CYPHERPUNK LEGACIES Post by Rusty The most important aspect to an individual's digital rights in the 21st century is encryption. And it's under threat once again. The problem--one common to many internet issues--is that despite its overwhelming importance, encryption's neither easy to fully comprehend nor does it make for a simple, sexy narrative. *** "Privacy is the power to selectively reveal oneself to the world." -- Eric Hughes, from "A Cypherpunk's Manifesto." *** I've been combing through the Cypherpunks listserv archives from 1992-1998, trying to glean philosophical insights into the first major fight over whether safe & complete encryption could be available to everyone on the web. Of course, cypherpunks were never a cohesive group; they are more of a loose confederation of folks who see encryption as a liberatory foundation for individual autonomy. But what an intersection of minds: mathematicians, programmers, engineers, lawyers, shitkickers. The listserv grew out of a meeting of what mathematician Eric Hughes sarcastically dubbed Cryptology Amateurs for Social Irresponsibility (CASI). This invitation-only meeting took place in Hughes' home in Berkeley, CA. Twenty cryto activists were invited including John Gilmore--who had founded the Electronic Frontier Foundation with Mitch Kapor & John Perry Barlow only 2 years previously--& Timothy May, an electronic engineer who founded a crypto-anarchist movement. Many in this crew shared deeply libertarian beliefs in the sanctity of the individual & a suspicion of governmental power. According to Stephen Levy, May, "produced a fifty-seven page handout, along with an elaborate agenda including discussion of 'societal implications of cryptography,' 'voting networks,' and 'anonymous information markets'" (210). Participants played games & exchanged PGP public keys. Judith Milhon, going by the handle St. Jude at the time, declared at one point, "You guys are cypherpunks!" (Levy 211). The name stuck to the group. Hughes decided to keep the momentum going by starting the Cypherpunks listserv on John Gilmore's server (with the delightful domain name of toad.com). In a few weeks, 100 participants had joined & by 1993, the number mushroomed to 700 (Levy 211-2). The community connected through the listserv was incredibly active with multiple thought-provoking posts being fired off in a single day. Participants shared transcripts of lectures on cryptography, reading lists, manifestos, & sometimes line-by-line responses to each other's posts. As in much of the early internet, there is a freewheeling, iconoclastic tenor to their conversation, but there's also scientific precision & passionate belief. The cypherpunks were trying to give the public the tools to encryption not for personal gain, but in order to make the internet safer for all of us. Here in the U.S., cypherpunks helped fight the Crypto Wars against the FBI & the NSA, forcing the government to stop considering cryptographic alogorithms as classified munitions & seeing them as protected speech. *** "'The world has already been taken over. You may have noticed this. We're just trying to get some of it back.'" -- Judith Milton AKA St. Jude, "Cypherpunk Movement," from an email dated 1992-09-25 *** I'm not a programmer & my grasp of mathematics has never moved much beyond high school algebra so there's much in the Cypherpunks listserv that I do not understand. I see heated discussions about program bugs & I treat them like tricks in a magic show: I clap at the appropriate times, but I don't always grasp the inner workings. However, the emails between members fascinate me because they articulate a vision for a less abusive world, a world where individuals maintain control. *** Reading through these archives can be eerie; cypherpunks saw how governments wanted shoddy encryption with back door vulnerabilities so that they could collect information on their citizens. As early as 1992, some members predicted how a government could just gather as much data as possible on all citizens, then retroactively examine it when needed, weaponizing it against individuals deemed to be threats. Look at this scenario that electrical engineer Keith Henson articulates in an email on 1992-10-27 "One consequence of this proposal would be the capturing of *all* email traffic for (possible) subsequent decryption under a court order. After all, how could you complain? They couldn't read your messages of the last ten years unless they happened to get a court order. Knowing how easy it is to get a pliant judge to issue an order, this would be really chilling." Henson essentially predicts the NSA's post-9/11 PRISM program in which metadata on all Americans' calls were gathered, the very same program that Edward Snowden leaked to the public. *** "You don't understand the theory of power. Simply make the penalty for encryption without registry, larger than the penalty for any other crime. Then no crime can be hidden behind it. It's like getting Al Capone for income tax evasion; if you investigate someone and they are enforcing privacy on their communications, you can put them in jail for life for that, and can stop worrying about the original suspected offense." --John Gilmore in an email dated 1992-10-27. *** Reading the list can also be surreal. Basic encryption programs that we all take for granted like PGP [Pretty Good Privacy] were considered illegal if they crossed U.S. borders. I'm thinking of how PGP's inventor Phil Zimmerman was charged with "exporting munitions without a license" in 1993 because PGP was being used to protect the communications of grassroots political groups across the globe. Members in the Cypherpunks listserv followed Zimmerman's trial closely, of course, & debated the relative safety of being found by government officials with encryption programs. In 1994-1995, some members discussed whether U.S. Customs would be able to spot encryption programs on laptops. Carol Anne Braddock in a 1995-01-01 email, writes: "I couldn't agree with the general drift much more. The real objective is to get the customs officials used to the procedure of dealing the cryptograhic materials. Your best asset is a good feature reporter and a photograher. Right now, I don't think U.S. Customs is going to ask you if you have PGP in your PC if you leave the country, or return either. They should, and I'd be proud to say yes." Bringing computer code on a plane treated like carrying a bomb! After a protracted battle, Zimmerman ultimately won his case. He smartly published PGP in a book, arguing that it was protected speech. In this way, the fight over encryption also became a fight over what kinds of information citizens are allowed to share with each other. *** I saw this meme circulating on Mastodon the other day: DANCE LIKE NO ONE'S WATCHING, ENCRYPT LIKE EVERYONE IS. *** At its core, the Cypherpunks mailing list considers the issue of trust in a world that so often is lacking it. A lot of the cypherpunks saw that trust would be even harder to maintain in an online world because the difficulty of authentication. Eric Hughes proclaims in a 1992.10.06 email: "In the electronic world, all you have are persistent pseudonyms." Hughes argues that what matters in digital interactions is not trust, but rather persistence. In other words, I don't care who you "really" are, just that I know you'll consistently act in a particular way. This idea led many cypherpunks to ask the question: can we create an internet that does not require trust to operate? One can see how these early conversations would lead to the development of blockchain & zero knowledge architectures, or ledgers of interpersonal transactions that both allow anonymity, but don't allow manipulations in the record. *** The fight to protect encryption never ends. The FBI is currently pissed that Apple won't break the encryption on the San Bernadino shooter's iPhone. The Attorney General William Barr has made it quite clear that he views encryption with deep suspicion. And now there are various forms of legislation trying to attack encryption indirectly, to hold internet platforms liable for how users employ it. *** My recent letter to Lindsey Graham: Dear Senator Graham: I strongly urge you to reconsider pursuing the EARN IT Act legislation because it threatens the very existence of end-to-end encryption. While EARN IT's explicitly stated goal is to work against child sex abuse material (CSAM) on internet platforms, it actually is trying to eviscerate Section 230 of 1996's Communications Decency Act (CDA), which holds that internet platforms cannot be held liable for what users do or say. First of all, federal law already fights against CSAM. According to Stanford's Center for Internet & Society: "Federal law, specifically Chapter 110 of Title 18 of the U.S. Code (18 U.S.C. ยงยง 2251-2260A), already makes everything about CSAM a crime: producing, receiving, accessing, viewing, possessing, distributing, selling, importing, etc." The problem with EARN IT is that, in its current form, it would create a commission not elected by voters who would write a set of "best practices" for platforms that would attack one of the core American rights: the right to privacy. Many parts of the federal government, include the FBI & the Attorney General, have made it clear that they despise encryption. I believe EARN IT would grant both the oversight commission & the Attorney General powers to attack encryption in its foundational role in the communications of everyday, law-abiding people. I believe that this piece of legislation is hiding its full intent under two cloaks: trying to fight CSAM & popular outrage against social media companies. Senator Graham, if you truly care about protecting Americans & limiting the powers of our federal government, you will stop pursuing EARN IT. *** These daring words from John Perry Barlow feel like a good ending. Certainly dramatic: "You can have my encryption algorithm when you pry my cold dead fingers from its private key." *** Resources Zipped files of Cyberpunk listserv: Eric Hughes' "A Cypherpunk's Manifesto": Steven Levy, Crypto: How the Code Rebels Beat the Government--Saving Privacy in the Digital Age, New York: Penguin, 2001. Riana Pfefferkorn,"The EARN IT Act: How to Ban End-to-End Encryption Without Actually Banning It," Stanford Center for Internet & Society.