Encryption is complicated in a lot of ways. Topics like elliptic curve cryptography and post-quantum cryptography are best left to mathematicians, and not someone like me who needs to count on his fingers to calculate a tip. And even someone who has a perfect understanding of the world’s most advanced cryptography techniques could still slip up in implementing it, since even the smallest mistake in designing a secure system may be all a snoop needs to break it apart.
That said, some of the practical implications of encryption for ordinary Internet users, assuming the systems have been designed correctly, are not that hard to grasp.
Proper use of encryption means that it’s possible for you to communicate with another person (or a company) without any eavesdroppers being about to figure out what you’re saying. This protects the security of online banking and shopping, and lets you use secure chat apps like Signal, WhatsApp, or iMessage to keep in touch with your friends and family without leaving a bunch of records online for advertisers or spies to look through. It means you can browse a website without your ISP knowing exactly what articles you’re reading. It’s very hard to achieve privacy online, and computer networks sometimes seem like tools designed to track and report your every move. Encryption allows users to use mathematical tools that are more sophisticated than what even the US government had a few decades ago to get back some of the privacy we had in the offline world.
But it’s important for Internet users to be just as aware of what encryption doesn’t do. When you have a secure connection with a banking website, your ISP can’t eavesdrop and see how much is in your checking account. But it can see what bank you’re using–encryption might be able to hide the content of your communication, but not the fact of your communication. If someone looking at your Internet history sees that you’re accessing a bunch of websites about a particular illness, he or she might deduce that you or someone in your family has contracted it. Your connection might be secure when you’re shopping online, but if the shop stores its sales receipts in an insecure way, your privacy might still be compromised. You can send a secure message to your friend, but you can’t keep your friend from taking a screenshot of the message and sharing it with the world.
Users should use all the technological tools they can to protect their privacy–not just the ordinary encryption baked into their web browsers or chat apps, but things like VPNs or even tools that obfuscate network connections like Tor. They should make sure their hard drives are encrypted and that their phones have good passcodes.
But the limitations of encryption mean that users need actual policy protections, as well–that is, laws. People want their privacy protected in ways that technology might not allow. Sometimes they might have no choice but to share data, but still want some control over what’s done with it. Your bank knows what your bank balance is–but do you want your bank to sell that information to advertisers? Only real, enforceable laws can provide that kind of protection. In the broadband context, since ISPs unavoidably can see some of what you do online, we need laws that can help limit how closely they’re allowed to look, what records they can keep, and what they can do with what data they do collect.
Finally, we need policymakers who understand the importance of the privacy protections that encryption does provide, and who do not seek to undermine it by making it illegal or making it ineffective with requests for “back doors” or other measures. There’s no such thing as encryption that only good guys are allowed to break, or that bad guys aren’t able to use.
Encryption, along with real and enforceable privacy laws, together can allow users to maintain some control of their personal information in this highly networked age, where everyone has a camera in their pockets and many people conduct a lot of their personal lives online. But the only way for encryption to be effective is for users to understand what it doesn’t do, as well as what it does.