I participated in a panel discussion recently with a moderator who communicates with activists who could be under nation-state surveillance. She asked this group of security-minded professionals what we considered the most secure form of electronic communication. The panelists fell awkwardly silent. Is there any politic way to say what we were thinking? The truth is something we often forget in an interconnected era: If you absolutely need a particular piece of data to be secure, the best option is not to write it down at all.
There is a reason that the most important or potentially contentious legally binding agreements require a written contract to be accepted by all parties. If you want a long-lasting confirmation of something, you record it. Things that exist only in memory are, by nature, ephemeral and kaleidoscopic.
This is why we were collectively at a loss for words; anything recorded or written digitally or physically is not truly secure. There is a continuum of security levels of data ranging from “maybe someone can only get the metadata” to “public and indexed by all major search engines.” But recorded data are always inherently less secure.
The most secure information is that which one person alone has processed, without recording it by any means. But that scenario naturally excludes communication since it requires two or more people. Therefore, the question becomes: what would be the criteria that make a form of communication more or less secure?
In short, the most secure conversation is one that has been processed by only two people, face to face. Whenever transmission over a greater distance is involved, whether on paper or by phone or computer, it either necessitates or increases the likelihood of the conversation being processed by another party. Sometimes that third party is a living person, such as a mail carrier, and sometimes that third party is technological, such as an Internet Service Provider or a telephone exchange.
Encryption of sensitive data is obviously a way to decrease the utility of that information if an unexpected person were to get hold of it, which is good enough for almost anyone in almost any situation. It’s how I would send most of my own sensitive information.
When you use end-to-end encryption, those third parties necessary to process the transmissions may not have access to the data within, but they certainly do have access to the metadata. In the aftermath of the Snowden revelations, few of us still wonder what the big deal is with sharing data about your data, if the original data per se is protected.
Just in case you didn’t catch that moment of collective panic: metadata collection is as if something analogous to the Dewey Decimal System were automatically applied to communications so that the data about your data could be found without having to know who the author is or what the specific contents are.
This brings up the question of why we are protecting data. Some people seem to view protection simply from a perspective of reducing the chances of someone stealing data or using it for fraud. But there are other cases where things could be lost that are worth more than the time or money needed to recover from theft or fraud. While losing something like financial records is no small matter, there are subjects that some people find even more damaging to reveal to others. Arguably this could include mental or physical health records, but it could also be something as simple as gossip.
The journalist who was moderating our discussion is someone who uses electronic communications to discuss things that are literally matters of life and death; hence our awkward silence. The consequences of choosing a platform with a weak algorithm or shoddy security practices are a big deal. And because the group was composed of security-minded (read: paranoid) people, we all had the same thought – if we had to discuss something that critical, we would rather not do it electronically.
Most of us simply don’t chat about anything so fraught with danger. But that doesn’t mean that we don’t all have things that we really don’t want repeated or revealed to parties outside of the discussion. Maybe it’s information that is simply not appropriate to openly discuss right now but which might be okay to discuss in a few days or a few months’ time. Maybe it’s information that would be a significant inconvenience or an embarrassment if it were shared. Whatever the situation, it’s completely normal and common to have information we don’t want leaked to anyone else (or just don’t want repeated to some specific person).
In the vast majority of conversations, encryption offers plenty of protection for our interactions. But as we often say in this industry: if you have a sufficiently determined adversary, he or she will get in. If the consequences of that disclosure would be too high, a face-to-face dialog may indeed be the best recommendation.