Cryptography, Trust and Privacy: It's Complicated

Ero Balsa, Helen Nissenbaum, Sunoo Park

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Privacy technologies support the provision of online services while protecting user privacy. Cryptography lies at the heart of many such technologies, creating remarkable possibilities in terms of functionality while offering robust guarantees of data confidentiality. The cryptography literature and discourse often represent that these technologies eliminate the need to trust service providers, i.e., they enable users to protect their privacy even against untrusted service providers. Despite their apparent promise, privacy technologies have seen limited adoption in practice, and the most successful ones have been implemented by the very service providers these technologies purportedly protect users from. The adoption of privacy technologies by supposedly adversarial service providers highlights a mismatch between traditional models of trust in cryptography and the trust relationships that underlie deployed technologies in practice. Yet this mismatch, while well known to the cryptography and privacy communities, remains relatively poorly documented and examined in the academic literature, let alone broader media. This paper aims to fill that gap. Firstly, we review how the deployment of cryptographic technologies relies on a chain of trust relationships embedded in the modern computing ecosystem, from the development of software to the provision of online services, that is not fully captured by traditional models of trust in cryptography. Secondly, we turn to two case studies (web search and encrypted messaging) to illustrate how, rather than removing trust in service providers, cryptographic privacy technologies shift trust to a broader community of security and privacy experts and others, which in turn enables service providers to implicitly build and reinforce their trust relationship with users. Finally, concluding that the trust models inherent in the traditional cryptographic paradigm elide certain key trust relationships underlying deployed cryptographic systems, we highlight the need for organizational, policy, and legal safeguards to address that mismatch, and suggest some directions for future work.

Original language: English (US)
Title of host publication: CSLAW 2022 - Proceedings of the 2022 Symposium on Computer Science and Law
Publisher: Association for Computing Machinery, Inc
Pages: 167-179
Number of pages: 13
ISBN (Electronic): 9781450392341
State: Published - Nov 1 2022
Event: 2022 ACM Symposium on Computer Science and Law, CSLAW 2022 - Washington, United States
Duration: Nov 1 2022 - Nov 2 2022


Keywords

  • assumptions
  • cryptography
  • privacy
  • trust

ASJC Scopus subject areas

  • General Computer Science
  • Law
