As of late, I’ve been re-reading Neal Stephenson’s Cryptonomicon for the umpteenth time. It’s gotten me to thinking about journalism, encryption, and my own level of paranoia when it comes to privacy and data security—which, were I based in a different country, would be considered “near pathological” but in Colombia is merely, as a friend put it, “situation-appropriate risk management”.
In the interest of full disclosure, it must be noted that I am neither a crypto expert nor a truly seasoned journalist. This is merely my own speculation on the subject.
Today when we talk about cryptography (writing codes or encryption schemes) and cryptanalysis (breaking same) we talk about computerized code-breaking, generally speaking. Specifically, I am thinking about individuals or small groups of individuals (as opposed to governments or globe-spanning crypto-cabals) who might have a vested interest in making sure that other people don’t read what they have on their hard drives. I spend a lot of time thinking about journalists, so here we are.
In 1929, US Secretary of State Henry Stimson dissolved a government wire-tapping apparatus, known as MI-8 or the Cipher Bureau. He would later quip in his memoirs that “Gentlemen do not read one another’s mail.” Unfortunately, the world today isn’t too well-populated with gentlemen.
There are two main groups that might be interested in reading journalists’ mail: governments and non-governmental, extra-legal entities. The latter might include organized crime syndicates, militias, rebel groups, or any group that values its privacy (but not, interestingly, the privacy of anyone else).
Governments don’t like crypto, generally speaking. Despite their penchant for keeping secrets, it irks them when non-governments, or, for that matter, other governments, keep secrets from them. Developed nations usually have intelligence apparatuses of sufficient sophistication as to make individual encryption schemes irrelevant. If the NSA, MI-5 or the Moussad really wants to know what you’ve got on your laptop, it’s only a matter of time before they learn what they want to know.
In addition, the United States has a customs & immigration policy where electronic devices can be examined or confiscated at ports of entry. If you don’t give them the encryption key, they’re perfectly within their rights to take it until you do, or until they break it. A terribly clever monkey using some ridiculously difficult-to-break encryption scheme is going to find that his laptop is now an impregnable date fortress-cum-paperweight in some ICE office.
It’s also important to note here, for those who might cry foul, that if customs and immigration agents were police officers, this would be blatantly unconstitutional. Refusing a search doesn’t count as probable cause for cops. ICE agents, however, are to your average shield-carrying protecting-and-serving patrol officer what Judge Dredd is to Barney Fife. (“I AM the law!”) Try and invoke your Fourth Amendment rights, or, as a journalist, your First Amendment rights, and you can probably look forward to a long, unpleasant interrogation, and you’ll still lose your HDD.
On the other hand, developing nations and your less scrupulous developed nations are much more inclined to say “screw it” and indulge in Lead Pipe cryptanalysis. (LPC, a term coined by webcartoonist Howard Tayler, is “where you skip all the fancy hacking and just beat the password out of somebody with a lead pipe.”)
Some other alternatives: There are some encryption schemes that are designed to be resistant to machine cryptanalysis, i.e., setting a few dozen supercomputers to chug through every possible encryption scheme.
There is, however, no encryption scheme that is resistant to LPC. You’ll lose your data and be left wheelchair-bound by some “enhanced interrogation.”
A better policy would be to not keep anything sensitive on your hard drive. If you have the option and trust your ISP, upload any necessary documents to an FTP server that you feel you can trust. However, make sure that the server is not physically located (i.e., in Meatspace, subject to national boundaries) in the country in which you work, in any country which might have a keen interest in what you’ve got on that server, or any country which could theoretically be manipulated into turning over data on that FTP server.
Remember that, at least in the US—and in most other countries where a journalist’s privacy might be in jeopardy—there are no over-arching Shield laws to protect journalists and their sources, and data can be subpoenaed or confiscated.
The best policy? Just as a savvy journalist doesn’t write down anything in a notebook that some nosy entity might want to look at, don’t commit to digital format anything you don’t want to be read.
Send lawyers, guns and money,
J.
No comments:
Post a Comment