These kinds of things lead us to a larger point, which is, you, as an individual, should not have to do this. You should not have to make these decisions. You should not have to study to be safe using the devices that you rely upon every day.
And this means, you have to be political. You have to talk about these things. You have to recognize that when somebody says, “Don’t worry about this, it doesn’t matter. If you have nothing to hide, you have nothing to fear.”, they are misleading you. They are deceiving you. They are disempowering you.
Because privacy isn’t about something to hide. It’s about something to protect. Privacy is the right to the self. Privacy is the right to a free mind. Privacy is the foundation of all other rights.
If you argue that if you have nothing to hide, you have nothing to fear, that’s no different than saying you don’t care about free speech because you have nothing to say. It’s an anti-social argument that says, it doesn’t matter what happens to the rest of society, it doesn’t matter what happens to my rights, cause I’m OK right now.
I’m not different, I’m not interesting, and I don’t need to be. I’ll adapt to whatever the rest of the world wants. And what you’re saying is, I don’t want freedom. I don’t want liberty. I just want to be.
As usual, this was another wonderful discussion with Edward Snowden, although there was one part that bothered me. Early on, Philip Zimmermann, the creator of PGP, came on stage to pose a few questions.
He started by talking about Citizenfour and Snowden’s attempts to contact Glenn Greenwald via encrypted email. Initially, Glenn had trouble setting this up, and Zimmermann commented:
I saw that, you know, as you were attempting to connect with Glenn Greenwald, with PGP, and he couldn’t be bothered to learn how to use PGP, my impression was, go find another journalist.
Afterwards, Phil chuckled (no one in the audience did), and Snowden did his best to be polite. To me, this remark was indicative of a terrible attitude, and exemplified why PGP failed at providing a secure communication solution for the people.
Throughout the presentation, Snowden called out the excellent work of Phil’s successor, Moxie Marlinspike. It makes me happy to see that, after all these years, we have a secure, easy-to-use solution for text and voice communication that can be easily recommended to friends, family, and co-workers. It is also encouraging to see that more people are recognizing the need for privacy in their lives.
In addition, I took time to review some of the changes that were made to Signal. In a recent blog post, Moxie expanded on the authentication mechanism now used in the app (i.e., Safety Numbers). If you have a moment, I recommend checking it out.
To reduce that confusion, we’ve simplified safety numbers to be per-conversation rather than per-user. This way, when Alice and Bob set out with the objective of verifying that their communication is private, they are provided with a single piece of information — a safety number for their conversation — which is a direct mapping for what they’re trying to accomplish. They are each shown only a single string of numbers in their conversation, and comparing them is more intuitive. Likewise, for in-person comparisons, there is only a single QR code to scan, rather than each party having to both scan and be scanned by the other as before.
This is the type of care that needs to go into designing secure communication solutions for the masses. Here, Open Whisper Systems (OWS) took an authentication model used by PGP (i.e., fingerprints), and greatly simplified it, based on user feedback. Individual contact fingerprints are still there, but the user does not need to know about them to accomplish verification:
However, there are some more advanced use cases which per-conversation safety numbers might not provide for (such as Charlie verifying Alice’s fingerprint by checking with Bob), so we designed the safety number format to be a sorted concatenation of two 30-digit individual numeric fingerprints. Advanced users that would like to use fingerprints for more complex use cases can separate the two fingerprints from the safety number if necessary.
I think this is smart, and the way that Moxie takes the time to explain OWS’s work in clear terms, in my opinion, makes him a paragon of what a 21st century cryptographer should be.