There has been a lot of “excitement” lately about government surveillance, encryption, and secure message services. This has led to one provider, Lavabit, shutting up shop rather than agreeing to do something they wanted no part in, and another provider, Silent Circle closing down their Silent Mail service in order to avoid been asked to do something they clearly want no part of either.

While I think both Lavabit and Silent Circle are to be commended for their stands, and I’m hoping the fact things are getting to this extreme is giving some others cause for reflection, as usual the popular discussion appears to be turning into how the individual use of encryption can help prevent abuse in a “surveillance state”. This is a bit of a problem as use of encryption, or certainly public key encryption, provides you with no long term protection at all, and not only do some people not seem to understand this, but as usual it’s spawning a new generation of snake oil with claims about products based on public key encryption that are simply not true.

As anyone who knows me will hopefully testify, and my work on Bouncy Castle should show, I do believe  quite passionately in the “civilian population” (in which I include myself) having access to good quality encryption software, but I also recognise the limits of its usefulness. For me encryption is primarily a tool to support trade and commerce, certainly a good defence against corruption and criminal activity but not really as helpful as it might seem in keeping “the Feds” (or any other similarly well resourced and determined party) out of my business. The only thing that defends my individual freedoms and stops a government agency from kicking down my door at 2.00 AM and shooting me is the rule of law.

It is important to understand this. The letters PGP in the software originally created by Philip Zimmermann stand for “Pretty Good Privacy”. I think it’s important to appreciate that “Pretty Good” is quite different from “Indefinite”. In terms of claims made, Phil certainly delivered, it’s pretty good, and if you keep upping your key sizes appropriately and manage your keys carefully you’ll probably still get at least 2 to 5 years before anyone can actually start reading your messages without stealing your keys, or the keys of one your recipients. There is a simple reason for this: as we have advances in mathematics and computing, the ability to recover the secret values associated with algorithms like RSA improves so all public key algorithms really give you is a window of privacy, not the ability to forever hide what you think. So yes, good for medium term planning, great for reducing fraud related to packet sniffing credit cards, but next to useless for protecting you from “the state” (and if you want to fully understand what that means, there is already at least one example showing a few years to a government agency with the right incentives is nothing).

So where does that leave us today? Well if you think your country is on the slippery slope to becoming a surveillance state (and I guess, with all due respect to other people’s good intentions, it’s pretty clear a few countries are…) start lobbying to get the laws changed, improve accountability, make sure you have a diverse and free press employing good investigative journalists, keep an eye out for your neighbours, and while you are carrying out the debate try and keep in mind a lot of people on the “other side” are genuinely trying to do the right thing (so may be a little perplexed and confused that the rest of us are so cross…). Don’t kid yourself that because you’re using cryptography you’re in some way making yourself safer, or apart, from what might happen to everyone around you who is not.

The debate going around us is really about the kind of society we all want to live in, government agencies included. After all, if your country makes the final transition from surveillance state to police state, the only thing the heavy use of encryption is likely to do for you is make you a target. Most likely not the position you intended to be in, and nothing about your private keys will protect you then.