SAN FRANCISCO – Cryptography is at the heart of security, especially here at this week’s RSAC 2020. And during the event’s annual Cryptographer’s Panel, industry leaders broke down their top crypto-concerns, including privacy regulations, election security and blockchain.
Privacy is clearly a top application for cryptography as more and more data is collected and sent to various stakeholders in the digital economy. Arvind Narayanan, associate professor of computer science at Princeton University, brought up the fact that it’s not just the basic invasion of privacy that people should be concerned about. After using the example of China using facial recognition to “name and shame” jaywalkers in Shenzhen to illustrate one aspect of the misuse of data collection, he pointed out that increasingly, personal information can be used for a range of civil liberties violations.
“It’s about discrimination and fairness,” he said. “Think about genetic privacy for instance – a potential employer might deny me a job, law enforcement could misuse it, insurance companies could use it to enable discriminatory pricing.”
[For Threatpost’s complete RSA Conference 2020 reporting, please visit our special coverage section, available here.]
Tal Rabin, head of research at the Algorand Foundation, added that regulations like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), which are meant to protect citizens against data falling into the wrong hands, offer both an opportunity and a challenge to the cryptography community.
“Many of the protocols that have been designed don’t offer appropriate ways that comply with [these regulations],” she said. “Take the right to be forgotten – what do we mean by that? It’s written into the law, but what do people actually want when they talk about the right to be forgotten? Say ‘person X’ posts his information online, and I query that and download it and I have it on my computer. Then, I ask to be forgotten—which will include the fact that I queried something about ‘person X’. So later, how can the search engine satisfy ‘person X’s’ right to be forgotten? There are conflicting requests.”
Princeton’s Narayanan called the term “right to be forgotten” a “silly name” – but pointed out that the function is important.
“Suppose you have a criminal record, you’ve served your time and are now applying for a job,” he said. “Do you want your prospective boss’ first impression to be that criminal record, or do you want to be able to bring it up in context on your own terms? Here the ‘right to delist’ is a better term – asking for certain search results being deleted from certain queries.”
He added that Google gets 50,000 requests a month from consumers asking for the right to be forgotten. “They said that it’s working well to be able to delist some search results,” he pointed out.
Whitfield Diffie, cryptographer and security expert at Cryptomathic, stirred debate with a different take. “The right to be forgotten doesn’t affect anyone who can keep their own records or the secret police – it just prevents busybody employers from accessing information,” he said. “We already have laws in place against discrimination, so what do we need this for?”
Adi Shamir, Borman Professor of computer science at The Weizmann Institute in Israel, pointed out that there are millions of formerly incarcerated persons who can’t find jobs because of their records – “and this is the main reason for recidivism.”
Rabin added, “We need tech to eliminate data from the internet because of course there are things we want to be removed from the web. The tech will never be perfect, but we should work on these types of technologies.”
‘Blockchain is Overhyped’
There are cryptographic roadblocks to enabling the deletion of information, Shamir also pointed out – notably blockchain.
“Blockchain is all about making the past immutable,” he said. “Any legislation that requires people to undo past actions is contrary to the technology. In most cases, blockchain is overhyped and there are simpler ways to achieve the same goal. Most of these use cases that have been proposed for blockchain are nonsense.”
One of those privacy use cases that some are considering for blockchain is ensuring voting anonymity. Ronald Rivest, professor at Massachusetts Institute of Technology, told the audience that voting is one application where technology should be less involved, not more involved.
“Blockchain is the wrong security technology for voting,” he said. “It’s like trying to use a combination lock to put out a kitchen fire. Voting has requirements that are stronger than other use cases – you need anonymous ballots, which makes it tough to do audits. We’ve learned that we need software independence in the form of paper ballots. Otherwise you trust the results if you trust the software, which is a dangerous path to go down. As for anonymity, blockchain in my view is garbage in, garbage stored forever.”
Rabin finished the conversation with a look into her crystal ball and noted that blockchain could very well play a different role in the future – just perhaps not for privacy applications.
“Blockchain took things that we have known since the 80s – hash functions, proof of work – and this shows us that we can bring things from the past and use them in the future,” she said. “Blockchain is still missing the killer app. But that’s the power of this field – you can go and keep designing, because today you might not know what to do with new technology, but ten to 30 years in the future, we’ll find a use for it.”