How can I explain to non-techie friends that "cryptography is good"?

  • After that case in which the Brazilian government arrested a Facebook VP due to end-to-end encryption and no server storage of messages on WhatsApp to prove connection with a drug case, it's become pretty common for friends of mine to start conversations about what cryptography is and why we should use it on a daily basis. The same applies with the iPhone terrorist encryption case in which the FBI broke in.

    For non-techie friends, it's easy to understand the basics of cryptography. I have managed to explain to them the basics, public key vs. private key, what end-to-end encryption during communication is (your data is not stored encrypted, but it is "scrambled" during data exchange), all the core concepts without getting into more technical words like AES, MD5, SSL, PGP, hardware encryption acceleration, TPMs, etc. They like to have encryption on their phones, but they always come up with the following concept:

    If terrorists/criminals could be caught by not having cryptography in our world, I would not blame data surveillance by governments and companies, nor the lack of cryptography in our communications/data storage.

    I explained that this point of view is somehow twisted (as a knife can be used to do crimes, but its primary use is as a tool), but I didn't keep their attention.

    Is there a best way to explain the value of cryptography for end-users in our modern world? (The Snowden and Assange stories seem like fairy tales to them too.)

    Compendium: Some of the explanations/concepts that didn't work so far:

    • Would you let the government have a copy of your house key?

      People tend to isolate data from house access, and they clearly would say "no, I do not want the government to have a copy of my house key and watch me doing private stuff. But if they are looking for a terrorist/criminal, it's fine to break the door". For them, it's okay since they don't break in your house while you are pooping. The existence of a "master key" in the encryption world is fine to them. "My information is encrypted, but it could be turned into plain again in case of terrorism/crime".

    • Would you let others trace your life based on what you do online?

      "But Google already does that based on emails and searches...". This mostly shocks me, because they are "with the flow" and they aren't bothered by data mining. Worse, people tend to trust Google way too much.

    • What about the privacy of your communications? What if you are talking dirty things with your boy(girl)friend?

      "I don't talk about things that would harm others (criminally speaking) so I don't mind being MITM'd." Again, it's fine to them if a conversation about their sexual routine is recorded, if the intent is to investigate criminal activity in their city.

    • The Knife paradox.

      You can see on their faces that this is a good one, but instead, they say that "knives aren't as dangerous as secret information being traded between criminals so, it's okay that knives are misused by criminals sometimes".

    Jon Callas (a well-known cryptographer) simply uses curtains as his analogy. You want curtains, you want your neighbors to have curtains. Too short for an answer, but less vulgar than the toilet answer below.

    The comments on PseudoSu's answer raise a point I haven't yet seen directly made in these answers/comments: encryption, ideally, prevents one's communications from being spied on, altered, and/or spoofed **without one's knowledge**, which communications made in-the-clear usually don't. In some cases I'm okay with my privacy being compromised, but I definitely want to know whether to expect privacy or not.

    Not sure it's even worth engaging, but you could always grab the latest headline about police malfeasance or criminality to point out that they're not always the good guys. "So you're willing to trust your money and data to a group that executes unarmed civilians and plants weapons on their bodies?" You're many times more likely to be killed by a cop than a terrorist, so your friends are scared of the wrong threat, actually.

    @MathieuK. Yeah, the same way that at your work, they warn you about security policies, and that your communication could not be confidential at all times.

    If your friends think encryption is unnecessary, I'm sure they'll have no problem posting the passwords for all of their online accounts on 4chan.

    Again. They didn't say it is unnecessary. They said that in specific situations (take your time to read all the content this question created) they would drop encryption for a "greater good".

    Then the question isn't whether encryption is good - it's who you trust with your keys.

    There is no need to be BINARY on this subject. It is not because they trust the government/companies sniffing around on SOME of the communication, that they are stupid enough to post passwords as plain text online, or to abdicate door locks. This is the kind of argument that is not going to work or happen. "Cryptography is good" is not only about trust, but changing a point of view that tries to undermine cryptography just because some minority uses it to do bad stuff...

    Sorry, I guess I wasn't clear. What I'm hearing is that they want to hide info from some people, so they need encryption, but they're willing to let certain parties (e.g. the government) bypass it. In other words, the question becomes "Do you trust those parties that you are entrusting with this power?" Another important question: "Could those parties ever change in such a way that would cause you to stop trusting them?" - after elections for example...

    Even the TSA requires you to lock a gun case with a real lock (not a TSA lock). Sometimes it's a bad idea to allow everything to be accessible with a master key even when it's the "authorities" who control the master key.

    @HopelessN00b That's the right approach but still not a perfect example given that the suspect was fleeing the crime scene, which indicates some degree of guilt (an innocent person would have no reason to flee from a police officer). The officer still shouldn't have shot him, but that example can be argued both ways. Also that example wouldn't work so well in countries where the police don't carry guns.

    Most people don't realise what encryption protects or how reliant they are on it. I would start there. It protects your medical data. Your biometric data. Your WiFi/webcam from hacking. Your children's chats from snooping by abusers. Your online banking/ATM use. Your ability to transact/shop online. Businesses' abilities to trade long-distance or using the web. Persecuted peoples' ability to communicate with support+voluntary groups and be sure who they are talking to and that persecutors cannot read messages. Certainty that data has not been tampered with. Confidentiality communicating fears/abuses.

    @Pharap He was behind on his child support payments and didn't want to lose his job by being thrown in a debtor's prison. Anyone who doesn't get that isn't worth having a conversation with, or calling a friend. But whatever, if you don't like that example, wait a week for the next one.

    @HopelessN00b You have just proved he wasn't innocent and he had committed a crime. The analogy fails since the victim was still technically a criminal. The 'non-techies' would probably argue that the authorities wouldn't target someone unless they believed the person was a criminal. To convince them you'd have to show them an example of the police getting it completely wrong e.g. harming someone who hadn't committed any crime due to either malice or misinformation. Again, I agree with your point, but I think your chosen example is flawed and could be contested.

    I think this question is phrased wrongly. Yes, most people think of it in terms of "Is Crypto a good thing?". But I think everyone agrees it is a good thing. The real questions are "Is ubiquitous crypto a good thing?" and "Is weak crypto better than no crypto?". The problem is that most people don't understand that 'weak crypto = no crypto'.

    Be careful with phrasing: "crypto is good" is an opinion, not a fact. To quote Tom Leek's answer: "technology is morally neutral" - crypto is not good, nor is it evil; just like book printing or the Internet. At best, you can try to convince people that it is not evil, or even more, that *it is useful*. One more thing: these people "don't understand" your arguments not because they are stupid or lack technical knowledge: they are just naive. In their ideal society of honest and respectful people, you don't need locks or curtains - you have nothing to hide and nobody would look anyway.

    A thought occurs... I have some non-techie friends, and they generally don't buy into the government's arguments on this topic (including one who's former military, currently working as a firefighter), so I'm thinking that them being non-technical isn't the root of their position on the issue. You don't need to be technically literate to understand the hazards of giving the government (or anyone at all) the degree of power that comes with unrestricted access to everyone's data and communications. (Which is ultimately what results from banning crypto or creating a government backdoor.)

    "From now on, I will read all your emails and texts. I will catalog them and keep them in perpetuity. I will not tell you why I am doing this except that it is for the common good (as vaguely defined by me and changed as I see fit). I will not tell you under which conditions they will be used, when they are being used, or how they will be used." Now imagine if that statement comes from an authority that, based upon the whims of an un-elected unknown person, will callously bankrupt you, imprison you, and ruin your reputation through innuendo.

    For the house key analogy, in my opinion, the following would be more correct: Would you be ok if you were forced by the government to leave a copy of your key outside on your door so that they could enter any time you want? Obviously, not just the government would be able to open your door...

    You should tell them to forget all the FUD produced by government and law enforcement agencies about terrorists and encryption. It's what they tell people to make them feel bad for using encryption so they can continue to mass surveil the population.

    @Tyler Is that true? Can you provide a link? That's a great point.

    @JesseJackson google "gun tsa lock". It's all over the internet on "how to fly with a gun" how-tos, though, oddly enough, not directly mentioned on their gun rules page. Their page does say that "only you should have keys to your gun case," (paraphrasing) which implies that a TSA master key shouldn't open the lock.

    @Tyler You made a claim that the TSA requires something and I am asking you to point to the requirement. Where are you getting this information?

  • Tom Leek

    Correct answer

    5 years ago

    "If lack of encryption allows FBI to catch terrorists, then lack of encryption allows criminals to loot your emails and plunder your bank account."

    The rational point here is that technology is morally neutral. Encryption does not work differently depending on whether the attacker is morally right and the defender morally wrong, or vice versa.

    It is all fear-driven rhetoric anyway, so don't use logic; talk about what most frightens people, personally. And people fear most for their money.

    Great post, just wanted to add an analogy I think hits close to home for backdoors. Putting a backdoor into encryption is like leaving your house key under the door mat. At some point a bad guy is going to find it, get into your house, kick your cat, and steal your dog. Bad guys are cruel.

    Yet! I prefer the knife analogy (first a tool, then a means to kill) to the gun (first a tool to kill, then...). The moral neutrality is always debatable :) Nevertheless, cryptography is like clothes, you never want to be naked in public, even if you have nothing to hide, unless you are an exhibitionist of course o_O

    @dakre18, 'cause no one would want to kick your dog and steal the cat. That'd just be dumb.

    @dakre18 That should be an answer by itself.

    I would vote this up twice if I could.

    @yota This is something I've been grappling with for ages. A gun factory is perfectly legal. But "OMG ISIS IS USING TELEGRAM" is what scares people. For me, that's the ultimate hypocrisy right there.

    Well, and here's something important to keep in mind. Encryption exists solely to protect data. If your data doesn't need to be protected then there would be nobody after it. Not the government. Not criminals. Not nosey neighbors. In such a world, either your data is physically inaccessible or there is no more crime. You're literally implying something that cannot exist. Such a world wouldn't even bother with house keys. Nobody would bother stealing your stuff.

    I use nearly the same technique - I remind people that encryption is what secures our credit card details, bank accounts, retirement plans, stocks... and also municipal water and gas systems, air traffic control... the list goes on (I leave off anything federal/military, because of course they would keep encryption). While strong encryption might be a factor that makes it harder to catch or prosecute a small amount of criminals and terrorists, it's also the main tool that is used to protect *literally everyone* from mass amounts of criminals and terrorists.

    "It is all fear-driven rhetoric anyway, so don't use logic" Critical nuance to articulate; very nice.

    I like your point "talk about what most frightens people". Apart from money, they also fear for their dick-pics: see John Oliver on Government Surveillance

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM