Among the digital elite, one of the more common reactions to the recent shocking disclosures about intelligence surveillance programs has been to suggest that the way to prevent government snooping is to encrypt all of our communications.
While I think encryption might be an important part of a solution to the total surveillance problem, it strikes me as much more problematic than many people, especially encryption advocates, seem to think, and in certain ways actually not at all welcome and not an appropriate democratic response to surveillance. What is particularly troubling is that the issues I am going to discuss are obvious and clear ones that anyone interested in democracy, constitutional government, or rule of law should be thinking hard about, and yet despite intensive searching and Twitter solicitation on my part, I have been unable to find any real discussion of the problems, even while it is easy to find unambiguous, detailed, and explicit advocacy for technical solutions that raise the problems I mention here.
Let’s leave aside the technical questions. Let’s suppose for the moment that perfect end-to-end encryption is possible—that it becomes possible for individuals to hide everything they say and everything they write and every document they create and every transaction they perform from any surveillance, ever. This is clearly the goal advocates aim toward, without hesitation. This is to some extent what a service like Tor already provides.
On what legal or ethical basis do advocates assert that they have the right to do this?
The knee-jerk answer, although we do not find even this discussed, is to claim a right to privacy. In the US, there is no unambiguous constitutional right to privacy—none of the Bills of Rights specifically grants a right to privacy by name. Case law, and readings of the 4th (against unlawful search and seizure) and 5th (against self-incrimination) amendments in particular, have led to a tacit right to privacy. Here is how one of that right’s fiercest advocacy groups, the ACLU, explains that right:
The right to privacy is not mentioned in the Constitution, but the Supreme Court has said that several of the amendments create this right. One of the amendments is the Fourth Amendment, which stops the police and other government agents from searching us or our property without “probable cause” to believe that we have committed a crime. Other amendments protect our freedom to make certain decisions about our bodies and our private lives without interference from the government – which includes the public schools.
Note what this does not say. It does not say, anywhere at all, that citizens have the right to hide their activities from law enforcement when they do have probable cause. It does not give us the right to conduct criminal activity and to hide those actions completely from the government.
In the writings of some of the major Enlightenment philosophers on whom the Founders of the US relied in fashioning this country, we find the notion of the “social contract.” As Wikipedia puts it, “Social contract arguments typically posit that individuals have consented, either explicitly or tacitly, to surrender some of their freedoms and submit to the authority of the ruler or magistrate (or to the decision of a majority), in exchange for protection of their remaining rights.” This is clearly what the framers had in mind when they created a constitutional form of government (an alternate formulation favored by thinkers like David Hume, “consent of the governed,” raises similar questions). Today, especially among digital advocates, we read about our system of government being a democracy (despite it actually being a republic, or representative democracy); we read quite a bit less about it also being a constitutional democracy, a government of laws and not men.
Yet the non-absoluteness of the right to privacy is a perfect example of what the rule of law means. In order for most of us to be relatively free, we each must sacrifice a little bit of our freedom. In order to have a relatively free society, we cannot have absolutely free individuals. Being a citizen—accepting the privileges, rights and responsibilities that go along with citizenship—means accepting some of these limits. Some of them are straightforward curtailments on what some might see as liberties: I’m not free to murder another person, to take their belongings without compensation and against their will, or even to practice medicine without being duly certified by the appropriate authorities. We sacrifice these freedoms because we have both history and logic to tell us that as a whole we are better off if we each individually make these sacrifices. Despite the murderer’s freedom to kill being constrained by law, most of us are better off if killing is illegal. Despite the amateur surgeon’s freedom to perform an appendectomy being curtailed (and note that the amateur surgeon might even be perfectly competent at performing the appendectomy, so that society as a whole loses the benefit of that skill), we have decided that society as a whole is more free if we require doctors to have licenses.
If all communications are effectively encrypted, surveillance and retrospective investigation of those communications become impossible. That might sound good to you, but it does not sound good to the victim of a violent crime or murder, to those of us who want the financial industry investigated, to those of us who would like political and corporate actions to be thoroughly investigated, and so on. Under the right legal circumstances, under any regime of power, law enforcement must have access to communications and even more so to digital data that actually comprise commercial and legal transactions, in our society, under our laws. The 4th and 5th amendments could have been written: “under no circumstances may government search a person’s property.” They are not written that way. They clearly give the government not just a right but the obligation to investigate violations of democratically-enacted laws. Suggesting anything else is proposing a vastly different model of governance from the one we have. I am open to and want to read such proposals, but one does not find them in the writings of digital encryption advocates.
It is ironic that much of this discussion comes up in the context of the shocking nature of Edward Snowden’s revelations, where the shock value emerges precisely from the incompatibility of the NSA’s conduct with most of our readings of the 4th Amendment itself, the same 4th Amendment that guarantees the government the power to search and seize our papers under the right circumstances. My own criticism of the NSA surveillance programs are based exactly on what seem to me their incompatibility with the 4th and 5th amendments. Rule of law, and the citizenship that enable it, are package deals. If you want the protections, if you want the democratic rights and privileges, if you want the Constitution to mean something, you have to go along with the obligations as well. Though it is not usually taken this way (because until recently nobody even thought to raise the question), the 4th Amendment gives the government the right and the responsibility to “search and seize” the “persons, houses, papers, and effects” of citizens. By asserting the right to prevent law enforcement from conducting such legal searches, you are asserting your independence from the Constitution. You are entitled to do that in some sense, but I do not see how you can do that and also claim the rights accorded under the rest of the Constitution. You are entitled to renounce your citizenship. But if you assert that you have the right to put yourself entirely beyond the reach of the law for any of your actions, you are asserting your right to opt out of one of the very most basic elements of the social contract. I don’t want Jeff Skilling or Raj Rajaratnam or Colin McGinn or WorldCom or Citigroup to be able to conduct its business beyond the reach of law enforcement, and the price for that is that I’m not entitled to do so either.
Cyberlibertarians have an almost astonishingly selfish and self-centered view of freedom. They look at their own sphere of influence and demand total freedom within it. They do not, typically, look in a general way at society and ask what it means for all of us to be meaningfully free, especially if that general social freedom might (heaven forbid) put constraints on their own behavior. For most of history, desiring to be free from violence and serious crime has been understood as a basic part of the social contract. We can’t have that if all communications are encrypted.
I say this from a position profoundly critical of the security state, the huge amounts of government secrecy, the total surveillance programs we are all reading about, and so on. Among many other problems, the government assertions about these programs argue that the State’s perfect right to security inspection makes imperfect the citizen’s right to privacy. This especially comes out with regard to oversight, where we are repeatedly told that any revelation of methods and procedures compromises the security measures so entirely that it is impossible. I think that is a terrible misreading of history and law. What must be imperfect, so far as a balance is to be struck, is security, not privacy. Citizen privacy is a bedrock aspect of common law and in much of the thought of the US framers. We need to know—to know, not to believe—that our government only surveils citizens and even non-citizens in compliance with the law and constitution. We lived under this kind of regime for decades, with regard to the phone, mail, and wire communications, and we need to get back to it. But tilting toward privacy is not to deny the security functions of government altogether. Denying those functions seems to me a denial of a principle so fundamental that we must ask just how and why you do consider yourself to be a citizen and to be bound by the rule of law that constitutes democratic governance itself. Further, failing even to have this conversation suggests that cyberlibertarians tacitly subscribe to a notion of governance that is wildly out of step with what we understand as democracy.
Let’s face it: there is nothing hypothetical about these concerns. While we read frequently about the uses of Tor in politically-repressive states, most of us know that the most visible use of Tor is the Silk Road, a Tor hidden service marketplace in which the major product is illegal drugs. We might argue about whether having this service makes the drug trade more or less safe, more or less widespread, increases or decreases drug addiction, etc. What we can’t argue about is that because drug use is largely seen as a victimless crime and is engaged in by huge numbers of people, it is especially visible. Even if you think it’s OK for drug dealers and users to conduct their business in such a way that it is impossible for law enforcement to monitor it with a legally-obtained search warrant, the visibility of the Silk Road suggests that Tor is used or could be used for other kinds of crime. We certainly have anecdotal reports that Tor and similar services are implicated in the spread of child pornography, and the Silk Road itself has been used for illegal weapons sales. End-to-end encryption is currently being used to hide criminal activity. Further such encryption will make hiding it even easier. Full encryption would make hiding it standard, and make law enforcement something between difficult and impossible. The basis on which that happens is the assertion by cyberlibertarians that they are not subject to the laws that constitute our society. We should be having a thick and robust discussion about these problems, not just presuming that it is fine to opt out of citizenship obligations if you have the technical means to do so. That this discussion is not taking place is itself an indication of the atrophied state of political discussion in our “information age.”
Update, Dec 17, 2014: This piece has gotten some attention recently due to the fallout from Pando’s reporting on Tor, and Pando’s reposting of my “Tor Is Not a ‘Fundamental Law of the Universe.'” In a very interesting Twitter discussion with W. Greenhouse, it became clear to me that the word “encryption” here may be a bit of a distraction. Encrypted services in and of themselves are, for the most part, not what I’m getting at, but rather the kind of service Tor offers, which at least advertises itself as making all communications, including metadata, invisible to any sort of observation. Though what “encryption” and “anonymity” mean as one starts to install them throughout the system remains an open question. I definitely want banks and brokers to be able to encrypt the traffic between themselves and their customers, and I don’t have a problem with companies using VPNs to conduct remote business with clients and employees (although my quick guess would be that all of these services, at least within major companies, exist within significant compliance regimes–ie, requirements to store, report on, and produce the records of such communications when required to do so by warrant). But I don’t want banks and brokers hiding their activities so routinely that it becomes even more difficult than it already is to document wrongdoing inside of them. The Tor Project website boasts that “business executives use Tor,” and offers a bunch of positive sounding use cases, but it is not hard to think of many ways “business executives” might find Tor extremely helpful in evading legal and regulatory requirements.