202

After that case in which Brazilian government arrested a Facebook VP due to end-to-end encryption and no server storage of messages on WhatsApp to prove connection with a drug case, it's become pretty common for friends of mine to start conversations about what cryptography is and why we should use it on a daily basis. The same applies with the iPhone terrorist encryption case in which the FBI broke in.

For non-techie friends, it's easy to understand the basics of cryptography. I have managed to explain them the basics, public key x private key, what is end-to-end encryption during communication(your data is not stored encrypted, but it is "scrambled" during data exchange), all the core concepts without enter on more technical words like AES, MD5, SSL, PGP, hardware encryption acceleration, TPMs, etc. They like to have encryption on their phones, but they always come up with the following concept:

If terrorists/criminals could be caught by not having cryptography in our world, I would not blame data surveillance by governments and companies, nor the lack of cryptography in our communications/data storage.

I explained that this point of view is somehow twisted (as a knife can be used to do crimes, but its primary use is as a tool), but I didn't keep their attention.

Is there a best way to explain the value of cryptography for end-users in our modern world? (Snowden and Assange stories seems like fairy tales to them too).

Compendium: Some of the explanations/concepts that didn't work so far:

  • Would you let the government have a copy of your house key?

    People tend to isolate data from house access, and they clearly would say "no, i do not want the government to have a copy of my house key and watch me doing private stuff. But if they are looking for a terrorist/criminal, it's fine to break the door". For them, it's okay since they don't break in your house while you are pooping. The existence of a "master key" on encryption world is fine to them. "My information is encrypted, but it could be turned into plain again in case of terrorism/crime".

  • Would you let others trace your life based on what you do online?

    "But Google already does that based on emails and searches...". This mostly shocks me, because they are "with the flow" and they aren't bothered with data mining. Worse, people tend to trust way too much on Google.

  • What about the privacy of your communications? What if you are talking dirty things with your boy(girl)friend?.

    "I don't talk about things that would harm others(criminally speaking) so, i don't mind on being MITM'ded.". Again, it's fine to them if a conversation about their sexual routine is recorded, if the intent is to investigate criminal activity on their city.

  • The Knife paradox.

    You can see on their faces that this is a good one, but instead, they say that "knifes aren't as dangerous as secret information being traded between criminals so, it's okay that Knifes are misused by criminals sometimes".

  • Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/39829/discussion-on-question-by-nwildner-how-to-explain-that-cryptography-is-good-to). – Rory Alsop May 15 '16 at 22:35
  • 16
    Jon Callas (a well-known cryptographer) simply uses curtains as his analogy. You want curtains, you want your neighbors to have curtains. Too short for an answer, but less vulgar than the toilet answer below. – NL - Apologize to Monica May 16 '16 at 04:27
  • 2
    The comments on PseudoSu's answer raise a point I haven't yet seen directly made in these answers/comments: encryption, ideally, prevents one's communications from being spied on, altered, and/or spoofed **without one's knowledge**, which communications made in-the-clear usually don't. In some cases I'm okay with my privacy being compromised, but I definitely want to know whether to expect privacy or not. – Mathieu K. May 16 '16 at 11:47
  • 37
    Not sure it's even worth engaging, but you could always grab the latest headline about police malfeasance or criminality to point out that they're not always the good guys. "[So you're willing to trust your money and data to a group that executes unarmed civilians and plants weapons on their bodies?](https://www.washingtonpost.com/news/post-nation/wp/2016/05/11/former-north-charleston-officer-who-shot-walter-scott-indicted-on-federal-civil-rights-violation/)" You're many times more likely to be killed by a cop than a terrorist, so your friends are scared of the wrong threat, actually. – HopelessN00b May 16 '16 at 13:47
  • @MathieuK. Yeah, the same way that at your work, they warn you about security policies, and that your communication could not be confidential at all times. –  May 16 '16 at 16:16
  • 5
    If your friends think encryption is unnecessary, I'm sure they'll have no problem posting the passwords for all of their online accounts on 4chan. – Steve S May 16 '16 at 19:56
  • 4
    Again. They didn't said is unnecessary. They said that on specific situations(take your time to read all the content this question created) they would drop encryption to a "greater good". –  May 16 '16 at 19:58
  • 2
    Then the question isn't whether encryption is good - it's who you trust with your keys. – Steve S May 16 '16 at 20:10
  • 10
    There is no need to be BINARY on this subject. It is not because they trust the government/companies sniffing around on SOME of the communication, that they are stupid enough to post passwords as plain text online, or to abdicate door locks. This is the kind of argument that is not going to work or happen. "Cryptography is good" is not only about trust, but changing a point of view that tries to undermine cryptography just because some minority uses to do bad stuff... –  May 16 '16 at 20:39
  • 3
    Sorry, I guess I wasn't clear. What I'm hearing is that they want to hide info from some people, so they need encryption, but they're willing to let certain parties (e.g. the government) bypass it. In other words, the question becomes "Do you trust those parties that you are entrusting with this power?" Another important question: "Could those parties ever change in such a way that would cause you to stop trusting them?" - after elections for example... – Steve S May 16 '16 at 20:57
  • 13
    Even the TSA requires you to lock a gun case with a real lock (not a TSA lock). Sometimes it's a bad idea to allow everything to be accessible with a master key even when it's the "authorities" who control the master key. – Tyler May 16 '16 at 22:53
  • @HopelessN00b That's the right approach but still not a perfect example given that the suspect was fleeing the crime scene, which indicates some degree of guilt (an innocent person would have no reason to flee from a police officer). The officer still shouldn't have shot him, but that example can be argued both ways. Also that example wouldn't work so well in countries where the police don't carry guns. – Pharap May 17 '16 at 08:02
  • 2
    Most people don't realise what encryption protects or how reliant they are on it. I would start there. It protects your medical data. Your biometric data. Your WiFi/webcam from hacking. Your children's chats from snooping by abusers. Your online banking/ATM use. Your ability to transact/shop online. Businesses abilities to trade long-distance or using the web. Persecuted peoples ability to communicate with support+voluntary groups and be sure who they are talking to and that persecutors cannot read messages. Certainty that data has not been tampered. Confidentiality communicating fears/abuses. – Stilez May 17 '16 at 13:35
  • 2
    @Pharap [He was behind on his child support payments and didn't want to lose his job by being thrown in a debtor's prison](http://www.nytimes.com/2015/04/20/us/skip-child-support-go-to-jail-lose-job-repeat.html?_r=0). Anyone who doesn't get that isn't worth having a conversation with, or calling a friend. But whatever, if you don't like that example, wait a week for the next one. – HopelessN00b May 17 '16 at 14:11
  • 3
    @HopelessN00b You have just proved he wasn't innocent and he had committed a crime. The analogy fails since the victim was still technically a criminal. The 'non-techies' would probably argue that the authorities wouldn't target someone unless they believed the person was a criminal. To convince them you'd have to show them an example of the police getting it completely wrong e.g. harming someone who hadn't committed any crime due to either malice or misinformation. Again, I agree with your point, but I think your chosen example is flawed and could be contested. – Pharap May 17 '16 at 14:48
  • 2
    And things related to cryptography and government are getting worse every day - http://arstechnica.com/tech-policy/2016/05/feds-say-suspect-should-rot-in-prison-for-refusing-to-decrypt-drives/ –  May 17 '16 at 16:27
  • 1
    I think this question is phrased wrongly. Yes, most people think of the it in terms of "Is Crypto a good thing?". But I think everyone agrees it is a good thing. The real questions are "Is ubiquitous crypto a good thing?" and "Is weak crypto better than no crypto?". The problem is that most people don't understand that, 'weak crypto = no crypto'. – Aron May 18 '16 at 00:52
  • 3
    Be careful with phrasing: "crypto is good" is an opinion, not a fact. To quote Tom Leek's answer: "technology is morally neutral" - crypto is not good, nor is it evil; just like book printing or the Internet). At best, you can try to convince people that it is not evil, or even more, that *it is useful*. One more thing: these people "don't understand" your arguments not because they are stupid or lack technical knowledge: they are just naive. In their ideal society of honest and respectful people, you don't need locks or curtains - you have nothing to hide and nobody would look anyway. – molnarm May 19 '16 at 06:48
  • 2
    A thought occurs... I have some non-techie friends, and they generally don't buy into the government's arguments on this topic (including one who's former military, currently working as a firefighter), so I'm thinking that them being non-technical isn't the root of their position on the issue. You don't need to be technically literate to understand the hazards of giving the government (or anyone at all) the degree of power that comes with unrestricted access to everyone's data and communications. (Which is ultimately what results from banning crypto or creating a government backdoor.) – HopelessN00b May 19 '16 at 15:21
  • 1
    "From now I on, I will read all your emails and texts. I will catalog them and keep them in perpetuity. I will not tell you why I am doing this except that it is for the common good (as vaguely defined by me and changed as I see fit). I will not tell you under which conditions they will be used, when they are being used, or how they will be used." Now imagine if that statement comes from an authority that, based upon the whims of an un-elected unknown person, will callously bankrupt you, imprison you, and ruin your reputation through innuendo. – Tony Ennis May 21 '16 at 15:51
  • 1
    For the house key analogy, in my opinion, the following would be more correct : Would you be ok if you were forced by the government to leave a copy of your key outside on your door so that they could enter any time you want ? Obviously, not just the government would be able to open your door... – guigui42 May 23 '16 at 10:37
  • you should tell them to forget all FOD produced by government and law enforcement agency about terrorists and encryption, its what they tell people to make them feel bad for using encryption so they can continue to mass servaile the population – James Kirkby May 23 '16 at 13:38
  • @Tyler Is that true? Can you provide a link? That's a great point. – jsejcksn May 23 '16 at 18:35
  • @JesseJackson google "gun tsa lock". It's all over the internet on "how to fly with a gun" how-tos, though, oddly enough, not directly mentioned on their gun ruled page. Their page does say that "only you should have keys to your gun case," (paraphrasing) which implies that a TSA master key shouldn't open the lock. – Tyler May 25 '16 at 05:09
  • @Tyler You made a claim that the TSA requires something and I am asking you to point to the requirement. Where are you getting this information? – jsejcksn May 25 '16 at 05:11
  • @JesseJackson, the fact that I shared information does not obligate me to fact check it for you. But I'm magnanimous, so here: http://blog.beretta.com/10-gun-tips-you-need-to-know-about-flying-with-guns. See the footnotes for a quote from federal codes governing the TSA. – Tyler May 25 '16 at 05:25
  • @Tyler No worries, mate. I was just just looking for sourced information. If you work at the TSA and your boss told you, that's what I wanted to know. If you got it from Wikipedia, that's what I wanted to know, etc. Thanks for the link! – jsejcksn May 25 '16 at 05:28
  • 1
    Courtesy of [reddit](https://www.reddit.com/r/Showerthoughts/comments/4m0x0x/arguing_that_you_dont_care_about_the_right_to/?ref=share&ref_source=link): Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say – Daniel M. Jun 02 '16 at 02:42
  • 1
    @DanielM. THAT is a phrase of effect that could cause some brains to think about it. Many thanks :) –  Jun 02 '16 at 10:42

22 Answers22

353

"If lack of encryption allows FBI to catch terrorists, then lack of encryption allows criminals to loot your emails and plunder your bank account."

The rational point here is that technology is morally neutral. Encryption does not work differently depending on whether the attacker is morally right and the defender morally wrong, or vice versa.

It is all fear-driven rhetoric anyway, so don't use logic; talk about what most frightens people, personally. And people fear most for their money.

Tom Leek
  • 168,808
  • 28
  • 337
  • 475
  • Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/39885/discussion-on-answer-by-tom-leek-how-to-explain-that-cryptography-is-good-to-n). – Rory Alsop May 17 '16 at 11:15
  • 21
    Great post, just wanted to add an analogy I think hits close to home for backdoors. Putting a backdoor into encryption is like leaving your house key under the door mat. At some point a bad guy is going to find it, get into your house, kick your cat, and steal your dog. Bad guys are cruel. – dakre18 May 17 '16 at 20:57
  • 2
    yet ! i prefer the knife analogy (first a tool then a mean to kill) to the gun (first a tool to kill, then...). The moral neutrality is always debatable :) Nevertheless, cryptography is like clothes, you never want to be naked in public, even if you have nothing to hide, unless you are an exhibitionist of course o_O – yota May 18 '16 at 12:39
  • 1
    @dakre18, 'cause no one would want to kick your dog and steal the cat. That'd just be dumb. – Paul Draper May 19 '16 at 05:02
  • @dakre18 That should be an answer by itself. – SQB May 19 '16 at 10:32
  • I would vote this up twice if I could. – Brian Rogers May 19 '16 at 22:38
  • 1
    @yota This is something I've been grappling with for ages. A gun factory is perfectly legal. But "OMG ISIS IS USING TELEGRAM" is what scares people. For me, that's the ultimate hypocrisy right there. – Bell App Lab May 20 '16 at 09:15
  • Well and here's something inportant to keep in mind. Encryption exists solely to protect data. If you're data doesn't need to be protected then there would be nobody after it. Not the government. Not criminals. Not nosey neighbors. In such a world, either your data is physically inaccessible or there is no more crime. You're literally implying something that cannot exist. Such a world wouldn't even bother with house keys. Nobody would bother stealing your stuff. – user64742 May 21 '16 at 21:01
  • 3
    I use nearly the same technique - I remind people that encryption is what secures our credit card details, bank accounts, retirement plans, stocks... and also municipal water and gas systems, air traffic control... the list goes on (I leave off anything federal/military, because of course they would keep encryption). While strong encryption might be a factor that makes it harder to catch or prosecute a small amount of criminals and terrorists, it's also the main tool that is used to protect *literally everyone* from mass amounts of criminals and terrorists. – Jonathan Vanasco May 23 '16 at 15:13
  • 3
    "It is all fear-driven rhetoric anyway, so don't use logic" Critical nuance to articulate; very nice. – HC_ May 23 '16 at 16:39
  • I like your point "talk about what most frightens people". Apart from money, they also fear for their dick-pics: see [John Oliver on Government Surveillance](https://www.youtube.com/watch?v=XEVlyP4_11M) – Mifeet Nov 19 '16 at 08:54
82

I would take their argument and replace "cryptography" with "locks and keys on our houses" and see if they still agree:

If more terrorists and criminals would be caught by not having locks and keys on our houses, I would not blame warrantless searches by government and companies in our homes.

PseudoSu
  • 920
  • 5
  • 6
  • 86
    I agree with the answer, but if falls too short. Police can break any lock/safe in the physical world, but they can't break strong cryptography. The difference is that on the internet there is no such thing as distance, while locks are constrained by the physical world. A burglar can't break into thousands of homes at the same time, but a hacker can. Cryptography needs to be unbreakable, as it is the foundation of the technology around us. See the [video](https://www.youtube.com/watch?v=VPBH1eW28mo) on the topic from CGP Grey. – sitic May 13 '16 at 21:33
  • 4
    Whilst I agree the analogy as put falls short, I nevertheless follow this approach to have people imagine what conventional methods would be required to collate the same information as is provided by electronic monitoring: one would have to be followed everywhere by a surveillance team, who would listen in and record all one's movements/contacts/conversations, intercept one's post, plant bugs in one's home, copy all one's private paperwork... for those who send intimate communications, it could even be equivalent to having one's bedroom activities filmed. Scary stuff. – eggyal May 14 '16 at 08:10
  • @sitic: They may be capable of physically destroying any lock/safe, but that doesn't imply that they would have the capability to extract contents without damage from safes that were designed to destroy their contents in case of tampering. – supercat May 14 '16 at 20:24
  • People tend to isolate data from physical access to their lifes. They dont want the government to have the keys, but will not bother if their door is break to catch a criminal –  May 15 '16 at 19:23
  • 7
    @sitic I actually like this analogy because it highlights the biggest difference, and why cryptography is important. IRL the police can break a door with a battering ram/explosives, and they can easily control access to who has these items. In the digital world, no one can stop the rapid spread of items such as Jennifer Lawrence's nude pics, or a digital battering ram. ***The day the police gets the iPhone battering ram, is the day before the rest of the internet gets it.*** – Aron May 17 '16 at 03:30
  • @sitic Does it matter if the analogy falls short if it gets the point across? – Kevin May 17 '16 at 07:22
  • 2
    You should emphasize that the house would have no locks at all then. It's not like the police had a master key, there's no lock. You could also replace the door with a curtain. This does not only allow the police to check your home for criminals, it allows every guy on the street to sneak in, look around, and even take a souvenir with them! – Byte Commander May 17 '16 at 09:05
72

Explain it with questions: Do you close the door when you poop? Why? Everybody poops, you aren't doing anything special in there, so what do you have to hide?

If someone leaves a pile of poop downtown in the middle of the road does that mean we must all poop with door open? Simply because the pile of poop was gathered in a bathroom?

user1886419
  • 851
  • 5
  • 4
  • 11
    The Toilet Argument is probably the most effective. Even scaring people by threatening their money does not work with people that either have no money, or do not value money (both kinds of people exist in the developed world). But everyone shits with the door closed. We in the developed world have grown ourselves a sense of privacy that is nearly universally shared. People that don't care about your money threats, or threats of men in black armor digging in their underwear drawer... Those people all *do* close the door when they're pooping. – L0j1k May 14 '16 at 21:11
  • 8
    Wow, +1 for a nonconventional approach that is both effective and hilarious! – Wildcard May 15 '16 at 15:38
  • 4
    @Wildcard fits right in with the data leakage tag – user1886419 May 15 '16 at 17:03
  • 8
    Clearly you don't have young kids :) but +1 as this is the most succinct answer I've read – Mark Henderson May 15 '16 at 20:45
  • 5
    @L0j1k I've also heard an effective argument, for that category of people (unconcerned about losing money they don't have), used to convince people to care about ID theft: "There are other types of ID besides credit history. Someone could steal your medical ID to get treatment that later impacts the healthcare you receive. They could steal your tax identity to get a job, withhold insufficient (or no) taxes from their paycheck, and the IRS comes after you. Or they could use your identity to conduct criminal activities, and the subsequent investigation would point to you." – Dan Henderson May 16 '16 at 19:25
58

The thing I haven't yet seen anyone mention is:

Ordinary criminals are far more common than terrorists.

While crypto might help a terrorist evade the FBI (for a while, anyway) it also helps protect you from ordinary criminals who want to steal your money and hijack your computer for their own ends.

The question is, will you concretely give up your safety from ordinary criminals, so that the government can theoretically gain some information on a terrorist, that they can most likely get some other way anyway?

Another thing to remember is:

The more rare an event, the more newsworthy it is.

If terrorist attacks are so common that they only get mentioned in single paragraphs in the back pages of the newspaper, then maybe it's time to reconsider. But that's not the case. An attack anywhere in the western world is front page news for days or even weeks, precisely because of its rarity.


Cryptography secures many things in everyday life, some of which people will refuse to live without, if you put the question to them. It goes far beyond terrorists chatting with each other.

Will your friend give up online shopping? ATMs? Credit and debit cards? Downloading software updates - and not just for your computer, but for the avionics of an airliner? These things rely on cryptography and would be unsafe or impossible without it.

It is sometimes argued that the government could simply be given a master key or backdoor to crypto. But this won't work. If such a backdoor is created for the government, it is a security vulnerability that also becomes accessible to criminals. Ironically, someone used a backdoor in a mobile phone system, created for law enforcement, to listen to high level Greek government officials' phone calls. You can be sure that other criminals out there are exploiting backdoors that already exist, and are not getting caught.

Michael Hampton
  • 3,877
  • 1
  • 22
  • 32
  • 2
    As I recalll, in the Greek incident, it was never actually established who the perpretators were; it may have been garden-variety criminals, or it may have been the NSA, but nobody except the people actually involved *know*. (If you know more, please do add a reference to your answer.) – user May 15 '16 at 13:02
  • 8
    And of course, if you add a backdoor for *one* government, then *every* government will very likely want similar capabilities. You may be okay with giving the US government access, but do you feel equally comfortable about Russia, China, Belarus or Cuba having the same level of access? – user May 15 '16 at 13:03
  • 1
    @ypercubeᵀᴹ See http://spectrum.ieee.org/telecom/security/the-athens-affair – Michael Hampton May 15 '16 at 18:33
  • -1 x 100 Can we please stop spreading these myths, cryptographically secure 'backdoors' are perfectly possible (by using a symmetric cypher to encrypt the data and public key cipher to encrypt the key to the symmetric cypher for every recipient): http://stackoverflow.com/questions/597188/encryption-with-multiple-different-keys I am not a proponent of these backdoors (as I don't think the government should have access to all data), but lets not fight this fight with lies and deceptions. – David Mulder May 16 '16 at 09:04
  • 6
    @DavidMulder You're basically describing key escrow, which opens up a whole other can of worms. Yes, it's oversimplified; it was meant to be. But since you've chosen to comment, perhaps you could explain exactly what you feel is "lies and deceptions" here. – Michael Hampton May 16 '16 at 09:10
  • @MichaelHampton Technically it's true that online shopping without cryptography becomes very hard, but the deceitful nature of the argument is that giving the government backdoor access does not mean you throw encryption out of the window entirely. Indeed, what is necessary is a form of key escrow, but just because key escrow was sometimes done badly doesn't mean it can't be done correctly (as for example in the arrangement I described in my previous comment). – David Mulder May 16 '16 at 09:34
  • Nobody is asking for a total ban on encryption, what is being asked for is a controlled system where encryption can be pierced by government agencies. A difference that sometimes is not understood by popular media, but I would expect to be very clear to a security professional. – David Mulder May 16 '16 at 09:35
  • 3
    @DavidMulder Such a scheme is easy to work around: just wipe the backdoor key data leaving only that which pertains to the intended recipient. Which basically leaves the general public vulnerable to unauthorized access to or use of the private key (I'm betting tons of people would be hammering away at that one before you can even say "high value secret") but doesn't really do much to stop the bad guys because the bad guys will have the incentive to work around such a scheme. – user May 16 '16 at 12:38
  • @MichaelKjörling Well, lets take the famous iphone case, you could store that into the hardware encrypted storage module of the iPhone and make this key only usable when you have physical access to the device. I mean, none of this is ever going to stop the professionally trained terrorist or the organized crime top, but it would help against ordinary criminals. Am I a proponent? Definitely not, because I worry that future governments would misuse it (esp. when not limiting to physical access only), but, point is, government-only access is definitely possible in a secure way. – David Mulder May 16 '16 at 12:49
  • "if terrorist attacks are so common that they appear in the backpages of newspapers" I'd argue that this is already the case: many small terrorism items in the middle east, like IEDs in Baghdad, suicide bombers in Tehran or armed aggressors in Kabul are already so frequent that only "bloodiest attacks in X months" make any bigger headlines than a double paragraph and maybe a half-page picture. Or when Westerners died during the attacks. – Nzall May 17 '16 at 14:52
  • 1
    @MichaelKjörling If anyone actually feels comfortable about giving the US government access, remind them that the presidential candidate they aren't voting for might win and refer them back to some of the presidents that didn't do such a great job. If Watergate had been packet sniffing instead of phone tapping, the presence of encryption and/or a back door would have made for a drastically different ending. – Pharap May 17 '16 at 15:30
  • 1
    @Pharap I have "we don't know what the government will look like in the future" on auto-repeat as a part of my answer to people who don't fully grasp why privacy can be a good thing even if you are comfortable with whomever is in power today. – user May 17 '16 at 15:50
47

Imagine if, during the civil rights era, people had access to things like email and smartphones. People like the organizers of the Montgomery bus boycotts would have a little pocket computer that could tell the authorities where they’d been, who they talked to, and what they were talking about.

The authorities, at the time, considered these people terrorists. They were willing to turn firehoses and attack dogs on them, and they were doing their damnedest to keep at least the leaders under surveillance. Do you think they’d hesitate, if the option had existed, to court-order their phone companies to hand over personal data?

You can imagine a similar scenario in the early days of the gay rights movement. Things like sodomy and cross-dressing were illegal. If the option had existed, the authorities would have happily raided the personal data of any sodomite they could catch. You find one, you find others, and pretty quickly the beginnings of a movement get snuffed out.

The powers that be usually don’t like change, and if they have the power to squash it, they will. But they can’t squash what they can’t catch. In order for a society to grow and change in an organic way, it needs space for new and dangerous ideas to hide. In the computer age, without strong encryption, this space disappears.

Yes, that means actual bad actors have more room to maneuver as well. But I would argue the trade-off is worth it.

Cedrus
  • 607
  • 4
  • 2
  • 28
    While I agree with your perspective, I don't think this is a good answer. It's hard to convince someone with authoritarian viewpoints to treat authorities as threats, and it's not necessary to do so, because lack of encryption doesn't just make authorities an active threat. It makes **everyone** an active threat. – R.. GitHub STOP HELPING ICE May 14 '16 at 18:23
  • Besides, there are many ways to figure out who is communicating with whom even if the payload is encrypted. Almost every protocol we have in common use leaks metadata, often *gobs of metadata*, and for the kind of adversary you paint in this answer, metadata can be *far* more useful (and that is not to say that the payload data would be useless). – user May 14 '16 at 20:14
  • 14
    I'm unconclusive whether the term "civil rights era" describes the time when people fought to gain their civil rights - or to that past era when people still had their civil rights .. – Hagen von Eitzen May 15 '16 at 10:56
  • 2
    @HagenvonEitzen The funny thing is that this answer is bad because many people don't realize we're past the latter era. – Sebb May 15 '16 at 12:19
  • +1 This is exactly what the fourth amendment to the US constitution is for! – Brian McCutchon May 15 '16 at 21:11
  • @BrianMcCutchon The fourth amendment to the US constitution does not apply outside of the US. – user May 16 '16 at 12:32
  • 7
    Two useful stories to use: persecution of Jews in the Netherlands, where we sadly had one of the highest rates as we had the most efficient government registration of citizen faith. And secondly this poem: https://en.wikipedia.org/wiki/First_they_came_... is sometimes able to drive home the value of privacy better than any words. (Where encryption is fundamentally about protecting privacy) – David Mulder May 16 '16 at 12:53
  • 4
    `It's hard to convince someone with authoritarian viewpoints to treat authorities as threats [...]` Not to mention, a waste of time. You're right that this argument isn't going to convince authoritarian people, but neither is anything else. – HopelessN00b May 16 '16 at 13:53
  • @MichaelKjörling Of course, but that doesn't prevent me from invoking the wisdom of our framers, who I suspect would have supported encryption. – Brian McCutchon May 16 '16 at 18:33
  • 1
    This is an enormously political answer. Even if you have no desire to see a world without encryption, not everyone is going to agree with your viewpoint that society "needs space for new and dangerous ideas to hide" in order for it "to grow and change in an organic way". To the contrary, some (most?) of the largest movements in history were led by people willing to die for the cause. – jpmc26 May 22 '16 at 09:18
31

My response here is likely many in a sea of answers, but here's the breakdown of why encryption is good, why it's vital, and why breaking it is pointless.

-

Congress investigation found not a single terrorist plot was stopped by the NSA. So it's all taxpayer's cost for no profit

See here.

FBI Coleen Rowley at the London's whistleblowers conference remarked that the people who truly stop terrorist attacks are most often civilians, citing how two men on a hotdog stand apprehended terrorist suspects.

-

No encryption means items cannot be identified as authentic, allowing criminals to commit financial fraud - in their name

The recent losses of information from places such as Target, TalkTalk and others was due to a lack of security. Encrypted personal data means fraudsters can't use it.

-

No encryption on emails allows criminals and fraudsters to snoop on your personal details

Most people handwave and say 'terrorists' to make it acceptable, but the majority of scams come from social engineering attacks where the person pretends to be an authorised individual. They just cited your recent visit to the hospital and your personal social number, they must be the real deal! What, you need 500 smackaroonies paid up front now for my new surgery? Right away stranger caller.

They also prey on the vulnerable (elderly) and the ignorant.

-

No encryption means no security on security systems, for example... access passes at a nuclear plant

Your friends would have to be morons to advocate the weakening of security to err... protect security (?!) in this context. Biometric systems, card readers etc all rely on encryption to ensure outsiders don't simply hack in. Or they should do.

-

Your money and identity stolen means more crime

Some might be super naive, 'so what if they break in, my bank account only has X amount of cash!'. Whatever cash they steal becomes black money used in other criminal operations. Your stolen 50 becomes another pack of bullets for a crazed executor. Your 100 becomes the bribe to a guard in a human trafficking ring allowing women and children to be smuggled.

Your stolen identities becomes forged documents legitimising illegal immigrants, whether they be prostitutes or men seeking to commit further crimes.

-

Weakening encryption strengthens authoritarians

China have seen the UK and US's plans, and are following suit. It allows dictatorships like those seen in Saudi Arabia (where whipping is the punishment for criticising the government), Turkey (where prison is the punishment for criticising the government) and China (where jail and hard labour is punishment for criticising the government) to follow suit.

By seeing backdoors are possible, they too will request such features. By advocating the removal of encryption, you are advocating the punishment of people speaking out for human rights abuses.

-

Encryption is all or nothing

You can't have half measures. Any installed weaknesses hackers will find. So encryption either has to be completely secure, or not at all.

On the balance of probabilities, given no single encryption breakthrough has ever been proven to prevent or catch a terrorist, and there are so many crimes facilitated by poor, subpar security (identify thefts, bank fraud, etc), it weighs in favour of encryption, given the more encryption security, the fewer crimes.

-

What about XYZ using encryption?

ISIS have been declared technologically incompetent, and not surprising, you'd have to be pretty stupid to move to a county in a worse condition than your own in order to murder people for 'freedom'. And there are much bigger technological exploits in the wild that make car bombs look petty and trite - information security is far more important.

In terms of pedophiles, it is possible to setup sting operations (IE where they physically meet and get arrested). Encryption only hides online activities, but most laws are only broken when a physical action takes place. Deep cover agents and long-term infiltration operations can be done here.

-

So shortstop: ask them to name a SINGLE EXAMPLE of when breaking encryption STOPPED A TERRORIST ATTACK (note: the San Bernardio shootings weren't stopped by breaking encryption). If they can't name one, ask them to name how many cases of LOST or STOLEN INFORMATION there have been (make sure you have a long list to cite).

The contrast will be stark, and no-one with an ounce of common sense would suggest the removal of encryption ever again.

c1646091
  • 423
  • 3
  • 6
  • 2
    There's the breaking point of opinion isn't it. Authoritharians have no problems with people losing freedom and privacy, and would like to see people criticising the government in jail. For them, that downside is actually an upside. Enough so that they will gloss over the other downsides. – Magisch May 18 '16 at 12:39
  • 1
    "ISIS have been declared technologically incompetent." {{Citation needed.}} – Seldom 'Where's Monica' Needy May 19 '16 at 21:00
  • For the illegal immigrants part, it might be worth saying that yes, the majority are here to keep their heads down and live a decent life, but there are always people who go somewhere to make more money through crime – for example, drug dealers. With fake IDs, they can stay in the country legally as long as they like, rather than the government being able to get rid of them as soon as they're found. – Nic May 21 '16 at 15:24
  • @SeldomNeedy I'm a new user, so I'm capped to two links, so I decided between all the declarations, the bigger two to support would be the zero terrorist plots foiled and China following suit. I did originally attempt to include a link for sources declaring ISIS being technologically incompetent but I was impeded by the link limit. I consider out of the three biggies, that ISIS being incompetent was the most self-evident of the three and therefore dropped the link. – c1646091 May 22 '16 at 13:48
  • http://www.vocativ.com/313799/isis-kill-list-hackers/ - one source, and they're generally anti-technology: http://www.slate.com/articles/technology/future_tense/2015/03/isis_and_other_neomedievalists_reject_technology_modernity.html. Their usage of social media is a given, but does anyone recall the last time ISIS actually successfully hacked anyone? Now compare hackivists Anonymous. ISIS are more well known for violence than their technological skills. – c1646091 May 22 '16 at 13:56
26

To explain "cryptography" in your scenario requires an understanding of the value of "private communications". It's not about the technology, but about the benefit to society of being able to communicate privately, even from the eyes of your neighbours (i.e. those charged with governing the society).

This is more of a philosophical debate than a technical one.

schroeder
  • 123,438
  • 55
  • 284
  • 319
  • 3
    Agreed. I sometimes try to have people imagine living under the Stasi, conscious of the pervasive monitoring of all one's communications: it leads to self-censorship, stifling expression that not only has huge cultural/political/economic value but also underpins one's own identity and self esteem. We already see people self-censoring, for fear that their legitimate communications are being monitored: what long-term psychological damage is this doing to our children, and society at large? – eggyal May 14 '16 at 07:59
  • 4
    Not just private communications, but authentication. Without cryptography, there is fundamentally **no way** to convey authority from a distance. Anyone can impersonate you to authorize actions (particularly, financial/property transactions) on your behalf. The ability to prevent this is mathematically equivalent to the ability to communicate in private. – R.. GitHub STOP HELPING ICE May 14 '16 at 18:42
  • 2
    Thank you! I've been saying this same thing for so long. The fundamental question: is it a human right to be able to have a secret? I think so. If Alice tells me a secret, then dies, and Bob wants to know that secret, do I have the right to take that secret to the grave? I think I do. Does the government have a right to force that secret out of me? I don't think they do. This is the only question. Technology doesn't change anything, only puts new methods of secrecy on the table. – The111 May 15 '16 at 05:26
  • 2
    @R.: My read is that the question doesn't apply to the entire field of cryptography, rather the application of it in **encryption**. Other applications, such as authentication, do not appear to be under scrutiny. – eggyal May 15 '16 at 09:26
  • 2
    Yeah. It's really hard to convince people when all they see is the terrorist iPhone cryptography case, and one of your friends is a psychologist that likes the idea of monitoring people with disorder, even when involves others privacy. –  May 15 '16 at 19:30
  • 1
    @eggyal: My whole point was that you can't get rid of one without getting rid of the other. It's the same math. – R.. GitHub STOP HELPING ICE May 16 '16 at 04:52
  • @R.: You can legislate, and throw those who break the law in prison... How effective that would be is a different matter. – eggyal May 16 '16 at 07:39
  • That's a very good point, but I'm not sure it really counts as an answer. This probably would have done better as a comment. – Pharap May 17 '16 at 14:51
  • 1
    @Pharap to explain "Crypto is good", you first need to make sure the audience values private communication. If they don't, then any explanation is moot. There are some cultures who do not value privacy at all, so trying to promote a technology to ensure it would be strange. But, once you shift the conversation to the privacy of communication, then the promotion of a particular technology makes sense. – schroeder May 17 '16 at 14:57
15

This is kind of a twisted point to make to anyone who's not familiar with the most trivial details of encryption and security, but I think it stands.

Zach still said it best. Encryption is the equivalent of keeping your pants on when you visit the Internet. It should be basic, and it's not our fault that banks and stores are willing to forgo a "no shirt, no shoes, no pants, no service" policy online, where they wouldn't in real life.

Although many of us may not know the details of how encryption works, the general thrust is easy enough for anyone to understand: we don't shout our credit card number or bank details at a waiter, or the clerk at the checkout counter in the grocery, for the same reasons we use encryption when we check out at Amazon.com. Even if we don't care whether someone knows those details about our life, it's 8561b0da13f41d736812e2f12b078a40 rude to be that noisy.

What most people miss is just how noisy the Internet actually is. If tcpdump existed for phones, I'd show the, that, but in the meantime just try your best to educate people as to what sending any information across the Internet is really like. My personal favorite metaphor? Sending a data packet into the wild is like making your toddler wear a sandwich board with a destination address and a message, putting him on the bus, and expecting the regular commuters and the bus driver help him get off at the right stop.

Even if all that happens, everyone on the bus route gets to read your angry drunken letter to the school board as your mindless infant blissfully follows strangers to the right house.

What does encryption give you? Easy. All it means is that no one knows what you actually wrote: all they know is where it's going. That's encryption, a nutshell. What the government wants to do, is allow a select group of auditors to read, laugh at, and ultimately reject or redirect your child — or decide to prosecute you based on what you wrote while you were in your boozy stupor.

Ryder
  • 271
  • 1
  • 8
  • 1
    They are familiar with encryption basics, but they would allow government to turn off encryption if they are searching for "threats" that they create as excuses to access ones data –  May 14 '16 at 16:03
  • 3
    @nwildner So your question is really about **"why not let the government (maybe *any/every government*) read all my data"**, and not so much about the general benefits of cryptography... – Xen2050 May 15 '16 at 03:22
  • 1
    @nwildner since you updated your question, it's clear that Zach's principle won't stand up to your "friend's" level-headed scrutiny. So what you're really asking is, how to psychologically manipulate these people into accepting the validity of your position over government propaganda? – Ryder May 16 '16 at 11:45
  • 1
    Which I get. Because they're good people. They believe they're good people. and the government would *never* knowingly hurt good people, or cynically manipulate good people into believing it's in their own good interest to let themselves be exposed on camera, twenty-four hours a day, seven days a week. Right? – Ryder May 16 '16 at 11:48
  • 1
    They know this to be true, because the government and other good people tell them it is. Since you're telling them otherwise, in the back of their mind they must recognize that you're disagreeing with good people— so you're not necessarily a good person like they are. You're some kind of Other. Unless you're mistaken, or you've been duped, then you must not like our government. And someone who doesn't like their government is an anarchist, a rebel, and a criminal. – Ryder May 16 '16 at 11:54
  • 1
    The discussions always end with those statements, about how good it would be if a Masterkey could be used to decrypt data in case of crime/rape/terrorism. Not a problem at all to get data from "violators of the law" but all ends on a way that they pretty much accept the fact of being watched, if a "greater good" is done on breaking encryption. So yes, "why not let the government read all my data" would be a better title, but maybe, there are good arguments that would avoid them into going to this pitfall of "government doing a greater good for people" in the first place –  May 16 '16 at 11:56
  • 1
    @nwildner then you need to put them on the spot. Extraordinary claims require extraordinary evidence, and the belief that allowing any agency that level of access is a good thing is mind-bogglingly ignorant. The burden of proof is on *them*, not you, and it's stupid to think otherwise. They need to provide you with at least one historical example where similar measures were taken by the government to the eventual benefit of the population. – Ryder May 16 '16 at 12:00
  • 2
    And yes, for them I'm some kind of vilan for not liking the idea of those masterkeys spread across companies/governments. "We should have a way to decrypt a murder smartphone", but they don't see how dangerous could be a company having a way to decrypt all it want. –  May 16 '16 at 12:01
  • If they can't find one, or even if they can, then it's still incumbent on them to argue why they think their government is an exception to the rule. – Ryder May 16 '16 at 12:02
  • That's why i created this question. Because they are good enough to understand criptography, but bad at thinking the damage that could be caused by switching off cryptography from people's life[or maybe i'm not a good teacher ;) ]. –  May 16 '16 at 12:05
  • 1
    I'm not normally one to complain about this sort of thing but 'retarded' is generally [considered offensive](https://en.wiktionary.org/wiki/retarded) to people with mental conditions. You might want to consider changing that analogy slightly before someone actually does take offence. The analogy works fine with just a normal child or even a package. (Some users may also take offence at the swearing, but I couldn't find what information security's policy is on swearing, so I'm not going to say anything about that.) – Pharap May 17 '16 at 15:07
  • @Pharap fair enough. Politically correctified, as per our marching orders for this hapless decade. – Ryder May 17 '16 at 15:29
  • 1
    @Ryder The stackexchange is (as people like to continually remind others) explicitly not a forum, and questions and answers are typically supposed to be professional and somewhat formal, meaning potentially offensive language and ([I double checked this time](http://meta.stackexchange.com/questions/22232/are-expletives-cursing-swear-words-or-vulgar-language-allowed-on-se-sites/22233#22233)) swearing should generally be avoided where possible. Again, I'm just the messenger here, I don't make the rules and I don't even agree with all of them. – Pharap May 17 '16 at 17:12
  • 1
    @Pharap you're absolutely right. I've replaced my swears with md5 hashes so that it's not even provably clear that my adjective doesn't collide with a more salubrious word. – Ryder May 17 '16 at 23:04
  • 1
    "noisy" vs "nosy"? – Ben Voigt May 20 '16 at 14:53
  • @BenVoigt there are no typos. Just happy little puns... – Ryder May 20 '16 at 15:28
15

I agree with the "It protects your bank transactions" answer, but I'd like to add a few thoughts:

Even if the government banned encryption or forced a backdoor, it wouldn't stop terrorists. Encryption isn't a physical good- it's a mathematical process. Banning encryption would be like banning adding or multiplying (or large semiprime numbers)- criminals would still do it anyways, and the rest of us would be worse off. They don't care if it's banned, and encryption algorithms are simple enough to implement, even without commercial products.

This argument has been made before, but if the US forced a backdoor in encryption, we wouldn't be able to sell too many services to other countries. Other countries might also follow the lead and ban encryption or force their products to have a backdoor. The software market just got a lot smaller. You might be fine with a doorknob where the US owns a master key, but how about if France owns one? Russia? China?

Continuing the theme of fear-based strategies, you can explain how without encryption, a MITM attacker can pass off their data as legitimate. They can download malware or trick you into entering a CC# or password. While phishing attacks and drive-by downloads still exist with encryption, it's much easier for MITM attacks to appear legitimate without encryption.

Daniel M.
  • 251
  • 1
  • 4
  • 1
    This is a really important point. Banning encryption would do nothing. Encryption is already a thing the bad guys possess, outlawing it would mean nothing to people who are already outlaws. Murder is already outlawed, but the bad guys still do it. – Qwerky Jun 02 '16 at 16:00
12

Use the same terrible logical argument that the RIAA used in their anti-piracy propaganda pieces from the early/mid 2000s.

You use an armored car to securely move money, encryption is that armored car for transactions on the internet.

--or--

You keep your valuables in a safe, so you want to keep your data encrypted.

--or--

You keep your front door locked, encryption is that front door into your data. If you login to your bank unencrypted, then you left your front door unlocked and are allowing anyone else to come by and walk into your den.

Allison Wilson
  • 429
  • 2
  • 9
  • 6
    I don't remember the RIAA propaganda logic... are these points supposed to be "terrible" or good? – Xen2050 May 15 '16 at 03:17
  • 3
    Who is this RIAA you speak of? :) – Nathan May 15 '16 at 21:40
  • Recording Industry Association of America. The point I was making was in reference to how effective propaganda / manufactured consent / advertising is created. You want to incite an emotional response in the recipient and relate the concept to something that they can easily understand, even if factually wrong. – Allison Wilson May 17 '16 at 15:12
  • I can't say that I agree with this- at all. Some problems with using bad analogies and false "facts" are 1. They are easily disputed by people who know a little bit, not even a lot about the subject. 2. For a layperson to learn more about the subject, they then have to **unlearn** the false facts about the subject. This makes learning real things much harder and brings false notions into the field. 3. It encourages using logical fallacies in arguments, regardless of topic or side, and life would be much better if more people knew to avoid those. – Tyrannosaur May 17 '16 at 20:24
9

The way I like to explain things to people is through movies.

Last night I watched the movie Sneakers. The entire plot of the film is about a "little black box" that can break any encryption anywhere.

SPOILER

After stealing the box from the University Professor who invented it, it gets into the hands of the bad guys- the head honcho himself explaining his plan to use it to destroy the world, specifically money and ownership. The main characters spend the rest of the movie trying to steal the box again so they can give it to the NSA (for techies, this part is probably a lot scarier now than it was in 1992).
At the end of the film, the protagonists trick the NSA and keep the chip for themselves, using it to steal money from causes they don't like and give to causes they do.

What is being proposed by people who want no cryptography to exist is basically for every person that has a computer to have access to such a "little black box" - anyone could log in anywhere, look at any data they wish, and change whatever they want.

A (slightly) more reasonable proposition currently being desired by many politicians and laymen is a "backdoor" or "master key" in encryption algorithms, so that the villains do not have access to the data, but the "good guys" do. This is basically the equivalent of handing one of Sneakers' "little black boxes" to the NSA/FBI/law enforcement/whatever. Why is this so bad? Well, if one exists, two can also exist. Even assuming that the "good guys" only use it for "good purposes" and their security systems are such that no leaks are possible for the bad guys to get at their black box, the bad guys can design their own "master key". For a bad guy to break the encryption in this case, he would only have to crack open the back door. Which would be comparatively easy. And in all proposed systems I've heard about, once they crack one back door, the bad guy would have access to all back doors.

Tom Leek is right, people fear for their money. And having backdoors to encryption would make that money vulnerable.

The discussion of why it is bad for the government to have unfettered access to one's data is for a different time, but the simple answer to that is because you cannot trust any government that much. I like to refer to Captain America: The Winter Soldier for that one.

Tyrannosaur
  • 259
  • 1
  • 4
  • It looks like I can't do spoiler text on security.stackexchange. If it is indeed possible, do tell. – Tyrannosaur May 14 '16 at 22:29
  • Maybe putting the spoiler part at the end of the answer, and surround it with "*SPOILER!!!*" would be good enough – Xen2050 May 15 '16 at 03:26
  • 1
    A key is not a backdoor. A key is not a sneakers box that can break anything. A key is what you use to decrypt your data, and it's different from what Joe uses to decrypt Joe's data. If Apple gives Joe's keys to the FBI or a criminal steals Joe's keys, your data remains as safe as your keys. – Dave May 17 '16 at 12:57
  • 1
    I was talking about a universal key or a way to obtain universal keys- some way for an entity to open any arbitrary encrypted data. A key may not be a backdoor, but a master key would be, and we **are** talking about backdoors here. This is what all the commotion is about. – Tyrannosaur May 17 '16 at 14:47
  • Quite. A backdoor would have to take at least one of two (simplified) forms: either a "master" key that could decrypt all communication using the scheme for which it was created - which can be leaked or cracked - or a database of *everyone's* private keys (which could *also* be stolen or leaked, as in order to be useful it would need to be network-accessible and it doesn't matter how many layers of security there are it's an instant, high-value target) – Darael May 22 '16 at 03:50
7

I am going to take a bit of a different turn to answer the question.

It is impossible to prevent the use of encryption, so everyone should use it. If for some reason encryption were to be banned, what would prevent people from using the current algorithms and transmit data? All data is is bytes so you could not even prove that it was encrypted in the first place.

Because criminals will use this method to communicate if it is legal or not, why shouldn't the general public? It would make everything more secure and prevent data hacks (like the other answers elaborate on).

Eric Johnson
  • 715
  • 1
  • 6
  • 11
  • 8
    When strong crypto is outlawed, only outlaws will have strong crypto. – barbecue May 16 '16 at 23:49
  • Not to mention that they could use strong crypto in addition to steganography, so they would just start hiding messages in harmful data. Like, say, nude pictures on the internet. What are you going to do about that? :D – Luaan May 17 '16 at 08:25
5

Try thinking just as much of how you present as much as what you present

I'm going to present my argument with a few attention grabbing words here... but in truth what you need to do is start a discussion much life we do here. A good way is to grab their attention.

If a knife is used to kill a man, is that knife evil?

Obviously the answer to that is no. However what is a knife more than a tool? What is to kill more than a harmful action? What is evil more than a moral view? If we rewrite this question very generically it becomes

If a tool is used to do harm to people, is that tool bad?

The answer to this question is obviously No. A tool is nothing more than a medium to perform an action. Much like paint can be used for art, it can also be used for protest, defacing, or even destruction. What matters here is not the use of the tool itself but of the desire of the operator. If an operator intends to do harm, there will always be tools to do harm. If an operator intends to do good, there will be the same tools to do goo.

The duality of it all is that a tool is a tool. It is in the hands of the person that determines whether the action performed is for good or for evil. Those actions can only be judged by others and thus it is only through our eyes that we can pass judgement. Because we are the ones to judge your friends statements aren't wrong, but they show ignorance of what cryptography really is, and how they should not be the ones to judge it. If they can not explain it without mentioning the word itself, then they do not understand it enough to speak on it.

A good basis for discussion and not argument/bandwagon

"If you are to judge cryptography you must know what it is and what it does. If you can answer that to me I will listen to your stance, so please explain to me what cryptography is so we are on the same page." The statement not only shows you have an understanding yourself, but it asks if they have an understanding in you asking for them to clarify it to you. If they are wrong, they have already opened themselves to a debate about if they really know what it is.

At this point if you can prove them wrong, or raise sufficient doubt in their argument, the group mentality is shifted onto you as the default authority. Remember you don't have to disprove their arguments, you must just prove them wrong. A good example of this comes from the movie "Thank You for Smoking"(Rated R) in the following scene:

Joey Naylor: ...so what happens when you're wrong?
Nick Naylor: Whoa, Joey I'm never wrong.
Joey Naylor: But you can't always be right...
Nick Naylor: Well, if it's your job to be right, then you're never wrong.
Joey Naylor: But what if you are wrong?
Nick Naylor: OK, let's say that you're defending chocolate, and I'm defending vanilla. Now if I were to say to you: 'Vanilla is the best flavour ice-cream', you'd say...
Joey Naylor: No, chocolate is.
Nick Naylor: Exactly, but you can't win that argument... so, I'll ask you: so you think chocolate is the end all and the all of ice-cream, do you?
Joey Naylor: It's the best ice-cream, I wouldn't order any other.
Nick Naylor: Oh! So it's all chocolate for you is it?
Joey Naylor: Yes, chocolate is all I need.
Nick Naylor: Well, I need more than chocolate, and for that matter I need more than vanilla. I believe that we need freedom. And choice when it comes to our ice-cream, and that Joey Naylor, that is the defintion of liberty.
Joey Naylor: But that's not what we're talking about
Nick Naylor: Ah! But that's what I'm talking about.
Joey Naylor: ...but you didn't prove that vanilla was the best...
Nick Naylor: I didn't have to. I proved that you're wrong, and if you're wrong I'm right.
Joey Naylor: But you still didn't convince me
Nick Naylor: It's that I'm not after you. I'm after them.

Here you can see he is clearly explaining to his son that to win the majority you must not target the argument, but the audience. Once the audience knows that someone here is that authority then they are much more likely to listen.

Think about what you say just as much as what you say. ~Anonymous

Robert Mennell
  • 6,968
  • 1
  • 13
  • 38
  • The knife paradox didn't work so much with people. Some of them would rather like to replace metal knife with plastic knifes if this could be a solution to make knifes more "terrorist safe". –  May 14 '16 at 15:49
  • 1
    ... then you missed the point of the abalogy. It's to point out the knife is JUST a tool. Terrorist have nothing to do more than imparting intent into it with their actions. – Robert Mennell May 14 '16 at 15:52
  • I have pointed out to them that a Knife was made to cut bread and slice meat, not to kill in the first place like a sword, and the knife was not the one to blame. And yet, they think that the harm made by a knife on the world is less dangerous than the hard that is done by hiding information from the government, that's why they can deal with the knife idea, but not the cryptography(their point of view) –  May 14 '16 at 18:45
  • 2
    Then ask them their bank number. Ask them their weight. Ask them their mothers maiden name. If they wouldn't share that with you, their friend, why would they share it with the public on the internet? – Robert Mennell May 14 '16 at 18:46
  • @RobertMennell A lot of your argument is highly relevant to the the gun control debate, where, in fact, a great many people are willing to blame a problem on a particular tool and ban it... so maybe not the most persuasive argument. For that matter, some countries, such as the UK, [have knife-control laws and campaigns](http://www.snopes.com/2015/06/22/save-a-life-surrender-your-knife/). – HopelessN00b May 16 '16 at 14:02
  • @HopelessN00b I think you may have missed what I was presenting if you looked at the knife only. My suggestion is that he needs to present in a manner more appropriate to his audience with a good argument. – Robert Mennell May 16 '16 at 15:52
5

Cryptography provides not just security, but also privacy. So the same arguments that apply to debates about privacy vs. safety also apply here.

With privacy vs. government surveillance, many may argue, "if you don't have anything to hide, you have nothing to worry about!"

ACLU and other organizations have made excellent articles to respond to that argument. For example, ACLU's Plenty to Hide which points out:

  • Some people do have things in their private life, that should stay private if they want it to, but isn't necessarily illegal. Things like being gay; having an affair; being pregnant; having certain diseases; etc. The classic Bob and Alice would be in big trouble with Eve without strong encryption; more to the point, medical records are actually legally required to be stored safely as far as I know.
  • Governments make mistakes sometimes. You could get on a watchlist/no-fly list/etc. by accident; the more people are being watched, the more mistakes will be made, just by virtue of percentages in what must be an inexact science. Remember Operation Troll the NSA?
  • Maybe you do have something to hide, but you don't know it. Or it's long ago in your past. Laws are complicated and it's pretty much impossible for one person to know all of them by heart. All it would take is one organization or powerful person with a vendetta against you, and you could find out pretty quickly!
  • Some things just aren't meant to be public. Someone already brought up closing the door to poop. Other things are like singing in the shower. Or, more appropriately for cryptography, videos of embarrassing moments, intimate photos, etc. aren't really wrong but nobody wants them distributed all over the Internet.
  • Even if you don't care about hiding something, someone else might, and it could impact you negatively. Visits to Internet gambling sites or specific stores could impact job prospects or credit offers if someone has gotten access to your web traffic. Also think about social media posts, and how employers may view them. Although this is more a tracking/privacy settings thing than an encryption thing, there are places where it applies.
  • People just need a space away from prying eyes to feel secure and...human.

Anyway the ACLU and other organizations like the EFF probably have a wealth of privacy-related materials that could help you get your point across. Even if they can brush off 5 of the 6 points above, one might get through. And there's more out there.

Edit: I just realized the following portion is pretty much Cedrus's answer

Other sources of inspiration could include interviews with well-known cryptography experts, who often are asked why they do what they do. As an example, Moxy Marlinspike talks about how for society to progress, sometimes people need the ability to break the law. The American Civil Rights Movement, the fight for Gay Rights, various Independence movements, the Underground Railroad and abolition, and more depended to some extent on having "safe" spaces away from surveillance; he points out that we may not even know that we want the laws to change without the ability to see, experience, and discuss those things that are illegal. Even if it wasn't around at the time of those movements, a lack of encryption would take away some of the most powerful of those safe spaces in the modern world.

Ben
  • 3,846
  • 1
  • 9
  • 22
3

The primary reason why encryption exists, particularly public encryption, is that many clients must be 'publicly' able to send secret messages or communication,which is not only used by facebook and google, but pretty much the whole internet. Today, we are moving to a world, where everything can be done online,from transferring money overseas(online banking) to using Banking and what not. What is extremely relevant to the way the world functions is what we do online:-

1.Shop:- If by any chance, even one of the modern encryption standards is broken, then we wouldn't be able to securely pay online, not even a penny, as it would be intercepted by someone else. No more online payments.

2.The overall ECONOMY:- Stock markets mostly function online these days, pretty much the whole economy of all big companies across the world depends on it, and it further depends on secure-non interceptable communication, about buying and selling of stocks. If these communications are intercepted, trillions of dollars worth of stocks would be untraceable which is extremely scary. No more ATMs or any other banking services. All the banks these days function online, no more. And we know that the world depends on THEM.

3.Communication:- This is the most obvious consequence, no more safe and secure communication. No more private chats, neither business or technology secrets. So, we go back to the 18th century mode of business, where every single business decision must be privately communicated.

4.Piracy:- Already, we face a lot of trouble due to privacy, it would be escalated further due to such a situation.

5.Security:- So, talk about security.... Recently some terrorists were caught in Delhi,India who claimed to have learnt ways to make bombs online... In this world, almost all the data is stored online(or in servers, leave that, computers) ENCRYPTED, be it secure government data or intelligence.. EVERYTHING in this world would be spilled over. No trust between countries and endless wars. No more national secrets. Just think about the chaos. Terrorists would have info about EVERYTHING, where the president is moving, which way is the army going, which room of your house are you in.... EVERYTHING, and talk about security now....

6.Fundamental human rights:- Another obvious disaster.

7.Intellectual property:- More and more nations are recognising intellectual property these days, most of which is stored ENCRYPTED, which again is an asset worth billions, would be spilled over in a minute...

Considering these points, and many more not considered here(Transport, IT, Space, THE ECONOMY) , we can safely assume that ENCRYPTION is the very basis of an internet oriented world or the information age. Without it, the whole present day economy will be ruined, and we will be running back to the 18th century, LITERALLY. Because, if encryption was gone, not a single computer oriented software company would exist(there revenues zeroed out)(if you know the working methods of software companies, centralised cloud based), and you can imagine not having internet at ALL... These are just extreme circumstances where I am assuming that all encryption schemes are gone, which is very unlikely to happen.

So please make them understand that breaking encryption isn't just taking away there individual rights, but also pushing the whole human civilization back by centuries.

If a backdoor can be made by the gov. the same can be done by any of the hacker groups(maybe they have done it, but pretty unlikely as it requires a LOT of computing power) and so, again the situation becomes SCARY....

  • That's an interesting answer, but I fail to understand how terrorist could know "which room of your house are you in". Unless you live in a building with a lot of indoor surveillance cameras (Presidential palace?) or unless the government has a secret system to constantly monitor everyone inside their own houses, this shouldn't be possible. Am I missing something? – A. Darwin May 17 '16 at 15:12
  • @ADarwin, almost everyone owns a smartphone which has almost everything required for basic surveillance including GPS, so, a basic flaw in encryption could spill a lot of personal information including current location. Also, if there are other surveillance systems, then it becomes easier. I have also mentioned that there are extreme consequences I am talking zbout, but still, it is Grave – LakshyAAAgrawal May 17 '16 at 15:18
3

Ask them if they would be okay with the bank storing their PIN and account number on pieces paper on a billboard in front of the bank. Or their porn viewing habits on front of their house.

Cryptography is literally everywhere. Discussing what-ifs doesn't change the fact that cryptography will never go away, it's like trying to have a discussion about the merits of square wheels. It is (in many forms) essential to day to day computing.

I assume the point of view of your friends comes from the recent incredibly embarrassing speech from David Cameron. There is no way to ban encryption, unless you can physically control the entire internet and every machine connected to it. Besides, banning encryption has a single target, and it's not the terrorists. Banning encryption locally only opens up your lawful population's data to the government. Criminals and terrorists don't give a dime about laws.

  • 7
    "Criminals and terrorists don't give a dime about laws." It's incredible how many people completely fail to see this point :) – Luaan May 17 '16 at 08:26
3

There's plenty of good answers here, but I'd like to point out one non-security answer: your friends always say that it's fine to break encryption for "bad guys/criminals/terrorists". But that's not how this is going to be used, even in theory (and law).

Whatever the approach, this will apply to anyone suspect of being a "bad guy/criminal/terrorist". And that's a much bigger group of people than actual BGCTs. In fact, it can very well cover every single person on Earth, and the truth is, it's very much possible that you are a criminal as well, without knowing it - I assume you don't know every single sentence of whatever laws apply to you, even when you only consider your local authorities.

Most suspects did nothing wrong whatsoever - for most crimes that happen, there's usually multiple suspects, and it's very rare that all of those participated in the crime (or anything they considered criminal at all); yet every one of those people would be open to decrypting every single bit of their data and having it scrutinized. And all this massive break of privacy for what? Criminals break the law - that's kind of the definition of what "criminal" means. If you ban or restrict encryption, or you add backdoors and prohibit using encryption that doesn't have backdoors, do you think the criminals are going to honor those laws? It's not like you can tell if a piece data is encrypted or not - and even if you could, there's plenty of steganographic approaches that allow you to hide secrets (in this case, encrypted messages) in harmless looking data. And then one day, someone finds out that your nude pictures were used to send messages between terrorists :P

Luaan
  • 217
  • 2
  • 7
1

I'm not going to go into the technical aspects - others have already answered that, and it's not really what the question is about.

Rather, you can say a couple of things. My answer will be somewhat US centric because that's what I'm familiar with, but similar examples will exist elsewhere. It is also somewhat broader - rather than specifically focusing on cryptography, my answer relates to privacy in general.

  • Tailor your answer to the person. Find something they care about. For example, if your friends are strong believers in the Second Amendment, remind them that no cryptography will also mean that the government has access to all their firearms records. Also remind them that the police in Hialea, Florida, was caught installing cameras with license plate readers pointing into the parking lot of a gun dealer. Similarly, if your friends are passionate about abortion, remind them that abortion records would also be accessible. Everybody has "something to hide", most people just don't realize it.

  • If you think that you aren't interesting to the government, please explain why the Soviet Union, East Germany and North Korea spent an untold amount of effort on spying on everybody, including ordinary citizens?

  • Ask your friends to think about exactly how the USA is different from the Soviet Union. Hint: the main difference is that the Soviet Union spied on their people, while the USA didn't - or so we thought.

  • Would your friends be OK with a law that outlaws envelopes and that your pay stubs are mailed on postcards? Explain that cryptography is simply an electronic version of a sealed envelope.

  • Accept that this person trusts the government. That's a personal value decision anyway, not subject to fact-based arguments.

  • Ask if he would still be OK with it if the government changed? Would you trust Donald Trump (who is known to be very underhanded and vindictive) with access to your private data? Or conversely, would you trust Hillary with access to that data?

  • Would you trust Joe McCarthy or J.Edgar Hoover with access to such data?

  • What if Weimar Republic had had this capability - and it had then fallen into the hands of Hitler, and subsequently of East Germany?

  • You can also point to William Binney. He was an NSA whistleblower before Edward Snowden, and he revealed that the NSA not just hypothetically, but actually specifically targeted Supreme Court Justices, high-ranking military officers, and even then-Presidential candidate Senator Obama. It is of course speculation, but entirely possible that General Paetraeus was the victim of a targeted release of spying data, and that the "jilted-lover" story is just a cover story.

  • Even if you trust the current and all future governments, or you think the government wouldn't be interested in you, how about "bad apples" in the system, such as the police officers who used surveillance data to hunt down and blackmail gay men (happened in 1997, I believe)?

  • How about cryptography used by the military? When your friends reply that this cryptography is acceptable, then point out that the FBI has recently been trying to pressure a developer of a Navy-funded encryption network into building a back door. The developer's name is Isis Adora Lovecruft, and she ended up fleeing to Germany. She is working for The Tor Project, Inc., which receives major funding from the Navy.

In the end, though, don't try too hard to convince your friends. It's far more important to work within the technology community, and most of those people are already aware of the importance of cryptography.

Kevin Keane
  • 1,009
  • 7
  • 8
-2

I would try to use an analogy that doesn't employ logical fallacy. This is difficult, but perhaps explain how cryptography is used in banking, healthcare, etc. to ensure privacy, security, and the integrity of services.

Ultimately it is our responsibility to make sure they understand it, everyone needs to understand it now that it has become a controversial issue.

  • 1
    This doesn't really answer *how* to explain that cryptography is good, especially not "to non-techie friends." I suppose your response is "Make them become techies," which isn't very helpful. – Wildcard May 15 '16 at 15:40
  • Also, there are so many logical fallacies in the authoritarian position on this topic that it's mind-boggling. Logic doesn't convince people, emotion does. – HopelessN00b May 16 '16 at 14:06
-2

Cryptography is the technological equivalent to the Bill of Rights. Just like, say, the right to a fair trial sometimes seems silly when the case is crystal clear, we anyway would not want to do away with it just for the convenience of an exception.

Tom
  • 10,124
  • 18
  • 51
  • 3
    That's a really unfair comparison. The government can't just ignore cryptography when it's inconvenient, or engage in Orwellian redefinitions with math, after all. – HopelessN00b May 17 '16 at 14:08
  • It's not supposed to ignore the Bill of Rights, either. – Tom May 18 '16 at 09:34
  • 1
    But they do, because they can. Proper cryptography does not have this drawback of being able to be ignored or redefined at the convenience of those power. – HopelessN00b May 18 '16 at 17:44
  • Short and memorable, or correct on every detail - pick one. :-) – Tom May 19 '16 at 09:43
  • It's not a minor detail that one can be (and is) completely ignored or redefined at the government's convenience and the other cannot be. It's a very important, very fundamental difference. – HopelessN00b May 19 '16 at 14:50
-2

You should explain using a demonstration by hacking them. Get them connected to your network and then perform an ARP spoofing for a man-in-the-middle attack. The works almost every time for fully patched Windows computers. Alternatively, since it's your network, you can just use the router for MiTM, but that wouldn't be as cool. Then, show how the lack of encryption can allow you to steal cleartext credentials, and inject malicious content into the webpage, like downloading of malware or redirection to phishing websites. This demonstrates the practical usefulness of encryption in a network.

Even more critical is in an enterprise environment, where this can be used to gain domain admin access. Many internal portals contain self-signed certificates or no encryption. You can use this on a domain admin to steal the keys to the kingdom.

Interceptor-NG is a good tool for this.

Rory Alsop
  • 61,367
  • 12
  • 115
  • 320
Daniel Grover
  • 872
  • 5
  • 10
-6

[Non-techie friends] clearly would say "no, i do not want the government to have a copy of my house key and watch me doing private stuff. But if they are looking for a terrorist/criminal, it's fine to break the door".

It sounds like your non-techie friends are onto something. As most answers have said, this isn't a technical question, it's an issue of public policy. We have organized ourselves into a society with a government because we prefer the protection of a constitution, a legal system, and a criminal justice system over anarchy, extortion, and mob justice. So you need to answer the question "is society better off when the FBI can investigate crime than when it can't, and what limits should be placed on its investigation?" When ATMs first came out 4 decades ago there was concern about the Big Brother police state that would result from having ATMs with cameras everywhere. Yet now the only time cameras are in the news are when an ATM photo helps catch a carjacker, surveillance cameras spot Boston Marathon bombers, or cellphone videos catch a fight between police and suspects. Seriously, does anyone EVER say that cameras catching Ray Rice knocking out his girlfriend in an elevator are an invasion of privacy nowadays? That concern is so 1970's.

Obtaining lawful access to encrypted communication is the same issue as obtaining lawful access to photo/video surveillance. It should require authorities to justify why they need it, but after providing that justification, it should be made available. If the police ask for a warrant to break into your house so they can watch you poop, it won't be granted. If they ask to listen in on phone sex with your girlfriend, it won't be granted. But if you are using your phone to buy a 13 year old from a child trafficker, they probably should be given the cryptographic keys that would let them listen in. Do you value absolute privacy over the safety of your 13 year old daughter? The answer to that has nothing to do with cryptography.

Dave
  • 105
  • 4
  • 1
    Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/39970/discussion-on-answer-by-dave-how-to-explain-that-cryptography-is-good-to-non-t). – schroeder May 18 '16 at 17:16