CNET también está disponible en español.

Ir a español

Don't show this again


Crypto users aren't paranoid

In response to the January 21 Perspectives column by David Holtzman, "Homeland Security and you":

David Holtzman's article "Homeland Security and you" is a wonderfully concise text on upcoming efforts by the U.S. federal government to sort through our mail. I am afraid, however, that it gives the general impression that only people with something to hide would want to use strong cryptography to protect their privacy.

In a related, though not explicit way, it indicated that only the paranoid should use PGP (Pretty Good Privacy), S/MIME (secure multipurpose Internet mail extensions), or any of the other message encryption protocols. Neither point is entirely accurate.

As to the first point, that only the paranoid would want to use strong crypto, I can assure you that is not the truth. Strong authentication technologies may be used for secure remote login and establishing the verity of a particular statement on a particular day. Thus, strong crypto features are ideal for remote logins--say, to a remote corporate network, or to your Web server.

As a "knowledge worker," I deal every day with what the government might call sensitive, but unclassified, information. This is usually identifying information collected from customers or clients for explicit purposes and usually for a limited amount of time. It is our policy to either store this information in an encrypted file or on a hard disk protected with a transparent encryption capability.

As to the second point, that only a paranoid would wish to use existing security solutions: This flies in the face of everything I have been trying to tell my customers for the past ten years. It is the nature of public key cryptography that should you want to receive a secure transmission, you must have a public/private key-pair.

Consider the wide range of things one might want to keep confidential: system passwords, credit card numbers, social security numbers, medical records, identifying information for one's children, etc. It is a gross misstatement to indicate that people with an interest in keeping such data private are paranoid. Relegating the use of crypto to the paranoid implies a community of foil-hat-wearing cryptoanarchists engaged in delusional self-abuse with the aid of a computer and a pair of prime numbers.

It is every bit as true today as it was ten years ago; despite the noise from the cryptoanarchists, use of crypto does not make one "cool"--it simply makes (one) prepared for the eventuality of having to handle sensitive data in a trustworthy fashion. In a world with a decreasing level of discretion, it also makes one polite. Appealing to paranoia may make good copy, but in the long run it will be the appeal to reasonable gentility that will justify the use of strong cryptographic protections in the next decade.

Matthew S. Hamrick
Alexandria, Va.