Thank you all for joining us. And I recognize that this is the last panel of the day. So you've all had a very long mind cramming day. And we're going to do the most fun thing possible, which is throw cryptography at your way for this last hour, which is certainly an engaging subject, but perhaps a bit complicated sometimes, but we'll do our best to make it as uncomplicated as possible. And to that end, my name is Laura Draper, I am the Associate Program Director for the tech law and security program at the American University, Washington College of Law. As you might guess, from that title, I am an attorney. So unlike the rest of the panelists, I come at this from a legal angle. And so as a result of that, I'm going to do the most on loyally thing possible, which is talk as little as possible today. So I'm going to turn it over primarily to our expert panelists. I'm very excited for the folks we've got joining us today. And I really want to just kick this off by kicking things over to one our resident professor in computer science to tell us just at a high level, what is cryptography?
Well, first of all, hi to everyone during my neighborhood alias ELive, use around here the dominance wrote the avenue here and the dominant waiting, so near the the engineering college. So welcome to the neighborhood. First of all, I bring some of my notes because sometimes I as a Spanish speaker, I think in Spanish and sometimes in English and get stuck. So I need to, especially when I am excited. First of all, let's talk about cryptography. Cryptography is the art of hiding information is the practice of hiding information in a very evident way and also in an efficient way. But it's everything because you get a text and you transform that text into a ciphertext. And then the cipher text sometimes is very unreadable for humans so and has no meaning. So we intersects intersect all these fields of math, computer science and, and also all other fields of other fields of science, but mostly math and computer science and logic. The first ciphers that we know that we stole you a lot in the inner Academy is the first ciphers that we use in recording in progress. In our civilization, that was, the Caesar Cipher was used by the Romans used is achieved cipher is shifting the letters by adding the position of the letters just certain number of positions to the right. Yeah, this is a way of encrypting by shifting the letters. And is, is the first one, the students always study and is the basis easiest one to understand the things that you can decrypted by shifting them to your sides. And if you shift from A to Z, then you can shift from C to A in ascending or descending way from the cipher and descending and ciphering ascending. That's a very easy to break cipher, because you have 26 different alphabets for that type of cipher. So it is easy to break. However, we have to put on in the context that during the Roman Empire, many people didn't know how to read. So, that part of knowledge it was helping hiding the information. Then, we pass from that historically to the mono alphabetic ciphers, that cipher is a cipher that you can randomly shift letters and you have an assignment that the one letter with another letter and is randomly begin, but you have with that, you will have 26 into the factorial different types of alphabets to be a to encrypt your possibilities you have in our in our brute force waves, it is difficult to do that, because you will have possibilities of four to the 10 to four plus 210 to the 26 there's a very large number. However, it does not waste it is breakable because it is easy to make cryptanalysis with it with because we can add the frequency of the letters I cannot withstand a frequent frequency analysis because we know that languages have this way of of building letters and being used and the way we know that for example, letter E is mostly Using all these Latin languages and the Romans has language like Spanish France and and also in English is one of the letters that is used and also a combination of letters are mostly used in English like t and h are very used and a an n. So, doing statistics you can break them on Wi-Fi the cipher very easily then during the 20 century, we had the roller machines then you have machines to cipher texts, and that what was the there have been many movies about it, the Enigma machine that use the Nazis on World War Two was one of the that examples and then the beauty of this is that it started the race to the cipher using machines again. So, it begins we begin to use machines to be the cipher machine. So, the first computers were really electromechanical computers and a special purpose computer just to break code. So, all of you who have seen the movie imitation game, you can see Alan Turing that was one of the fathers of cryptanalysis and one of the the most important people for computer science I think is him then l after this electromechanical special purpose computer, and we started to use computers for and special special electronic devices for ciphering. We have the things like one time time pad and inspired six Sally that was used for crypto ciphering communications, and the rotor machines and the monophyletic ciphers. And they used also to have statistics involved, but when you have to do to make it more difficult to break is to hide that frequencies and studies thick of the language. So the best thing was to flatten that frequency into a uniform distribution. And using a uniform distribution, therefore, it is way difficult to grip liquid analysis. So if you have a random character that used to be cipher with the other ones, then you then he's easily to, to cipher that there is easy to cipher that but it's difficult to make it cryptanalysis Yeah, so all of those are symmetric encryption. And symmetric encryption, what you have is one key as the same as having a padlock in your home, everyone does have the key, open the same padlock, because you have only one key. So the thing is everyone everyone does have the key could open. However, with that approach is difficult to share the key with people that are far away from you, right. So we're using today's as a metric set a as a metric encryption, but is that you have two keys, a public key and a private key, they have both are mathematically related. So if they are related, you can use one for ciphering. And I use another for the cipher your public one, I gave it to everyone, you cipher with that, but I have to decipher with my private key, because both of them are mathematically related. So therefore I can use that and that is used today for many of our daily transactions in the Internet. Yeah. And therefore, to Paris can communicate, communicate without having to share the same key. So I can publish my public key for everyone to see. He wants to if he's the one party wants to communicate with me, they can encrypt with that public key, but I can only decipher what is pin cipher with a public key with my private key. So that's why what we're using today, the advantage we have is we eliminate the problem of exchanging secret keys with that also, there is another thing that is being used, but this is more into into more in the application level not in the way of community Gaining data from end to end. But we can, we can also use steganography. That's another another thing. In steganography, you hide information within the information, the information is there, but you only know how to read it. And it's clear clearly to everyone. It's like how would like to learn how to read graffitis only people in the gangs, how to know how to read the graffiti. But the only people that pass through the through the street, they see the graffiti, they don't know what it's there. So I think I'm making a long introduction outside of cryptography. And that's all.
That was wonderful. Thank you so much. I think I think that was a great overview. And I think it provides folks with a general understanding of just how complicated things can be, but also how simple cryptography can be at a at a more basic level. And with that in mind, I'd like to turn it over to Brian, who is the director of Internet policy at the Internet Society. And Ryan, perhaps you could tell us just a little bit about who uses cryptography or encryption specifically, and, and why is it important?
For sure, thank you. And thank you so much for having me on this panel. So I think the big thing to say is that everyone uses encryption. In fact, right now everyone on this call is using encryption, because zoom itself uses encryption. And at a really high level, when you think about what Encryption provides to you, encryption, really what it does is it allows you to have a smaller group of stakeholders that you have to trust in any sort of communication. And that's a really, really important thing on the Internet. Because the way the Internet works, you have Internet traffic that's being passed around from network to network, going across the Internet, going to a destination. What encryption encryption and in particular encryption encrypted communications do is it makes you so you don't have to trust every single network or every single person who touches that, that traffic going across the Internet with not doing anything wrong with the contents of that of that communication. And so Encryption provides you confidentiality, it also provides authentication. I don't know folks have used things like DocuSign, or other other online signing tools that allow you to sign legal documents online. They use things use cryptography to enable you to have more authentication to make sure the person signing this legal document actually is the the end user that you think they are. Also Encryption provides integrity. Like I mentioned a second ago, if you have communications going across the Internet, going across network to network, maybe 10, maybe 1000 networks, your Internet traffic could go through, how do you make sure that none of those networks change the contents of those communications? How do they make sure how do you make sure that no one gets into into your, your message, transferring your communication that's supposed to transfer money from your bank account to let's say, your wife's bank account and make sure that they don't put in a different routing number and destination and send it to some other bank account somewhere else. And so you get that integrity as well of those communications. And so someone just kind of the, the different ways that we use encryption are everyday on the Internet using things with using Internet protocols that protect Internet traffic using encryption. We also use them for protecting things like online purchases, but also in the offline world as well. If any of you have used a credit card that has a chip in it, that chip is actually protected cryptographically to help make sure that no one can clone it, and then have their own own credit card that is connected to your account. So if you've used one of those today, you have used encryption. Now, we've talked a bit about encryption broadly. But now I'm going to talk a little bit more about end to end encryption, kind of the difference between regular encryption, regular old encryption and end to end encryption. I think of end to end encryption as kind of the purest form of encryption. And encryption is a type of encryption where only the sender and the intended recipient has the key. The means to decrypt or encrypt those communications. No one else has the key to be able to encrypt or decrypt that. That means that the service provider who was providing that service has no way of decrypting those communications and accessing that makes it the most safe. The safest type of thing friction that there is no a really, really important one. And I'll talk a little bit later about kind of the policy debates around end encryption right now. But I want to talk about some of the really good use cases for end to end and end to end encryption that there are right now. And that's things like protecting communications of journalists and their sources. Journalists rely on end to end encrypted services to communicate with with whistleblowers who might feel not feel empowered to speak out. And other means through other means through fear of retribution, marginalized communities utilize end to end encryption to speak freely with one another. For instance, LGBTQ youth in the United States, who might come from families or from areas that are less hospitable to people who are from that community. They use end encryption to feel safe enough to communicate with one another. Also, end to end encryption really just protects billions of us when you think about it from a messaging standpoint, if any of you all use WhatsApp, or signal, those are end to end encrypted communication services. And so there are I think, over 2 billion people now using WhatsApp and signal if you put them together, and all of them are using end to end encryption to protect their communications by default. And that means that they don't have to worry about WhatsApp or in this, I guess, meta, mining their data for whatever purpose and selling their community selling the data that they're communicating. And so it also provides a bit of security from overuse of data, or, you know, commercialization of data. I'll talk a little bit later about why there's a policy debate around and encryption and encryption more generally. But at the Internet Society, we believe that more of the Internet should be encrypted, everyone should have access to end to end encryption, and that governments should not be trying to undermine and encryption, because like I just said, there are so many really important uses of end to end encryption, and there is no way to provide access to end to end encryption without undermining it. So with that, I'll pass it off back to Laura.
Wonderful, thanks so much, Ryan. And I'm trying to speak up a little bit loudly, which is extraordinarily uncomfortable for me while sitting alone in my office, but hopefully, it means you all can hear me a little bit better. I'd like to actually turn things over now to Eduardo up there, who I imagine for most of you in the room doesn't need much of an introduction, but is involved in the Internet Society in Puerto Rico, and generally is a lifelong learner, and currently is studying computer engineering as well. In order perhaps you could talk a little bit about what happens when encryption is not used, what what are some of those horrible situations that, you know, why is this so important? What are some of the examples of what happens when it goes wrong?
Yes, thank you, Laura, for the introduction, just just in my info for a moment, we will, one introduced the concept of cryptography when as the art of concealing information through a an insecure mean, and everyone knowing that information is being transmitted. Ryan mentioned something about the information is transmitted from end to end, and it is encrypted a to keep privacy to a to keep that information conceal. Because he brought the the the example of journalists are a denouncing certain behavior from from governments and so on. So, so just imagine for a moment that and let us assume, of course, with this premises, just let us assume for a moment that all the communication that you have, through the Internet doesn't matter where doesn't matter, from where doesn't matter to whom all communications are being observed monitor and so on, is there a way the capabilities and and, and the power to pick the information that you're transmitting between yourself and another party? So, just imagine for a moment that that information is not encrypted is not protected is not. So, when I learned cryptography many years ago, I remember that we have these a this fellow in between the two, a two person two parties communicating that he saw it was cool, I think it was Alice or Bob, about Alice and Bob and there was a fellow in between them, always enters intercepting the information and with with the power and lack of ability to grasp to get that information to get into the air to into that transmission. So, just imagine for a moment that that information is not encrypted is being transmitted as, as plaintext. So, another party, whatever whatever the secret, you want to share with one another, with another person, that third party will in know, that that information that you want to conceal, they want to keep secret. So, encryption has the purpose intention to conceal to protect, that information cannot be easily, easily cannot be extracted, and be reveal to another party. So the impact of not a encrypting information is that your private information is, is exposed. And this is a very critical point, when your information is exposed doesn't matter in any in whatever the industry or doesn't matter, the application you're using doesn't matter if you want to. If you want to use your your just for example, every account that you use has a login and you go to your bank to your bank online, and you want to access the information that you have in your bank, you log in you enter your credentials. So just imagine for a moment that those credentials are not encrypted, they are not going through this process of being converted or or or manipulated in a certain way using combinations and permutations using these inverse functions that you can create a grader with the keys and so on. So, just imagine for a moment that that information is not English that is sent as a plain text to the server. And so one is just in between reading what you're what you're sending graphs, your credentials, your username and your password entering your bank account solely the same day you will see your bank account balance properly as zero. So, it is very important that you keep that the the impact of not using cryptography is crucial not only in the banking industry, you have for example, in the in the health industry and protecting your your your information your records as patients that has for example, the there is a lot I will mention that later on the leg II plan the protect that allows citizens to protect their information, the information that your doctors, the hospitals and all the department the Department of Health is using you know sharing going around and they are you know pullulan everywhere and you have that information everywhere. And if there is not a regulation or a law, that information will be exposed to whoever knows the same happens with a credit cards you have a credit cards that have been protected a every transaction this is some kind of a global coalition that every entity that a uses that allows the use of credit cards to a do purchases using credit cards those that entity even in the private sector not a are regulated by this PCI PCI DSS I think, I think it is that is always trying to keep that information information of the of the credit cards a console. Just in my in in the medical sector in the medical devices, you have you have this device implanted in your in your chest in your heart and your your your personal doctor is using that device and is monitoring the signals the electrical signals are being sent to your heart the pulses and is measuring some chemistry and so on so and suddenly a a that device from his office he can send I don't know he can manipulate the doses of certain prescription wherever and he can enter using this encrypted information you encrypting credentials. He can enter manipulate your devices and provide you the correct doses for to attend to to attend your your condition. Just imagine that if that information is not encrypted, and you had I don't know Grunch with your neighbor Okay, and your neighbor has a access to the, to the, to the credential with the device, say bye bye, because you know what, see you You're unable anymore. So the importance of encrypting information in any industry, I give a couple of examples that the banking industry, health industry, it is important to keep your information concealed secret. However, however, as Rayyan mentioned, in a previous discussion, rely on encryption alone is a mistake. So, there are other controls or other protocols that are used in conjunction in a jointly with encryption. So, just the importance is basically to keep your information secret to keep the information concealed so that you can not be a victim of a identity theft someone a acting or proceeding under your name a When, when, when, when, because the person, the the disturbed person had access to information. So the importance of encrypting information, keep it concealed, is extremely important just to prevent the damage that could happen often not doing it.
Thank you. That was wonderful. Really appreciate that, that overview. And I think you know what, what I'm hearing from everyone is, encryption is great. We should all do it all the time. But Ryan, you alluded to the fact that there's some debate on this issue, and I realized that it's very much against your position to give the other side of it. But perhaps you could provide us some context for this debate. Why are governments pushing back on end to end encryption, it sounds wonderful. I don't know why we don't have all the time for everything.
I totally agree. I don't know why we don't have governments that feel this way. But I can talk a little bit about the the encryption debate or the so called encrypted crypto wars, as they've been termed in the media. So there's been a push pull between proponents and opponents of encryption, for the last 30 years, started in the 1990s, and continues to this day. And what it really comes down to is a focus on end to end encryption, because as I mentioned before, end to end encryption works by only allowing the sender and the intended recipients to have the keys to decrypt the communications that are being encrypted. What this means is that, like I mentioned earlier, there's no third parties who have access to those communications. For some governments around the world, this is a scary thing. Because for law enforcement purposes, for public order purposes, for spying on on on each other's purposes, they want to be able to have access to those communications and have access in an easy way. And so some governments are against companies introducing end to end encryption, because that means they wouldn't be able to get access to those communications. They in the past have governments in the past have focused on terrorist communications as being one of the their concerns were recently drug trafficking was was a concern. Now it's child safety online as as one of the main concerns that that governments are talking about as the reasons why they don't want to use end to end encryption, or don't want end to end encryption to be legal without any form of access. But here's the issue, even with the most noble of intentions, what you do when you create third party access to an end to end encrypted. And encrypted communications is what what you're actually doing is creating a vulnerability that can't be patched. And a vulnerability that can be found by any bad actor on the Internet. Anyone on the Internet and utilize to gain access to those communications. They can find a so called encryption backdoor and then use it to gain access much as a government would or law enforcement would. And we've actually seen some examples of this in the past.
So hopefully everyone can hear me all right. Okay, good. Okay, excellent. So in the past, we've actually seen some examples of these backdoors being used by criminals or by foreign adversaries. So, in 2015, there was some news that came out that one of Juniper Networks subsidiaries was hacked by, by criminals that they thought were linked to the Chinese government. And they hacked into these Juniper Networks by using a leftover encryption backdoor that had been built into this to their systems. It just so happened that the US Department of Defense was one of the companies like big customers. And so you can only imagine what sort of data these criminals got access to. And so that's one of the big concerns about about this. The use of encryption backdoors is there is no way to keep an encryption backdoors safe, and there's no way to create a safe encryption backdoor, there's been a whole bunch of attempts to try and find ways to do that, what encryption experts and cybersecurity experts have said every time that this is an unsafe way of doing this. What's really interesting about the encryption policy environment right now is that it feels a bit like we're at an inflection point, because you've got many governments around the world really pushing hard right now to pass laws or policies that would undermine encryption or force companies to use encryption backdoors. For instance, the UK passed a law just last year that could be used to force companies to undermine encryption. In the US, for instance, there's a bunch of legislation on on Capitol Hill that is trying to undermine encryption. But at the same time, more people are using end to end encryption than ever before. And more companies are rolling out and encryption by default for their services than ever before. And so you have this, it almost feels like a reactionary impulse from governments right now, because I think they feel like their opportunity to push back on encryption is starting to slip away. And that's because we have over 2 billion people using encryption using end to end encryption and enjoying the benefits. Just as a quick aside, the Internet Society has worked really hard to push back against policies and legislation that would undermine encryption. We also are a founding member of the global encryption Coalition, which is a group of 400 organizations that work together to promote and defend encryption. I believe the Internet Society of Puerto Rico chapter is one of our one of the members. So thank you. And if you're an organization that's interested in doing more work to promote and defend encryption, or just interested in finding out more about the encryption debate, you can check out our website for the global encryption coalition and join. There's no cost to join. And it's a great group to join in and find out more about thanks for the little plug there.
Thanks so much, Ryan. That was very helpful. And a wonderful overview on kind of what the legislative landscape has really looked like recently around and an encryption. A lot of times the terms have been that get bandied about or are going dark or lawful access. But it's all a rehash of the crypto wars, as you said. And so that was a really helpful and useful overview. So thank you so much for that. So we've been talking a lot now about end to end encryption. And I think any of us well, as Ryan said, we're all currently using it, we probably all have either a whatsapp or signal account or some other form of end to end encrypted communication platform. But there's more to encryption than just end to end. One back to you. I was hoping you could tell us just a little bit about some of the other categories of encryption and how those might be used. Yeah,
the thing is that when we are talking about end to end encryption, I want the audience to, to think about this. During the first generation of cell phones we use they were analog, and I remember the people could hear the conversations of those telephones using a scanner, you know, during those days. So now, the communication that we have between our cell phones can not be heard so easily using that kind of technology. That is what this encryption in end to end communication. That is the analogy for that. However, there's more about it, because yes, we can encrypt from point A to point B in these end to end encryption. However, this is like the pirate does have. We're in the Caribbean. This is the pirate that has the jewels
(inaudible)
the final destination, outdoor station could be stored in a log in a database. And is, is, is today the way it is done, since when you lost your phone, and you buy, buy a new phone, suddenly, everything, your photos, your conversations come back to the phone. So therefore the information is not stored on the phone is stored on the cloud. So what guarantee we have today that our data is being stored in a secure way on our data center. Because we don't see that that is a cloud that we trust. But as a programmer myself, I know that I have worked for every time as soon as you make a program, you have access to all the database and all the information of everyone, as a programmer, and easy to Oh, usually we have an work ethic, because we know if we and also we know, we cannot steal that information and sell it on the market. But anyone could do it and have that in that capability of entering and working with the data and manipulating the deed. So he's the same analogy of having the chest of the pirate open, and all the jewels on top of the table. So there is more than end to end encryption. You know, there is more more than that, you know, we can use that end to end encryption. However, government can say, Okay, let's see all these conversations that have been happening with these two parties. We know that the government does that for the political cases and court and court orders and, you know, they can with a subpoena open the information. And here are the conversations of these two persons here. So really, the end to end is good for a man in the middle attack someone who is wiretapping on your on your conversation, but it's not everything.
Wonderful, thank you so much for that. That was extremely helpful again, and I think really provides a more fulsome picture of what we're talking about when we're talking about encryption and the Internet. I have one more question scheduled. And then I would like to open it up for q&a from the audience. So if you've been chomping at the bit to get a question, and now is your time to think about it. But first, let me turn it over to Eduardo, to give us a little bit of a background on on who regulates encryption, and who sets the standards that we need to be thinking about with this? Yeah,
that is a very important question. And we can say a incorrectly that no one does not true. The reality is that encryption is not a regulator for a private industry. Except in certain cases, like the ICA law, and PCI, the transactions about credit cards, at least those are the ones that come to my mind right now. But there's other regulations, I think is nic 100 179. A, or one Oh 7075 A and B 1k. One was released in the in 2016. The other one was in 2001. And basically they are addressed to regulate the information and communication in the federal government. What has what has happened in the private sector is that the private sector has adopted many of these protocols and frameworks a and have tried to integrate many when when when they encrypt, and they use a particular crypto system. They don't use only one they use a a collection of them that depending on the on the situation information that interests me that or that He's been save a set that up. For example, when you have a, as I mentioned previously, you want to log into your account a un create your information, you increase your credentials, that is not the end of the story. There is a process if you don't
see the
pic a look
server or to a a one stop nexion Cemetery to to do that a, but that is not necessarily regulated. However, the increased the encryptions methodologies and techniques. Yes, in the sense that NIC has developed have documented a certain in crypto system that has been used a as I mentioned previously for the federal government for the communication and the formation the right in the in the federal government that has been adopted in the private sector. So, with the cases of the HIPAA law and the DoD credit card transactions on besides that, there is something else that is important. For example, I remember when I started studying cryptography many years ago, I remember a byte by 10. You can you couldn't send encrypted information to a foreign country. And there was some kind of a joke or some some kind of a TC that we students used to say, Hey, your name is probably is in the in the list in the federal government because you know, cryptography and BM Be careful because the FBI watching on you and so on. So, today the story is different is has there is some flexibility with the information that is sent out of us that is encrypted. On the center conditions, for example, you can send a information related to the Department of Defense, the type of encryption, sometimes there are some restrictions with the number of bits a they use the use for for a key or something like that. So it's not a entirely flexible, there are some restrictions, if you want to send encrypted information out of us. Basically, that is is that done many regulations, there are many standards besides a nice t know, there are I think I triple E there are other organizations that also provide standards have an option for encryption. Not only the NSD. However, for the federal government is the amnesty that applies for the private sector. We are open set in particular cases we are open to use the crystal system that we want for the particular situation or scenario that that we're dealing with. A so that is basically my my response.
If I can say another thing? Um,
yeah, um,
you know, for organizations and corporations, the security is something that is a feeling of the customer. Right. So if the customer feels secure, at secure, that's, that's management sometime thinking. Because if we, as a corporation lost that sense of the customer being secure, we lost everything. So that's why many, many companies stay on the state of the art on an AI continuously continuously continuously looking at what vulnerabilities we have and how to fix them and how to maintain everything secure because we can not lose that customer's sense, that customer feeling about being secure. So another thing is that it is not regulated as us as everyone you know, it is not something common for everyone. However, that feeling that need of the corporation has to maintain the status of being secure is what is self regulating everything.
Thank you. Thank you. That's helpful. So we've got about 11 minutes left by my clock. And I would like to turn it over to the participants, the attendees, with any questions you have for panelists. I cannot see in the room, I'm afraid. So I will have to rely on folks who are there. Or you can put your questions. If you're virtual. If you can put your questions in the chat. That would work too.
Hi, thank you so much for your presentations. And you're, you know, talking about this issue. I'm former law enforcement, former counterterrorism. And I just have a quick question about encryption. You know, you mentioned that the encryption debate has been going on for years. How do you strike the balance between creating trust for a safe Internet and creating trust for privacy?
I'm going to turn that question to Ryan to answer, although I certainly have my thoughts as well. But please write and jump in there.
Sure. So I'm actually going to push back a little bit on the framing. And that's because we've often heard the encryption debate cast as one that's between security and privacy. Whereas I don't think that that's the case. You provide a lot of security for folks through the use of end encryption through online security. There's a lot of security that's added for folks from you know, from things like cyber attacks, from blackmail from lots of other threat vectors, that would be perpetuated from insecurity on the Internet. And when I say insecurity, I mean, less secure communications, less ways of providing integrity, and less ways of providing a of providing confidentiality on the Internet. I think one thing that I always say to folks from law enforcement or from from, from national security agencies is, there's more than one way to catch a criminal. And there's more than one way to do that, which that also doesn't weaken the security and privacy of everyone on the Internet. And that's kind of the danger of undermining encryption. And this whole encryption debate is that in order to try and catch the bad guys, we undermine the security and privacy of everyone. And the other thing that we've seen is that when When criminals feel like they're actually going to be not safe on a service, they'll move to another one, or move to one that is that is of their own design. And so one of the issues that that I'm really concerned about is, if, for instance, the US passed a law making it illegal for, for the use of end to end encryption, or undermining the use of end to end encryption. Most Americans, American citizens probably would just keep using the same services that they're using, but determined criminals, people who are carousels, etc. They're going to move to another service from another country that is still ended encrypted. And so I'm really concerned about a situation where you have have law abiding citizens who are having their security online undercut by these sorts of policies. And then you have criminals and and other national security threats. Continue to break the law because it's what they do. And use and encrypted services from everyone everywhere else in the world. There's really no way at this point to get rid of end to end encryption. Because if, because of the nature of the Internet, there's always going to be someone putting out the code for end for end encryption or putting out a a service for someone to use for end to end encryption.
Right. Thank you, Ryan. And just to make a bit of a shameless plug, the reason I was actually asked to moderate this panel, despite having absolutely no technical expertise, as compared to our panelists, is I actually wrote a report I come from a law enforcement background as well. I was an attorney with the FBI for about five years. And I wrote a report called protecting children in the age of end to end encryption, that specifically looks at some of these techniques that Ryan's talking about, around how can law enforcement and government and civil society and frankly government or in industries, you know, the tech companies don't want this kind of content on their platforms either and so How can we continue to protect children specifically in in these spaces, given end to end encryption is going to be default practice. So with that, I think we have time for at least maybe one more question. Anyone wants to jump in?
There was sorry, there was one question online before and about when when was the global encryption day? And Ryan responded October 21 2024. So that that was the question and answer.
Wonderful, wonderful. Was there any other questions or other from the audience? Or virtually? If not, I'm going to pick one over to Eduardo, and one in the room. Okay, so for people who are,
please, you can't see me, I guess, this question about, about encryption in the 90s. It felt like it was about export controls sort of at that time, and like, we had somehow had some kind of advantage with with higher encryption than the rest of the world, was that just a fantasy at the time, or something that's changed over time. In terms of the encryption encryption discussion, it seemed like, it was about not letting our high level of encryption out to the rest of the world or something seemed to be the question in the 90s.
Right, I'm gonna use seem very attuned, attune, please jump in, yeah, when
I remember in the 90s precisely when I when I learned cryptography. I learned it from a very mathematical point of view, we were talking about set functions and a inverse functions and those sorts of things and relationship that describe one at some point, the world basically functions and all of them has inverses from that point of view, so, it was more a from an academic point of view, where you have the encryption like, like this concept of the end topples, and the functions and, and and the the counterpart of encryption like the, the cryptanalysis, and so on. So, however, today a in the way that is being taught, totally different, and it is like selling cryptography as the panacea like Like, like, something that will not fail, when you are using something that is not true in at that time. We know how to encrypt, but at the same time, we know that encrypt a cryptosystem were vulnerable and they had certain vulnerabilities and they could be break. Today is like a, like some kind of tell story, they pretend to be some kind of a manly thing that will help you to keep your privacy and will keep your your your information safe, and so on. So, a so I don't know if that respond to your to your question, or if that is something that or is not addressing a correctly what your what you intended,
it was early 90s, or late 90s.
In the 90s, but I'm too old to remember the difference I well, because I just remember that there was a conversation specifically about the notion of export controls at the time. And in other words, there was this idea that somehow we wanted to limit the type of encryption that was built into the products that we were exporting outside of the United States. Yes, a 64 bit versus 128, etc. And was that a fantasy all along? Or was there in fact a point at which there was something to be gained from a law enforcement or something through those export controls?
Yes, there was a lot that yeah, there was a lot and correct me Laura, if this lovely list, lovely system is the right word.
lobbyists?
Yes, a bye bye recently that let's say probably 10 years ago or more this restrictions in the law started to harm the way business has been done us there were corporations that wanted to do business out of it with a globalization so there will be saying that we're trying to do business in other countries out of in differing in the foreign space out of us. So because of these restrictions and the requirements that were in need of to export information and do business out of us. These companies were like chain a, so they want flexibility they were they were hiring this lobbyist going to the Congress, I need you to, you know, try to lose a little bit the law because we want to do business. And that law is harming us. And so that is basically what was happening. I don't know if that respond to your? Well, perhaps,
Brian, I think Ryan might have a little bit more intel on this, if he could perhaps jump in.
I'm sure I'll try to help them. So I think there's. So in the 90s, there was a lot of basically saying you can't export cryptography because it was considered munitions. I put in the chat, I don't know if people can see the chat. But for those who can, there's actually a really interesting Wikipedia article about it. And there's a picture of a T shirt that has a cryptographic algorithm on it, because people was protests, were actually printing T shirts with the algorithms on it, and then leaving the country to get those algorithms out. And I think that that kind of shows the futility of this sort of thing of trying to limit the use of encryption nowadays, but also in general, because these sorts of ideas are really easy to spread around the world. And I think, like, like they're saying, there's a big danger in trying to limit the use of encryption in different parts of the world, because the economy and the Internet, and everyone is super interconnected at this point. And they were starting to get really interconnected in the 90s. And as they're saying, if you're trying to do business abroad, and if you're an American citizen trying to do business abroad, for American company, and you can't use encryption to protect yourself strong encryption to protect yourself, then that's a danger to your business, and to the American citizens who are abroad using those those forms of communication. And so I think it's a bit of a fantasy to say that, that that was ever going to work first off, but also that there would be a benefit to law enforcement, because even if they did, you know, if even if they were able to break more foreign, foreign encryption, encrypted communications, because those protocol encryption algorithms were artificially weak, because our export controls, that also meant that criminals could could crack those, it also meant that foreign governments could crack those. And so you're going to have more crime, you're going to have more damages happen, because of these sorts of policies. And so at the end of society, and personally, too, limiting these limiting the use of encryption never goes well, and can cause a lot of these damages. And I think, actually, this question is great, is looking back at the 90s. And saying, you know, how did trying to limit the use of encryption? How did that work out? It didn't work out well. And so this is kind of a broad statement. But this encryption debate, the same things just keep happening over and over again for the last 30 years. And so we see now government's trying to limit the use of encryption or limit the geographic use of encryption, when that's just not possible. And if we look at the crypto wars in the 90s, and trying to stop the export of encryption, encrypted encryption algorithms, it wasn't working, then how is it going to work now when the world's even more interconnected?
Right, right. Well, thank you so much, Ryan. I'm getting the equivalent of the Oscars play off the stage music. So with that, I just I want to thank everybody for joining us. I want to thank Eduardo and Juan in Puerto Rico and Ryan with me virtually thank you all for inviting us and for spending this hour with us talking about cryptography and encryption. Thank you for making it through the day and joining us for this last session today. Thank you all
