Ever since encryption was invented, people have been trying to break it.
That was the main takeaway from my recent stroll through the history of secret-keeping and code-breaking represented by Bob Lord's private collection of vintage cryptography machines, kept at his apartment in San Francisco. As Apple and Facebook spar with the government in the U.S. and Brazil over consumer encryption, I decided to revisit the machines that paved the way for us to so easily send secure communications today.
Lord is the chief security officer at Yahoo and began collecting machines in the 90s when he first started working on computer security. His collection includes the infamous Enigma machine used by the Nazis during World War II; its code was famously broken by English computer scientist Alan Turing, which then helped the Allied Forces win the war. Lord has machines used by the Swiss, the Russians and the U.S. Army over the last half century. Most are big and clunky—not like the silent, invisible encryption that happens on your smartphone or computer now.
"The underpinnings of these machines and modern crypto are the same, though," said Lord.
Today, you can easily send an end-to-end encrypted message on the go using iPhone's iMessage or an app like Telegram or Signal. Historically, it wasn't so simple. The U.S. Army's portable encryption machine, the M-209, is lighter than most of the machines here, but at 7 pounds with its case, much heavier than most smartphones. Its major innovation: a groove in the bottom of its typewriter base so that a soldier could prop it on one knee to shoot off a message from the war field during World War II.
Lord's favorite item is the Russian Fialka, a noisy, electronic crypto-typewriter that was used in Soviet embassies from the 50s through the 90s. It had 10 mechanical rotors, instead of the 3 or 4 used by the Enigma, making its encryption stronger. The gibberish messages it created included pin-pricks on the paper so that it could be sent to another embassy and fed into its Fialka for automatic translation. When the machines were retired, they were ordered to be destroyed so that the Cold War superpower's algorithms didn't fall into enemy hands, but a few units "fell off the truck."
"We suspect the Fialka's encryption must have been broken by the NSA," said Lord. "As we've seen in the last few years, cryptography doesn't always age well. Attacks always get better, they never get worse."
Lord should know. He's been working on computer security since the 90s, including gigs at Netscape, AOL, Twitter and now Yahoo. He's had to deal with attacks on users' secrets coming from hackers and criminals—and from the government.
“People don't understand the value of encryption,” said Lord. “During the Crypto War in the 90s, we struggled to get the government to accept encryption being built into consumer products.”
Lord worked at the early internet browser Netscape then. He was on the team that built the "lock icon" you see in your browser that lets you know what you send won't be readable by anyone who intercepts your Web traffic. Lord said the company had to build two versions of its browser in the 90s to comply with government regulations: a domestic one and an international version with weaker encryption. It was around that time that Lord became interested in the history of encryption and started collecting vintage crypto machines, buying first the M-209 on eBay.
"It was the start of an addiction," he said. And not a cheap one. An Enigma machine like the one in Lord's collection auctioned for $269,000 last year.
Lord's collection hails from a time when encryption was used and controlled primarily by governments.
"These machines protected government secrets against government adversaries," said Lord. "Because cryptography was mainly used by militaries, we thought about it as something dangerous. It was regulated for some time as a weapon."
That's why the government tried so hard in the 90s to prevent its export to other countries, and tried to disarm it by forcing technology companies to build a backdoor into their products, called the Clipper Chip, so that law enforcement would always have a way in. Ultimately, the security-minded technologists won the right to distribute secure software when a federal court ruled that code is speech. Attempts to restrict it were unconstitutional.
“If we had lost in the 90s, I think even those who opposed me would agree the world would be a worse place,” said Lord.
But now, battles are again breaking out between governments and technology companies over encryption.
Facebook and Apple are both currently on the receiving end of government ire due to designing products in a way that only their users are able to unlock the information inside. The head of the FBI compared tech companies building non-back-doored encryption into their products to companies building cars with trunks that cannot be unlocked.
The government’s frustration is boiling over into lawsuits, fines, and even an employee’s arrest. Brazil detained a Facebook executive last month over the company’s inability to hand over the content of encrypted WhatsApp messages related to a drug investigation. (Facebook owns WhatsApp.) Meanwhile, in California, Apple has been fighting a judge’s order that it build special software for the FBI that would allow investigators to circumvent the features protecting a dead mass shooter’s encrypted iPhone.
Yahoo, along with 14 other major technology companies, filed an amicus brief on Apple’s behalf in that case. Lord says tech companies are concerned about the precedent that would be set if the FBI wins. Last year, Yahoo and Google announced plans to develop end-to-end encryption for their email users, which Lord indicated was close to completion. Once rolled out, the company could be in the same boat as Facebook in Brazil, being asked to hand over information which it doesn't have the power to decrypt.
"It’s not our desire to neuter what the FBI can do but we must protect our values and put users first," said Lord.
(This week, the government canceled a court hearing about the case, saying it may have found a way to get into the phone without Apple's help.)
It’s a critical moment for the future of privacy and security. Will tech companies lose and be forced to design communication tools that can be broken into? Or will the government lose and be forced to accept the existence of digital spaces into which it cannot peer?
"We've moved from a world in which encryption is protecting military secrets to protecting much more average secrets but so many more of them," said Lord. "As we've moved our lives online, the need to protect our secrets has moved online. Encryption is important in your daily life, even if you think you have nothing to hide."