With admirable timing that buried the news in the heart of the pre-Christmas rush, not to mention burying it further in paragraph 5 of a presidential signing statement, the White House on Dec. 20 declared that
“The executive branch shall construe…the [Postal Accountability and Enhancement] Act, which provides for opening of an item of a class of mail otherwise sealed against inspection, in a manner consistent, to the maximum extent permissible, with the need to conduct searches in exigent circumstances, such as to protect human life and safety against hazardous materials, and the need for physical searches specifically authorized by law for foreign intelligence collection.“
When I finally got around to reading this language–sorry, I was working at the soup kitchen that night–the first thing that came to mind was Philip Zimmermann’s 1991 comment: “If you really are a law-abiding citizen with nothing to hide, then why don’t you always send your paper mail on postcards? If you hide your mail inside envelopes, does that mean you must be a subversive or a drug dealer, or maybe a paranoid nut?”
Zimmermann went on to say,
“What if everyone believed that law-abiding citizens should use postcards for their mail? If a nonconformist tried to assert his privacy by using an envelope for his mail, it would draw suspicion. Perhaps the authorities would open his mail to see what he’s hiding. Fortunately, we don’t live in that kind of world, because everyone protects most of their mail with envelopes. So no one draws suspicion by asserting their privacy with an envelope. There’s safety in numbers. Analogously, it would be nice if everyone routinely used encryption for all their email, innocent or not, so that no one drew suspicion by asserting their email privacy with encryption. Think of it as a form of solidarity.“
If you only use encryption and other privacy-enhancing technologies when you have something of high value to protect, you’re making life a whole lot easier for anyone–whether government white hat or criminal black hat, or even government black hat if you admit that such a thing might be possible–who might want to focus finite computing resources on a small number of high-value targets.
If you’re not encrypting databases, at the database level and not just the link level of any database applications; if you’re not encrypting e-mail as a matter of routine; if you’re not managing access privileges in a granular way that identifies roles and assigns individuals to those roles, then you’re just not paying attention.
Setting the standard for what’s normal is something we all do together. Let’s set that standard higher.