This week on my podcast, I read my @Medium column, "The Best Defense Against Rubber-Hose Cryptanalysis," about what the cypherpunks got wrong, what they got right, and what that says about claims that cryptocurrency will defend us from tyranny:

https://onezero.medium.com/rubber-hoses-fd685385dcd4 1/
If you'd like an unrolled version of this thread to read or share, here's a link to it on http://pluralistic.net, my surveillance-free, ad-free, tracker-free blog:

https://pluralistic.net/2022/04/04/attackers-advantage/#anti-oligarchic 2/
30 years ago, the cypherpunks - forerunners of the cryptocurrency movement - waged an epic battle to ensure that we could all access working cryptography. 3/
They believed that safeguarding individuals' right to privacy technology could profoundly alter the relationship of people and their governments. 4/
Governments agreed! The NSA and other agencies were determined to ban civilian access to working crypto, insisting instead that we should all use a deliberately broken cipher that they were widely understood to be able to break. 5/
The agencies claimed that this would strike a balance: on the one hand, it would keep American individuals, agencies and businesses safe from criminals, state actors and corporate spies. 6/
On the other hand, it would let the agencies break into our communications to keep us safe from child pornographers, terrorists, copyright infringers and the mafia (AKA "The Four Horsemen of the Infocalypse"). 7/
With the cypherpunks and the NSA both convinced that unbreakable ciphers represented a seismic shift, the battle was joined. 8/
Pro-crypto fighters put up a valiant fight: they even built a $250,000 computer, #DeepCrack, that could brute-force the NSA's neutered cipher (this computer currently sits next to my desk in my home office - seriously!). 9/
Deep Crack proved the NSA was deluded or lying: if we used the NSA's cipher to protect ourselves, we'd be vulnerable to anyone with $250k to throw at our communications, who could then read our messages, forge software updates for our devices, and make a lot of mischief. 10/
But despite this objective proof, the NSA and its allies were adamant that we could not be trusted with working crypto. 11/
Neither the cypherpunks' technological demonstrations, nor the pleas from security experts with warnings about corporate secrets, financial data, and health records, could sway them. 12/
But we have access to strong crypto today. How did the cypherpunks do it? They used the rule of law. @EFF brought a lawsuit, Bernstein v DoJ, which argued that the #FirstAmendment protected the right of a computer scientist to publish strong ciphers. 13/
There's an important lesson there: while privacy tools are an important check against the abuse of government authority, they are also a *temporary* and *limited* measure. 15/
Ultimately, the point of privacy tools is to provide a way to organize to demand that states uphold the rule of law - they're not a stable alternative to the rule of law. 16/
The cypherpunks knew this. 17/
Marcus Ranum's 1990 coinage, "rubber hose cryptanalysis," described the ability of a corrupt state to break your "unbreakable" cipher by ignoring your human rights, strapping you to a chair, and hitting you with a rubber hose until you gave up your passphrase. 18/
There is no specialized hardware, no additional bits to your key, no fiendish math that will protect you against rubber hoses in the long run. The only stable countermeasure for rubber hoses is a state that respects its residents' human rights. 19/
Much of the time, states don't need to resort to rubber hoses: they have what security experts call "the attacker's advantage." For you to enduringly defend yourself from a powerful surveillance system, you must be perfect. 20/
You need perfect math, embodied in perfect code, on perfect hardware. You need to use it perfectly, choosing a strong passphrase and never leaking it to a hidden camera or a keylogger. 21/
Meanwhile, the attacker - the spies trying to break your security - need only discover and exploit a single imperfection. 22/
What's more, they get to attack your weakest link: they don't need to compromise *you* to read your group-chat - they can compromise *anyone* in the chat and access all of it. Security is a team sport. 23/
So what is the role of cryptography in defending human rights? It's not to allow you to secede from society and live in an impregnable bubble where the state can't see your comms. 24/
It's to provide a temporary shelter that you can use to organize a movement to hold the state to account and demand that it respect your rights. 25/
The cypherpunks were the spiritual ancestors of the cryptocurrency movement, and while many cypherpunks have come to embrace crypto as part of a struggle for human rights, cryptocurrency advocates still often talk about replacing the state with math, rather than perfecting it. 26/
This is an argument I raised in my 2018 talk for Ethereum Devcon, "Decentralize, Democratize, or Die":

27/
Without the rule of law, crypto will fail. Without good governance, we'll see the power of states co-opted by the powerful in ways that make crypto unstable. 28/
For example, companies have long argued for a veto over who can divulge defects in their products, something that they can get by invoking DRM laws like Article 6 of the #EUCD and Sec 1201 of the #DMCA. 29/
These are "anti-circumvention" rules that felonize publishing information that weakens copyright locks. Companies that add a thin layer of DRM to their products gain the legal right to attack security researchers when they warn customers that the products are defective. 30/
Giant companies *love* this, and thanks to market concentration, they can gang up on standards bodies to ensure that this veto over critics expands into new classes of technology. 31/
It's not just #infosec that suffers under corporate concentration. Chevron committed ecological genocide, then locked up the lawyer that held them to account for it:

https://linktr.ee/freedonziger 33/
Russian oligarchs used UK libel law to silence journalists who reported on their hidden wealth:

https://pluralistic.net/2022/03/04/londongrad/#enablers 34/
Pharma companies commit corporate murder with price-gouging, depriving people of life-saving medicine, and their regulators turn a blind eye:

https://pluralistic.net/2021/11/25/strikesgiving/#cool-story-pharma-bro 35/
Banks aren't just too big to fail, they're too big to jail, and no matter how many crimes Wells Fargo commits, it walks away intact:

https://pluralistic.net/2021/09/29/jubilance/#too-big-to-jail 36/
If you care about privacy - not just "financial privacy" but all forms of privacy - then this should alarm you. Undermining privacy makes it easier for states to identify and neutralize dissidents. 39/
The cheaper it is to crush the opposition, the more human rights abuses you can get away with:

https://pluralistic.net/2021/10/26/inequality-and-guard-labor/#just-watch-me 40/
It's true that some financial privacy is anti-corruption. If you want to get money to a dissident news source, or a banned political cause, then private money matters. 41/
If you're fighting to decriminalize homosexuality, it helps if people can donate to the cause without outing themselves as supporters of a banned practice. 42/
But remember the attacker's advantage. If your cause fails, then eventually a motivated, human-rights-abusing state will be able to figure out that you're gay, or publishing a dissident media outlet, etc. 43/
Cryptocurrency and other unregulated financial products *do* open up new possibilities for the weak and the poor and the vulnerable. But they *also* enable the corruption that increases the ability of powerful people to suborn powerful states and victimize the vulnerable. 44/
We really *do* have a financial privacy problem. The fact that you can't consume paid media without identifying yourself (either by paying for a subscription, or being exposed to surveillance advertising) is a profound shift in how we talk amongst ourselves. 45/
It's not a problem that we solve with immutable, public ledgers - because eventually, you will slip up and de-anonymize yourself (thanks to the attacker's advantage). 46/
This has created a world where the only people who can pay for dissident media are either so powerful or so reckless that they don't fear reprisals. 47/
The wealthy and powerful have found a way to beat rubber hose cryptanalysis: they're in charge of the rubber hoses. They don't need the rule of law, because they have the golden rule ("them that has the gold, makes the rules"). 49/
For the rest of us, the use of unregulated financial products in defeating financial censorship has to be weighed against its role in promoting the corruption that leads to financial censorship and other human rights abuses. 50/
When advocates for unregulated financial products talk about "#decentralization," they're usually talking about decentralizing *banks*, not *money*. 51/
But our human rights crisis, our governance crisis, is not the result of too few banks competing for oligarchs' loot - the problem is *oligarchs*.

Every oligarch is a policy failure. Every oligarch is a factory for producing policy failures. 52/
Unregulated finance is a vast laundry for oligarchic wealth: dark money begets corrupt policy, which creates more dark money and more corrupt policy. So long as lawmakers are beholden to billionaires, not voters, we will all be vulnerable to rubber hose cryptanalysis. 53/
You can follow @doctorow.