Avoiding the Digital Panopticon
The Digital Panopticon
The ‘Panopticon’, or the ‘Inspection House’ is a type of prison designed by the late 18th century philosopher Jeremy Bentham. Its design is such that a single security guard can sit in a central tower and monitor a large number of inmates through the clever placement of lights and mirrors, while the guard themself is invisible to inmates. Its effect is such that inmates know they cannot all be watched simultaneously, yet they cannot know when they are being watched. Creepy.
Fast forward 200+ years to the dawn of the Digital Age. It doesn’t take much imagination to see how the Panopticon concept translates to prisons today. In fact, modern-day prisoners are monitored constantly through audio, video, heat and motion sensors to make the job of a prison guard easier and safer. Great!
But what if we take the concept one step further? What does an online adaptation of the Panopticon look like? A single person (or computer) could easily monitor the daily activity of thousands — millions of ‘inmates’. In place of lights and mirrors, insert financial records, mobile phone location history, all written communications, TV and internet browsing preferences… the amount of digital data the average person creates in a single day would have been unfathomable just 25 years ago. So what if the few in the observation tower started to point their tools at the many law-abiding citizens? Forget the notion of ‘if’, this is already the case, as famously documented in the Snowden Leaks. Are we collectively asking for a world of mass surveillance and do we even get a choice? Some authoritarian regimes have in place today systems of mass surveillance and social credit scoring - the stuff of late 20th century Sci-Fi.
“We have two paths we can take; we get the [Chinese Communist Party] surveillance state exported to the rest of the world and get herded into our digital panopticon, or we do the hard work and build out open and distributed systems and stand up for liberty in the digital age.”
— Marty Bent, writer and privacy advocate
Lets dig deeper.
Encryption is an Asymmetric Technology
For the sake of this article, lets agree that an asymmetric technology is one that is easy to employ but comparatively difficult to combat. In other words, a technology that can be obtained and used by an individual, but one which an adversary with considerably more resources would need to go to great efforts to stop - and particularly to stop a group of individuals - from using.
Many such technologies have already changed the course of history. Politics aside, we can all agree the following examples have shaped our world in a meaningful way: the printing press, radio communication, the combustion engine, the AR-15 rifle, the personal computer, the internet. All are tools which empower individuals, for good or evil. And while it is trivial for a government, cartel, or otherwise powerful organization to stop any one person from using them, it is near impossible to stop a large group of individuals all at once. This brings us to encryption… almost.
A long time ago, in a world before the internet, people acted and communicated freely with minimal risk of being spied on. Sure, if ‘they’ wanted to know what you had for dinner last night they could find out, but in theory you, a good upstanding citizen, needn’t worry. If a letter arrived unopened you could be reasonably sure it wasn’t read by any spies along the way. On the other hand, an email or any other piece of digital data can be duplicated trivially and rerouted to tens of thousands of recipients in a matter of seconds without the original sender’s or intended recipient’s knowledge. Furthermore, powerful data collection tools combined with ever-refined machine learning software make the surveillant’s job easier and more effective by the day. Yikes!!
Luckily, encryption is the asymmetric-technology-last-line-of-defense against the Digital Panopticon. Put simply, encryption is the process of transforming data until it is unrecognizable through use of an algorithm. For this to be useful, the recipient of the encrypted data must then be able to decrypt it with a secret code or ‘key’. There are many forms of encryption, but what we are mainly interested in here is what is called Public Key Cryptography.
Crypto Means Cryptography!
For a moment try to forget the kind of ‘Crypto’ your eleven year old brother trades on a sketchy, illiquid exchange platform headquartered in Malta. Public Key Cryptography or Asymmetric Cryptography is the idea that two parties, call them Alice and Bob, each have a ‘public key’ and a ‘private key’. They are each free to share out their pubkey without fear of leaking data, but they must keep their privkey a secret. Through some ingenious math magic, combining Alice’s pubkey with Bob’s privkey or vice versa allows them to send data between one another which would look like jumbled nonsense to anyone intercepting it along the way. Cool!
The implications go far beyond our little chat between Alice and Bob. If you didn’t know, nearly every interaction you have online utilizes some form of encryption. Every time you log into an account using a password. Every time you open your phone with your fingerprint. Every time you type something into DuckDuckGo — err..Google — you are harnessing the power of encryption. It is happening all the time in the background of applications, communication protocols and online services, all invisible to the end user. Without this critical tool the average user couldn’t hope to keep any digital data private. And yet, the war is far from over. The battle for privacy is fierce and ongoing as new clever deanonymization techniques are developed.
“[encryption] can help protect your personal data and privacy from any outside intrusion, whether that threat comes from a government, a major tech firm, or a rogue hacker.“
— Alex Gladstein, Chief Strategy Officer, Human Rights Foundation
“The Overton Window on privacy is changing.”
— Alex Gladstein
EARN IT Act is a Red Herring
Currently in the United States, the 1996 Communications Decency Act, Section 230 ensures that ‘online providers’ (web services, messaging apps, social media networks, etc) may not “be treated as the publisher or speaker of any information provided by another information content provider.” Translation: the platforms themselves cannot be held accountable for content a user publishes on or relays through it. This is a win for the vast majority of honest users of these platforms. It allows the software developers to build secure encryption layers into their product without fear of being sued or shut down due to the actions of a single bad actor. On the Communications Decency Act:
“Section 230 enforces the common-sense principle that if you say something illegal online, you should be the one held responsible, not the website or platform where you said it (with some important exceptions).” […] “It is the single most important law protecting internet speech.”
— Electronic Frontier Foundation
Now, in the midst of the global COVID-19 pandemic, there is a sly bill making the rounds in Congress which threatens to throw these guarantees out the window. The so-called EARN IT Act (Eliminating Abusive and Rampant Neglect of Interactive Technologies) put forth by Senators Lindsey Graham (R-SC) and Richard Blumenthal (D-CT) does not once mention the word encryption. Yet, it would require online service providers to grant “lawful access” to authorities whenever they demanded it. Most experts agree there is no way to comply with this proposed mandate other than to build secret access points commonly called ‘backdoors’ into their encryption techniques.
The problem with this logic is if the company or government agency can use a backdoor to intercept and decrypt data, so can anyone else who discovers it! Have we learned nothing from the Equifax breach and countless credit card and database leaks in recent years? These hacks will become simple tasks if we start forcing companies to purposely build flaws into their security model. There has been significant backlash to the bill among tech leaders and writers. Notably, messaging service Signal developer Joshua Lund published a blog stating they will have no choice but to cease operations in the US should the bill pass. Signal is arguably the only secure messaging application that has achieved mainstream adoption in the US.
“[EARN IT] uses the laudable aim of fighting child exploitation to cynically launder law enforcement’s unsuccessful, decades-long effort to undermine strong end-to-end encryption.
— Julian Sanchez, Senior Fellow, Cato Institute
The enforced weakening of privacy-enabling technologies is a slippery slope towards a surveillance state. The Digital Panopticon. To varying degrees of success and severity, authoritarian regimes such as the Chinese Communist Party, Venezuelan, North Korean, and Zimbabwean regimes have shown the world what the other side can look like.
I am hopeful that the EARN IT Act will not pass. But should it pass, I am hopeful yet. To date, strong encryption methods have not been broken and are relatively easy to deploy into software. Most importantly, the people building and employing them are not to be underestimated.
Finally, below is a short list of interesting projects working on robust, privacy-enhancing tools that you may find interesting. Let us not be the subject of a dystopian Sci-Fi novel. Let us keep our data ours.
- GnuPG (GPG): free implementation of the OpenPGP standard for encrypting and signing data and digital communications. FOSS.
- Tor Project: peer-to-peer communications network facilitating private internet access. FOSS.
- Tails OS: security-focused Linux distribution which can be live-booted via USB stick or DVD. FOSS.
- Graphene OS: security-focused mobile OS, easily installed on older Samsung Galaxy models. FOSS.
- Bitcoin: pseudonymous, censorship-resistant peer-to-peer value exchange protocol. FOSS.
- WireGuard: cutting edge VPN tunneling software. FOSS.
- SecureDrop: anonymous whistleblower submission system managed by the Freedom of the Press Foundation. FOSS.
- NYC Mesh: alternative peer-to-peer internet service mesh network, currently available in Brooklyn and Lower Manhattan.