The US federal government passed a massive $1.15 Trillion piece of legislation today. Inside was the controversial Cybersecurity Information Sharing Act (CISA), which has failed to pass on its own merits previously. For those who care about privacy or their constitutional rights, it was a major defeat.
After CISA passage, Bitcoin advocate Andreas Antonopoulos took to Twitter to give his advice:
CISA, the "Son of Patriot Act", passed the House. No warrants, all data. Don't lobby. Don't vote. Don't whine. Don't plead. ENCRYPT.
— AndreasMAntonopoulos (@aantonop) December 18, 2015
Andreas is right; the political process cannot be trusted and we should focus on how to protect ourselves with technology. But he doesn’t go quite far enough in his recommendations. The response to CISA – and the entire surveillance apparatus – should be two-fold. Encrypting our personal, financial, and commercial communications and moving them onto peer to peer platforms.
The benefits of encryption are obvious. If done properly, then anyone viewing the traffic over the network will be unable to decrypt it and read the contents. This should be default for all traffic online, and is slowly becoming so.
But encryption doesn’t hide metadata, which gives those watching nearly as much information as the plain text of the communication would anyway. It also does little to prevent companies from sharing your data with government agencies. If the information over the wire is encrypted, but then freely given to a company who gives it to the government, then encryption has done you no good at all.
One of CISA’s worst aspects was how they give immunity to companies who hand over their data to the government. As Ars Technica reports:
The CISA part of the spending package gives corporate America legal immunity when sharing consumers’ private data about hacks and digital breaches with the Department of Homeland Security. The DHS can then funnel that information to other agencies, including the NSA and FBI, which can use that information for surveillance purposes.
This poses such a threat to privacy because companies have a huge amount of personal information in their databases that intelligence agencies would love them to share. Now those companies can share it without fear of any legal repercussions.
Encrypting traffic doesn’t solve this problem. However, there is something we can do: Encrypt our personal, financial, and commercial communications and move them onto peer to peer platforms.
Moving our activities onto peer to peer platforms means there is no central organization collecting data about users, and there is no central organization to hand any data over to government agencies. It means that metadata is often more difficult to ascertain. Most peer to peer networks allow for pseudonymity, making connecting activity to identity more time and resource consuming.
I don’t mean to suggest that peer to peer platforms are a panacea. They can still be monitored. More importantly, they are still young and in development. It would be difficult for the average person to move the majority of their activity onto such platforms. But for those among us who value privacy and understand technology, using them – and hopefully helping to build them – is a valuable investment of time. Let me give two examples.
Bitcoin is a peer to peer network for exchanging value. It’s not perfectly private; all transactions are visible on a public ledger. However, it gives users much more privacy and control over their own money than using the traditional banking system. The information around a credit card purchase is directly tied to your identity, to the identity of the place you made the purchase, the item you bought, etc. The information around a Bitcoin transaction doesn’t include either users’ identity or location, or details around the transaction itself. While it’s sometimes possible to discover those details out by analyzing the public ledger of past transactions, it’s not a simple process if the user is careful about their privacy.
OpenBazaar is a peer to peer network for trade, using Bitcoin. I’ve been working on the project with an international community of supporters since mid-2014, and it’s nearing release now.
OpenBazaar isn’t a darknet market, so its main appeal for privacy isn’t based on using IP obfuscation techniques. Instead, it eliminates the middlemen from trade online, along with their massive databases of personal information. Because trade is peer to peer, you only share your information with people you engage in trade with, and only the information you want. No central organization is collecting the data of all users on the platform. The transactions between users is done directly between them, and it’s encrypted. Chat messaging is peer to peer and end to end encrypted as well. Users wanting more privacy can access the network behind a VPN.
There are other examples; Bitmessage or Tox for communications, Bittorrent for data sharing, various other cryptocurrencies and a handful of peer to peer marketplaces.
CISA’s legal immunity for businesses has no power over Bitcoin, OpenBazaar, or other peer to peer platforms; there’s no one to give them data. The more we encrypt our data and move our activities onto peer to peer platforms, the less information is centralized and collected by the surveillance state. Encryption and decentralization go hand in hand.