Published on: 2020-11-16
Keeping encryption elitist
One opinion which I started questioning a lot in the last few years is educating people about encryption and providing easy access to end-to-end encrypted communication.
I find myself as one of the very few people in my entourage that half-believes in the necessity of policy initiatives for limiting access to end-to-end encryption, like the ones the EU is advancing.
Take as an example a tool like Signal, end-to-end encrypted messaging, open-source, funded mainly by private individuals rather than by governments and/or corporations subservient to said governments.
Young me thought that the idea of something like Signal, a tool that can be used by anyone to essentially make all their communications private, was amazing. Still-young-but-somewhat-older me thinks that making sure apps like Signal are not accessible to a wide audience might actually be an ethical goal.
I - Millions of LSD blotters, dozens of bombs
To answer this question I think we first have to understand something curious about the real world. Namely the fact that, in the vast majority of Europe and the US, you can buy LSD.
It's not very complicated to do it either, you can order from markets like Agora (or whatever kids are using nowadays) and get it delivered at home, from a vendor that's been independently verified by multiple sources which sent it to trustworthy labs which generated COAs for the stuff.
You can also buy it on the street in most places, without having to look too hard. At most, you have to go to a festival, but in the more civilized parts of Europe and the US it's probably enough to ask your tolerated-drugs dealer and he'll know a guy.
This is extremely surprising considering the prerequisites of making LSD, namely having access to:
- Lysergic acid
Those are not the only things one needs, but they are the most likely to get you in trouble if you try acquiring them. Ergotamine is a list I controlled precursor. Diethylamine is not controlled but is on the DEA surveillance list (i.e. if you buy a lot of it men with guns will come knocking at your door to ask questions) and I can't find the status of lysergic acid, but I assume its purchase is also monitored to some extent.
These substances are not easy to synthesize either, you can arguably make diethylamine fairly easily in a home lab. But, for ergotamine and lysergic acid, you basically need a large quantity of ergot and plants containing lysergamides. The latter might be easy to source, the former certainly isn't.
So an operation sourcing significant quantities of all of those 3, under the government radar, seems like a pretty complex business. It becomes even more complex once one considers how LSD is made. It's the kind of thing you can make in a "home lab" if that "home lab" is staffed by a group of skilled chemists and has very expensive equipment, it's not cooking meth.
The PiHKAL description above glances over steps that would require quite a bit of chemical engineering know-how to get right, e.g:
The residue was chromatographed over alumina with elution employing a 3:1 C6H6/CHCl3 mixture, and the collected fraction stripped of solvent under hard vacuum to a constant weight
There is a lot to unpack there, half a book could be written about each half of the above sentence, and it's one out of over a dozen detailing the process.
Granted, I assume that the recipe PiHKAL gives is not what people use on an industrial scale. But the point I'm trying to argue here is that making LSD is hard, it's a miracle we have so much of it.
All in all, one would need a fairly well-equipped laboratory, expensive enough to require selling millions of doses to get a good ROI. One would need a fairly sophisticated supply chain, requiring silent friends in a few key places and potentially some large ergot-producing wheat fields or greenhouses.
Yet LSD is priced at between 4 and 20$ for 100mcg depending on location. I'm not particularly surprised that the world has an ample supply of LSD, I'm just surprised that this is happening in the same world where, despite hundreds of terrorist attacks in Europe in the last few years, not a single building was demolished using TNT, not a single major water supply was poisoned, nor a single mass gathering bombed with white phosphorus.
Consider what's needed to make TNT, the gist of it would be:
- toluene (of course)
- nitric acid
- sulphuric acid
Or, to put it in other words, to make a few kgs of TNT all one needs are common baking and cleaning products, toluene (available over the counter in reasonable quantities with no tracking), and some fertilizer.
I'm not going to sit here on my theoretical horse and claim I could do it in a few days, but it's orders of magnitudes easier than producing LSD. Both in terms of required know-how and in terms of how easy it is not to get caught.
Essentially, all a terrorist group would need to produce enough TNT to kill dozens of thousands of people, would be 4 or 5 blokes with some basic chemistry knowledge going to different shops to source the required reagents over time, plus the standard equipment one might find in a meth lab.
It's hard to find numbers on how much TNT one needs to destroy a skyscraper. I will consider that 70kg of gunpowder was enough for imploding a medium-sized cathedral in the 18th century. I'd wager 20-100kg of TNT, even in the hands of someone with no demolition know-how, could bring down enough building in a very violent way (note: Controlled demolition requires much more explosive than just making the building collapse).
It's a laughably easy problem, the fact that terrorist attacks are as low impact as they currently are is nothing but a testament to the utter stupidity of those engaging in them.
The thing I'm harping on about here is coordination! Sourcing and producing illegal chemical requires coordination for a few reasons:
- Pooling together money for the lab
- Buying supplies in a way that allows one to stay under the radar
- Distributing in a way that allows one to stay under the radar
All those 3 coordination problems are much easier for someone wanting to murder thousands of people than for someone wanting to break down misconceptions about dualism with an HTP receptor agonist.
So why are the "good guys" able to make industrial quantities of LSD while the religious fundamentalists can't coordinate enough to make a tiny bit of TNT?
Well, encryption is a large part of the problem, or rather, of the fortunate solution we've stumbled into. Somehow the "good guys" are able to use it while the fundamentalists aren't.
This is not only limited to making bombs, coordination problems appear in a lot of areas. For example, the terrorists trying to kidnap and murder the governer Michigan were foiled because they used insecure communication methods.
II - Education and ill intentions
Note: Kinda talking around religious fundamentalists and other authoritarian ideologies here for the sake of brevity. There's plenty of other good resources around those debates though.
The world we live in contains fairly nasty people, maybe nasty is the wrong word, a better way to phrase it is people that are bought up in systems that instill them with a harmful attitude towards others. People which view materialism as a zero-sum game and arbitrary violence as an acceptable means of spreading an ideology.
Just to put this in perspective, let me quote a poll of Muslims living in France (from wiki) regarding "suicide bombing and other forms of violence against civilian targets to defend Islam":
64% of Muslims in France believed it could never be justified, 19% believed it could be justified rarely, 16% thought it could be justified often or sometimes
In other words, at least around 2% of the people of France are sometimes pro the idea of murdering innocents for the sake of the Islamic faith (e.g. using TNT, to demolish a building).
Now, back to the whole drug thing, 1.3% of French people used MDMA in the previous years based on surveys done during (as far as I understand) multiple years. I can't find numbers on psychedelic usage (i.e. non MDMA psychedelics), but I think it's reasonable to assume it's lower, e.g. ~1%.
So at any given time, France, one of the most secular and liberal countries in the whole world, has twice as many people that want the mass murder of innocents to advance and/or protect their fundamentalist religion, as it has people that want to buy LSD.
Yet somehow France has LSD, but no TNT-fueled mass murders. This is staggering, a blow to the efficient market hypothesis.
Maybe it would be more correct to make the association between people that bought LSD and people that donated money to a terrorist organization. But the statistics for that are (obviously) unavailable. Even so, maybe the numbers would drop to 0.2% vs 1% instead of 2% vs 1%, but the similarity of the scale still remains.
I think this boils down to the kind of people that use psychedelics versus the kind of people that want to see others murdered for a perceived slight to their culture. The difference in education level between the two demographics is probably fairly staggering.
Staggering enough that, even though encryption is free and open source for everyone to use, the religious fundamentalists lack even the vocabulary to understand it, while the necessity of it's usage and the way to do so might seem obvious to many psychedelic enthusiasts.
This propagates all the way up the chain. People donating to terrorist organizations probably doing so via unsafe channels, while people buying acid are doing it via safe~ish channels (e.g. calling the local imam via phone vs messaging your dealer via a telegram secret chat). People plotting terrorist attacks doing so via Facebook messenger or in a monitorable building, people producing LSD doing all in-person communications in secure locations and coordinating online via emails sent through TOR using quantum-safe encryption for the content.
Maybe I'm exaggerating, but you get my point. The way terrorists relate to technology is probably similar to your grandma, the way libertarian chemists do it is probably similar to your DEFCON obsessed friend.
This is not by happenstance either, it's tightly related to education. It seems intuitive (though, again, kinda talking around "the other side" here) that the more one understands the world the less likely they are to condone and participate in terrorism, but the more likely they are to become interested in psychedelic or at least agree with the basic "freedom over one's own body" liberal stance.
It's unlikely that in a more "enlightened" future one would still find terrorism, human trafficking, or any other forms of violent organized crime still happening. But ala, we don't live in that future and the vast majority of the world's population still lacks access to even Wikipedia.
III - Zero cost encryption
Hopefully, I've laid out the basic premise here, if so, most of my work is done:
- Operating outside of the law has a high coordination cost and is much harder without good use of encryption.
- While both "good" and "bad" actors operate outside of the law, the "bad" ones seem unable to act in any significant way due to being caught early by law enforcement when their movements grow.
- Usually causing arbitrary harm or doing something destructive is much easier than doing something useful and productive. So this is surprising, one would expect most "good" movements to have a much harder time.
- The current state of affairs, I suspect, is due to an asymmetric understanding of encryption, which is correlated with education levels.
- This is a fortunate accident and we should keep the current education requirements for accessing encryption if not even raise them.
Granted, I'm basing this on only one example, organized terrorism vs organized psychedelic production. I believe the list could include many others, a lot of examples of liberal political dissidents fairing much better than radical ones in spite of lower support come to mind. But maybe I'm overfitting on an example that's too small.
Still, assuming this premise is true, it seems like the behavior one would want to adopt towards encryption is exactly the elitist one that has been the norm for the past 2 decades.
To some extent, regulating encryption will probably have that exact effect, making sure it's only available around circles that are somewhat better educated.
In a worst-case scenario, where owning and distributing an end-to-end encrypted messaging app becomes illegal for individuals, the situation will probably be analogous to what happened with piracy via torrents.
One can still use torrent and plausible deniability to download any media to their heart's content, the legal apparatus is mainly used to restrict the access to tracker and make the less-apt users prone to making various mistakes. This has proven enough to stop a lot of torrenting.
Much as with torrents of copyright media, the enforcement here would be mostly de jure, not de facto, there would be no way of going the de facto enforcement route, encryption is already in the water supply. The software will still be widely available, it will just not be at the top of the AppStore when one searches "message".
This will introduce some overhead when using end to end encryption. I'm not talking about tremendous overhead, just something like:
- Rooting your phone and installing a custom ROM or otherwise removing any backdoors
- Manually downloading and installing TOR from a link then verifying the checksum provided by whatever Swiss-based freedom-advocacy found has a trustworthy website.
- Doing the step above to install a PGP toolkit.
- Messaging as usual through a peer-to-peer app.
All of this would still provide fairly good protection, even skipping the TOR, as long as you don't care about IP anonymity.
More realistically, the one thing that might go away as a result of EtE encryption regulations will just be EtE encrypted chats in popular messaging app, so that the government can have access to the messages stored on the company's servers.
This would likely mean that even the above steps would be overkill, one might simply be able to download fdroid and install something like "WhatsApp encrypted wrapper", exchange his public key with friends, and that's that. Heck, the hypothetical "WhatsApp encrypted wrapper" might even do the public key exchange for you (via WhatsApp) with any other people that have it installed.
I won't be hard to use encryption, it won't exclude people that are discriminated against by the government or the market. It would simply add a minimal technology education overhead. Make it an option that requires a bit of legwork, rather than the default.
At the end of the day, controlling the use of encryption is hard, dare I say impossible, without controlling software altogether. At most what can be achieved is a matter of availability.
All that's needed is for encryption to not be zero cost, for there to be some effort required in using it. Then, hopefully, putting in that effort will be equivalent to enough of an education that by the time someone understands encryption, they are no longer stupid enough to believe in Qanon.
IV - The practical path
I believe the practical path regarding encryption is one where lobbying is done for the right of using encryption legally, but not for the right of distributing it freely.
A rule such as "any public chatting service owned by a for-profit company needs to keep decryptable copies of all messages on its servers or 12 months" is probably the best middle ground one can achieve in the long run.
A situation where HTTPS is left alone and peer-to-peer end to end encryption, in general, is allowed to continue under the same legal status, just with some restrictions around distribution.
This kind of effort should be, of course, joined by a broader effort of educating people enough so that they understand the importance of encryption, once that happens we'll probably see a "pro encryption" movement much alike to the current "pro-privacy" movements, and any restrictions will be lifted.
But providing encrypted channels of communication as the default servers no purpose and can be rather dangerous.
On the other hand, it might be that I'm overreacting here, that I should at least wait for a dirty bomb blowing up before supporting these types of measures. I tentatively agree with this stance, but I'd argue that even so, this should lead to a shift in arguments from:
End-to-end Encryption should be easily available for communications between any two individuals, almost as if it were a fundamental human right.
End-to-end Encryption should be easily available for communications between any two individuals, up until considerable proof shows that this is untenable if societal cohesion is to be kept.
If restrictions upon the usage of encryption are imposed, they should be minimal and pragmatic, rather than trying to outlaw any form of communication that governmental entities can't access.
I'm still torn on this issue to some extent, but I certainly think the matter is not as black and white as my more idealistic self believed it to be.