We all know that data sent over the Internet can be intercepted. How to prevent it? One method is to encrypt it. Various technologies exist for doing this, but they haven’t caught on with individual users, partly because people don’t really care, and partly because encryption software has been awkward to use.
That may be changing. PGP(.com) is now selling PGP 8.0, one version being personal encryption software, hoping for a mass market. I haven’t seen it, but reports on the Web describe it as user-friendly. If it or any similar product sells truly well, it will have major ramifications for the security state, the war on terrorism, and the balance of privacy versus governmental monitoring.
PGP stands for Pretty Good Privacy. It is encryption based on what is called public-key cryptography and was made publicly available years back by Phil Zimmerman over attempts by the government to prevent its release. The reason was fear that mobsters and spies would use it to make their communications impervious to federal interception.
Public-key encryption is not explicable in a short column. Briefly, it comes to this: You have two keys, each being a large binary number. One is your public key, which you can safely give to anyone, or put on the Internet. I can use it to encrypt my secret message to you.
The other number is your private key, which you reveal to no one. Only your private key can decrypt the message I sent you. (Or, depending, someone with governmental-scale resources.) So it doesn’t matter whether the message is intercepted. No one can read it.
Now, why does anyone care? Most e-mail we send isn’t very important. Few of us are aware of having had any e-mail intercepted. Hackers are an overrated threat, and so on. Usually, encryption doesn’t matter. But …
Governments, including ours, are adapting to the Internet age. They want to be able to monitor the communications of their citizenry. The reasons given are always good. The FBI, for example, wants to be able to monitor the Mafia. In this country, such listening-in is, or was, supposed to be done only with a warrant. It has worked. Mafiosi have gone to jail, and democracy has gone unscathed.
But two things have happened. First, the Internet has made possible massive, automated, undetectable surveillance of communications. Second, terrorism has provided (depending on your politics) a reason or a pretext for surveillance. Note such programs or attempted programs as Total Information Awareness, Tips and Carnivore.
Encryption, should it become common, would make much of this electronic watching worthless.
I will get mail saying that the National Security Agency has 40 acres of supercomputers that can crack anything. Inexplicably, NSA doesn’t tell me what it can crack. There is a difference, however, between being able to decrypt a selected message of interest, and being able to screen all Internet traffic. If it takes half a second to decrypt an e-mail, and you have 100 computers that do it, and there are 300 million e-mails sent a day, well, you are going to come up short.
Another point is that government isn’t the magic cryptographer it once may have been. Once only governments had any interest in codes and ciphers, and so were the best at them. Post-Internet cryptography is an industry attracting first-rate mathematicians who know all about supercomputers. Many of them refuse to have anything to do with the government so as not to have to sign nondisclosure agreements. As a rule, anything the civilian world wants to do, it does better than the government.
Now, if you think terrorists and criminals are more dangerous than the government, you will see universal encryption as a threat to national security. If you are more afraid of government, you will see it as a necessary counterweight to surveillance. Either way, governments don’t like it.