Sign All Things

I have written repeatedly about why I don’t think “encrypt all things” is the right answer for constructing a democratic society going forward. I am, however, a fan of the idea of “sign all things.” What I mean by this is that ideally all my emails, blog posts, etc. would be automatically digitally signed using a private key. Anyone with the corresponding public key could then verify that I really did write this email or post.

Why does this matter? Because with digital tools it is also incredibly easy to pretend that someone wrote something even when they didn’t. Here is a great analysis of this potential threat with regard to the DNC leak from the Lawfare blog:

I was actually looking for evidence of something much more frightening and which still keeps me up at night: What if the documents were mostly real, but had been surgically doctored? How effective would a carefully planted paragraph in an otherwise valid document be at derailing a campaign? How easily could Russia remove or sidestep an inconvenient DNC official with a single doctored paragraph showing “proof” of dishonest, unethical or illegal practices? And how little credibility would the sheepish official have in asserting that “all of the rest of the emails are true, but just not the one paragraph or email that makes me look bad”?

As tools get better, manipulation that is hard or impossible to discover will become possible not just for text but also for images and video (at the moment, changes to visual documents usually still leave obvious traces).

Encrypted communication by itself does not solve this problem. Endpoints may be compromised or actively leaked. Signing emails and documents more generally is an orthogonal problem to encryption but solved by the same underlying technology. This is why, when I wrote about a possible new blogging platform last week, I included signing of posts and comments as a requirement:

Every post (and comment) would be signed with an identity and it would be possible to follow content based on identity independent of publishing location.

Finding all the posts that belong to an identity and have been properly signed is possible as long as identity and signature information is either included using a microformat or can be re-established (see Mediachain for an example). 
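The doctored-paragraph scenario and the follow-by-identity requirement above, as an added Go example that is not from the original post, Blockstack or Mediachain. The `SignedPost` envelope, its field names and the example hostnames are assumptions, and Ed25519 is chosen here because the post names no algorithm.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"strings"
)

// SignedPost is a hypothetical envelope; the author's public key is the identity.
type SignedPost struct {
	Location string            // where the copy was found; deliberately not signed
	Identity ed25519.PublicKey // who claims authorship
	Body     string
	Sig      []byte // Ed25519 signature over Body
}

// Sign binds the exact bytes of body to the holder of priv.
func Sign(priv ed25519.PrivateKey, location, body string) SignedPost {
	pub := priv.Public().(ed25519.PublicKey)
	return SignedPost{Location: location, Identity: pub, Body: body, Sig: ed25519.Sign(priv, []byte(body))}
}

// Verify reports whether Body is what Identity signed (length check avoids a panic).
func Verify(p SignedPost) bool {
	return len(p.Identity) == ed25519.PublicKeySize &&
		ed25519.Verify(p.Identity, []byte(p.Body), p.Sig)
}

// ByIdentity keeps posts that claim id AND verify, wherever they were published.
func ByIdentity(feed []SignedPost, id ed25519.PublicKey) []SignedPost {
	var out []SignedPost
	for _, p := range feed {
		if id.Equal(p.Identity) && Verify(p) {
			out = append(out, p)
		}
	}
	return out
}

func main() {
	// Constructed demo key from a fixed seed; real keys come from ed25519.GenerateKey.
	author := ed25519.NewKeyFromSeed([]byte(strings.Repeat("a", 32)))
	post := Sign(author, "blog.example", "Paragraph one.\n\nParagraph two.")
	mirror, doctored := post, post
	mirror.Location = "mirror.example"
	doctored.Body = strings.Replace(post.Body, "two.", "two. Planted sentence.", 1)
	kept := ByIdentity([]SignedPost{post, mirror, doctored}, post.Identity)
	fmt.Println(Verify(mirror), Verify(doctored), len(kept)) // true false 2
}
```

The mirrored copy still verifies because only the body is signed, while the copy with one planted sentence is dropped even though every other paragraph is genuine.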

Signing all things is a key reason why I believe that a decentralized identity system is a fundamental building block for the future, and I am excited that Blockstack is building this. You would not want to rely on, say, your Twitter or Facebook identity to sign all your documents only to then find that they revoke your username or keys.
