Ciphertext in a Bottle: Exploring Privacy in a Network Society



Isaac Quinn DuPont
June 2006


Privacy is closely associated with, yet distinct from, the powers of liberty, freedom, and autonomy. The network society affects these powers in interesting ways, often causing public worry. Indeed, more people worry about the invasion of privacy online than in any other medium [Tavani, 1999,12]. When online we are told to accept and purchase privacy enhancing technologies (PETs) in an attempt to ensure privacy. What sort of privacy is afforded by these technologies? Can the world wide web be a private sphere? Is a private sphere necessary?

By far the most common PET is cryptography. Despite its wide applicability, cryptography has not received any scholarly attention in relation to privacy. Popular literature is much more likely to discuss cryptography and privacy but, not surprisingly, lacks rigour and attention to distinctions.

I recently met with a first-hand example of this problem and saw what ideational consequences it can sow. I was attending a lecture by an eminent legal scholar who was discussing privacy issues regarding Radio Frequency Identification Devices (RFIDs). To my dismay, this scholar thought that RFIDs, even those properly secured through standard cryptographic techniques, could not be trusted to protect privacy. His point was not a complicated legal one; the discussion broke down on the (perceived) technical inadequacies of modern cryptography ("I don't trust it, someone will break the cryptography"). To be sure, cryptography is no panacea, but lacking knowledge of the fundamental underpinnings of modern cryptography caused this scholar to dismiss the technology out of hand, without investigating the interesting and complex privacy issues.

This paper will offer a brief primer on cryptography in an effort to redress technical misunderstandings. Then, a brief history of privacy scholarship will survey many of the theories of privacy, concluding with Moor's control/restricted access theory, which is currently the 'leading' theory of privacy. Finally, the implications of cryptography will be assessed in light of a theory of privacy (loosely equivalent to Moor's).

1  Cryptography Primer

Cryptography has been an open scholarly field of study since the early 1970's. In the late 1960's Whit Diffie became fascinated with cryptography but was unhappy with the current state of cryptographic research, since all of the interesting cryptography was classified by the military. Eventually, Diffie came to work intimately with Martin Hellman, and collectively they created the basic building block of public key cryptography (known as the Diffie-Hellman Key Exchange). Their discovery launched a scholarly and commercial interest in cryptography.

Prior to Diffie and Hellman's discovery, the only (publicly) known cryptographic primitives were (rudimentary) symmetric key algorithms. Symmetric key cryptography uses a "key" (typically some string of bits that acts as a password of sorts) to encrypt some data, and the same key to reverse the encryption process. Obviously, the key must be kept secure, and hence the system is also known as "private key cryptography". Symmetric key cryptography uses some algorithm to "mix in" the key material with the data.

In the simplest of cases these algorithms are transposition or substitution ciphers. In a famous example, Julius Caesar is said to have communicated with his generals in the field using a very simple transposition cipher. Caesar had a ring with two concentric rotating circles on it, each having a complete alphabet printed around the circle. Caesar would securely inform his generals of the number of spaces to the left or right that he was turning the inner or outer ring. The transposition of the ring is the key information (i.e., the key is the number of spaces the circle was turned). Caesar would then encipher a text by writing the corresponding letter (that lined up) from the other circle. The resulting text would not be readable, but could be decrypted by reversing the process (looking up the ciphertext letter on the one circle and writing down the corresponding letter on the other circle to create plaintext). Obviously, cryptanalysis (codebreaking) of the ciphertext would be very easy. Since letter frequency is not the same for all letters in any natural language (the letter E, for example, is the most common in English) simple frequency analysis of the ciphertext would reveal associations and statistical anomalies (e.g., if the transposition cipher was A=B, B=C, etc., then the most frequent letter in the ciphertext would be F, because E=F and E is the most frequent letter in English). Once the key is revealed, it is trivial to decrypt the rest of the message, and every subsequent message (until the key is changed).
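The frequency analysis described above can be run directly. The following Python sketch is an added example, not part of the original paper: it implements the alphabet-shift cipher with the paper's A=B key (a shift of one), recovers the key with the "most frequent letter is E" rule, and then with a chi-squared comparison against approximate English letter frequencies, which goes beyond the paper's rule and still works on a short message where E is not the most common letter. The two sample messages and all function names are constructed for illustration.

```python
from collections import Counter
import string

ALPHABET = string.ascii_lowercase
# Approximate letter frequencies in English text, in percent (a..z).
ENGLISH_FREQ = dict(zip(ALPHABET, [
    8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97, 0.15, 0.77, 4.03,
    2.41, 6.75, 7.51, 1.93, 0.10, 5.99, 6.33, 9.06, 2.76, 0.98, 2.36, 0.15,
    1.97, 0.07]))

# Constructed sample messages (not from the paper).
LONG_TEXT = ("Meet me at the eastern gate before the seventh legion "
             "enters the green field near the river")
SHORT_TEXT = "Hold the north road and wait at dawn"
KEY = 1  # the paper's A=B, B=C example

def shift_text(text, key):
    """Turn the ring `key` places: encrypt with key, decrypt with -key."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord('A') if ch.isupper() else ord('a')
            out.append(chr((ord(ch) - base + key) % 26 + base))
        else:
            out.append(ch)  # spaces and punctuation pass through unchanged
    return ''.join(out)

def guess_key_most_frequent(ciphertext):
    """The paper's rule: assume the most common ciphertext letter stands for E."""
    counts = Counter(c for c in ciphertext.lower() if c in ALPHABET)
    top = counts.most_common(1)[0][0]
    return (ord(top) - ord('e')) % 26

def guess_key_chi_squared(ciphertext):
    """Try all 26 keys and keep the one whose implied plaintext letter
    counts are closest (chi-squared) to English as a whole."""
    letters = [c for c in ciphertext.lower() if c in ALPHABET]
    counts, n = Counter(letters), len(letters)

    def score(key):
        total = 0.0
        for p in ALPHABET:
            c = chr((ord(p) - 97 + key) % 26 + 97)  # p would appear as c
            expected = ENGLISH_FREQ[p] / 100 * n
            total += (counts[c] - expected) ** 2 / expected
        return total

    return min(range(26), key=score)

if __name__ == "__main__":
    for name, text in (("long", LONG_TEXT), ("short", SHORT_TEXT)):
        ct = shift_text(text, KEY)
        print(name, repr(ct))
        print("  most-frequent-letter guess:", guess_key_most_frequent(ct))
        print("  chi-squared guess:         ", guess_key_chi_squared(ct))
```

On the short message the single-letter rule picks the wrong key because A, not E, is the most common plaintext letter; comparing the whole distribution still recovers the key, and with only 26 possible keys an exhaustive search is always available.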

Modern symmetric cryptography is essentially the same, except much more complex algorithms diffuse any statistical anomalies (through multiple 'rounds' of the algorithm); this creates data that is indistinguishable from purely random data. Symmetric cryptography is typically used for 'bulk' cryptography because it is computationally fast and very secure. Modern symmetric key algorithms typically employ the computational difficulty of performing multiplication modulo in a finite field (the details are extremely technical, but think of doing long division on very large prime numbers and you will get some image of the process).

The Advanced Encryption Standard (AES) is the current standard symmetric key algorithm. AES only has an official key length of 128 bits, but longer keys are possible using the same algorithm (256 bit keys are required for TOP SECRET government data). The key length is an indication of the length of time it would take to perform an exhaustive keyspace search ('brute force' attack), but is not an indication of the quality of the randomness of the ciphertext (i.e., the ease of cryptanalysis is based on the quality of the algorithm, while the computational power required to perform a brute force attack is based on the key length). Currently even the fastest distributed supercomputers are only able to crack a 55 bit version of the algorithm (although no one knows what sort of computers the NSA may have). For each bit of extra key length the computation required doubles, so that cracking a 56 bit key would take twice as much computation as cracking the 55 bit key, and cracking a 57 bit key would require four times as much computation. 128 bit keys will be secure from brute force attacks by even the fastest supercomputers for at least 30 years given the current rate of increase in computational power (and we are approaching theoretical physical limits).

Public key cryptography uses an asymmetric key system, which is also known as a split-key system. The process of public key cryptography is counterintuitive, but in essence there are two linked keys (a public key and a private key); data encrypted with the public key can only be decrypted with the corresponding private key (hash algorithms can also be used, but that is another essay). For example, when I encrypt my email using GNU Privacy Guard (an open-source implementation of Pretty Good Privacy, or PGP) I use the recipient's public key (which was exchanged previously and is known publicly) to encrypt the message. Later, the recipient uses her private key (known only to herself) to decrypt the message. Only the private key can decrypt the message, but anyone with the public key can encrypt the message (i.e., anyone can send her an encrypted message that only she can read).

Public key cryptography is the backbone of secure internet commerce, typically implemented through Secure Sockets Layer (SSL) technology. Public key cryptography solves the problem of having to exchange a private key without a secure channel (since the internet is inherently an insecure channel). However, since public key cryptography typically uses the difficulty of computing large prime number factorization, it is much slower than private key cryptography (1000 times slower). Because of its resource intensive nature, public key cryptography is typically used to encrypt (and securely exchange) the 'session key' used for subsequent private key cryptography. Thus, once the private key has been securely sent through the public key system all data is encrypted using the much quicker private key cryptography.
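The session-key arrangement described above, as an added Python example that is not part of the original paper: a fresh random session key is wrapped with the recipient's public key, and the message itself is encrypted under that session key. Everything here is a constructed toy under stated assumptions: the key pair is textbook RSA built from two small Mersenne primes with no padding, and a SHA-256 keystream stands in for a real symmetric cipher such as AES, so it shows the structure only and provides no real security or integrity protection.

```python
import hashlib
import secrets

# Constructed toy key pair: two Mersenne primes, textbook RSA with no padding.
# Far too small and too simple for real use; it only shows the structure.
P, Q = 2**127 - 1, 2**89 - 1
E = 65537
PUBLIC_KEY = (P * Q, E)                                # (modulus, public exponent)
PRIVATE_KEY = (P * Q, pow(E, -1, (P - 1) * (Q - 1)))   # (modulus, private exponent)

def keystream_xor(key, data):
    """Stand-in for the fast symmetric cipher: XOR the data with a keystream
    of SHA-256(key || byte offset). The same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, 'big')).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

def hybrid_encrypt(public_key, plaintext):
    """One slow public-key operation on 16 bytes, then fast bulk encryption."""
    n, e = public_key
    session_key = secrets.token_bytes(16)          # fresh for every message
    wrapped = pow(int.from_bytes(session_key, 'big'), e, n)
    return wrapped, keystream_xor(session_key, plaintext)

def hybrid_decrypt(private_key, wrapped, body):
    """Unwrap the session key with the private key, then decrypt the body."""
    n, d = private_key
    k = pow(wrapped, d, n)
    if k >> 128:  # a real session key always fits in 16 bytes
        raise ValueError("session key unwrap failed (wrong private key?)")
    return keystream_xor(k.to_bytes(16, 'big'), body)

if __name__ == "__main__":
    message = b"Order #1001: ship to the usual address. " * 50  # constructed
    wrapped, body = hybrid_encrypt(PUBLIC_KEY, message)
    print("wrapped session key bits:", wrapped.bit_length())
    print("bulk ciphertext bytes:   ", len(body))
    print("round trip ok:           ",
          hybrid_decrypt(PRIVATE_KEY, wrapped, body) == message)
```

The public-key cost is fixed at one modular exponentiation on a 16-byte value however long the message is, which is why the slower algorithm is confined to the key exchange.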

Currently all standard cryptography algorithms (with appropriate key lengths) are considered secure when implemented properly (although all too often they are not implemented properly). There are known attacks, but usually these involve attacking the cryptographic system (as it is implemented) rather than the algorithm.

Many controversial technologies use cryptography, and as a neutral technology it can be either privacy enhancing or privacy diminishing. When used for personal encryption, such as email messages or secure internet commerce, privacy can be enhanced. Yet, cryptography is also used in privacy crippling technologies such as Digital Rights Management (DRM) or RFIDs. DRM typically has two functions: a surveillance communication (the DRM device 'calls home') and a restrictive (or 'enabling') cryptographic function [Kerr, 2004,89]. Cryptography is used to make data unreadable/unusable unless the user has the appropriate rights. The surveillance communication checks that the user has the appropriate rights and sends a key to allow the data to be decrypted. DRM is rarely successful, however, because the data can be viewed in its encrypted form and its unencrypted form (allowing for a 'known plaintext attack').

RFID cryptography is much more traditional: when a secure RFID is read by a scanner it engages in a public key exchange and decrypts its contents, given an appropriately linked private key. RFIDs are much more secure than DRM if implemented properly, but are still subject to some attacks (notably a 'power analysis' attack). Oddly, RFIDs can be used for surveillance or anonymity. Current highway toll systems (such as Ontario's #407) use an RFID technology for high-speed payment. This payment is secure but not anonymous, thus vehicles are tracked as they move through the highway system. The first highway toll system to employ cryptography, however, was quite different. The system allowed vehicles to pay the toll yet remain anonymous. This miracle of cryptographic thinking makes electronic commerce more anonymous than cash transactions, but the anonymous system has never been used.

2  Theories of Privacy

Brandeis and Warren [Brandeis, 1890] are typically credited with providing the first normative account of privacy. Their theory has great intuitive appeal; simply put, privacy is "being left alone" ([Kerr, 2004,90] & [Tavani, 1999,266]). Their theory (known as non-intrusion theory) confuses privacy with liberty. The conflation of liberty and privacy is an attempt by these theorists to make privacy a universal right. The argument is that if privacy is a necessary condition of liberty, and liberty is a right, then ipso facto privacy is a right. Some theorists use the right of autonomy to the same end [Moor, 1997,quoted Johnson, 28]. Critics argue that one can have liberty but no privacy, or privacy but no liberty [Tavani, 1999,266].

The seclusion theory suggests that the ability to temporarily or permanently withdraw from society constitutes privacy [Tavani, 1999,2]. The seclusion theory suffers from similar criticisms as the non-intrusion theories, yet is more effective in distinguishing liberty from privacy. Specifically, seclusion theories lack the explanatory power to accommodate granting privacy powers to others or suspending one's own powers, e.g., when one agrees to an End User Licence Agreement (EULA). The seclusion theory's merit is a subtle point that is often overlooked. It is difficult to understand the feeling that one has when privacy has been invaded without intentionality. E.g., when a DRM technology disables my music device I will feel as though my liberty is restrained. The seclusion theory, however, is able to distinguish liberty from privacy because it suggests that privacy is denied not because I have less liberty, but rather because the DRM technology has crippled my ability to withdraw from society [Cohen, 2003,6]. I cannot withdraw from society because the technology is tied to the device.

Control theory addresses the criticisms against seclusion theory and is better able to accommodate popular notions of privacy. It is now rare for privacy to be described as an intrusion or interference; rather, privacy tends to be characterized as the unsanctioned or unintended dissemination of information. The control theory is well suited in this regard. While there are multiple particular characterizations of control theory (e.g., [Fried, 1970] and [Rachels, 1995]), in general one has privacy "if and only if one has control over information about oneself" [Tavani, 1999,267]. The critics argue that one rarely (if ever) has total control over all information about oneself, and thus the control theory leads to a contradiction [Tavani, 1999,267]. Yet, an implementation of control theory such as the one developed by Rachels can effectively parry this criticism: Rachels views privacy as essentially a Rawlsian primary good that is necessary to foster close relationships in society. On this account, it is obvious that total control of personal information is not necessary; indeed, relationships are formed due to the exclusive sharing of personal information.

Moor's control/restricted access theory of privacy is the most recent well defended theory of privacy. Moor's theory is primarily contextual or situational; the context defines the access restrictions. Essentially, one has privacy in a situation "if in that particular situation the individual is 'protected from intrusion, interference, and information access by others'" [Tavani, 1999,267]. According to Moor's theory, there is a distinction between naturally private (e.g., physical protection) and normatively private (e.g., moral or legal sanctions and norms). Naturally private situations can lose privacy but not be invaded, whereas normatively private situations can be invaded (e.g., when a right is ignored). As we will see, cryptography requires a conception of normative privacy, but enhances natural privacy.

3  Privacy and Cryptography

Public key cryptography seems somewhat magical in its ability to securely transfer information across an insecure channel, although I attempted to explain the fundamental idea of a split-key system to alleviate this wonder. What was missing from the prior discussion, however, was the requirement of good authentication for a public key cryptography system. To return to the prior email example, if I send an encrypted email message to a recipient (let us say to Jane) using GNU Privacy Guard she will be able to use her private key (the private half of the split-key) to decrypt my message. There is no need to securely transfer a private key (as is required with private/symmetric key cryptography), because of the interesting nature of the linked- or split-key(s), and yet Jane is able to read my email securely.

The cryptography system breaks down, however, when an attacker engages in what is known as a "meet in the middle" attack; this is the same attack that is the basis of phishing on the world wide web. Without an appropriate (and accurate) level of trust, Jane cannot be sure that the encrypted message is really from me. There is nothing stopping someone from opening a similar email account, such as quinn.dupont@gmail.com, and sending an encrypted email from that account using a key generated from GNU Privacy Guard while impersonating me. The solution is to establish a web of trust (a linked web of vouching for known-to-be-authentic key signatures bound to email addresses) or use a trusted third party (which verifies the identity of the person/organization using traditional means; this is the method used in SSL).

Trust is central to the authentication problem of public key cryptography, yet this is a human and not a technical problem. Trust can be conceptualized in various ways, but most agree that it is an intentional belief. One such formalization of trust employs modal logic, such that "trust is the degree to which an agent considers an assertion to be valid for the real world" [Reagle, 1996]. Thus, a web of trust is an array of possible world states where trust is probabilistically distributed. A trusted third party system is (on this model) essentially a game theoretic decision.

A properly functioning cryptography system is not one that merely ensures security, because security is not the same as privacy. A properly functioning cryptography system ensures privacy by establishing trust (called authentication in the electronic realm) and maintaining security. Given Moor's theory of privacy the distinctions of naturally private and normatively private come together. Trust relies on normative powers, either norms (a modal array, or web of trust) or legislated powers (a trusted third party), whereas cryptographic security establishes a naturally private sphere. Essentially, cryptography is a 'situation' in Moor's vague sense, and is necessary to a flourishing society. Like Rachels, Moor claims that "without protection [i.e., security] species and cultures don't survive and flourish", but Rachels thinks that security also implies privacy. Yet, in a later paper Moor dismisses PETs as a method of ensuring privacy [Tavani, 2001,6]. Here, Moor argues that PETs are a form of the management of privacy, but are logically distinct from privacy. Moor's specific criticism of cryptography is a practical one: he thinks that cryptography is difficult to implement and worries that cryptography can be used to good or bad ends, to wit, "there are good reasons to be skeptical about how easy and effective PETs are to use." [Tavani, 2001,11]. I have attempted to show that cryptography can be done right, like any engineered product, and that it relies on sound mathematical theory and not magical conjuring.

4  Conclusion

Personal privacy in the network society is dialectical: it can either free individuals to remain anonymous in communication and commerce or eliminate all places to hide, act, and think freely. Barlow opines that the latter will occur when "all new intellectual creations will be put in cryptographic bottles" [Kerr, 2004,quoted Barlow, 88]. Barlow is specifically worried about the effects of DRM, but as I have shown cryptography underlies a host of technologies, not all of which restrict privacy or freedom. Cryptography creates naturally private spheres that are essentially situational. Picking up on Rachels' point, privacy establishes intimate relationships (either human or electronic), and when excluded from the relationship one feels the pang of restriction. Normative privacy is the tacit acceptance of natural privacy which is either created or assumed (on account of the implicit right to liberty).

I have shown that a robust understanding of privacy is not guaranteed by PETs, but that the technology can be secure. Further, world wide web communications can be private if legislation establishes trust (normative privacy) and modern cryptography (natural privacy) secures the channel. Finally, an online private sphere is necessary because private relationships foster societal growth in the network society.

References

L. Brandeis and S. Warren. The right to privacy. Harvard Law Review, 1890.

Julie E. Cohen. DRM and privacy. Berkeley Technology Law Journal, 18:575-617, 2003.

C. Fried. Privacy: A rational context. In Anatomy of Values. Cambridge University Press, 1970.

Ian Kerr and Jane Bailey. The implications of digital rights management for privacy and freedom of expression. Info, Comm & Ethics in Society, 2(1):87-97, 2004.

James H. Moor. Towards a theory of privacy in the information age. Computers and Society, pages 27-32, 1997.

James Rachels. Why is privacy important? Philosophy and Public Affairs, 4(4):323-333, 1975.

Joseph M. Reagle. Trust in cryptographic economy and digital security deposits: Protocols and policies. Master's thesis, Massachusetts Institute of Technology, May 1996.

Herman T. Tavani. KDD, data mining, and the challenge for normative privacy. Ethics and Information Technology, 1:265-273, 1999.

Herman T. Tavani. Privacy online. Computers and Society, pages 11-19, December 1999.

Herman T. Tavani and James H. Moor. Privacy protection, control of information and privacy-enhancing technologies. Computers and Society, pages 6-11, March 2001.