Re: How much privacy? [ I think this illuminates the issues very well ... djf]

[David Farber <farber () central cis upenn edu>]

From: Mike Godwin <mnemonic () eff org>
To: cyberia-l () birds wm edu
Date: Wed, 9 Feb 1994 11:28:57 -0500 (EST)
Cc: farber () central cis upenn edu (David Farber)




Trotter writes:


> The government's argument, I take it, is that the benefit is
> law enforcement.  That strikes me as at least as great a benefit
> as minimum wage laws; perhaps more, since it protects everybody
> (at least in theory), whereas min wage laws primarily benefit
> their recipients.  Maybe EPA regs are the better analogy:
> everybody gets reduced pollution; with Clipper, everybody gets
> reduced criminal activity.  Is that not a reasonable trade-off?


The problem is that the government refuses to be forthcoming as to what
kind of trade-off we're talking about. There are supposedly fewer than
1000 state and federal wiretaps per year. Yet we are being asked to
reconstruct the phone system and to risk billions of dollars in trade
losses when there has never been shown to be any crime associated with
uncrackable encryption whatsoever.


Moreover, there are fundamental political issues at stake. This country
was founded on a principle of restraints on government. A system in which
the privacy of our communications is contingent on the good faith of the
government, which holds all the encryption keys, flies in the face of what
we have been taught to believe about the structure of government and the
importance of individual liberty.


In short, the government fails to make its case in two separate
ways--pragmatically and philosophically.


> In reply to the latter issue, I don't think the government
> cares whether an accountant in India can password protect a
> spreadsheet.  I would guess that even Clipper or DES or whatver
> would be more than enough protection for such a person. I think
> the government cares that it be able to detect foreign
> intelligence that is relevant to US security or interests. I am
> not sure where I come out on the question, but at the very
> least it seems to me that the government is reasonable in this
> desire.


Yet there are some premises here that need to be questioned. Do we really
suppose that "foreign intelligence" is dependent on the American software
industry to develop its encryption tools? Diffie-Helman public-key
encryption and DES are already available worldwide, yet
Microsoft can't export software that contains either form of encryption.


No, the real issue is that, to the extent that a mass market arises for
encryption products, it makes the NSA's job more difficult, and it may
at some future time make some investigations more difficult as well.


When asked to quantify the problem, the government invariably begs off.
Government spokespeople say "Well, how would you feel if there were a
murder-kidnapping that we couldn't solve because of encryption?" To which
my answer is, "Well, I'd feel about the same way that I'd feel if there
were a murder-kidnapping that couldn't be solved because of the privilege
against self-incrimination."


Which is to say, I understand that limits on government power entail
a loss in efficiency of law-enforcement investigations and
intelligence-agency operations. Nevertheless, there is a fundamental
choice we have to make about what kind of society we want to live in.
Open societies, and societies that allow individual privacy, are
*less safe*. But we have been taught to value liberty more highly
than safety, and I think that's a lesson well-learned.


What's more, we need to be able to rational risk assessment, and that's
something that the government resists. The government subscribes to
the reasoning of Pascal's Wager. Pascal, you may recall, argued that the
rational man is a Christian, even if the chances that Christianity is true
are small. His reasoning is quasi-mathematical--even if the chances of
Christianity's truth are small, the consequences of choosing not to
be a Christian are (if that choice is incorrect) infinitely terrible.
Eternal torment, demons, flames, the whole works.


This is precisely the same way that the government talks about nuclear
terrorism and murder-kidnappings. When asked what the probability is
of a) a nuclear terrorist, who b) decides to use encryption, and c)
manages otherwise to thwart counterterrorist efforts, they'll answer
"What does it matter what the probability is? Even one case is too
much to risk!"


But we can't live in a society that defines its approach to civil liberties
in terms of infinitely bad but low-probability events. Open societies
are risky. Individual freedom and privacy are risky. If we are to make a
mature commitment to an open society, we have to acknowledge those risks
up front, and reaffirm our willingness to endure them.






--Mike