Getting Cryptographers Out of the Lab
“Applied cryptography.“
Once Gabe Kaptchuk heard the term he knew that is what he wanted to pursue.
In 2019, cryptography might not have been top-of mind for most people but the COVID-19 pandemic has affected our privacy. Teaching, working, celebrating, grocery shopping, and interviewing BU faculty members for an article all went online, all at once. This new, more virtual world brought with it visible issues of digital privacy, cybersecurity, and data collection. The speed at which so much of our lives went online meant we became more accepting of digital risk.
A unique blend of applied math and solving problems which affect society on a whole, cryptography is the study of keeping information private. Modern cryptography relies heavily on theoretical math and computer science practices; through the use of algorithms cryptographers convert typical plain-text messages into unintelligible coded text that can only be decoded by the intended recipient. Cryptographers have invented many techniques that are used to provide privacy and guarantee that messages are authentic: digital signatures, time stamping, cryptographic hashing; the Kerberos authentication service (developed by MIT) that all of Boston University uses incorporates cryptography to ensure no one accesses your information who should not have it.
Cryptographers often focus on insulated difficult problems siloed in one particular industry, which typically address the question, “how can we accomplish institutional goals (allow users to access information, serve advertising, facilitate communication, etc...) while keeping data private?” Applied cryptography is a subfield which embraces the hyper-applied side and the incredibly theoretical aspect of cryptography, often asking “how do we make theoretical approaches fast enough to use?” At its best, applied cryptographers find real world problems and apply cryptographic techniques in order to solve these problems. However, the ability to understand and engage with the real world, applied computer science, and theoretical computer science isn’t always easy.
Simply put, it has historically been difficult to get the cryptographer to leave the lab or academic bubble. Kaptchuk wants to break out of this pattern, striving to have more challenging conversations about moral obligations, privacy concerns, digital risks, and more.
It is the mix of fun math, theoretical computer science, and humanities issues that draws Kaptchuk in. Always up for a challenge, he is seduced by a field that engages with both sociological and technical problems we don’t know how to work out. He is keen to figure out the kinds of social issues for which cryptographic techniques may be applicable.
It was his stint working in the US Senate in the office of Sen. Ron Wyden which made Kaptchuk realize how far away academics were from making a real impact on the world and that a cultural shift was needed; research -- especially privacy research -- cannot continue to be done in a vacuum. The realization that he and his colleague, Shaanan Cohney, were the first academic cryptographers to work in the Senate made it clear that policies about privacy were being made without enough input from those with expertise.
After graduating from The Johns Hopkins University in 2020, the Massachusetts native found his way to Boston University and the Hariri Institute. Through numerous conversations with security and privacy researchers, he began to see the potential and also the challenges for making change. His two-year post doc project focuses on moving theoreticians to practice, to developing a more human-centric approach to privacy research. At the root of this is the desire to initiate community participation, a kind of grassroots campaign centered on flipping the hierarchy of cryptography and demonstrating tangible results.
As Kaptchuk puts it, “there is a pipeline for building privacy top-down.” Cryptographers, sitting in front of a university white board, identify a hard problem they find interesting and solve it by building algorithms, based on a set of internally constructed assumptions. Eventually the solution passes down to a software engineer who needs to make the abstract solution concrete enough to work for their specific problem. However, once these hit the real world, the solution may not address quite the right problem or the assumptions are not always met, resulting in conflict between the ideal and practical implementation as solutions become increasingly removed from the existing problems.
Iterating on academic theoretical problems can lead to very interesting avenues of research; however these iterations can lose attachment to current real-world problems. Instead of trickle-down cryptography, Kaptchuk argues for involving real people in conversations about emerging societal problems they are facing, viewing them as experts in their own experiences. Creating a shared language around security and privacy can empower cryptography and domain experts to engage in meaningful collaboration aimed at solving problems that exist outside of big-tech and academia. This common vocabulary will allow cryptographers to learn from stakeholders and decision makers directly, understanding their problems and becoming partners in finding solutions. This then will help get problems that matter solved, and expand cryptography past problems which have only been focused on academic interests.
“Cryptography rearranges power: it configures who can do what, from what. This makes cryptography an inherently political tool, and it confers on the field an intrinsically moral dimension.”
If we want to design ethical computation systems, we must take into consideration privacy and data security from the beginning stages of development. This requires domain experts and cryptographers to work in concert for problem formulation, addressing privacy early on and not as a contingency after-thought.
There are arguably many reasons why the community has not typically been in the room when decisions about privacy were being made. The underlying motivations behind the decisions made by those in power often stem from complicated systemic power dynamics, which don’t always account for those not in power.
We also tend not to think about privacy until it is too late. Take for example, digital contact tracing and the many privacy-preserving questions that hindered app use. Concerns from privacy experts and consumers alike revolved around the scope of data being collected by digital contact tracing systems, including the breach or abuse of centrally stored location data. Had cryptographers been in the room for initial conversations about privacy concerns, systems could have been launched to account for digital privacy. By addressing these concerns post-deployment, public trust was lost and valuable time and resources were wasted.
One issue is that brilliant researchers exist in every domain but no one knows what cryptography is or what it can do. Therefore no one is able to articulate if they need help in the arena. Beyond establishing a shared vocabulary, Kaptchuk strives to deliver a document or develop training that allows people to engage with cryptography without knowing too much about it. Imagine a cryptographer being able to approach an organization with a “privacy menu” that lays out their goods and services. Having something organizers and organizations can look at, without knowing all the ins and outs of the field, frees them up to start asking for help.
Though he is just at the beginning of his journey, we look forward to learning more about Kaptchuk’s efforts to get cryptographers to leave the office and share their tools and expertise with the community. And, worse case scenario? Kaptchuk can sell his soul to Facebook and try to enact change from within the belly of the beast.
Dr. Gabe Kaptchuk is a Research Assistant Professor in Computer Science and Research Development Fellow at BU’s Hariri Institute for Computing, as well as the Faculty of Computing & Data Sciences inaugural Civic Tech Fellow. He earned his PhD in Computer Science from Johns Hopkins University in 2020, under the supervision of his advisors Avi Rubin and Matt Green. Gabe has worked in industry, at Intel Labs, and in the policy sphere, working in the United States Senate in the personal office of Sen. Ron Wyden. He has broad research interests within cryptographic systems and is passionate about the spread of provably secure systems beyond the laboratory setting. Discover more about Gabe.