Cryptography, Trust and Privacy: It's Complicated

Proceedings of the 2022 Symposium on Computer Science and Law Pub Date : 2022-11-01 DOI:10.1145/3511265.3550443

Ero Balsa, H. Nissenbaum, Sunoo Park

{"title":"Cryptography, Trust and Privacy: It's Complicated","authors":"Ero Balsa, H. Nissenbaum, Sunoo Park","doi":"10.1145/3511265.3550443","DOIUrl":null,"url":null,"abstract":"Privacy technologies support the provision of online services while protecting user privacy. Cryptography lies at the heart of many such technologies, creating remarkable possibilities in terms of functionality while offering robust guarantees of data confidentiality. The cryptography literature and discourse often represent that these technologies eliminate the need to trust service providers, i.e., they enable users to protect their privacy even against untrusted service providers. Despite their apparent promise, privacy technologies have seen limited adoption in practice, and the most successful ones have been implemented by the very service providers these technologies purportedly protect users from. The adoption of privacy technologies by supposedly adversarial service providers highlights a mismatch between traditional models of trust in cryptography and the trust relationships that underlie deployed technologies in practice. Yet this mismatch, while well known to the cryptography and privacy communities, remains relatively poorly documented and examined in the academic literature---let alone broader media. This paper aims to fill that gap. Firstly, we review how the deployment of cryptographic technologies relies on a chain of trust relationships embedded in the modern computing ecosystem, from the development of software to the provision of online services, that is not fully captured by traditional models of trust in cryptography. Secondly, we turn to two case studies---web search and encrypted messaging---to illustrate how, rather than removing trust in service providers, cryptographic privacy technologies shift trust to a broader community of security and privacy experts and others, which in turn enables service providers to implicitly build and reinforce their trust relationship with users. Finally, concluding that the trust models inherent in the traditional cryptographic paradigm elide certain key trust relationships underlying deployed cryptographic systems, we highlight the need for organizational, policy, and legal safeguards to address that mismatch, and suggest some directions for future work.","PeriodicalId":254114,"journal":{"name":"Proceedings of the 2022 Symposium on Computer Science and Law","volume":"25 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2022-11-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 2022 Symposium on Computer Science and Law","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3511265.3550443","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 1

Abstract

Privacy technologies support the provision of online services while protecting user privacy. Cryptography lies at the heart of many such technologies, creating remarkable possibilities in terms of functionality while offering robust guarantees of data confidentiality. The cryptography literature and discourse often represent that these technologies eliminate the need to trust service providers, i.e., they enable users to protect their privacy even against untrusted service providers. Despite their apparent promise, privacy technologies have seen limited adoption in practice, and the most successful ones have been implemented by the very service providers these technologies purportedly protect users from. The adoption of privacy technologies by supposedly adversarial service providers highlights a mismatch between traditional models of trust in cryptography and the trust relationships that underlie deployed technologies in practice. Yet this mismatch, while well known to the cryptography and privacy communities, remains relatively poorly documented and examined in the academic literature---let alone broader media. This paper aims to fill that gap. Firstly, we review how the deployment of cryptographic technologies relies on a chain of trust relationships embedded in the modern computing ecosystem, from the development of software to the provision of online services, that is not fully captured by traditional models of trust in cryptography. Secondly, we turn to two case studies---web search and encrypted messaging---to illustrate how, rather than removing trust in service providers, cryptographic privacy technologies shift trust to a broader community of security and privacy experts and others, which in turn enables service providers to implicitly build and reinforce their trust relationship with users. Finally, concluding that the trust models inherent in the traditional cryptographic paradigm elide certain key trust relationships underlying deployed cryptographic systems, we highlight the need for organizational, policy, and legal safeguards to address that mismatch, and suggest some directions for future work.

查看原文本刊更多论文

密码学、信任和隐私:它很复杂

隐私技术支持在线服务的提供，同时保护用户隐私。密码学是许多此类技术的核心，在功能方面创造了非凡的可能性，同时提供了数据机密性的可靠保证。密码学文献和论述通常表示，这些技术消除了信任服务提供商的需要，也就是说，它们使用户能够保护自己的隐私，即使不受信任的服务提供商的攻击。尽管隐私技术有着明显的前景，但在实践中，它们的采用有限，而最成功的技术是由服务提供商实施的，这些服务提供商据称可以保护用户免受这些技术的侵害。被认为是对抗性的服务提供商采用隐私技术，突显了密码学中传统信任模型与实践中部署技术背后的信任关系之间的不匹配。然而，尽管密码学和隐私社区都知道这种不匹配，但在学术文献中仍然相对缺乏记录和研究，更不用说更广泛的媒体了。本文旨在填补这一空白。首先，我们回顾了密码学技术的部署如何依赖于嵌入在现代计算生态系统中的信任关系链，从软件的开发到在线服务的提供，传统的密码学信任模型没有完全捕捉到这一点。其次，我们转向两个案例研究——网络搜索和加密消息——来说明加密隐私技术如何将信任转移到更广泛的安全和隐私专家和其他人的社区，而不是消除对服务提供商的信任，这反过来又使服务提供商能够隐性地建立和加强他们与用户的信任关系。最后，总结传统加密范式中固有的信任模型忽略了部署加密系统的某些关键信任关系，我们强调需要组织，政策和法律保障来解决这种不匹配，并为未来的工作提出了一些方向。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Proceedings of the 2022 Symposium on Computer Science and Law

自引率

0.00%

发文量