Typically, those of us concerned about the widespread use of encryption and anonymization technologies like Tor are depicted by crypto advocates as “anti-encryption” or “freedom haters” or “mind-murdering censors” or worse. Despite the level of detail these people can bring to technological matters, they often portray the political options as very stark: either “encryption” or “no encryption.” Like so many other things today, it can be like arguing with the proverbial wall to get our opponents to see that we do not want “no encryption.” All encryption and anonymization schemes are not the same. We don’t want encryption not to be used. We want encryption (and anonymization) schemes that make sense. We want them to be used responsibly.
Finally we have a fairly clear case at which we can point to make this clear. Over the past year, a coalition of investment banks have been working on a comprehensive secure communications package called Symphony. The makers of Symphony state that the software provides “a platform for communities of financial services professionals to communicate securely and efficiently using compliant standards and end-to-end encryption.”
Let me be as clear as possible: I think this is a good idea. It is necessary. It is appropriate.
But the Symphony marketing literature included some statements that made people like me worry, for just the reason I worry about services like Tor. It looked as if the service was structured not just to protect the integrity of bank communications, but to hide them from regulators. The marketing language distinguished Symphony from previous communication tools for the financial industry that were “limited in reach and effectiveness by strict regulatory compliance,” while Symphony would “prevent government spying” and would “guarantee that data deletion is permanent.” These promises go well beyond encryption per se.
This caused the New York Department of Financial Services (NYDFS), one of the major regulators of the financial industry, and Senator Elizabeth Warren, one of the leading consumer advocates in the US, to raise concerns about Symphony. NYDFS has to be able, in the proper legal context, to see any and all communications in which the banks it regulates engage. They do not and should not need warrants to see those communications. Even the “legal fiction” of corporations being persons does not go so far as to grant them, qua corporation, the full protection of the Bill of Rights. Regulators can, do, and must examine corporate communications according to the regulatory rules in place, not under criminal or even civil warrant. The companies exist according to certain rules with which they agree to comply, including regulatory oversight. That is the law. It is a good law. In many cases, the application of this law is the only thing that has uncovered major misdealing in the financial industry, including, as both Warren and NYDFS point out, the Libor price-fixing scandal. If anything, “freedom” as I understand it requires much more thorough and rigorous oversight of the financial industry, not less. Among other things, banks are not, in general, allowed to delete any of the data generated in the course of doing business, in order that regulators can backtrack through their actions to ensure compliance.
Despite Symphony appearing to advertise itself specifically to bypass regulatory oversight, at least one well-known crypto advocate attacked Warren for daring to question any part of the Symphony system, as if regulatory oversight of corporations is an affront to “freedom,” while the use of encryption is such an absolute right, even for corporations, that the integrity of such a widely-praised consumer advocate as Warren could be called into question for daring to say anything that even smacked of concern about encryption.
Well, now we have a resolution to this story, one that I hope gives clarity to what “people like me” want, and why encryption is something we should be concerned about while at the same time not wanting to eliminate it. On Monday, NYDFS announced a settlement agreement with Symphony and four of the banks sponsoring it. The agreement allows the project to move forward almost as originally proposed, with the following provisos, relating specifically to what concerned both NYDFS and Elizabeth Warren:
- Symphony will retain for seven years a copy of all e-communications sent through its platforms to or from the four banks;
- The four banks will store duplicate copies of the decryption keys for their messages with independent custodians (i.e., custodians not controlled by the banks).
Among the many interesting things about this development is that the second point constitutes a form of key escrow. Key escrow is one of the technologies that crypto advocates frequently dismiss as destructive of security; one of the most prominent and reasonable crypto advocates, Matthew Green of Johns Hopkins University, is no fan of key escrow. I have so far found the arguments against it unpersuasive, in part because they take such a big-picture view of the world that they suggest there might be one giant escrow authority holding all the keys to everything. Here, although the details haven’t been made public, Symphony and the banks appear to have agreed to create an escrow authority specific to their software platform. Perhaps that will introduce vulnerabilities into their system; perhaps not. We have a good test case from which to observe. Observing from the outside, it is hard to believe that Symphony and the banks would have agreed so quickly to something that the numerous cryptography experts on Symphony’s (and the banks’) payrolls thought made them vulnerable. If this works, as I suspect it will, we have a model that might be applicable elsewhere.
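The two provisos above (a retained copy of every message, and decryption keys held by custodians the banks do not control) can be shown as a small working model. The Python below is an added example, not Symphony’s code and not anything the settlement text specifies. It assumes a fresh key per message, an archive that keeps a ciphertext copy and refuses deletion until seven years have passed, and two custodians that each hold one XOR share of the key, so that a regulator needs every custodian to read a message and no single custodian can read it alone; that share-splitting is a design assumption, since the page says only that duplicate keys sit with independent custodians. The HMAC-based stream cipher stands in for a real authenticated cipher such as AES-GCM so the block runs on the standard library alone; all message contents and timestamps are constructed.

```python
import hashlib
import hmac
import os
from functools import reduce

RETENTION_SECONDS = 7 * 365 * 24 * 3600  # seven-year retention from the settlement
NONCE_LEN, TAG_LEN = 16, 32

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode: a stdlib-only stand-in for a real cipher such as AES."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = _xor(plaintext, _keystream(key, nonce, len(plaintext)))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    """Verify the tag before decrypting, so a wrong key fails loudly."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered record")
    return _xor(ct, _keystream(key, nonce, len(ct)))

def split_key(key, n):
    """XOR secret sharing (assumed design): all n shares are needed; n-1 reveal nothing."""
    shares = [os.urandom(len(key)) for _ in range(n - 1)]
    return shares + [reduce(_xor, shares, key)]

def join_key(shares):
    return reduce(_xor, shares)

class RetentionArchive:
    """Keeps a ciphertext copy of every message; refuses deletion inside the window."""
    def __init__(self):
        self.records = {}            # msg_id -> (ciphertext blob, stored_at)
    def store(self, msg_id, blob, now):
        self.records[msg_id] = (blob, now)
    def fetch(self, msg_id):
        return self.records[msg_id][0]
    def delete(self, msg_id, now):
        if now - self.records[msg_id][1] < RETENTION_SECONDS:
            raise PermissionError(f"{msg_id} is still inside the retention period")
        del self.records[msg_id]

class Custodian:
    """Key-share holder outside the bank's control; escrow records are write-once."""
    def __init__(self, name):
        self.name, self._shares = name, {}
    def deposit(self, msg_id, share):
        if msg_id in self._shares:
            raise ValueError(f"{self.name}: record for {msg_id} already exists")
        self._shares[msg_id] = share
    def release(self, msg_id):
        return self._shares[msg_id]

def bank_send(msg_id, plaintext, now, archive, custodians):
    """Bank side: encrypt, archive the ciphertext, escrow one key share per custodian."""
    key = os.urandom(32)
    blob = encrypt(key, plaintext)
    archive.store(msg_id, blob, now)
    for custodian, share in zip(custodians, split_key(key, len(custodians))):
        custodian.deposit(msg_id, share)
    return blob                       # what the counterparty receives

def regulator_read(msg_id, archive, custodians):
    """Regulator side: collect every share, rebuild the key, decrypt the archived copy."""
    key = join_key([c.release(msg_id) for c in custodians])
    return decrypt(key, archive.fetch(msg_id))

def run_demo():
    archive = RetentionArchive()
    custodians = [Custodian("custodian-A"), Custodian("custodian-B")]
    t0 = 1_700_000_000                # constructed send time (epoch seconds)
    msg = b"constructed sample message: trade confirmation 42"
    bank_send("msg-001", msg, t0, archive, custodians)
    recovered = regulator_read("msg-001", archive, custodians)
    try:                              # one custodian alone holds a uniformly random share
        decrypt(custodians[0].release("msg-001"), archive.fetch("msg-001"))
        single_share_reads = True
    except ValueError:
        single_share_reads = False
    try:                              # deletion one year in is refused
        archive.delete("msg-001", t0 + 365 * 24 * 3600)
        early_delete_allowed = True
    except PermissionError:
        early_delete_allowed = False
    archive.delete("msg-001", t0 + RETENTION_SECONDS)   # allowed once the window has passed
    return {"recovered": recovered, "single_share_reads": single_share_reads,
            "early_delete_allowed": early_delete_allowed,
            "deleted_after_retention": "msg-001" not in archive.records}
```

Calling `run_demo()` walks the whole flow: the regulator recovers the plaintext from the archive and both custodians, a single custodian’s share fails the authentication check, the archive refuses a deletion one year in, and the record can be removed only after the seven-year window. The escrow here is scoped to one platform, which is the point of the paragraph above: nothing in it requires a single authority holding keys for everything.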
This agreement sounds like exactly what I hope for. Encryption is widely used to secure communications in an appropriate fashion. But it is not deployed so as to put the powerful, especially corporations, above the law.
One thing this shows is that all encryption and anonymization schemes are not the same. Responsible encryption schemes are not just welcome; they are necessary. But irresponsible encryption schemes really do threaten fundamental political principles, especially including the rule of law. Despite the fact that many crypto advocates appear to strongly endorse it, I remain very concerned about Apple’s iMessage encryption, which is designed to make the service of all warrants impossible, and which the New York Attorney General and others have claimed has blocked a variety of fully legal warrants in the few months since it became available (Matthew Green has posted some comprehensive discussions of the iMessage system, though I think he gives too much credence to the crypto advocates’ typical excessively paranoid skepticism toward all statements made by law enforcement officers). Many crypto advocates have promoted this system for reasons that I find incomprehensible within our system of constitutional governance. All encryption is not the same. Symphony may be a responsible encryption scheme, while iMessage may not be.
It is hard for me not to wonder whether DFS and others have noticed the part of Tor’s promotional materials where they boast that “business executives use Tor.” The arguments for using Tor inside businesses have never made much sense to me, since most businesses are required, contractually and/or legally, to be aware of and record all relevant communications that take place under their name.
Thus, when what must be a luddite and technophobic company called IBM recommended in August that businesses should block Tor, one of Tor’s original developers weighed in on this discussion on the Tor-Talk list, not to take IBM’s concerns seriously, but instead to point out reasons why “your company would have a reason for you to use Tor.”
This is exactly one of the main things that has worried me about Tor all along. Most of the people involved with the Tor projects have become political advocates, pressing hard for one side of a debate that should be nuanced and of which the other side should be taken very seriously. (Aside to certain people who have asked: when I use the term “politics” like this I mean it in the sense used by political scientists and other academics: matters that affect the arrangements of power that structure society and social institutions. I do not mean “politics” in the sense of being a Republican or Democrat, although the kinds of politics I’m talking about certainly can have consequences for these more formal party politics.) Personally, I hope that NYDFS decides to look into the use of Tor by the same banks that use Symphony. For exactly the reason that Symphony has to be configured so as to fit into sensible regulatory requirements, Tor, which cannot (as far as I know) be configured in this way, or at least does not come that way out of the box (i.e., in the Tor Browser Bundle), should be blocked by banks, and by all corporations that have regulatory oversight. So should all tools that enable unrecordable, undecryptable electronic transactions (which goes far beyond “communication”). The fact that spoken-word conversations not held on the phone are not recordable (but also not encrypted) does not somehow entail that we should, let alone that we must, proliferate tools that expand this capability over distance and time. Nobody who loves “freedom” should want corporations to conduct their business outside the law.