Encryption Alone Doesn't Protect Privacy
Posted by Aaron Massey on 14 Aug 2013.
Matt Might is a professional hero of mine. He’s a prolific blogger and a successful academic, and I admire his work greatly. In particular, I’m a big fan of his 12 resolutions for programmers. Sometimes this is exactly the sort of thing that someone needs to help them change things for the better.
Unfortunately, Might’s recent post is exactly the sort of thing that annoys me about technologists and their views of privacy and security. Actually, it’s not even the entire post that annoys me; it’s the framing for the post. Consider his introduction:
Encryption makes privacy a right that can be claimed rather than granted.
Plenty of others have weighed in on the merits of encryption and its importance in modern times.
I won’t weigh in further.
Pithy? Yes. Accurate? Sort of. Misleading? Absolutely.
There’s a saying that the Eskimos have a plethora of words for snow because the differences for them are more meaningful and apparent than for, say, the average American.[1] I would like to suggest that privacy is a concept for which we simply may not have enough words. There are many kinds of privacy, and some conceptions of it are more meaningful than others.
Does encryption protect privacy? Yes, for some definitions of privacy. Might recommends using GnuPG. I do too. It’s a great tool, and I use it myself. However, it won’t protect your privacy, at least not for some rather meaningful conceptions of privacy. It can protect the content of your communications, but it’s not going to do anything about the associated metadata like who you were talking to and when you sent those emails. Unfortunately, if you’re using email, then you’re going to have to provide a recipient and you’re going to have to send it at some point.[2]
The differentiation between the protections encryption can provide and the broader societal understanding of privacy is an important one to make,[3] particularly with the recent NSA revelations. One claim raised by proponents of the NSA’s system is that it’s only collecting metadata and not the contents of the communications. Matt Blaze argues persuasively that metadata collection may be more important than content collection. You don’t have to know what email address A and email address B are talking about; a log of who wrote to whom tells you whether or not they operate in the same circles. If they are emailing one another or even the same network of addresses, then you can draw some valuable conclusions about their communications. More importantly, using GnuPG to encrypt email won’t protect either individual from this sort of collection.
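To make the metadata point concrete, here is a small added illustration (my own, not code from Massey’s post or from GnuPG): three constructed messages whose bodies are opaque placeholder PGP armor, parsed with Python’s standard email module. The bodies tell you nothing, yet the headers alone yield a contact graph, the set of correspondents A and B share, and a timeline of who wrote to whom and when. The addresses, dates and armor text are all made up for the example.

```python
"""What the envelope still reveals when the body is encrypted.

Added illustration: the ciphertext hides what A and B said, but the From,
To and Date headers, which must stay in the clear for delivery, still say
who talked to whom and when. Every message below is constructed for this
example; the addresses are placeholders and the PGP armor is not real
ciphertext.
"""
from collections import defaultdict
from email import message_from_string

# Constructed sample messages. The body is a placeholder PGP block standing
# in for GnuPG output; only the headers matter for what follows.
RAW_MESSAGES = [
    """From: a@example.org
To: b@example.org
Date: Mon, 12 Aug 2013 09:15:00 +0000
Subject: (encrypted)

-----BEGIN PGP MESSAGE-----
hQEMA...placeholder...
-----END PGP MESSAGE-----
""",
    """From: b@example.org
To: c@example.org
Date: Mon, 12 Aug 2013 10:02:00 +0000
Subject: (encrypted)

-----BEGIN PGP MESSAGE-----
hQEMA...placeholder...
-----END PGP MESSAGE-----
""",
    """From: a@example.org
To: c@example.org, d@example.org
Date: Tue, 13 Aug 2013 18:40:00 +0000
Subject: (encrypted)

-----BEGIN PGP MESSAGE-----
hQEMA...placeholder...
-----END PGP MESSAGE-----
""",
]


def body_is_opaque(raw):
    """True when the body is PGP armor: the content is protected, the headers are not."""
    msg = message_from_string(raw)
    return msg.get_payload().strip().startswith("-----BEGIN PGP MESSAGE-----")


def parse_envelope(raw):
    """Return (sender, [recipients], date) taken purely from unencrypted headers."""
    msg = message_from_string(raw)
    sender = msg["From"].strip()
    recipients = [r.strip() for r in msg["To"].split(",")]
    return sender, recipients, msg["Date"]


def contact_graph(raws):
    """Map each address to the set of addresses it exchanged mail with."""
    graph = defaultdict(set)
    for raw in raws:
        sender, recipients, _ = parse_envelope(raw)
        for r in recipients:
            graph[sender].add(r)
            graph[r].add(sender)
    return graph


def shared_contacts(graph, x, y):
    """Addresses both x and y corresponded with: the 'same network of addresses'."""
    return sorted((graph[x] & graph[y]) - {x, y})


def timeline(raws):
    """Who wrote to whom and when, with no knowledge of any message's content."""
    return [(date, sender, tuple(recipients))
            for sender, recipients, date in map(parse_envelope, raws)]


if __name__ == "__main__":
    assert all(body_is_opaque(m) for m in RAW_MESSAGES)
    g = contact_graph(RAW_MESSAGES)
    print("a and b correspond directly:", "b@example.org" in g["a@example.org"])
    print("a and b share:", shared_contacts(g, "a@example.org", "b@example.org"))
    for entry in timeline(RAW_MESSAGES):
        print(*entry)
```

Nothing in the script decrypts anything, which is the point: the inferences are available to whoever can see the envelope, whether the body is encrypted with GnuPG or not.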
Email is not the only technology where this argument applies. Encryption alone doesn’t protect your privacy or ensure your security. Privacy and security are fundamentally not technology problems; they are societal problems. They existed long before computers were invented, and they will continue to be problematic long after whatever comes next. We need technologies that help us mitigate privacy and security problems, and the tools that Might recommends can be powerful mitigations. They are, however, not solutions by themselves.
I sympathize with people who want to make the distinction as clearly as Might tries to in his post.[4] Unfortunately, ‘privacy’ cannot be protected with reductionistic thinking. Using encryption is good, but it’s not a panacea. The NSA can still learn a great deal about you, even if you used every tool mentioned in Might’s post. Perhaps more importantly, encryption does not “make privacy a right that can be claimed rather than granted.” It’s misleading to think of privacy as a right to be claimed[5] through the conscientious use of certain technologies. It’s probably also misleading to think of ‘privacy’ as a right simply because no one seems to know what it means. Privacy is a fundamentally holistic concept that cannot be protected by a finite set of tools or technologies alone.
[3] It is also a differentiation that computer science academics have not made particularly well. Look at the past proceedings for the IEEE Symposium on Security and Privacy. There’s a clear focus on formal proofs for and algorithmic verification of privacy. Basically, S&P traditionally equates privacy with encryption or the protections it provides. People who work on usable privacy and security, privacy (or security) as a part of software engineering, or privacy and regulatory compliance tend to publish elsewhere. I don’t believe these communities should be this separated.
[4] And I hate disagreeing with someone I admire, but I suppose that’s what you get for voicing an opinion on the Internet. Matt, if you’re reading this, keep doing what you do.
[5] Thinking of privacy as a right may be particularly misleading in the United States, where the assumption generally goes the other way around. If the government wants to do something to you, they usually have the burden of proving their case to be rational rather than you having to “claim your rights.” Of course, this became much more complicated with the Katz decision.