Zimmermann’s Law: PGP inventor and Silent Circle co-founder Phil Zimmermann on the surveillance society

Phil Zimmermann might be a technologist, but he tends to get philosophical when it comes to the issues of privacy and security and how they intersect with our society. A cryptographer, in 1991, he created Pretty Good Privacy (PGP), an email encryption software and published it for free on the internet. Since then he has become an eloquent proponent for the need for privacy and tools. Zimmermann has had his run-ins with the authorities in the past, but he is widely respected for his views on cryptography and privacy — one of the reasons why he was inducted into the Internet Hall of Fame and has been a recipient of multiple awards recognizing his achievements.
The spotlight fell on Zimmermann again this week when Silent Circle, a secure-private communications company he co-founded, decided to suspend its Silent Mail service amid fears of future government interference. That action followed on the heels of a decision by another secure and private email service provider, Lavabit, to shut down operations.
Given the frenetic nature of the news, I didn’t think I would get a chance to have a measured discussion with Zimmermann. Much to my surprise, he got on the phone and we ended up discussing everything from the rise of the surveillance state; big data and its devastating impact on society; data totalitarianism; the somewhat dubious role of Google and Facebook in our lives; and why as a society we can’t fall victim to the cynicism that is starting to permeate our lives. He also talked at length about the important role of our legislators in pushing back against the unstoppable tide of the “surveillance society.”
The only thing we didn’t discuss at length — the whole Silent Mail malarkey. (Forbes’ Parmy Olson did a good job of interviewing Phil on the email shutdown and its impact on his customers.) These are excerpts from oue conversation. I have edited my questions a tad (I tend to ramble a bit) and Phil’s comments are trimmed in parts where I had trouble reading my own shorthand/handwriting:

Phil Zimmermann, co-founder Silent Circle & inventor of PGP. (Photo courtesy of Phil Zimmermann)

Phil Zimmermann, co-founder Silent Circle & inventor of PGP. (Photo courtesy of Phil Zimmermann)

Om Malik: We suddenly find ourselves in a very confusing landscape, grappling with the enormity and speed of changes. I was wondering if you could try and make sense of this post-Snowden world and what it means for the long term.
Phil Zimmermann: The surveillance landscape is far worse than it has ever been and I feel like everything we do is now observable. All of our transactions and communications are all fused together into total information awareness apparatus. I don’t think any of this can be fixed merely by the application of cryptography. It is going to require some push back in the policy space. We are going to have to have Congress react to this and we need to get the population to react, perhaps through the economic consequences we face of losing a lot of business for American internet companies. Maybe American internet companies can push back because of economic harm that comes with the rest of world turning its back on us.
Om: Given the world we live in, the National Security Agency is quite necessary, don’t you think?
Zimmermann: I think the NSA has a job to do and we need the NSA. But as (physicist) Robert Oppenheimer said, “When you see something that is technically sweet, you go ahead and do it and argue about what to do about it only after you’ve had your technical success. That is the way it was with the atomic bomb.” NSA chose to do their assigned jobs with a technically sweet solution of monitoring the internet and looking at anything that happens putting it all in a vast database. It is technically sweet, but it’s bad for privacy.
If we have a change in the government sometime in the future, that government will have such a powerful tool of surveillance, that we will find ourselves in a terrible predicament that we won’t be able to get out from underneath. That’s the kind of fear I have from a public policy perspective.
Om: A few months ago, I wrote about this concept I have (data darwinism) and how society is unable to understand data and the changes data is bringing about in society. And one of the questions I posted in that piece was that this data culture was really something of a legislative and regulatory challenge, more than a technological challenge. We do have legislators who, like many of us, are struggling with the complexity and the scope of what is happening around us.
Zimmermann: They approved the Patriot Act. There is a secret interpretation of the Patriot Act that allows the collection of data. I suspect most of Congress doesn’t know all the ranges of implications of approving this along the way. If you look at Congress’s actions, they have approved the different pieces of it along the way. We have to make them aware of it and we have to create what President Obama calls a “teachable moment” from it. What we have wrought, we never imagined it would get like this.
nsa-logo-copyThe NSA was created after World War II and the original vision was that it would not spy on Americans and it would turn its gaze outward and apply its tools not on domestic populations. In general, all great nations need to have great intelligence apparatus to inform its leadership of what’s going on in the world. But when these tools are focused on domestic population, it is bad for democratic institutions.
If China was to intercept our phone calls, I wouldn’t like that but I wouldn’t worry that Chinese authorities would bang on my door and haul me to prison because I don’t live in China. So when a government turns its powerful surveillance tools on its people, it has impact on the political opposition within the country. The power of incumbency becomes greater and opportunities for the democratic process become less and are undermined.
Om: The world when the NSA was established had clear international boundaries and the “network” has somewhat erased the notion of geographical borders and made location more fungible. What is domestic and what is not domestic isn’t clear and it’s much different from the time of the NSA’s establishment.
Zimmermann: It is clear that after the 9/11 attacks, we became aware of the fact that we are dealing with an enemy that is not abiding to the boundaries of a nation state. Sure, the challenges for all western intelligence agencies are higher. We are not looking at Soviet Union military bases intercepting diplomatic communications. We are now dealing with non-state actors that are scattered all across the world and are part of the native populations. So I can see how much more difficult a job it is for the NSA. But to get from a greater challenge to a solution that involves monitoring the entire population is a bit of an overreach.
We can do better than that. We have to do better than that. If you look at the breaches of civil liberties in past wars, like the internment of Japanese Americans during World War II, as horrible and egregious as it was, at the end of the war, we could say we had wronged and never to do it again and try and get back to normal life. It was because that war had an end. The way this war has unfolded since 9/11, it never seems to end or has an end. And each step of undermining civil liberties becomes the baseline, the new normal. The question is how far we are going to go, if there is no end to this war.
I have spoken about this in the years before 9/11 that the biggest threat to privacy was Moore’s Law. The human population may not be doubling every eighteen months, but the ability of computers to track us doubles every eighteen months. Moore’s Law is almost like a blind force of nature. After 9/11, you have got blind forces of Moore’s Law hooked up to a focused policy of surveillance and that is a terrible combination.
Om: There is the reality of our world and we all live under a cloud of fear — a lot of it is real and this fear has influenced policy, so what should we do? What should legislators be doing here?
Zimmermann: We need to take an objective look at the damage since 9/11 and that would take into account self-inflicted wounds. The harm we have done to our society has come as a reaction to 9/11. The cost includes our expectations of our legal system and our civil liberties. I don’t think it is a partisan issue. We need to push back against this tide of surveillance. In my case, I create technology, so I do things that allow me to apply my skills and part of that is to develop technology tools that push back against a small subset of that problem.
Om: How so? Can you elaborate?
Zimmermann: We do that by creating tools of secure communications and by designing protocols that don’t share keys (encryption) with servers because servers are run by companies that can be coerced by the governments. That’s why our telephony service is immune to the pressures that come from us operating servers. We don’t have the keys and all we have is servers routing the calls and the keys sit on the clients. All our main products — VoIP, text messaging and file transfer — we don’t have keys and we don’t log the messages.
Om: So why stop with Silent Mail? Is email encryption not possible anymore?
How PGP encryption works

How PGP encryption works

Zimmermann: The body of email can be encrypted and PGP does just that. In our case, we offer our services on mobile — iPhone, tablets and Androids — for that reason we cannot run PGP for email since it doesn’t exist. So we had to run PGP on a server and it is called PGP Universal. Now for IT departments (inside organizations), it made sense to have this run on their servers and offer it to their employees and control the (encryption) keys. A box sat next to the mail server and did its job. That was the kind of solution we were using until yesterday.
It doesn’t work that well outside the enterprise environment, especially when offering it to a horizontal market. We were offering this by holding all the keys on our servers and if someone came along and asked for those keys, we would have to turn over those keys. We didn’t want to be put in that position, so we shut down Silent Mail.
For our VoIP, text messaging and file transfer services we don’t have the keys and they run well on mobile devices. If we could run PGP on mobile clients where we didn’t hold the keys we would offer it, but for now it wasn’t worth the risk. We wanted to take this action and putting our customers through this inconvenience is because we wanted them to know how serious we are about privacy and security.
Om: Do you think an average person is more aware of the invasion of privacy and encryption today than, say, a year ago?SILENT CIRCLE LOGO
Zimmermann: Even before the NSA Prism story, there was a rising awareness and more news articles talked about systems being hacked and customer data being leaked. People had realized that Facebook was abusing your data. Everybody today is more aware that Facebook monetizes your data and when we don’t pay for the service, you are really the product. You are not Facebook’s customer, advertisers are Facebook’s customer. Same is true for Google. You become an asset that they monetize and sell to their customers, aka the advertisers.
Om: What, in your opinion, should big tech companies like Google and Facebook do? Follow the example of you guys and Lavabit?
Zimmermann: These companies are very big. What would be better is if there is a pushback in the public policy space to change the way things work. We shouldn’t have the shockingly pervasive surveillance system and infrastructure. I think it will hurt us economically as more and more people (around the world) choose not to do business with us because of the fear that they (the U.S. companies) will sell them out.
Om: Did you think we would end up where we are today? Sometimes, it seems all like science-fiction stuff, and I am amazed by it all.
Zimmermann: I think it is science-fiction to have a Department of Homeland Security — just the name itself. (Laughs.) I wrote about these things over twenty years ago and when I first wrote PGP and technology extrapolations leading us to a future where the governments can listen to all our communications, can search through all our communications and do pattern recognition and study our traffic patterns. But I didn’t think it would get this bad.
Om: Are you fearful for our future? Is this an unending nosedive into surveillance society?
Zimmermann: The question falls under the idea that the best way to predict the future is to make the future. You know, it is an important question, but when it is posed as a question of prediction, then there is a certain act of passivity in the act of prediction. I would rather not passively predict and I would rather actively correct. What kind of future we want to have, that’s the future we should all work together to create.
Om: So you believe that technologists have to keep coming up with new ways to push back against all the intrusions into privacy?
Zimmermann: What I said about Moore’s Law being a threat to privacy and it being a blind force of nature — well right now Moore’s Law is being accelerated in a specific direction by policy pressures. The policy pressure of creating more surveillance as response to the 9/11 attacks. We might be ably to change some of that, but the natural tendency of data and Moore’s Law is that data wants to be free. The natural flow of technology tends to move in the direction of making surveillance easier.
We have to work harder to push back on policies that 9/11 brought us. It is time to re-examine the Patriot Act and re-examine everything. We need engineers and technologists to guide technology in the right direction and not optimize for surveillance. I would like to see a pushback, both on the technology and policy fronts. The engineers tend to be more aware of these problems and they need to be politically aware of the dangers of developing tools of surveillance.
Om: When privacy is put in context of national and individual security and terrorism, it is pretty easy to turn a blind eye to a whole lot of things. Yes, a similar challenge exists on a more day-to-day basis, when we have companies like Google and Facebook and others collecting a lot of ambient information about us, making deductions and pattern recognition and then forcing us to spend money in a certain way.
What about ambient data that will come from sensors in our phones and cars that will soon become judge and jury for our car insurance rates? I think we are a very nebulous state of what I like to call a data-influenced society and a lot of that is much more worrisome than NSA. What are you thoughts?
Zimmermann: I agree it is not just a matter of surveillance. Big data intentionally creates a concentration of data and has a corrupting influence. It really concentrates the power in the hands of whoever holds that data — governments, companies. The PC revolution of the late 1970s and 1980s and the later early Internet (of the 1990s) seemed to hold so much promise and empowered the individual. Now with big data there is a shift of power in the other direction as it concentrates power in fewer hands.
Of course, one can get cynical about all this but one has to fight that urge. A lot of people are getting more cynical because we are living in a surveillance state. Cynicism is the fertile soil where corruption can grow. Cynicism has a paralyzing effect and I think we need to resist that temptation of cynicism and hold on to our ideals in order to bring about change and push back.