Most people don’t understand how technology works. When they flip a light switch, or tap their phone, what happens next is essentially magic to them. Oh, they may be able to handwave a bit about electrons and volts and microprocessors and radio waves and packet-switched networks, but they’re just mouthing the words. They don’t actually understand any of those things. They’ve never done the math.
Which is fine! Not everyone can or should be an engineer. And as Arthur C. Clarke once said, “Any sufficiently advanced technology is indistinguishable from magic.” Our collective network of pocket supercomputers, communicating almost instantaneously across the globe, comes pretty close to “sufficiently advanced” on its good days.
But “technology is magic” is a dangerous meme. It makes non-engineers begin to believe that technology really can do anything its wizard-engineers desire. It causes them to not understand that they don’t understand. And so it leads to Very Serious People making risibly embarrassing–and potentially dangerous–mistakes.
Last week the editorial board of the Washington Post reiterated their demand that Apple, Google, etc., compromise the security of their users’ communications by building in back doors for law enforcement. This is a terrible, terrible idea, as I’ve mentioned before. But hey, don’t listen to me: listen to Whitfield Diffie, Ron Rivest, Bruce Schneier, and a whole Justice League of infosec legends, who write:
We have found that the damage that could be caused by law enforcement exceptional access requirements would be even greater today than it would have been 20 years ago […] Exceptional access would force Internet system developers to reverse forward secrecy design practices that seek to minimize the impact on user privacy when systems are breached […] new law enforcement requirements are likely to introduce unanticipated, hard to detect security flaws [and] raises difficult problems about how such an environment would be governed and how to ensure that such systems would respect human rights and the rule of law.
As Elissa Shevinsky writes in the Christian Science Monitor: “Law enforcement’s argument today is just as flawed now as it was in the 1990s. We cannot bend software or cryptography to our will. Technology is science, not magic.”
Worst of all, any attempt to enforce this kind of magical thinking will still not prevent genuine bad guys from using strong encryption without back doors. That genie is long out of the bottle, widely available, and open-source. We’d get all of the multitudinous problems associated with built-in back doors, and few-to-none of the alleged benefits.
So how did the Very Serious People of the Washington Post editorial board respond to this chorus of “no, bad, terrible, stupid, stop it!” from people who actually know what they’re talking about? Why, by doubling down on their ignorance—
There are legitimate and valid counter arguments from software engineers, privacy advocates and companies that make the smartphones and software […] They say that a compromise isn’t possible, since one crack in encryption — even if for a good actor, like the police — is still a crack that could be exploited by a bad actor […] We urged Apple and Google, paragons of innovation, to create a kind of secure golden key that could unlock encrypted devices, under a court order, when needed. The tech sector does not seem so inclined.
With all due respect to the WaPo’s editorial board–which is to say, very little–that is breathtakingly dumb. They acknowledge that engineers say that it is not possible to do the thing that they want, and that their arguments are “legitimate and valid” — and then, in the very next breath, they try to reframe that as ‘the engineers refuse to do it.’
It does not even seem to cross their collective mind that they simply cannot have what they want, that no “secure golden key” can or will exist. Engineering is all about tradeoffs. Security, or “golden key” back door: pick one. You can’t have both. That bird won’t fly. It is mythical nonsense.
But that kind of engineering analysis doesn’t mean anything to people who don’t understand technology, who think that it’s magic. Magic, after all, has no limitations–and to the Washington Post’s editorial board, there is apparently no meaningful distinction between technology and magic.
Who, you might ask, are the members of this august body? Here you go. If any of them has the slightest hint of a technical background, their biographies hide it well1. And yet they are happy to pontificate stentorian nonsense on a subject where they are effectively illiterate. I’m torn between horror that important decision-makers might actually take their collective opinion at all seriously, and sheer embarrassment on their behalf.
If you don’t understand how technology works — especially a technical subgenre as complex and dense as encryption and information security — then don’t write about it. Don’t even have an opinion about what is and isn’t possible; just accept that you don’t know. But if you must opine, then please, at least don’t pretend technology is magic. That attitude isn’t just wrong, it’s actually dangerous.
1 Since it’s germane: I have a degree in electrical engineering, and I write software for a living.