Most People Don't Care About Cryptography, and That's a Problemby@davidecarmeci
882 reads
882 reads

Most People Don't Care About Cryptography, and That's a Problem

by Davide CarmeciDecember 9th, 2023
Read on Terminal Reader
Read this story w/o Javascript

Too Long; Didn't Read

This article delves into the critical yet often overlooked importance of cryptography in our digital lives. It discusses how platforms like Signal, WhatsApp, and Telegram differ in their use of encryption, the impact of government regulations on privacy, and the significant role cryptography played in the Panama Papers. The piece emphasizes the need for public understanding of cryptographic principles to protect digital privacy and security, offering resources for all skill levels to become more cryptography-savvy. The author advocates for informed digital citizenship in the face of increasing privacy threats and legislative challenges.
featured image - Most People Don't Care About Cryptography, and That's a Problem
Davide Carmeci HackerNoon profile picture

In 2016, when I began advocating for a switch from WhatsApp and Telegram to Signal in conversations with colleagues, friends, and family, I made a startling discovery: the vast majority of people, especially those outside the cybersecurity field, seemed largely indifferent to the crucial role of cryptography in our everyday lives. This apathy was particularly pronounced during discussions about Facebook's plans to integrate its messaging platforms with WhatsApp.

The concern here stems from the different approaches to privacy and security adopted by these platforms despite them utilizing the same end-to-end encryption protocol developed by Open Whisper Systems. WhatsApp, operating under Facebook, has been scrutinized for its potential use of metadata, raising questions about user privacy. On the other hand, Signal's open-source nature and minimal data collection practices are generally perceived as more secure and private, underscoring its commitment to user privacy.

Telegram, another popular messaging app, offers end-to-end encryption only in its 'Secret Chats' feature and not in regular chats or group chats. This critical distinction is important for users to understand when selecting a messaging platform based on their privacy needs.

This scenario underscores a broader issue: the public's lack of awareness about the critical importance of robust cryptographic practices in safeguarding our digital interactions. It seems that many fail to recognize that cryptography forms the bedrock of our online communications, whether it's for personal conversations, financial transactions, or sensitive data sharing. As I engaged more in these discussions, it became clear that a fundamental understanding of how our data is protected—or possibly exposed—is vital due to our increasing reliance on digital platforms.

If you are contemplating a switch from WhatsApp to Signal or wondering about Telegram's position in this context, a comprehensive comparison of these platforms is available in this article on CyberNews. This piece thoughtfully explains the nuanced differences in how these apps manage end-to-end encryption and user data, highlighting the intricacies of cryptography in everyday use.

Cryptography ignorance is a bliss for Government regulators

In the halls of the European Union, a bill has sparked significant debate with its aim to weaken end-to-end encryption, ostensibly to combat child sexual abuse. Despite some good intentions, this legislative effort is mired in controversy due to its potential impact on the privacy rights of EU citizens. A detailed analysis by Riana Pfefferkorn at Stanford's Center for Internet and Society, available here, delves into the complexities of this issue. The EU's draft Child Sex Abuse Regulation suggests that online service providers proactively scan their services, including private communications, for abusive material, a major shift from current laws that allow for voluntary detection.

This proposal has triggered dissent among EU member states, underscoring the tension between child protection and the rights of over 447 million EU citizens. The bill's approach to end-to-end encryption, a cornerstone of digital privacy and security, has raised significant legal and technical concerns. End-to-end encryption safeguards communications from external surveillance, but poses challenges for law enforcement in detecting illegal activities. The ongoing debate in the EU highlights how a lack of public understanding of cryptography can be exploited by regulators. Policies lacking a comprehensive grasp of encryption and its implications risk inadvertently undermining the foundational principles of privacy and security. An informed discussion, considering both the technical realities of encryption and the legal frameworks governing digital rights, is essential.

In Australia, the government has passed an unprecedented law that poses a significant threat to global privacy. Known as the TOLA Act, this 2018 legislation compels tech companies to provide Australian authorities with access to encrypted messages, essentially mandating the creation of backdoors. Despite a recent review proposing additional safeguards and oversight mechanisms, the law's core mandate, particularly regarding access to encrypted communications, remains largely intact. This move has serious implications, as it not only compromises the security of communications within Australia but also sets a dangerous precedent globally. The law's broad scope and potential for misuse raise significant concerns among privacy advocates and security experts. More details about this concerning development, including the recent review's findings, can be found in this article by the Foundation for Economic Education.

Similarly, the United Kingdom is on the cusp of adopting policies that could significantly weaken encryption worldwide. The Online Safety Bill, ostensibly designed to enhance online safety, paradoxically risks making individuals less secure online. The recently passed bill mandates that tech companies weaken their encryption services, potentially exposing users to increased cyberattacks and privacy violations. The far-reaching implications of these legislative actions are explored in greater depth by the Electronic Frontier Foundation and The Conversation.

Panama Papers and the Value of Cryptography in Journalism and Advocacy

The Panama Papers were a groundbreaking revelation in the world of investigative journalism, showcasing the transformative power of encryption in the fight against global corruption. In 2016, over 11.5 million documents were leaked from Mossack Fonseca, the world's fourth-largest offshore law firm, uncovering the intricate financial dealings of the elite. The leak revealed the identities of individuals and entities involved in potentially illicit activities across more than 214,000 offshore companies. Encryption was crucial in this process, as it protected the identity of the whistleblower, known as "John Doe," and ensured the secure and confidential transmission of this sensitive data. This case demonstrated how strong encryption is not only a technical tool but a fundamental enabler of privacy, democratic principles, and journalistic integrity.

In an era where digital security and privacy are increasingly under threat, the story of the Panama Papers serves as a potent reminder of the essential role of encryption. Bastian Obermayer, the investigative journalist who brought the Panama Papers to light, emphasizes this in this article for Euroviews. He recounts how the insistence on strictly encrypted communication was a lifeline for the whistleblowers, enabling them to safely share information that would shake the world.

As Obermayer points out, without strong encryption, the risks to both the source and the journalists would have been exponentially greater. The investigation into the Panama Papers not only brought to light financial crimes and global corruption but also highlighted how encryption empowers individuals to challenge powerful entities and expose injustice. However, this crucial tool for maintaining privacy and enabling transparency is facing legislative challenges globally, from the UK's Online Safety Bill to the US's EARN IT Act and the EU's Child Sexual Abuse Regulation proposals.

Encryption, as Obermayer asserts, is a massive asset for democracy. It allows for private conversations, which are essential for a healthy public discourse and investigative journalism. The Panama Papers are a testament to the power of encryption in giving a voice to the voiceless and standing up against injustice. It's a narrative that emphasizes the need to not only understand but also to defend strong encryption – for it is in this technology that the strength of our democracies and the protection of our fundamental freedoms lie.

Cryptography 101: Public key cryptography (PKC) and the RSA algorithm

In the following paragraph, I will share a series of resources for people of different backgrounds interested in learning more about cryptography. However, the world would already be in a better place if most people had a basic understanding of two of the pillars of modern cryptography: public key cryptography (PKC) and the RSA Algorithm.

In 1976, Whitfield Diffie, Martin Hellman, and Ralph Merkle revolutionized electronic communication security by developing public key cryptography (PKC). This innovative method forms the cornerstone of modern secure communication, ensuring the confidentiality and integrity of our digital interactions.

Public and Private Keys: The Essence of PKC At the core of cryptographic security are two types of keys: private and public. These keys are essential to asymmetric encryption, a method where different keys are used for encrypting and decrypting messages.

  • Private Key: This key is confidential and exclusively known to the user. It's never shared and is used primarily for two purposes: decrypting data encrypted with the corresponding public key and signing digital documents to authenticate the sender's identity.
  • Public Key: Contrasting with the private key, the public key is openly shared and available to anyone. It is utilized to encrypt data that can only be decrypted by the matched private key, thus ensuring that only the intended recipient can access the transmitted information.

The RSA Algorithm: Building on PKC Principles The RSA algorithm, developed by Rivest, Shamir, and Adleman, is one of the first and most widely used public-key cryptographic algorithms. It builds upon the principles of PKC established by Diffie, Hellman, and Merkle. This algorithm is a fundamental technology behind many secure systems we depend on today, from HTTPS protocols on the internet to secure email communication.

  • Functionality: RSA functions by generating two large prime numbers in secret and multiplying them to produce a public number. The security of RSA hinges on the difficulty of factoring this large public number back into its prime components.
  • Use Cases: RSA is integral in various applications, including digital signatures, secure data transmission, and encryption of sensitive information. Its extensive use is a strong indicator of its effectiveness and security.
  • Challenges and Limitations: RSA, while robust, confronts challenges like increasing computational capabilities and the potential impact of quantum computing, underscoring the need for continuous development in cryptographic methods.

The Significance of PKC and RSA Understanding the basics of PKC and the RSA algorithm is crucial for anyone involved in cybersecurity or digital privacy. These concepts are practical tools safeguarding our digital lives, not merely theoretical ideas. Their comprehension clarifies much of the encryption we encounter daily and empowers us to make more informed decisions about our digital security.

Resources to Become Cryptography-Savvy

The journey to becoming a cryptography-savvy user is a path of continuous learning and engagement. Whether you're a novice with no technical background or someone looking to deepen existing knowledge, the world of cryptography offers an array of resources to explore. Here's a guide to help you navigate this journey, categorized for different levels of expertise.

For Beginners (No Technical Skills Required):

  1. "The Code Book" by Simon Singh: A comprehensive introduction to cryptography's history and principles.
  2. Khan Academy's Cryptography Course: A user-friendly online course covering the basics of cryptography.
  3. TED Talks on Cryptography: Engaging talks that make complex concepts in cryptography accessible.

Intermediate Level (Some Technical Background Helpful):

  1. "Cryptography: The Key to Digital Security, How It Works, and Why It Matters" by Keith Martin: Delves deeper into cryptographic principles and digital applications.
  2. Coursera's Cryptography Courses: Intermediate-level courses offering deeper insights into cryptography.

Advanced Level (Technical Skills Required):

  1. "Applied Cryptography" by Bruce Schneier: A classic text for those with a solid technical background. Find it on Amazon
  2. MIT OpenCourseWare's Cryptography and Cryptanalysis Courses: Challenging courses for an in-depth understanding of advanced topics.
  3. Cryptography Algorithms: A guide to algorithms in blockchain, quantum cryptography, zero-knowledge protocols, and homomorphic encryption" by Massimo Bertaccini: Build real-world cryptography knowledge and explore modern algorithms. This book is ideal for deepening your understanding of advanced cryptography concepts and applications.

Online Forums and Communities:

  1. Cryptology Subreddits and Online Forums: Engage with communities on Reddit for insights and discussions.
  2. GitHub Repositories: For practical understanding, explore projects related to cryptography on GitHub.

Staying Updated:

  1. Blogs and Newsletters: Keep up with the latest developments by following leading cryptography blogs (Bruce Schneier's Blog) and subscribing to newsletters.

Remember, becoming knowledgeable in cryptography is about more than just learning; it's about understanding its societal impact, advocating for digital rights, and ensuring security. Share your insights and learnings with your network to contribute to a more informed community.

How I Protect My Data

In my pursuit of digital privacy and security, I carefully select platforms renowned for their robust encryption and commitment to user privacy. However, I am acutely aware that in the dynamic world of technology, no solution is ever permanent. Changes in company ownership or philosophy can alter the landscape, requiring constant vigilance and readiness to adapt.

Signal for Instant Messaging: My primary choice for instant messaging is Signal. Praised for its end-to-end encryption, Signal ensures that my communications remain confidential. As an open-source platform, it undergoes regular scrutiny by the cybersecurity community, enhancing its trustworthiness. Signal's commitment to privacy is not just about robust technology; it's also about a philosophy that values user privacy above all else.

ProtonMail for Email Communications: For email, I rely on ProtonMail. Based in Switzerland, a country known for its strong privacy laws, ProtonMail offers end-to-end encrypted email services. This means that not even ProtonMail can access the contents of my emails, ensuring complete privacy. Their use of open-source encryption and their transparent operational policies align with my personal security requirements.

Exploring Decentralized Solutions: Beyond these platforms, I am also exploring decentralized solutions, particularly blockchain-based communication tools. Decentralization offers a unique advantage by removing the single point of control or failure, which is a vulnerability in centralized systems.

One such example is Status, a blockchain-based chat platform. Status operates on the Ethereum blockchain, providing not only messaging services but also a crypto wallet and a decentralized web browser. Its open-source and peer-to-peer protocol offers transparency and security, resonating with my approach to digital privacy. The platform's commitment to user sovereignty and data protection, free from corporate oversight or governmental interference, presents a promising alternative in the ever-changing digital landscape.

In conclusion, while platforms like Signal and ProtonMail currently meet my privacy and security needs, I remain open and attentive to the developments in decentralized solutions like Status. The digital world is in constant flux, and staying informed and flexible is key to ensuring the enduring safety and privacy of my data.

Understanding Cryptography: Protecting Your Privacy Rights

In this rapidly evolving digital age, the significance of cryptography extends far beyond the realms of specialized cybersecurity professionals. It touches the lives of every individual who interacts with the digital world. While becoming an expert in cryptography may not be feasible or necessary for everyone, having a fundamental understanding of its principles and implications is crucial. This knowledge empowers us to make informed decisions about our digital privacy and security and to critically assess the policies and technologies that govern our online interactions.

As we have explored, cryptography is not just a tool for safeguarding data; it's a cornerstone of our digital rights and freedoms. Whether it’s choosing secure communication platforms, understanding the legislative landscape, or simply staying informed about the latest developments in encryption and privacy, every step you take toward understanding cryptography strengthens your position in the digital world.

Remember, in the fight for digital privacy and freedom, awareness is your greatest ally. You don't need to be an expert, but understanding the basics of cryptography and staying informed about how it impacts your life is a step towards a more secure and private digital future.