Secrets and lies

There is a new technical area which has considerable implications for discussions of privacy. This new area is cryptography, an area that is a lot more extensive than sending messages in secret codes. With recent developments all the following have come together:

These ideas arose only in the 1970s, with the invention of public-key cryptography; new, then, in the sense that until that point cryptographic techniques, however elaborate, had rested on the same foundation as they had since biblical times: a secret key agreed in advance between the parties. These new technological possibilities raise a host of political and moral questions, mostly centred on the conflict between individual freedoms and the interests of the society to which we belong.

Anonymity and audit trails

Take electronic cash for example. With digital signatures, it is straightforward to write an unforgeable cheque. More can be done, however. Someone can order goods from a supplier through the Internet and arrange for their payment without any bank knowing either their identity or the identity of the merchant. This is surprising, because the bank has to be involved to confirm the creditworthiness of the account. The trick is a blind signature: the customer hides the coin behind a random factor before presenting it, the bank signs what it cannot read and debits the account, and the customer then removes the factor, leaving an ordinary bank signature on a coin the bank has never seen. When the merchant later deposits that coin, the bank can check its own signature, and check that the coin has not been spent before, but it cannot match the coin to any withdrawal.

There are two conflicting views about cash: coins are very convenient, but they are hard to track; conversely, cheques and other paper transactions are more tedious, but are much easier to track (even paper currency has serial numbers). Individuals prefer the freedom of coins, and organizations and governments prefer the audit trails left by paper records.

The controversy is this: the different sorts of electronic cash can, in principle, be even more anonymous than conventional coins, or on the other hand, electronic cash can be even easier to audit, depending on what 'you' want. There are many 'yous' in this equation: nations want to have more control, banks and commerce want efficiency and profit and individuals want autonomy and trust. Furthermore, the military and secret services are interested, as the technology to do these things relies on various forms of 'secrecy', which is their stock-in-trade.

There are parallel issues with secure voting. Voting is a bit like spending money: you can only 'spend' what you are given, typically one vote; you can only spend it once; and you must be able to spend it anonymously. Also, just as people want to count money accurately, they wish to count votes accurately. So, the issues are technically almost identical.
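The two paragraphs above describe one mechanism twice: an issuer (a bank, or a voting authority) certifies a token without seeing it, and later accepts each token exactly once. The following is an added example, not code from the original text, showing the RSA blind-signature version of that idea: the customer blinds a coin, the bank signs and records only the blinded value, the customer unblinds, and the bank's deposit ledger rejects a second spend. The key is built from two small Mersenne primes purely so the example runs; that choice, the hash-to-group step and the `Bank` ledger are assumptions of this example, and a real deployment would use full-size keys and a standardised scheme such as RFC 9474.

```python
"""RSA blind-signature coins: anonymous withdrawal, single-use deposit (toy example)."""
import hashlib
import math
import secrets

# Assumption: a toy bank key from two Mersenne primes, 2^61-1 and 2^89-1.
# Far too small for real use; chosen only so the example runs without a library.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
assert math.gcd(E, PHI) == 1
D = pow(E, -1, PHI)  # the bank's private exponent


def coin_digest(serial: bytes) -> int:
    """Map the coin's serial number into the RSA group (hash-then-sign)."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N


def blind(serial: bytes):
    """Customer: multiply the digest by r^e so the bank sees only a random-looking number."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            break
    blinded = (coin_digest(serial) * pow(r, E, N)) % N
    return blinded, r


def unblind(blinded_sig: int, r: int) -> int:
    """Customer: (m * r^e)^d = m^d * r, so dividing by r leaves a plain signature m^d."""
    return (blinded_sig * pow(r, -1, N)) % N


def verify(serial: bytes, sig: int) -> bool:
    """Anyone with the bank's public key (E, N) can check a coin."""
    return pow(sig, E, N) == coin_digest(serial)


class Bank:
    """Issuer that signs blindly and keeps a ledger of spent serials (assumed design)."""

    def __init__(self):
        self.withdrawals = []  # (account, blinded value): all the bank ever sees at issue time
        self.spent = set()     # serials already deposited

    def withdraw(self, account: str, blinded: int) -> int:
        # A real bank would debit `account` here; it signs without learning the serial.
        self.withdrawals.append((account, blinded))
        return pow(blinded, D, N)

    def deposit(self, serial: bytes, sig: int) -> str:
        """Accept a coin once: bad signatures and replays are both refused."""
        if not verify(serial, sig):
            return "rejected: bad signature"
        if serial in self.spent:
            return "rejected: double spend"
        self.spent.add(serial)
        return "accepted"

    def can_link(self, serial: bytes) -> bool:
        """The bank's naive attempt to tie a deposited coin back to a withdrawal record."""
        return any(b == coin_digest(serial) for _, b in self.withdrawals)


def run_demo() -> dict:
    """Withdraw one coin, spend it twice, try a forgery, and ask whether the bank can link it."""
    bank = Bank()
    serial = secrets.token_bytes(16)  # constructed: customer's random coin identifier
    blinded, r = blind(serial)
    sig = unblind(bank.withdraw("alice", blinded), r)
    return {
        "valid": verify(serial, sig),
        "deposits": [bank.deposit(serial, sig), bank.deposit(serial, sig)],
        "forgery": bank.deposit(b"forged coin", 12345),
        "linkable": bank.can_link(serial),
    }


if __name__ == "__main__":
    print(run_demo())
```

Read "coin" as "ballot" and `Bank` as the returning officer and the same code is the voting case: each voter gets one blindly signed token, casts it anonymously, and the ledger stops it being counted twice. The deposit check must test the signature before the spent-set, otherwise an attacker could probe which serials are already in the ledger without holding a valid coin.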

Big brother is watching you

Governments feel uncomfortable with citizens having essentially unbreakable security. In particular, it is argued that law enforcement agencies must always have a right to access people's secrets because occasionally their secrets are illegal.

This can be made possible but should it be allowed? Let us consider, for example, various forms of key escrow. (Escrow is a legal term meaning something held by someone until some condition is fulfilled, for instance some money may be held in escrow until a child is 18.) The basic idea is that your secrets are really secret to everyone except to suitably authorized people (such as judges, or the police). For anything you decide to lock up electronically, you would be required to lodge a 'copy' of the key in escrow, that is in a secure place that could be accessed in emergencies. This is obviously a good idea if you have sealed your last will and testament, which must only be read when you are dead! But it may not be a good idea in many other areas of life, since it assumes the escrow agency is always trustworthy and works in your interests, and that its store of everybody's keys, a single target of enormous value, can itself be kept secure.

There are some delicate balances to be struck here. For example, there is a difference between giving the police the right to access our secrets if they have justified their reason to collect evidence (say, if they have a warrant), and designing the technology in such a way that the police have a blanket mechanism for surveillance. Even if we have grounds to trust our own police, not all users of the technology might be so worthy of trust.
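The two paragraphs above distinguish a single agency holding a copy of the key from access that requires a justified request. One technical expression of that difference is to split the escrowed key with Shamir's secret sharing so that no single agent holds it and any `threshold` of them must cooperate to rebuild it. The following is an added example, not from the original text; the prime field, the share layout and the five-agent, three-to-recover arrangement are assumptions chosen for illustration.

```python
"""Threshold key escrow with Shamir secret sharing (toy, added example)."""
import secrets

# Arithmetic is done modulo a prime larger than any key we share.
# 2^127 - 1 is a Mersenne prime; keys handed to split_key must be smaller than it.
PRIME = (1 << 127) - 1


def _eval_poly(coeffs, x: int) -> int:
    """Evaluate coeffs[0] + coeffs[1]*x + coeffs[2]*x^2 + ... mod PRIME (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_key(key: int, threshold: int, agents: int):
    """Return one (x, y) share per escrow agent; any `threshold` of them rebuild the key.

    The key is the constant term of a random polynomial of degree threshold-1,
    so fewer than `threshold` points leave every value of the key equally likely.
    """
    if not 0 <= key < PRIME:
        raise ValueError("key must be in [0, PRIME)")
    if not 1 <= threshold <= agents:
        raise ValueError("threshold must be between 1 and the number of agents")
    coeffs = [key] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, agents + 1)]


def recover_key(shares) -> int:
    """Lagrange interpolation at x = 0 over the supplied (x, y) shares."""
    key = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        key = (key + yi * num * pow(den, -1, PRIME)) % PRIME
    return key


def escrow_demo() -> dict:
    """Lodge a 120-bit key with five agents such that any three can reconstruct it."""
    key = int.from_bytes(secrets.token_bytes(15), "big")  # constructed: the user's file key
    shares = split_key(key, threshold=3, agents=5)       # e.g. judge, police, two banks, ombudsman
    return {
        "three_agents_recover": recover_key(shares[:3]) == key,
        "another_three_recover": recover_key(shares[2:]) == key,
        "two_agents_recover": recover_key(shares[:2]) == key,  # fails except by a 1/PRIME fluke
    }


if __name__ == "__main__":
    print(escrow_demo())
```

Splitting the key answers only the confidentiality half of the objection in the previous paragraphs: a lone agent, or a thief who takes one agent's store, learns nothing. It does nothing about agents who collude, about whether the request that brings the shares together was justified, or about the user having to trust the software that lodged the shares in the first place.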

There are very similar arguments for and against monitoring what is being done. In electronic cash, there is the privacy of the way the individual spends his or her money, against the wish of the banks or the State to monitor whether that behaviour is appropriate. In voting, there is the privacy of the voter's opinions against the necessity of counting votes and guarding against fraud.

Modern cryptographic methods can achieve almost any desired balance of outcomes; what is tricky is deciding what outcomes we want. Amongst all the technical possibilities, there will be ones that suit 'society' more than others; and what suits society may not be what suits individuals, or particular groups of individuals.