Login/New-Account | Search | Submit a Story! | Greplaw!??
- About
- Discussions
- Messages
- Topics
- Authors

- Preferences
- Older Stuff
- Past Polls
- Submit Story

This site is a production of the Berkman Center for Internet & Society. Please email if you have questions, contributions, or ideas about improving this site.

F & F


Conversation With Phil Zimmermann
posted by mpawlo on Friday June 06, @02:30PM
from the freedom-fighters dept.
News I recently spoke to Mr Philip Zimmermann. We had a nice chat about Pretty Good Privacy, civil liberties and policy. Mr Zimmermann was willing to let this Greplaw editor pick his brain for inspiration and thoughts on policy and legal aspects of cryptography, surveillance and digital rights management. The interview was conducted over the telephone from Stockholm, using only a phone, a tape recorder, and some of my own scribbling.

Mr Zimmermann introduced me to his sharp mind by telling me the story of an interview he gave once, where the resulting transcript turned out to be more interesting than the actual quotes. Mr Zimmermann was quoted as stating his concern with fingerprint scanners and police cars. Mr Zimmermann may have good reason to be concerned with police cars, considering the criminal investigation he was subject to for three years, but he was actually saying that he was concerned with fingerprint scanners in police cars. A small word may change your perspective on a person, as this story might illustrate, and thus a Greplaw editor must always keep on his toes.

Our conversation was very discursive: in one minute we jumped between diverse topics such as the feasibility of free software to September 11. I have done my best to edit the interview accordingly, and while aiming to make it readable and enjoyable for our readers, I have edited the interview slightly using some artistic freedom. Should Mr Zimmermann’s quotes look strange to you, please be advised that your Greplaw editor may well have made a fool of himself, rather than Mr Zimmermann. Mr Zimmermann did his best to make my job easy by presenting his statements in fit-to-print style.

Mr Philip R. Zimmermann created the popular cryptographic software Pretty Good Privacy. He posted the software on the Internet. For his actions, he was the target of a three-year criminal investigation due to alleged breach of the U.S. export restrictions. PGP became the most used email encryption software in the world. Mr Zimmermann founded PGP Inc, later acquired by Network Associated Inc, and he is a fellow at the Stanford Law School's Center for Internet and Society. He should need no further introduction, but I decided to start by posing the most obvious question of all...

# Who is Phil Zimmermann?

I am a software engineer. I am an applied cryptographer, which is different from a theoretical cryptographer.

# Explain to me – how is it different?

I am an engineer, not a mathematician. I try to find practical solutions to actual problems.

# But you don’t code any more?

I haven’t written code in many years. I am active in policy space rather writing code, doing a lot of public speaking. There is a lot of need for activism now in the shadow of the Patriot Act.

# We should indulge in that later. How do you get by day-to-day?

I run my living by consulting. Companies hire me to advise on how to protect their data. That’s how I pay the bills.

# You created the cryptographic software Pretty Good Privacy which turned out to be the most used cryptographic software for email. When did you realise what you had accomplished?

Well, PGP turned out to be more popular than expected.

# What did you expect?

I thought I was doing kind of a PKzip application. I was thinking of releasing it and then return to consulting, but it got so popular so quickly that I could not go back to do other things.

# What happened?

When the criminal investigation was launched the demand for PGP accelerated. I guess it was a question of forbidden fruit-syndrome. A 2 Live Crew-effect.

# So when did the success dawn upon you?

When email from people all over the world started to come in, I gradually realised what had happened.

# Encryption seems to be something that mostly would concern the spies in a John le Carre novel. Why should I encrypt my email?

That is no soul-searching question. You use envelopes for postal mail. You use it for love letters, business letters and your medical records. The only way to create the digital equivalent of an envelope is to encrypt.

# Is there really a need for encryption?

Most people are unaware of how visible email is. Email could be intercepted by a lot of parties along the way, it could be captured and logged, scanned and then used years later.

# During a good half-hour we engage in a heated debate on the use of public keys in encryption and the role of the government in public key infrastructure in respect of digital signatures. However, we jointly decide that we are getting way too much out of the frame and as Mr Zimmermann observes we may well continue into oblivion. Hence, we move on. Why did you release PGP as freeware?

At first I tried making money from PGP by selling it. In 1991, the government was trying to control technology. Senate Bill 266 was about to become law (Pawlo’s comment: it didn’t), stating that developers of encryption systems should introduce backdoors in their systems, so that the government could read anyone's encrypted messages. In view of the serious implications of such a law, I abandoned my plans to charge for PGP in the hopes of achieving wider distribution.

# So the release as freeware was not based on philosophical belief?

There was a philosophical belief. Senate Bill 266 was a bad law. That is the underlining theme.

# Hence..?

People should have some means to protect themselves against government surveillance. Email is possible to store for scanning years later.

# Why is this a problem?

More and more of our lives become observable, since we use email more and more for a wide range of purposes.

# Should we not trust the government?

Historically, governments have killed a lot of people. I am not saying that all governments are bad. Some governments are good. But some are bad. Citizen in some states gets tortured for their political beliefs, some get killed, some are imprisoned. Some governments conduct genocide. You could not have posed that question in Romania.

# Is it really that bad?

It is often discussed how to restrict criminals’ use of cryptography. Criminals have not killed as many as governments have, historically. As all of us move into a future where life is more and more digital the technology creates a windfall for all governments. I want to deny them that windfall. It is just a matter of good civic hygiene.

# Following the September 11-attacks, it was claimed in some reports that the U.S. authorities investigated if PGP was used to co-ordinate the attacks. Do you regret the decision to release PGP as freeware?

I am aware that there is a greater problem with terrorism today than in 1991, but the question of terrorists using this technology was a central theme in the debate at the time. In this debate NSA, FBI, civilian academia, courts, civil liberties groups and even congress participated. It took year to work through the issues and to reach – not a consensus – but a majority opinion on society’s look on cryptography. The conclusion was that society is better off with strong encryption. It was good that it took time to consider it. I think it was the right decision and the right conclusion. U.S. export controls were eventually lifted and domestic control was never enforced.

# I guess the ‘good forces’ use encryption too?

Human rights groups all over the world use PGP.

# No regrets about releasing PGP as freeware?

I have no regrets about it. After the 9/11-attacks I reconsidered the issues privately. I did not do this publicly. I had to carefully consider the issues. My original position was not changed by the attacks. It was a good decision to release PGP as freeware.

# Would a law introducing domestic control of cryptography have prevented the attacks?

No. Most information was exchanged during face-to-face meetings. There were several other types of problems that did not involve cryptography. For example, the FBI did not have enough Arabic translators to interpret the available information and the FBI ignored several written memos that could have played an important part in preventing the attack.

# Today "free" licenses are much more diversified and widespread than back in 1991. Have you looked into GNU GPL or Creative Commons and what are your take on these initiatives?

I am familiar with the GNU GPL and the BSD license.

# Could they have been an alternative for PGP instead of making it freeware?

There is a place for products under different licenses. There is a place for products under the GNU GPL, also cryptographic products. However, GNU GPL is not enough for everyone’s needs. Some software needs to be sold for profit. Some software can not depend on hobby-programming conducted on weekends and other spare-time by programmers having other day-jobs. There is a place for that. But PGP needs more focused development than that.

# Following the release of PGP as freeware the U.S. government launched a criminal investigation against you. Why?

PGP was regarded as a munition under the Arms Export Control Act, making it subject to export control by the government. Publishing the PGP on the Internet could make it go any place.

# Do you see the same pattern in your case as the fate of Shawn Fanning's Napster or Kazaa or some of the other peer-to-peer-software developers, however subject to civil lawsuits?

That is something completely different.

# Still, they are innovators with new technology being subject to legal action.

I think they are very different issues. In my case, the Arms Export Control Act was introduced to make it hard to sell Stinger missiles to Libya without a license from the government.

# Okay, so it is different, but I think many peer-to-peer developers feel misunderstood in the light of the legal proceedings. What is your take on the fate of Napster and its likes?

I think Napster is about the music industry trying to maintain control over how music is played, distributed and sold. The music industry is making a mistake by trying to stop peer-to-peer. Still, it is obvious that the music industry needs to make money. I think Apple Computer may possibly solve the problem, changing the way music is played, distributed and sold. It should have happened years ago.

# Is it hard to be an innovator and developer in respect of the law?

The Digital Millennium Copyright Act (DMCA) has the effect of stifling innovations. The DMCA makes it difficult for data security professionals to examine security issues without exposing themselves to litigation by reviewing protected material.

# Do you have more examples?

Digital Rights Management (DRM) has long-term horrible side-effects.

# Why?

Today there are difficulties in preserving historical data in archives. We no longer have the ability to read the tapes from the Mariner 4 probe that went to Mars in the 1960s, because we no longer have the right kind of tape drives to read such an old tape format.* If you save your last will and testament on a CD-ROM, what are the chances that your grandchildren will be able to read it? That is without encryption and DRM. It is almost impossible to read historical data just because of the data format problem. Add cryptographicly enforced DRM and the future generations will end up with a period of history that has vanished, until we come to our senses and stop doing it.

# Should we be concerned with Total Information Awareness and other Ashcroftian initiatives?

Yes, of course. I think the biggest threat to privacy is Moore’s law. The human population does not double every eighteen months but the ability to keep track of us does. This may be a prescription for an omniscient government. Democracy never had to face an all-knowing government. I don’t know how we’re going to get through that.

# Are you pessimistic about the future?

We have to pass laws that limit the mindless expansion of technology. We need the equivalent of European privacy commissions limiting the technology intrusions in privacy. Normally, I don’t like to stop technology with laws. In the information age the tracking and scanning of private information is easy creating omnipotence for governments. Before 9/11 this happened in an unguided fashion because of Moore’s law. Now the government has accelerated this development.

# Should I, being European and Swedish, be concerned with the development of U.S. policy on cyberlaw matters and U.S. encryption policy?

Absolutely! U.S. policy could in the long run jeopardise U.S. democracy. Since the U.S is the only remaining superpower it is vital that the U.S. has a healthy, functioning democracy. Democratic institutions might be weakened through surveillance. If the democracy is eroded, the rest of the world is in danger because of U.S.’s superpowers.

# What can we do about it?

We all have to work together to maintain democracy on both sides of the pond.

# Have you ever seen that work in practice?

That’s how we won the crypto-revolution. We collaborated on both sides of the Atlantic to reduce the offence of surveillance and pro-surveillance politics. Together we held the line on crypto-policy.

# Pretty Good Privacy - well, what if I following this interview think that Pretty Good is not good enough - what should I do?

Pretty Good Privacy is a modest name for a very strong product. It is in my personality that I prefer understatements and that got into the name. Ask around – it’s not just pretty good...

Mr Phillip R. Zimmermann was interviewed by Mikael Pawlo.

Big thanks to Mr Roger E. Rustad, Jr. ("Scubacuda") and Mr Miguel Danielson ("md") for proof-reading the article and providing constructive criticism and heads-up. All mistakes are my own.

* = In a previous version of this article, there was a reference to the Nixon-Haldeman tapes. That is incorrect. Mr Zimmermann never referred to the Nixon-Haldeman tapes, but to the tapes of the Mariner 4 probe that went to Mars in the 1960s. My mistakes and apologies! I guess the fingerprint scanner mistake looks pale in comparison... /Mikael

Lessig's Petition Reaches 10,000 Signatures | 'Hack-proof' Cryptography Goes Quantum  >


GrepLaw Login


[ Create a new account ]

Related Links
  • Creative Commons
  • Mikael Pawlo
  • More on News
  • Also by mpawlo
  • This discussion has been archived. No new comments can be posted.
    Conversation With Phil Zimmermann | Login/Create an Account | Top | 10 comments | Search Discussion
    The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
    Re: Moore's Law (Score:0)
    by Anonymous Coward on Saturday June 07, @03:14AM (#759)
    # Are you pessimistic about the future?

    We have to pass laws that limit the mindless expansion of technology. We need the equivalent of European privacy commissions limiting the technology intrusions in privacy. Normally, I don’t like to stop technology with laws. In the information age the tracking and scanning of private information is easy creating omnipotence for governments. Before 9/11 this happened without cause because of Moore’s law. Now the government has accelerated this development.

    Previous GrepLaw coverage [harvard.edu] on Zimmermann's thoughts regarding Moore's Law [cnet.com] and civil rights.

    "The human population does not double every 18 months, but its ability to use computers to keep track of us does [through camera surveillance]...You can't encrypt your face...When you put computer technology behind surveillance apparatus, the problem gets worse."

    Re: Moore's Law (Score:1)
    by diningphil on Saturday June 07, @02:20PM (#760)
    User #704 Info

    One thing to think about regarding the vast hoovering of information into this "awareness" is whether it is a destablizing information loop. In a panopticon the surveillance is largely self-imposed, i.e. it hardly matters if anyone is listening or watching. Panopticons are "power amplifiers"

    If the majority of people extracting the information are intelligent and have morals, this might not be a problem.It becomes an issue of effectively managing the readers, listeners, and watchers so there is effective information flow.

    That includes encrypting information, if necessary, or signing it, to prevent non-repudiation.But there is a strong theme of preserving the value of the information against various attacks, which are made much easier by the lack of encryption.

    However, if the information is manipulated in such a way to lose its functionality, and value, then there's a different problem. Put it another way, if human rights groups were not abused so badly, then they probably would not need to encrypt information.

    In order to figure that out, one would have to first understand systemically what true information is doing, (i.e. not just duplication of already existing bits) according to Shannon. Then one would map those information flows onto the existing political structures. The actual loop should look something like a cyberspatial governor, i.e. a smoothing effect that irons out minor differences and provides needed feedback.
    The name PGP (Score:0)
    by Anonymous Coward on Saturday June 07, @02:36PM (#761)
    It's the top of it's encryption technology, but I still think that it's only pretty good... If a faster number factoring algorithm were to be developed... encryption would be less strong, encryption bases itself on a few things that might not be as strong as believed. I think it's an excellent name, an awesome tool... if crypto technology stands.
    DLP, not factoring (Score:0)
    by Anonymous Coward on Saturday June 07, @03:33PM (#762)
    Newer version of PGP use ElGamal, which is a DH derivative. ElGamal uses the Discrete Logarithm Problem [rsasecurity.com] to maintain security, not factoring of products of prime numbers as RSA does. So far, ElGamal has a better record than RSA.
    Re:DLP, not factoring (Score:0)
    by Anonymous Coward on Saturday June 07, @04:29PM (#763)
    Still, once the NSA flip the switch on their quantum factorization engine, NO public key-based cryptosystem will protect your privacy from the government.

    Use the Vernam Cipher! [pro-technix.com]
    Re:DLP, not factoring (Score:0)
    by Anonymous Coward on Saturday June 07, @06:31PM (#764)
    Hmm... you are asserting that all public key-based systems do and must involve factoring numbers? That seems like quite an assertion to me.
    Re:DLP, not factoring (Score:0)
    by Anonymous Coward on Saturday June 07, @08:00PM (#765)
    I think he's suggesting that a quantum computer wouldn't have trouble with either factoring or DLP, which is probably true.
    Re: Vernam (Score:0)
    by Anonymous Coward on Sunday June 08, @05:59AM (#768)
    I guess that's a joke, but if not think about how impractical it is to exchange one-time pads with those you communicate with on the other side of the globe, you'll see that it's not feasible. However, I agree that you shouldn't necessarily thrust the accepted encryption algorithms. But when quantum computers become publicly available, cryptographic problems will not be that it's easy to factor lagre numbers. We will have a change of paradigm in cryptography, as we can make truly secure channels.
    Re:DLP, not factoring (Score:0)
    by Anonymous Coward on Saturday June 07, @09:31PM (#766)
    I had an opportunity a few years back to ask Whitfield Diffie about the relative strengths of RSA vice DH keys. I understood him to say that although DH keys are based on logarithms, both RSA and DH are vulnerable to a factoring break through. DH keys only add about a 20 percent increase in cracking difficulty over RSA which is not a significant difference.
    GPL and crypto software (Score:1)
    by dd9jn on Sunday June 08, @09:56AM (#769)
    User #710 Info
    The comment about possible uses of GPL software needs a clarification and shows that Phil is not very well aware of Free Software facts:

    It is very well possible to run a commercial entity based on Free Software. Most companies chose the GPL for this. The former Cygnus (now owned by RedHat) proved this more than a decade ago. Today there are several companies creating and distributing software under the GPL: ACT [gnat.com] and RedHat [redhat.com] are very well known and there a lot of smaller companies doing all there development under the GPL. Crypto software under Free Licenses is very wide spreaded and there would be no secure Internet without it (e.g. OpenSSH).

    If Phil would have released PGP under a Free Software license, there would have been no need for me to spend most of my time (and I don't mean spare-time or weekends) to create and maintain GnuPG [gnupg.org] as a free (as in freedom) replacement of PGP. Today, I even run a company [g10code.com] to provide support, consulting etc.

    Humanity has the stars in its future, and that future is too important to be lost under the burden of juvenile folly and ignorant superstition. - Isaac Asimov

    [ home | contribute story | older articles | past polls | faq | authors | preferences ]