Clay Shirky's Writings About the Internet

Economics & Culture, Media & Community, Open Source

The RIAA Succeeds Where the Cypherpunks Failed

First published December 17, 2003 on the "Networks, Economics, and Culture" mailing list.

For years, the US Government has been terrified of losing surveillance powers over digital communications generally, and one of their biggest fears has been broad public adoption of encryption. If the average user were to routinely encrypt their email, files, and instant messages, whole swaths of public communication currently available to law enforcement with a simple subpoena (at most) would become either unreadable, or readable only at huge expense.

The first broad attempt by the Government to deflect general adoption of encryption came 10 years ago, in the form of the Clipper Chip. The Clipper Chip was part of a proposal for a secure digital phone that would only work if the encryption keys were held in such a way that the Government could get to them. With a pair of Clipper phones, users could make phone calls secure from everyone except the Government.

Though opposition to Clipper by civil liberties groups was swift and extreme, the thing that killed it was work by Matt Blaze, a Bell Labs security researcher, showing that the phone's wiretap capabilities could be easily defeated, allowing Clipper users to make calls that even the Government couldn't decrypt. (Ironically, AT&T had designed the phones originally, and had a contract to sell them before Blaze sank the project.)

The Government's failure to get the Clipper implemented came at a heady time for advocates of digital privacy -- the NSA was losing control of cryptographic products, Phil Zimmermann had launched his Pretty Good Privacy (PGP) email program, and the Cypherpunks, a merry band of crypto-loving civil libertarians, were on the cover of the second issue of Wired. The floodgates were opening, leading to...

...pretty much nothing. Even after the death of Clipper and the launch of PGP, the Government discovered that for the most part, users didn't want to encrypt their communications. The most effective barrier to the spread of encryption has turned out to be not control but apathy. Though business users encrypt sensitive data to hide it from one another, the use of encryption to hide private communications from the Government has been limited mainly to techno-libertarians and a small criminal class.

The reason for this is the obvious one: the average user has little to hide, and so hides little. As a result, 10 years on, e-mail is still sent as plain text, files are almost universally unsecured, and so on. The Cypherpunk fantasy of a culture that routinely hides both legal and illegal activities from the state has been defeated by a giant distributed veto. Until now.

It may be time to dust off that old issue of Wired, because the RIAA is succeeding where 10 years of hectoring by the Cypherpunks failed. When shutting down Napster turned out to have all the containing effects of stomping on a tube of toothpaste, the RIAA switched to suing users directly. This strategy has worked much better than shutting down Napster did, convincing many users to stop using public file sharing systems, and to delete MP3s from their hard drives. However, to sue users, they had to serve a subpoena, and to do that, they had to get their identities from the users' internet service providers.

Identifying those users has had a second effect, and that's to create a real-world version of the scenario that drove the invention of user-controlled encryption in the first place. Whitfield Diffie, inventor of public key encryption, the strategy that underlies most of today's cryptographic products, saw the problem as a version of "Who will guard the guardians?"

In any system where a user's identity is in the hands of a third party, that third party cannot be trusted. No matter who the third party is, there will be at least hypothetical situations where the user does not want his or her identity revealed, but the third party chooses or is forced to disclose it anyway. (The first large scale example of this happening was the compromise of anon.penet.fi, the anonymous email service, in 1994.) Seeing that this problem was endemic to all systems where third parties had access to a user's identity, Diffie set out to design a system that put control of anonymity directly in the hands of the user.

Diffie published theoretical work on public key encryption in 1975, and by the early 90s, practical implementations were being offered to the users. However, the scenario Diffie envisioned had little obvious relevance to users, who were fairly anonymous on the internet already. Instead of worrying now about possible future dangers, most users' privacy concerns centered on issues local to the PC, like hiding downloaded pornography, rather than on encrypting network traffic.

However, Diffie's scenario, where legal intervention destroys the users' de facto privacy wherever it is in the hands of commercial entities, is now real. The RIAA's successful extraction of user identity from internet service providers makes it vividly clear that the veil of privacy enjoyed by the average internet user is diaphanous at best, and that the obstacles to piercing that veil are much, much lower than for, say, allowing the police to search your home or read your (physical) mail. Diffie's hypothetical problem is today's reality. As a result, after years of apathy, his proposed solution is being adopted as well.

In response to the RIAA's suits, users who want to share music files are adopting tools like WINW and BadBlue that allow them to create encrypted spaces where they can share files and converse with one another. As a result, all their communications in these spaces, even messages with no more commercial content than "BRITN3Y SUX!!!1!", are hidden from prying eyes. This is not because such messages are sensitive, but rather because once a user starts encrypting messages and files, it's often easier to encrypt everything than to pick and choose. Note that the broadening adoption of encryption is not because users have become libertarians, but because they have become criminals; to a first approximation, every PC owner under the age of 35 is now a felon.

The obvious parallel here is with Prohibition. By making it unconstitutional for an adult to have a drink in their own home, Prohibition created a cat and mouse game between law enforcement and millions of citizens engaged in an activity that was illegal but popular. As with file sharing, the essence of the game was hidden transactions -- you needed to be able to get into a speakeasy or buy bootleg without being seen.

This requirement in turn created several long-term effects in American society, everything from greatly increased skepticism of Government-mandated morality to broad support for anyone who could arrange for hidden transactions, including organized crime. Reversing the cause did not reverse the effects; both the heightened skepticism and the increased power of organized crime lasted decades after Prohibition itself was reversed.

As with Prohibition, so with file sharing -- the direct effects from the current conflict are going to be minor and over quickly, compared to the shifts in society as a whole. New entertainment technology goes from revolutionary to normal quite rapidly. There were dire predictions made by the silent movie orchestras' union trying to kill talkies, or film executives trying to kill television, or television executives trying to kill the VCR. Once those technologies were in place, however, it was hard to remember what all the fuss was about. Though most of the writing about file sharing concentrates on the effects on the music industry, whatever new bargain is struck between musicians and listeners will almost certainly be unremarkable five years from now. The long-term effects of file sharing are elsewhere.

The music industry's attempts to force digital data to behave like physical objects have had two profound effects, neither of them about music. The first is the progressive development of decentralized network models, loosely bundled together under the rubric of peer-to-peer. Though there were several versions of such architectures as early as the mid-90s, such as ICQ and SETI@Home, it took Napster to ignite general interest in this class of solutions.

And the second effect, of course, is the long-predicted and oft-delayed spread of encryption. The RIAA is succeeding where the Cypherpunks failed, convincing users to trade a broad but penetrable privacy for unbreakable anonymity under their personal control. In contrast to the Cypherpunks' "eat your peas" approach, touting encryption as a first-order service users should work to embrace, encryption is now becoming a background feature of collaborative workspaces. Because encryption is becoming something that must run in the background, there is now an incentive to make its adoption as easy and transparent to the user as possible. It's too early to say how widely casual encryption use will spread, but it isn't too early to see that the shift is both profound and irreversible.

People will differ on the value of this change, depending on their feelings about privacy and their trust of the Government, but the effects of the increased use of encryption, and the subsequent difficulties for law enforcement in decrypting messages and files, will last far longer than the current transition to digital music delivery, and may in fact be the most important legacy of the current legal crackdown.
