(1) Hello, and welcome to the encryption workshop and panel session.
(2) So the 2nd of May in the Year 2000 is a very important date in the development of operational security understanding because…
(3) on the 2nd of May in the Year 2000 US President Bill Clinton invented Pokémon Go.
(4) Or, rather, Bill Clinton signed some paperwork which disabled some ostensible global “safety” technology, thereby unknowingly laying the foundations for Pokémon Go, and much more, to be invented. You see…
(5) from its inception in 1978, until May 2000, all civilian use of GPS was hampered by a “precautionary principle” design restriction called “Selective Availability”, where unless you had access to a special kind of GPS receiver, one equipped with a classified, secret, regularly-changed encryption key…
(6) …the location reported by your GPS system would be deliberately inaccurate.
How inaccurate? Very inaccurate! Varying randomly by as much as 100 metres. You could be sitting in this building, but your GPS might tell you that you were standing on London Wall or wandering along towards Bank Station.
(7) The intention of this was “safety”: in 1978 it was decided that the general public could not be allowed to have accurate positioning information, in case the armies of anti-democratic nation states, or terrorists amongst us, used off-the-shelf GPS systems to build self-navigating “cruise missiles” that would crash into important buildings, assassinate political leaders, etc.
(8) With this insight it’s ironic to reflect on this year’s efforts of Ukrainian drone-operators using off-the-shelf quadcopters to guide artillery and to drop grenades onto Russian tanks in an impressive display of asymmetric warfare,
(9) not to mention the growing use of GPS “geofencing” to keep quadcopters and other drones away from airport flightpaths.
(10) But: however well-intentioned, it turned out that Selective Availability had inherent and massive negative economic and military consequences: the “military-secret” GPS receivers were rare and required special handling (the encryption key material, even more so!), they were more expensive to produce, and it was challenging to put large numbers of them into the field.
(11) This was so much of a problem that Selective Availability fundamentally compromised several purposes of GPS; during the first Gulf War troops begged their families to send them commercial, off-the-shelf GPS receivers because the military “Navstar” units were largely unavailable (some reports say: “two units per 100 vehicles”), and yet GPS was meant as a key safeguard against “friendly fire” casualties; so the troops decided that “any location data is better than no location at all”, even though the civilian units were inaccurate.
(12) Also: the overhead of standards and compliance meant that military receivers did not track advancements in user interfaces and display technologies, nor the improvements in accuracy which featured in “commercial” GPS units: enhancements that were motivated not least by efforts to circumvent Selective Availability, for instance by averaging locations over time, or by integrating alternative navigation beacons.
(13) So: in function and in practice, Selective Availability was doomed, and it was disposed of, with the actual hardware capability finally being expunged from GPS’s specification by the Bush White House in 2007.
(14) But what if the world’s governments had forbidden civilian circumvention of selective availability, and what if it had never been switched off?
In that case, here in 2022 there would be:
(15) no Pokémon Go
(16) no Geocaching
(17) no Location-based Games
(18) no decent in-car navigation
(19) no Uber
(20) no Deliveroo
(21) Quite possibly no significant “gig economy” whatsoever
(22) no Google Street View
(23) Certainly no user-generated content on streetview
(24) no “sharing your location”
(25) no “finding your family” in a crowd, by using WhatsApp or similar
(26) If you’re the sort of person to track your child with technology, there would be no child “geofencing”
(27) AirTags and similar would be considerably less useful
(28) Similarly for stolen car trackers
(29) For people who find them useful, no speed-trap alerts
(30) no automated recording of walking routes, which sounds very pedestrian until you realise that there would probably be…
(31) no OpenStreetMap, nor everything on-line for which OpenStreetMap gets used. We would all still be in hock to the Ordnance Survey for British mapping.
(32) no precision location for hikers, boats, pilots, …
(33) no precision crop-spraying
(34) …which means that there would still be excessive agricultural use of water, pesticides and fertilisers, dumping chemical runoff into streams and the groundwater system.
(35) no location-tagging of photos
(36) no searching photo-albums by location
(37) no photo-based open-source intelligence
(38) no solution to a bunch of crimes
(39) no open-source intelligence proving the cause of the crash of Malaysia Airlines flight MH17
(40) …and this has just been a partial list of some of the things which Selective Availability would have compromised. A full list would be enormous.
If Selective Availability were still active, a huge and rich ecosystem of tools, activities, and industries would simply not exist,
(41) and worse: we would never know that they should exist by now.
(42) So, on that happy note: Hi, my name is Alec, and welcome to this panel on “encryption”. Except … this is not really a panel on “encryption”.
(43) When I was approached to chair this session, my brief was to provide
[A…] workshop-style panel will explain and demonstrate encryption to the public. It will include a deep dive into:
how the technologies work, and participants will be shown…
how to secure their digital environment
what to expect when submitting information securely to third parties, and…
what strong encryption means
This will be followed by a debate between panellists on the merits and risks of encryption.
(44) I’ve done this many times in the past 30 years, and nowadays it’s a lot easier to explain:
(45) Encryption should look like your vintage SMS and phone and video-chat applications, but much nicer, and likely not cost anything to use, and (importantly) Governments and telecommunication industry lobbyists should be very angry about them.
(46) Also: all the other encryption that you use, like the small, end-to-end-encrypted cloud of your devices (your phone and tablets and smart-watches and fitness-trackers) all sharing bookmarks and payment and other data amongst themselves?
You should probably not even realise that it’s there, although you should keep an eye out for journalists telling you that something is broken or missing.
And then you need to fact-check the journalists, and get angry only if it’s true.
(47) Also: most people don’t really need to know how encryption works; there is no pressing obligation for a normal human being to be able to explain why Supersingular Isogeny Diffie-Hellman Key Exchange is suddenly a bad idea.
(48) The question of “how to secure your digital environment?” immediately raises the question: “from whom?”, without an answer to which we cannot meaningfully respond; there will be different answers …
(49) for you…
(50) vs: a teenager pursuing an abortion in some parts of the USA
(51) vs: an Iranian women’s-rights activist
(52) vs: whoever is our Foreign Secretary this week.
(53) in summary, the only legitimate answer to “how to secure your environment?” is: “it depends.”
(54) So, we’ve covered:
explaining and demonstrating encryption
how encryption works
how to secure your environment
And the next question is…
(55) What do people expect when submitting information securely to third parties?
The answer is very straightforward:
(56) People expect that what they submit to third parties will not be seen, scanned, nor processed by “fourth parties”.
(57) The technical word for this is “Trust”.
(58) What people actually care about, what people actually expect, is that their credit card details will not be ripped-off and cloned in transit to Tesco’s website, and for that matter whether it is really Tesco (or one of their approved partners) on whose website they are clicking.
(59) People expect that iCloud or Google Chrome syncing will not leak their passwords nor their personal information.
(60) Similarly, for messaging, people expect that their messages will only be read by those people they intend;
not by hackers
not by platform employees
not by government spies, nor covert law enforcement
(61) From people’s basic expectations we can derive the most fundamental political and moral questions of modern information technology; and with those we can define “strong encryption” as “encryption which meets those obligations”, thereby providing a firm foundation upon which one may reason when constructing innovations.
(62) Now: when I was approached to chair this session, I was asked if I have:
“an organisation which [I] work for/represent that we can list on the website?”
which presumably is meant as a kindness to attendees, so they can work out who to cheer and boo.
(63) I don’t have anything like that, not even in the past 2 years.
I am a full-time stay-at-home dad, I am the primary carer, I change nappies, do all of the laundry, most of the cleaning, prep food, wipe snotty noses, read books, sing songs, ferry my daughter to activities, play “peekaboo” … and so I suggested to the organisers that:
(64) Maybe they could put me down as a “Consultant?”
(65) Evidently this was not quite what they were looking for, so everyone on the agenda suddenly gained improved speaker biographies reflecting some of what they do and have achieved, rather than merely who they work for.
(66) In doing so they implicitly made an important point: that we need to stop talking about “abstract labels” and talk instead about “impact”. So in the same spirit I will rename this session.
(67) This is no longer a session about “encryption”; instead, this is now a session on: “giving people everywhere, greater privacy, assurance and confidence, and enabling them to keep secrets, even from the state”
(68) This does not dilute the gravity of what we will discuss in the panel; the ability to keep a secret is dangerous, and the abilities to speak and share ideas in secret are even more dangerous.
(69) These capabilities can assist disruption, they can assist conspiracy and assist genuine harm, they can undermine accountability and they can help enable bad people who intend to do bad things.
(70) NOTE WELL: all of these are “assistance” because it’s entirely possible, even quite commonplace, to be a “malicious actor” or “abuser” or “troll” while using unencrypted “cleartext” communication, with or without anonymity. Even “face to face”.
(71) In this world there is a small number of very, very genuinely bad people who would use greater privacy, as they would any other public facility, in order to do bad things.
(72) But to be adults in an open society we need to understand and discuss the cost/benefit analysis of “giving people everywhere, greater privacy, assurance and confidence, and enabling them to keep secrets, even from the state”
(73) Just as with GPS Selective Availability in 1978, we fear that a novel technical capability (“privacy”) may be used to commit atrocious harm… but currently nobody is advocating for the other side of the balance scale.
This is bad, because not only are our fears massively overblown and our proposed remedies disproportionate…
(74) but also they keep us from recognising that unobvious future innovations will probably stand upon our “giving people everywhere, greater privacy, assurance and confidence, and enabling them to keep secrets, even from the state”.
(75) To reframe a popular political cliche, we must consider the balance between “safety” and “a vast multitude of things which can be achieved and harms which can be avoided by giving people everywhere, greater privacy, assurance and confidence, and enabling them to keep secrets, even from the state” including several forms of safety.
(76) Which would you choose?
(77) It’s an emotive subject; some people with a deep-seated belief in the “precautionary principle” approach to “balancing liberties” will make arguments like:
(78) “if just one child is saved, then any amount of inconvenience will be worth it!”
So, it’s important to know for what follows that earlier this year the Home Office ran a £500,000 publicity campaign to lobby against encryption.
The big number on their website said that “14 million reports of suspected child sex abuse could be lost” through encryption; that number (14 million) was intentionally quoted out of context in order to get you upset and to make you feel angry.
(79) The facts start to become clear when you read Meta’s own analysis of the abusive content which they send upstream as reports, where in a sample they found that more than 90% of it was duplicates,
(80) …and that of the accounts sharing it, more than 75% did not appear to have any genuinely malicious or abusive intent.
(81) If you don’t believe Meta, you can read NCSC & GCHQ’s own recent analysis, which provides similar numbers; GCHQ’s report starts from an even bigger figure of 29 million reports and it ends with 8,700 UK children safeguarded in 2021.
So that’s a ratio, if ratios were meaningful at all, of 0.03%.
(82) But the GCHQ paper doesn’t go so far as to mention the final outcomes, where for the same year, according to Government figures, 1,930 children had protection plans for sexual abuse, which contrasts badly with 24,000 plans (over 12x) for neglect and nearly 19,000 plans (nearly 10x) for emotional abuse.
(83) We have a big societal problem with child care, and although “tech” is a huge issue in children’s lives, “tech” itself is not the big societal issue. Care, is.
(84) But one other problem with heroically wanting to “save just one child” is that it is simply not how the world works.
For example:
(85) The number of people killed or seriously injured on the roads, including children, has been mostly flat for the past ten years in the low “30-thousands”, only marginally decreasing since 2010; that is, until “lockdown” happened.
The year 2020 saw 6810 fewer people being killed or seriously injured (of which 2600 children) compared to the year before.
(86) So here is a concrete, manifest public good: we have an opportunity to save lives: we can reimpose national lockdown, save 26,000 children in the next decade, perhaps 68,000 people overall, and help save even more lives by reducing pollution, infection, etc.
Right?
But you don’t hear many people proposing this.
(87) Why not?
Perhaps because there is actually an unremarked balance where it is less important to protect abstract, hypothetical children than to enable an economy and to allow people to live their concrete lives.
(88) Speaking of “what people should be allowed to do” next we often hear an exclamation like
(89) “people should not be allowed to keep secrets from the state”; as if doing so were some sort of tech-industry subversion of democratic governance.
In our society, we follow what is called “due process”, including search warrants, which can include people’s devices.
We do this because there is nothing in our society that demands that people should be prevented from having privacy, assurance and confidence, or from being enabled to keep secrets, even from the state.
(90) This is the case not least because criminalising any such mechanism would outlaw “skulls”.
We can’t read minds, and if we could it would be highly dystopian.
So (excusing that there may be consequences) you are free to keep secrets about whatever you want within the confines of your head.
(91) And if you hear someone say that privacy and integrity should be pierceable by the state, don’t forget to ask “Which State? For which people?”
Perhaps Russia, where citizens are stopped on the street and their messenger histories, searched?
(92) Also: We can only wonder with messenger surveillance which states would have been permitted oversight of Sergei and Yulia Skripal’s WhatsApp messages, and who would have arbitrated that?
Would MI6 have sent a message to Facebook saying:
“Don’t let the FSB look at these people’s messages, even if they ask! We can’t tell you why. Trust us!”
Somehow that seems unlikely.
(93) The overall problem with pierceable privacy (other than by grabbing someone’s phone under warrant and subjecting it to forensic analysis) is that it is not selective: the process is not limited in purpose or scope, however much one might pretend that it is.
So, in terms of risk from the state, your message content cannot be “only-a-little-bit-surveillable”, in the same way that you cannot be “only-a-little-bit-pregnant”; analysis-capability and surveillance-capability are the same thing.
(94) And the historical progression of investigations under the Regulation of Investigatory Powers Act from anti-terrorism to fly-tipping and hunting for parents who are cheating at school catchment areas indicates strongly how any such surveillance function would become abused by Governments.
(95) But also let’s not pretend that there isn’t an actual problem: again, as GCHQ’s recent paper put it, a societal problem which we do need to address: there are new models of harm like image-based sexual abuse, including “deep-fakes” of innocent victims, and there is child sexual exploitation imagery, where even decades-old illegal content can circulate and recirculate, and not all of it gets reported to the police.
(96) But is a technical fix permitting only “Selective Privacy”, one which prevents people from having strong privacy, assurance and confidence, and from being enabled to keep secrets, even from the state, fair, proportionate, and reasonable in an open society?
If this is a societal problem, why pursue a technical fix?
Why drill holes in everyone’s data security and close off future industries which may stand on it, when we could instead try to eliminate or mitigate the behaviours which drive the abuse and the market for such material, thereby protecting more children overall: both those we know to be at risk, and others whom we do not?
(97) If addressing a societal problem in a social manner is not possible nor effective then why is the Home Office this week running a campaign to mitigate violence against women by educating men out of the habits which lead to it?
Why do that, rather than a nice technical fix like putting microphones into everyone’s houses?
(98) who can say?
(99) So: one last cliché before we begin our panel session: it is sometimes glibly proposed that:
“if you have nothing to hide, you have nothing to fear”,
…but as a parent I (for one) also deeply understand…
(100) that I do now have something precious, not to hide, but to protect.
I want to protect my family’s and everyone else’s future interests.
I don’t want my daughter growing up into an Orwellian dystopia which lacks the freedoms and privacies and agency and control which we have hitherto enjoyed.
(101) and I firmly believe that that goal is best served by giving everyone everywhere, greater privacy, assurance and confidence, and enabling them to keep secrets, even from the state.
Yes, of course there are risks, but they are not great risks, and in any case… life in general is risky; that’s normal, and any attempted solution is worse.