Excerpts from Chapter 5: Secret Bits: How Codes Became Unbreakable
Encryption in the Hands of Terrorists, and Everyone Else … Historical Cryptography … Lessons for the Internet Age … Secrecy Changes Forever … Cryptography for Everyone … Cryptography Unsettled
If you send your credit card number to a store in an ordinary email, you might as well stand in Times Square and shout it at the top of your lungs. … The way to make Internet communications secure, to make sure that no one but the intended recipient knows what is in a message, is for the sender to encrypt the information so that only the recipient can decrypt it. If that can be accomplished, then eavesdroppers along the route from sender to receiver will find [only] an undecipherable scramble of bits. In a world awakening to Internet commerce, encryption could no longer be thought of as it had been from ancient times until the turn of the third millennium: as armor used by generals and diplomats to protect information critical to national security. … Encryption was no longer a munition; it was money. …
Unbreakable encryption may finally be possible, [but] even mathematical certainty would not suffice to create perfect security, if people don’t change their behavior. Hackers were able to steal more than 45 million credit and debit card records from TJX, the parent company of several major retail store chains, because the company was still using WEP encryption as late as 2005. That was long after WEP’s insecurities were known and WPA was available as a replacement. … When encryption was a military monopoly, it was possible in principle for a commander to order everyone to start using a new code if he suspected that the enemy had cracked the old one. [But today,] when a university researcher discovers a tiny hole in an algorithm, computers everywhere become vulnerable, and there is no central authority to give the command for software upgrades everywhere. …
But very little email is encrypted today. Human rights groups use encrypted email. People with something to hide probably encrypt their email. But most of us don’t bother encrypting our email. In fact, millions of people use Gmail, willingly trading their privacy for the benefits of free, reliable service. Google’s computers scan every email, and supply advertisements related to the subject matter. Google might turn over email to the government in response to a court order, without challenging the demand. Why are we so unconcerned about email privacy?