Six Lines

Encryption isn't Even a Luxury

Posted by Aaron Massey on 31 Mar 2016.

There’s a piece in the Atlantic on encryption titled “Encryption Is a Luxury” that’s worth reading, but I don’t think the author is quite pessimistic enough. The premise of the article is essentially that Android phones, which are sometimes a tenth of the cost of Apple’s iPhones, have comparably terrible encryption practices and tend to be owned by people who cannot afford iPhones. Thus, encryption is something only the wealthy can afford. As the subtitle puts it: “The people that most need privacy often can’t afford the smartphones that provide it.”

The problem with this article is that the kernel of truth inside it doesn’t live up to the title, or even the subtitle. The part of the article that’s accurately portrayed is that Android security measures is a wasteland, mostly because of its rather fragmented ecosystem. Even then, many of the default applications are poor when compared to iPhone’s defaults. The article cites messaging with end-to-end encryption as an example. All of this is both true and extremely important.

Unfortunately, even if you were to magically replace every single Android phone with a fully up-to-date iPhone with the latest and greatest security available, we still wouldn’t have the “Encryption” the author wishes we did. Yes, the average iPhone is more secure than the average Android phone in practice. But neither one is going to help against a determined attacker. Here’s how Matt Blaze puts it:

But the worst kept secret in computer security is that systems are far from secure. While we can build large scale software systems that seem to work, we can’t build them to reliably resist serious attack. That includes just about about everything in use today.

By setting up their article with the premise that the wealthy can afford security, they are presuming that what the wealthy are getting actually exists. The problem is that it doesn’t. At a fundamental level, we cannot actually secure software systems reliably. This is a variant of the black-or-white fallacy. What good is full disk encryption on a phone when it can be bypassed so easily? What good is end-to-end encryption when unencrypted copies are stored in the cloud? Spaf regularly compares end-to-end encryption to “arranging an armored car to deliver credit card information from someone living in a cardboard box to someone living on a park bench.” Maybe Apple isn’t living in a park bench, but they clearly have their work cut out for them.

The article is much more depressing than the author originally intended. The author’s intent was to “wake up bourgeoisie” to the struggles of those who cannot afford iPhones, but the reality is that the bourgeoisie aren’t even awake to their own inadequate security.