff what we wanted in the first place? Even if the government adds consequences to using cryptography against them, they can’t remove it because of personal security concerns and for practical reasons. Who is gonna make every web server on the internet stop using TLS? What about SSH?

Such legislation involving a full-on ban of cryptography is unlikely to pass. Despite having no particular care for us, Congress isn’t going to sign off on making the US a ripe target for cyberattacks (which is already becoming popular rhetoric for use by both ‘sides’).

Meanwhile, using your cryptography to thwart NSA mass surveillance is always going to be legal. Because right behind the NSA are other governments, and right behind the other governments are hackers and script kiddies looking to profit and lol off of anything vulnerable.

…so I’m not worried. Not that worried, anyway.

