The US government has been trying to stop encryption for 25 years. Will it win this time?


SAN FRANCISCO - In the age of mass digital surveillance, how private should your data and communications be? That question is at the heart of a cryptography panel that kicked off the Enigma Conference here yesterday (Jan. 27).

Four cryptography experts discussed the origins of the first "crypto wars" in the 1990s, the current state of the crypto wars between governments and technology companies - two weeks ago, the US Attorney General accused Apple of not unlocking the iPhone of a terrorism suspect - and what is at stake now for consumers, businesses and governments.

"It is a fundamental human right for two people to speak confidentially wherever they are. It is sacred," said Jon Callas, a senior technologist with the American Civil Liberties Union (ACLU) who lived through the battle between the U.S. government and high-tech companies over the use of encryption to protect digital communications in the 1990s.

It may be a human right, but most countries do not enshrine secret conversations in their own legal codes, and what began as a renewed fight against government surveillance in the wake of documents leaked by Edward Snowden in 2013 has now evolved into a larger struggle over who encrypts communications and data.

In the wake of Snowden, end-to-end encrypted messaging has become much more accessible, and Apple and Google have introduced encrypted data storage on devices by default. However, access to these services may soon change depending on what country you are in and whose digital services you use.

The centerpiece of the crypto wars of the 1990s was the Clipper chip, a hardware chip designed to protect phone users' calls from surveillance unless the government wanted to eavesdrop. It was a "back door" that was to be built into all cell phones.

But in 1994, cryptographer Matt Blaze, one of the panelists at yesterday's Enigma conference, exposed a security vulnerability in the Clipper chip. Over the next three years, experts discovered additional vulnerabilities in the Clipper chip and fought in court to prevent its inclusion in devices.

Because the commercial Internet was in its infancy at the time, Blaze says, legal and computer security experts had no choice but to believe that the World Wide Web would eventually become important. When the report on the risks of key recovery, co-authored by Blaze, was published in 1997, most U.S. federal agencies stopped fighting cryptographers.

"The FBI became the only organization that claimed computer security was too good to be true," Blaze says.

Today, it is not the law of the land in any country for the government to access encrypted communications through forced backdoors. However, laws mandating various degrees of government access to encrypted communications are becoming more common, said panelist Riana Pfefferkorn, associate director of surveillance and cybersecurity at the Stanford Law School Center for Internet and Society.

Following the panel discussion, Pfefferkorn said that there is a growing trend, particularly in the United States and India, to link serious liability issues in both criminal and civil law with discussions of encryption. "In the U.S., child pornography. In India, it's the threat of mob violence. These seem like two separate issues, but it's a way of encouraging regulation of encryption without regulating encryption."

"They're trying to induce providers not to implement end-to-end encryption so they don't face ruinous lawsuits," she added.

"It feels like entrapment."

Daniel Weitzner, founding director of the Internet Policy Research Initiative at the Massachusetts Institute of Technology, told the panel that under India's proposed amendments to the Intermediary Liability Act, Internet communications providers ("intermediaries") would be held legally liable for the actions and speech of their users.

He said that India's proposal is similar to changes requested by U.S. senators, such as the EARN IT Act of 2019, introduced by Senators Lindsey Graham (R-South Carolina) and Richard Blumenthal (R-Connecticut). Weitzner added that there are other countries that have enacted even stricter engineer liability laws.

In 2016, the United Kingdom passed the Investigatory Powers Act, also known as the Snoopers' Charter. This allows the UK government to issue statutorily ambiguous technical capability notices that can mandate encryption backdoors or force companies not to use end-to-end encryption. The UK government is not required to reveal the results of its assessment process for issuing this notice.

Australia's Assistance and Access Bill of 2018 is similar, except that it specifically prohibits the introduction of systemic vulnerabilities in the product in question. Less clear is another question raised by the legal mandate: what is the difference between a technical vulnerability and a legally mandated software backdoor?

Since the 1990s, as the technology itself has become more complex and subtle, so has the weight of responsibility faced by its advocates. Proposals to change encryption should be tested "many times" both strategically and technically, argued the Carnegie Encryption Working Group in September 2019.

Also, Susan Landau and Denis McDonough wrote in a column for The Hill that it would be wiser for the tech community to find common ground with the government over data at rest, such as data stored on locked iPhones, rather than the more contentious data in transit, embodied by end-to-end encrypted messaging apps.

Ultimately, the future of consumer use of encryption will likely depend largely on the developers and companies that make it available.

Products could be split up and offer different levels of encryption for different countries and regions, as Netscape did in the 1990s, Pfefferkorn said. Alternatively, companies could refuse to offer encrypted products in countries or regions that require weaker encryption or backdoor access.

"Or they could be broken by anyone," Pfefferkorn says.
