Crypto Wars 2

Crypto Wars 2 is the second state campaign for plaintext, running from roughly the 2010s to the present. The first Crypto War ended in an apparent rout — export controls collapsed, code was held to be speech, Clipper died — but the demand survived the defeat and returned without the word ban. It now arrives as a court order compelling a vendor to sign attack code against its own customers, as a liability lever that never names encryption, and as detection mandates that leave the mathematics untouched while conscripting the endpoint. The battlefield moved from algorithms to intermediaries, and the loss condition moved with it: not a statute against math, but a market in which confidentiality is quietly no longer on offer.

Going Dark: The Demand Survives Its Defeat

Crypto War 1 — the fight recorded in PGP and the Crypto Wars — closed with strong cryptography legal to publish and ship: export controls were relaxed, key escrow was abandoned, and the Code as Speech litigation made prior restraint of encryption source code constitutionally radioactive. What changed in the 2010s was deployment. After the 2013 Snowden disclosures, device encryption and end-to-end messaging moved from activist tooling to shipping defaults on billions of phones — and the FBI and DOJ answered with the Going Dark frame: warrants that issue but return only ciphertext. The San Bernardino attack of December 2015 gave the frame its flagship case, and officials converged across jurisdictions — a UK Home Secretary, in Logan’s collection of specimens, declared that “End-2-End encryption is completely unacceptable.”

The contested point deserves its due: law enforcement is not wrong that strong default encryption changes investigations — a locked phone or end-to-end messenger can defeat a warrant in a way earlier carrier-mediated systems did not. The libertarian and cypherpunk objection is that every proposed remedy changes the security architecture for everyone; and the politically strongest cases for access — terrorism, child exploitation — are precisely the cases most useful for normalizing general-purpose access machinery.

The wiki’s field map of this war, Fog of CryptoWar, insists the sequel is not a rerun:

“The goal is not, and cannot be, to snatch strong cryptography from the hands of people. Instead, the current debate is about making the secrets that cryptography protects accessible to law enforcement.”

— Jonathan “smuggler” Logan, Fog of CryptoWar

If the demand is plaintext rather than prohibition, the state can lose every argument about banning encryption and still win — through the vendors.

Apple v. FBI (2016): The Compelled Signature

On 16 February 2016, a federal magistrate, acting ex parte under the All Writs Act of 1789, ordered Apple to provide “reasonable technical assistance” in unlocking the San Bernardino shooter’s iPhone 5C — concretely, a signed “Software Image File”: a custom iOS build, keyed to that one device, that would bypass the auto-erase function, accept passcodes electronically, and strip the delays between attempts, so the passcode could be brute-forced (the order is preserved here as OCR; quotes advisory). The demand was not for data Apple held — Apple had complied with those warrants. It was: write and cryptographically sign a weakened operating system on command. Tim Cook’s answer, published the same day, was blunt: “They have asked us to build a backdoor to the iPhone.”

“The government suggests this tool could only be used once, on one phone. But that’s simply not true. Once created, the technique could be used over and over again, on any number of devices.”

— Tim Cook, “A Message to Our Customers”

Such a tool, Cook wrote, “would be the equivalent of a master key, capable of opening hundreds of millions of locks”. And he named the legal vector: “Rather than asking for legislative action through Congress, the FBI is proposing an unprecedented use of the All Writs Act of 1789 to justify an expansion of its authority.”

The case never resolved. On 28 March 2016 the order was vacated as moot after the FBI obtained access to the phone through a third party. No precedent was set; the gap was closed by the exploit market instead — lawful hacking, one of Logan’s predicted routes.

EARN IT: The Lever That Never Names Encryption

The EARN IT Act (S. 3398, 116th Congress, introduced March 2020) is the legislative version of the same maneuver. Its visible machinery is child-protection process: a 19-member National Commission on Online Child Sexual Exploitation Prevention, chaired by the Attorney General, develops “recommended best practices” that providers “may choose to implement”. The compulsion sits one section over. Section 6 — Earning Immunity — strips Section 230 protection from providers for CSAM claims, exposing them to state prosecution and civil suits under a recklessness standard, unless the provider certifies compliance with the commission’s practices or has implemented “reasonable measures”. The word encryption appears nowhere in the bill; its rule of construction even disclaims requiring providers to “search, screen, or scan” for the material at all.

That double absence is the contention. On its face nothing forbids end-to-end encryption — the bill’s defenders say exactly that. The critics’ reading, and this wiki’s, is structural: a provider whose encryption blinds it to user content is a provider a plaintiff can call reckless, and the body defining diligence is chaired by the government’s chief demander of plaintext; the bill assembles an encryption mandate entirely from liability exposure, deniable at every joint. Immunity is no longer a right; it is earned — and the price-setter wants plaintext.

Chat Control: Conscripting the Endpoint

The EU built the same machine from regulatory parts. COM(2022) 209 final (11 May 2022), “laying down rules to prevent and combat child sexual abuse” — universally, Chat Control — creates detection orders: on a finding of “significant risk”, an authority can require a hosting or interpersonal-communications provider to install and operate technologies detecting known and new CSAM and grooming, against indicator databases run by a new EU Centre. The proposal insists the obligation is technology-neutral — measures apply “regardless of the technologies used by the providers concerned”, precisely to “remain technologically neutral, and avoid circumvention of the detection obligations” — and, in the same recital, praises what it declines to exempt:

“That includes the use of end-to-end encryption technology, which is an important tool to guarantee the security and confidentiality of the communications of users, including those of children.”

— European Commission, COM(2022) 209 final, recital 26

An end-to-end encrypted service has no middle where detection can happen. The structural inference — this wiki’s reading, and the core of the proposal’s public controversy — is that a provider under a detection order must scan on the device, before encryption (client-side scanning), or stop encrypting end to end. The proposal never draws that conclusion itself, though it concedes that grooming detection “requires automatically scanning through texts in interpersonal communications”. The drafting pattern will be familiar from the Digital Euro: a solemn assurance about one use of the machine — encryption is “an important tool”; the digital euro “should not be programmable money” — atop an architecture whose mandates the assurance cannot survive.

The Fog: Why the Banning-Math Argument Loses

Logan’s essay supplies the spine that joins these episodes, in three moves. First, regulation targets behavior, not knowledge. “Banning cryptography is like banning math.” mistakes what the state needs to control: “It is behavior that is regulated, not thought.” Speed limits do not erase the idea of driving fast. Second, enforcement never needed to be total:

“We would agree if the goal were total enforcement. However, almost no laws are completely enforced. All complete enforcement requires totalitarian systems.”

— Jonathan “smuggler” Logan, Fog of CryptoWar

“Regulation does not require perfect adherence.” It is enough that defaults shift, most comply, and holdouts become conspicuous. Third, the mass market for cryptography flows through chokepoints — operating systems, app stores, update channels — controlled by “a handful of corporations in very few jurisdictions”. The state does not need to police users; it needs to move a few vendors. Logan’s realistic menu — metadata retention, weakened defaults, lawful hacking, police trojans through the update channel, and result-driven mandates that vendors “make the plaintext of specific messages or device contents available on request” on pain of fines and app-store removal — requires banning nothing.

Every episode above fits the menu. Apple was ordered to turn its signing key — the update channel’s root of trust — into an instrument of search. EARN IT moves vendor behavior by liability gradient. Chat Control mandates a result and leaves “the choice of the technologies” to the provider. Nobody banned math; the arguments that won Crypto War 1 have nothing left to grip. For the Cypherpunk program the lesson is uncomfortable and clarifying: the Censorship Resistance of protocols is necessary but not sufficient when confidentiality dies by default rather than by decree. The contested ground is now device integrity, software delivery, and control of the endpoint — because, as Logan concludes, “we are facing a change in the views and guarantees of confidentiality”.

See Also

  • PGP and the Crypto Wars - Crypto War 1: export controls, Clipper, and the victory this sequel routes around
  • Fog of CryptoWar - Logan’s 2017 essay, the analytical spine of this article
  • Code as Speech - the Bernstein thesis that closed Crypto War 1’s publication front — and why the state stopped attacking there
  • Censorship Resistance - the property under stress: unstoppable in principle is not unstopped in practice
  • Cypherpunk - the movement whose target list Crypto War 2 rewrites: defaults, delivery channels, device integrity
  • Digital Euro - the same EU drafting pattern in money: assurances about the machine’s use atop mandates for the machine
  • The Snowden Disclosures - June 2013: the hinge event of modern privacy politics — bulk suspicionless surveillance confirmed by the state’s own documents, condemned by its own reviewers and courts
  • Tor - The volunteer-run onion-routing overlay: the cypherpunk mix lineage reborn for real-time traffic, and the internet’s principal anonymity and censorship-resistance infrastructure.
  • Privacy and Cryptography - Topic map of the wiki’s privacy-and-cryptography thread: Austrian privacy theory, state surveillance, Bitcoin, and parallel-economy tools.