Crypto-snake oil

By | August 28, 2006

The term snake oil is often used to describe cryptography that does not actually provide the level of security that its proponents claim. The origin of the term is somewhat unclear, but one story is that it can be traced back to one of the traditional remedies for joint pain and inflammation that was brought to the US in the nineteenth century by Chinese immigrants.

The fat from Chinese water snakes is high in eicosapentaenoic acid (EPA), which has been shown to have some medicinal properties, so there may be some basis for believing that the traditional remedy actually had useful effects.

Like the effects of many medications, however, the benefits from the traditional snake oil were subtle and varied significantly from person to person, making it difficult to rigorously prove the effectiveness of the remedy.

The fat of American rattlesnakes has a much lower concentration of EPA, however, so that when copies of the traditional remedy were made in the American West using local ingredients they turned out to be less effective than the original. Consumers could not distinguish between the two types of products, a fact that was quickly exploited by unscrupulous merchants who sold the ineffective snake oil to unsuspecting customers.

Eventually this behavior became so widespread that the term snake oil became generalized to other products, ones that made claims of effectiveness that could not easily be substantiated by consumers and should thus be suspected of being false or misleading.

Whether this is the accurate history of the term or little more than a folk etymology, the connection to cryptography is fairly clear. Some products that provide little or no protection against a skilled adversary are sold as providing a high level of security, and most users of cryptography cannot tell the difference between secure and non-secure versions of the technology.

Cryptography actually has many properties in common with snake oil, so it may be accurate to say that although cryptography is not itself snake oil, it is very much like snake oil in some ways. This observation is not limited to the unconventional techniques that are often labeled as such; it also applies to cryptographic technologies that have withstood significant scrutiny by industry experts.

Two factors made it easy for unscrupulous vendors of ineffective snake oil to sell their product to unsuspecting customers: it was difficult for customers to distinguish between effective and ineffective versions of the product, and the seller of the snake oil was also the person providing the medical advice to his customers. This situation made it extremely tempting for vendors to cheat, a temptation that many were unable to overcome.

This is very similar to the situation that we still see today. Providers of car repairs and medical services both recommend purchases to their customers as well as provide what is purchased. Even after a purchase, though, it is not always clear that you really needed it. Your car may have continued to operate without a particular repair, or you might have recovered from an illness without the medication that your doctor prescribed for you.
