In the Shadow of PRISM

It now seems clear that any and all electronic communications are grist for the NSA’s mills. Only a fool would imagine that something expressed directly and plainly by phone, email, or SMS would remain private between sender and receiver. Of course, most of what we say to each other these ways is utterly trivial and inconsequential as far as the spy agencies are concerned, which doesn’t mean, of course, that we are happy or even content to have our private communications, however mundane, so casually and routinely raked through. 

Broadly speaking, there are two ways to go: we can, as some have urged — half provocatively, I think — learn to live in a post-privacy world. Human beings have done it before, as anyone who has lived in a village can tell you. Privacy as a legal concept is, after all, something of a late comer to the party.

Or we can learn to encrypt. This is something that lawyers, who are forbidden from village gossip, must now — as a matter of professional responsibility, I’d say — treat with all seriousness.

I know far too little about encryption to be able to say whether there’s any hope of ever shielding information so securely that only an agreed-upon recipient can learn its true content. But I believe that there are techniques available to us that can make it onerous indeed for a spy to decrypt our messages. I would say that we will see a great deal of Internet attention paid to encryption in the near future.

It’s started already. Slate has a piece on “How to Shield Your Calls, Chats, and Internet Browsing From Government Surveillance,” mentioning among other things PGP (or “pretty good privacy”) as a way to encrypt emails and Cloudfogger as a tool to encrypt files on Dropbox. I’ve learned that a South African company called Seecrypt offers to enable “military grade” encryption of your mobile phone calls and texts.

If you’re interested in following the PRISM revelations and responses, you might look at Gigaom’s tracking of the story. (Hat tip here to the Law Librarian Blog.)


  1. Encyrption wouldn’t necessarily solve the problems of ubiquitous government surveillance unfortunately. A lot of the uproar has been over the NSA’s collection of metadata: not the contents of a phone call but merely the fact that a phone call took place, between two parties, at this time, on this date, for this long. Significant information can be extracted from an analysis of this kind of data, and encryption on it’s own does nothing to solve this problem.

    In my opinion, before worrying about encrypting communications, lawyers should be learning to encrypt the client information that they already store on easily-misplaced electronic devices: phones, tablets and even laptops. This is low-hanging fruit and a it’s practice that every lawyer who uses these devices should be adopting.

  2. David Collier-Brown

    Legal question: if I email a client knowing the NSA may be monitoring, does that vitiate the attorney-client privilege? – Popehat (Kevin White, Esq.), Twitter

    Discussion at

  3. David Collier-Brown

    A good example of the risk of “metadata” tracking: how to identify Paul Revere from
    metadata the British field agent, Mr David Hackett Fischer had collected.

  4. David Collier-Brown

    At the strictly practical level, one of the strongest protection against communications and metadata capture is an encrypted network, sitting on top of an ordinary one. All a snooper sees is encrypted messages to and from the nearest machine.

    An offering of this for smartphones, written by Phil Zimmerman of PGP fame, is “Silent Circle”,

    I’m a happy user of the older program, PGP. The new one is much easier to use, according to a review in Slate,

    [Yes, this is a particular and professional interest of mine: I used to work in formal computer security, and belong to GTALUG POG]

  5. If you think encryption is going to protect your information from trained spies and/or terrorists, you are sadly mistaken. The U.S. government has been using encryption (that I know of) for at least 7 years. If they made it, they can hack it. There are professional hackers that live to break this encryption–some are even hired by the government to find weaknesses. Plus, you can have the most advanced encryption, but if the receiver doesn’t have the exact same product, it’s useless–they cannot receive your message. Encryption will only protect your information from the Everyday Joe, not from people who really want the information for malicious reasons.

  6. @Barb You’re right that both sender and receiver must have access to the encryption key, or a significant part of it, at least. This means you’d reserve encryption for especially sensitive communications. Of course, where you’re concerned about protecting your own data, you could — and should — encrypt to your heart’s content. I think you give too much credit to code-breakers, though, whether governmental or not. It’s not as easy as you suggest to crack available encryption, which, as I understand it, is based on the difficulty of factoring out the two prime numbers that were combined to produce a given product. The explanation here does better than I can in making it clear: All I posited was that encryption will hinder spies. This might disincline them from tackling your communications, given that the machine power required is truly significant. I note that the MIT Center for Civic Media places encryption at the top of its list of “5 productive responses to PRISM”:

  7. “Encryption will only protect your information from the Everyday Joe, not from people who really want the information for malicious reasons.”

    AES256 is a standard and thourgholy vetted encryption algorithm, which is approved to encrypt the highest level of U.S. state secrets. If it were easy to break, why would be be approved for such a use? Some Newer intel procesors have special parts of thier chip dedicated so speeding up these operations.

    AES256 is so strong that a bruce force attack is impossible, It would require a computer bigger than the universe, or more time than anybody can live.

    And there’s also such a thing as assymetric encryption which relies on public-private keychains. The public key or keys are published and the private is kept secret. When sending a message to someone I use my private key and their public key to encrypt it, and they use their private key and my public key to decrypt it. … If such keys are based on an ECC the resulting encryption is very strong. (DSA can be broken, but is takes many samples, and is very computationally expensive. Days or weeks on the largest computers in existence) While vulnerable to a man in the middle attack, the risk can be reduced by establishing a chain of trust or exchanging keys in person.

    As for implementation there are standard and vetted open source programs that implement them. Don’t trust proprietary progams with this.