Tuesday, June 06, 2006

We need good ubiquitous encryption and we need it now.

As you all know, email is a disaster. We have spam to deal with, we have spoofed identity issues, we have privacy issues, etc. All of these can be solved by using encryption. But I want to take this a step further and say that we need it for phone conversations as well.

First, let me explain what I mean here. Using public key encryption we can accomplish two very important things. We can do either one or both at any time we wish. We can encrypt our communication so that only the intended recipients are able to receive it. And we can also use encryption to identify ourselves conclusively to the recipient.

You can see that by having digital ‘signatures’, we can eliminate the spoofing, phishing and spam problems in email quite easily. Once we can be sure who is communicating with us, we can then feel free to go back and prosecute the sender (in the case of spammers) or we can choose to not communicate with them (phisher). This can apply to telephone conversations as well. I just got a call from my bank asking for some information. Now. How do I know that it was them who called me? Because they knew my name and what bank I was involved with? Should I trust that? If I didn’t want to give out the info what recourse would I have?

Caller ID wasn’t used in this case. As is the case with most banks and big companies, their ID was blocked. I’m sure that a dedicated identity thief could probably hack the Caller ID system so I’m not really confident in that either. If we had encryption we wouldn’t have this issue.

Some say that encryption all the time would thwart the government attempts at countering terrorism. I’m not going to get into this since it would require me to write a whole lot and get way off topic. I will say that encrypted emails and phone calls, would be much better evidence in a trial than non encrypted emails and phone calls for 2 connected reasons: 1) tampering with the contents is virtually impossible, 2) the identity of the sender could be more positively identified. Of course the govt. has to be able to decrypt the messages which is easy to do once they know the private key of the sender and I would assume someone under investigation could be compelled in some legal way to give up their key just like they can have their homes searched, etc.

In all, we have a right to privacy and we have an obligation to others to positively identify ourselves to each other when we communicate using electronic means. Encryption is the way. If we started demanding it more, maybe the tools would be developed to make it painless to use.

No comments: