Encrypted Communications V The Law
This, along with the Cambridge Analytica use of ProtonMail, raises the question of where the responsibility for key management lies. There are various apps that provide end-to-end encryption, in which the communication provider has no knowledge of the key.
In its simplest form, this could be a one-time pad encrypting a message sent by post. The postal service is the conduit but has no ability to read the message; all it can do is make a copy and pass it on. This has existed in one form or another for at least 2,000 years.
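As an added illustration (not part of the original post), here is the one-time pad in the postal analogy: the sender XORs the message with a pad, the "postal service" can copy the ciphertext but learns nothing from it, and the recipient, holding the other copy of the pad, recovers the message. It also shows the two properties that matter for the rest of the discussion: any same-length plaintext is consistent with a given ciphertext (so a ciphertext alone proves nothing about its content), and reusing a pad leaks the XOR of the two messages. The message and pad bytes below are constructed sample values.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def make_pad(length: int) -> bytes:
    """Generate a fresh pad from the OS CSPRNG; it must never be reused."""
    return secrets.token_bytes(length)


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """Encrypt with a one-time pad; the pad must be at least message length."""
    if len(pad) < len(plaintext):
        raise ValueError("pad must be at least as long as the message")
    return xor_bytes(plaintext, pad[: len(plaintext)])


# XOR is its own inverse, so decryption is the same operation.
otp_decrypt = otp_encrypt


def pad_consistent_with(ciphertext: bytes, claimed_plaintext: bytes) -> bytes:
    """Return a pad under which `ciphertext` decrypts to `claimed_plaintext`.

    Because every same-length plaintext has exactly one such pad, the
    ciphertext by itself carries no information about which one was sent
    (perfect secrecy). This is the reason the carrier can only copy it.
    """
    return xor_bytes(ciphertext, claimed_plaintext)


def pad_reuse_leak(ct1: bytes, ct2: bytes) -> bytes:
    """What an observer learns when one pad encrypts two messages: their XOR.

    C1 xor C2 == (M1 xor K) xor (M2 xor K) == M1 xor M2, which is enough to
    recover both messages when they are natural language.
    """
    return xor_bytes(ct1, ct2)


def post_a_letter(plaintext: bytes, pad: bytes) -> bytes:
    """Sender side: encrypt, then keep nothing but the ciphertext to post.

    Once the sender's copy of the pad and the plaintext are gone, only the
    recipient's copy of the pad can recover the message.
    """
    ciphertext = otp_encrypt(plaintext, pad)
    return ciphertext


if __name__ == "__main__":
    # Constructed sample: a short note and a pad shared in advance.
    message = b"meet at noon"
    pad = make_pad(len(message))
    in_the_post = post_a_letter(message, pad)          # what the carrier sees
    print("carrier sees:", in_the_post.hex())
    print("recipient reads:", otp_decrypt(in_the_post, pad))
    # A different claimed plaintext is just as consistent with the ciphertext.
    alt = pad_consistent_with(in_the_post, b"meet at dusk")
    print("alternative pad decrypts to:", otp_decrypt(in_the_post, alt))
```

Run it directly to see the round trip; the `pad_reuse_leak` helper is there to make the failure mode concrete rather than for any normal use.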
Fast forward to today: now we have services that use PKE to encrypt the message. This has been the case since Phil Zimmermann released PGP in 1991 and faced serious amounts of detention for it. If the sender is careful, then not even they retain a copy of the mail, so they cannot decode it (assuming they anticipate the police raid and store no copies of the plaintext). Only the recipient has access to the key needed to decrypt. The trap-door algorithms that form the basis of PKE rely on our belief that a suitably long key makes the time needed to break the message longer than the message's useful lifetime. With ProtonMail, the service provider acts as a transport hub but cannot read the message, even if subpoenaed.
Fast forward again: how long until we have a viable quantum computer that can break a large number of PKE messages and read the plaintext? Then no one will know who has read which messages.
So the arms race progresses. Now we will move to harder encryption: say Twofish or AES. These are not, we believe, subject to quantum cryptanalysis. I have to say believe, because that might be what they want us to think, right? What better way for the security services to handle cracking seriously hard encryption than the classic double bluff: "Oh yes, we have cracked xyz encryption, but abc is still hard", when in fact the opposite is true!
Next stage: quantum-resistant versions of PKE, e.g. McEliece or its like, and lattice-based cryptography. The cost of encryption is dropping as computers get more powerful and we have GPUs to help. We also have high-speed comms networks, so the fact that it takes a long time to encrypt a message and the key is around 4 MBytes in size is not really a problem.
So what does the legal system do now? Seriously, what do they do? They can legislate all they want and make it the sender's responsibility to provide the keys, but it does not take a genius to work out ways for the keys themselves to be distributed, used and destroyed, leaving the sender unable to provide the key. And that assumes the sender is in a jurisdiction that is favourable to such legal frameworks.
I am a systems programmer. I have made plans for a multikey quantum-resistant message exchange that would permit plausible deniability of knowledge of the keys. I know I could do this using what we believe are trusted methods (no, I am not going to be foolish enough to create my own encryption, thank you). With multiple encryptions and the addition of noise in the encrypted message, it would be very hard to decrypt, even with a quantum cryptanalysis system.
Random Noise? Can it be random? Yes it can:
Got to stop here - I can see the black helicopters circling and there are men in the garden who must be really cold - they are putting on balaclavas.