Let’s do a little thought experiment, starting with a few assumptions.
- I’m an investigative journalist, and I have come into possession of some sensitive information.
- Publication of either the information itself, or news articles based on it, would have a substantial public interest.
- I need to transfer the information from A to B without, myself, travelling from A to B.
What are my options?
1. Given that the information is in digital form, I could just attach it to an email and send it to B.
2. I could encrypt it first, and then email it.
3. I could encrypt it and have it hand carried by a trusted courier, and not give the courier the decryption keys.
If I use strong, standardised encryption (for instance, of the kind approved by a recognised national standards body and implemented in mainstream commercial products), I am entitled to a reasonable belief that the information is protected against brute force decryption. I could also use, say, asymmetric and/or out-of-band key exchange to ensure that B can decrypt the information once the courier has delivered it.
This is all hypothetical, but it seems to me that option 3 and the subsequent paragraph would be good evidence of a “responsible” approach on the part of the journalist.
Equally hypothetically: if it subsequently emerges that the apparently strong, standardised cryptography has been intentionally weakened in the course of the standardisation process, that does not imply that I was irresponsible in my ‘reasonable belief’ in the strength of the encryption. There may be irresponsibility there, but it is not mine.
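Option 3 and the paragraph that follows it, sketched as an added example (not code from the original post). It assumes the third-party Python `cryptography` package and a constructed scheme: B's public key may travel by email, its fingerprint is confirmed over a separate channel, and the courier carries only an X25519 + AES-256-GCM package. All function names and sample data are hypothetical.

```python
# Added illustration: the courier carries ciphertext only; B's key fingerprint is
# confirmed out-of-band. Names, labels and sample data are constructed for this example.
import hashlib, hmac, os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey, X25519PublicKey
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat

INFO = b"courier-package-v1"  # constructed context label for key derivation

def raw(pub):
    """Serialise an X25519 public key to its 32 raw bytes."""
    return pub.public_bytes(Encoding.Raw, PublicFormat.Raw)

def fingerprint(pub_bytes):
    """Value B reads to A over a separate channel (phone call, in person)."""
    return hashlib.sha256(pub_bytes).hexdigest()

def _key(shared, eph_pub, rcpt_pub):
    # Derive the AES-256 key and bind it to both public keys.
    return HKDF(hashes.SHA256(), 32, salt=eph_pub + rcpt_pub, info=INFO).derive(shared)

def seal(plaintext, rcpt_pub_bytes, fp_out_of_band):
    """A's side: refuse to encrypt to a key that fails the out-of-band check."""
    if not hmac.compare_digest(fingerprint(rcpt_pub_bytes), fp_out_of_band):
        raise ValueError("public key does not match out-of-band fingerprint")
    eph = X25519PrivateKey.generate()  # one-time key, discarded after sealing
    eph_pub = raw(eph.public_key())
    shared = eph.exchange(X25519PublicKey.from_public_bytes(rcpt_pub_bytes))
    nonce = os.urandom(12)
    ct = AESGCM(_key(shared, eph_pub, rcpt_pub_bytes)).encrypt(nonce, plaintext, eph_pub)
    return eph_pub + nonce + ct  # all the courier carries; no secret key inside

def open_package(package, rcpt_priv):
    """B's side: raises cryptography.exceptions.InvalidTag if the package was altered."""
    eph_pub, nonce, ct = package[:32], package[32:44], package[44:]
    shared = rcpt_priv.exchange(X25519PublicKey.from_public_bytes(eph_pub))
    key = _key(shared, eph_pub, raw(rcpt_priv.public_key()))
    return AESGCM(key).decrypt(nonce, ct, eph_pub)

if __name__ == "__main__":
    b_priv = X25519PrivateKey.generate()   # never leaves B
    b_pub = raw(b_priv.public_key())       # may travel by ordinary email
    pkg = seal(b"constructed sample document", b_pub, fingerprint(b_pub))
    print(open_package(pkg, b_priv))
```

The fingerprint check is what the out-of-band step buys: a public key swapped in transit is rejected before anything is encrypted to it.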