Philip Zimmermann, inventor of the Pretty Good Privacy (PGP) encryption protocol, left his job at Network Associates Inc. last month after a disagreement about the future of PGP. In 1996, Zimmermann founded Pretty Good Privacy Inc., which was then bought by Network Associates in 1997. Last month, he announced he will take a post at Dublin-based Hush Communications Inc.
Zimmermann is a world-renowned cryptographer who beat criminal charges brought by the U.S. government when he began to distribute encryption protocols to groups around the world. He's a passionate believer that everyone deserves the right to encryption and that personal privacy may cease to exist altogether in a very short time.
Q: Why are you so passionate about privacy? Did you have a personal experience that led you to encryption?
A: Well, I was a peace activist in the 1980s, and at that time grass-roots organizations working on peace and justice were in an adversarial relationship with the White House and the FBI. The government had a long history of abusing powers of surveillance against [the anti-]Vietnam War movement and the civil rights movement, so we needed to have some means of protecting files and communications. Then, human rights workers in other countries needed to have protection against their own governments, so it grew out of that.
Q: Did you ever feel that you were being watched? That you needed to protect yourself?
A: I didn't feel I was being watched. During the criminal investigation -- there was an active criminal investigation against me -- I learned that they intercepted my postal mail, and through a Freedom of Information Act request I got a log of postal mail items intercepted. Some of the items they intercepted came from organizations like Greenpeace. Greenpeace is a very subversive organization [laughing].
Q: How did you feel about the government going through your mail?
A: There is a certain irony when the government invades my privacy during a legal investigation that got started when I tried to protect the privacy of others.
Q: Where is the biggest threat to personal privacy today? If you had to single out one person or one entity, or one philosophy, what would it be?
A: In this country, I think that there is more of a problem from business than government. But overall, I think it depends on your threat model. Governments carry guns and can put you in prison, they have the monopoly on violence. In that sense, governments are a worse problem than business. From the terms of invading your privacy and damaging your life, the private sector can do more damage than the government. Business will gather information on you and will use that information to hurt you by denying you health insurance, messing up your credit. The health insurance problem is particularly bad, if you get sick that information goes into a medical information bureau. If anyone changes their job, or has their own health insurance coverage, business will look for any opportunity to exploit that and deny you insurance.
Q: We're entering an era whhen the destructive power that individuals can possess can sometimes rival the power of the state, both in terms of the information that they can acquire and the fire power they can deliver with biological weapons and bombs. What do you say to government organizations that are charged with keeping the peace in an increasingly hostile world when they say they need to be able to backdoor your encryption programs?
A: That was the central focus of the debate throughout the 1990s, and that is a good question. I worry about criminals using cryptography. We have to have a government that can certainly catch criminals and detect criminals. Cryptography can help criminals hide, but signal intelligence is not the only tool law enforcement can use. There's human intelligence, traffic analysis and many other areas that are immune to cryptography. These crimes leave footprints in the real world. But as much as I hate to see criminals perpetrate horrible crimes, you need to remember that governments have killed more people than criminals have. Take a single government, such as Stalin. Stalin killed more people than all the criminals of the 20th century combined. A single government can do more damage than all the criminals put together, and when you add to that what Hitler did, and Suharto and Pol Pot . . . Political opposition groups have used Pretty Good Privacy to bring about their efforts to change governments. It was used in Kosovo, and used by the resistance in Burma and the government in exile of Tibet, it is also used by the White House and the Vatican and every single human rights organization around the world.
Q: What about wartime use? Breaking Nazi and Japanese codes is often seen as a key to the Allied victory in World War II. Do you ever worry that you will give some other government an unfair advantage in a future war?
A: The military use of cryptography has changed since World War II. The U.S. never broke the encryption algorithms of the Soviet Union for at least the past 30 years and that goes for other countries, as well.
It is true that smaller governments and terrorists can now get strong encryption, and I think that does make a difference to the NSA [National Security Agency], and I regret that and I worry about that, but I don't know what do about that. I don't know how to give it to the public without giving it to the bad guys. But criminals can use all kinds of other technologies as well: laptop computers, automobiles, ballpoint pens. Back in the early 20th century, Bonnie and Clyde used cars more effectively than any other criminal before them, and the cops at that time were totally unprepared for that. Some police suggested that cars were a bad thing because it allowed criminals to get away easier. And cars have much more complex effects than allowing criminals to escape -- they contribute to air pollution, traffic fatalities, urban flight to the suburbs. . . . Cars have mixed effects on society, but most people are glad to have cars. Like cars, cryptography will have mixed effects on society, not all of it good, but overall people will be glad to have cryptography.
Q: Some have argued that we are living in an age of erosion. They say the real threat to privacy isn't coming from overt campaigns by the FBI or NSA, but by thousands of small decisions made in boardrooms all over the world. What's your reaction to this?
A: It is sort of like the story, the apocryphal story, of the frog in boiling water. You put the frog in boiling water and it jumps out and survives. But you put the frog in room temperature water and slowly increase the heat, it doesn't notice the incremental changes in the water and it boils to death. I think that is happening to the public. The government doesn't even have to collect information about people, they can ask the private sector to sell it to them. And more and more businesses are doing just that.
This story, "Spreading the power of encryption to the masses" was originally published by Computerworld.