A call for action: forget encryption laws, make RFC 3514 mandatory

Disclaimer: This is yet another personal rant. The topic makes me cringe... Let me know your views in the comments section.

I believe that one of the issues with politicians making speeches about #infosec and #cybersecurity is that they seldom have actual knowledge of what they are talking about. And they seldom look for support from people who are knowledgeable about it. This usually leads to half-truths, bad examples, and lengthy discussions with little or no results at all.

Case in point: the #encryption debate that has been going on for years. All the hours of rhetoric wasted in trying to paint encryption as a national security issue: "terrorists use encryption", "sex traffickers use encryption", "there is the need to regulate encryption", and so on.

At the end of the day these discussions are just a precursor for the implementation of Mass Surveillance. You get promised that you'll have better security and safety. That you will be safe, if we can just convince you that using encryption is almost a crime in itself. After all, only people with things to hide would want to use it, right?

"If you have nothing to hide, then you shouldn't mind if the government takes a peek at what you're doing. All for the sake of keeping YOU and EVERYBODY ELSE safe".

It makes sense in a kind of Orwellian way. The figure of the State controlling everything, making sure everyone is well-behaved, happy citizens make happy countries and all that. I'm not going to go into philosophic avenues on this one. If you haven't read 1984, please do so.

In the event anyone actually reads this post, it is important for you to understand that encryption is the process of encoding a message or information in such a way that only authorized parties can access it and those who are not authorized cannot. In a nutshell, it's a way to keep stuff from prying eyes. It has been used for centuries.

Most governments and states cannot accept encryption unless they control it. The thought of something existing that cannot be easily read or accessed sends shivers down many spines sitting in places of power. Whether those seats are democratically elected, "democratically" elected, inherited, reached by dethroning someone else or otherwise obtained. It doesn't matter. People in power always fear what they cannot control because, at some point, it can be a threat to the status quo, and to them.

“Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say.” ― Edward Snowden

So encryption becomes a matter of public policy and discussion. Governments implement export control laws in order to control knowledge dissemination or, in some cases, they can simply make sure there are several types of encryption and that the most commonly used types "must not harm the state security and public interests".

Several countries already limit who can encrypt their communication or the strength of encryption allowed, such as Cuba, Pakistan and India. Others, such as Russia, Morocco, Kazakhstan, Pakistan and Colombia, sometimes go as far as banning it altogether. (1) (2)

Central to this discussion are the arguments "if you have something to hide, should you be doing it?" or "are you doing something you're not supposed to?". The thing is that this rhetoric puts the issue where it shouldn't be - on the citizen, the individual. It is important to understand the fallacy here - the citizen is not the responsible party; it's the State that wants to know what he is doing, whenever it wants. The citizen is the abused party, because it's the citizen who waives his/her right to privacy for a misguided sense of shame or security, whatever the State is selling as a justification for invading his/her privacy. At the end of the day you don't have to use encryption, but you also shouldn't feel guilty for using it. And forbidding law-abiding citizens access to decent encryption does not contribute in any way to their security or safety, because law-abiding citizens are... well, law-abiding citizens. It's the ones who break the law that are the problem and, let's be honest, those don't care about the law.

On the 10th of December 2019, a coalition of civil society organisations as well as private companies and security researchers called on three governments - the US, UK and Australian - to allow technology companies to offer strong encryption tools such as Signal or WhatsApp to the public. This statement highlights that, should governments enforce the removal of end-to-end encryption protection on consumer messaging services, it would put the citizen, the individual, at risk. Think journalists like Jamal Khashoggi, think human rights defenders, or people defending the right to decide your own sexuality, or you. Yes, you who are reading this article can also be a target and, as such, services and products can be bought and acquired to spy on you. I will refrain from mentioning the NSO Group tools or the lawsuit WhatsApp has filed against them.

Take away: It doesn't matter if you don't have anything to hide, as long as you have anything that someone else wants.

This call-out to governments is also not the first one. The platform Secure The Internet also publishes a very similar appeal. The Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression of the United Nations presented a report in 2015 with the conclusion that "encryption and anonymity enable individuals to exercise their rights to freedom of opinion and expression in the digital age and, as such, deserve strong protection".

Trying to stop or control the use of encryption with the rhetoric of safety and security for all is only that... rhetoric. Governments worldwide would have better luck forcing the mandatory implementation of RFC 3514 to ensure a safe and secure cyberspace. A pity it's an April Fool's tech joke.

Take a look at your country and see what your government is deciding about encryption, and then stand up against any activity that tries to ban it, control it or in any way reduce the protection it gives. It's your right and your duty.

(1) https://www.amnestyusa.org/reports/encryption-a-matter-of-human-rights/

(2) https://commslock.com/world-map-of-encryption-laws-and-policies/


Miguel Soares Ramos

IT Professional at Siemens

5 years ago

As with many other government policies, it all comes down to how Governments look up to their populations and individual rights. Cultural aspects also play a very important role, as some countries make laws to try to get populations to do or don't... what others consider as "willing to do", or "do it by right" or just "plain obvious". If you look at the encryption history one could just invent another totally new or different method... Are we also limiting investigation into creating new forms? What is considered unbreakable encrypted message at some point, it only means it's difficult. Just consider how fast we can nowadays decrypt messages encrypted with "old" technology. So I guess the only discussion here is how far do we let some authority to limit our freedom to do what we believe or consider to be our own right to (do so)... or re-locate...


More articles by Jorge Pinto
