Rupert Goodwins' Diary

Written by Rupert Goodwins, Contributor

Tuesday 15/8/2006

IUBHE PKJAW CBAYT NJQZE — or, in other words, Phil Zimmermann is at it again. The inventor of Pretty Good Privacy or PGP, the first generally distributed public key encryption system, has long wanted to give similar security to voice over IP (VoIP) telephony. It's a very good idea: the Internet has no guarantees of security beyond those you put in there yourself, and that's how it should be. As we know from bitter experience, the same is true of the public telephone systems, fixed or mobile; it may be illegal to tap into other people's calls, and it may even be quite difficult, but in the words of a Throbbing Gristle sticker: ASSUME THIS PHONE IS TAPPED.

For the first time, it's possible, even easy, to have secure voice communications between you and your pals. Some systems you have to take on trust — Skype claims to implement strong cryptography on its voice calls and even says which ones it uses — but as it doesn't publish its code there's no way to be sure (and plenty of reasons to be suspicious). Earlier this year, Zimmermann produced a beta for an add-in encryption system called Zfone, which integrates with open standard VoIP, has its source code available for inspection and is intended to become an open standard itself. All it does is make sure that nobody can intercept a call you make to a friend who's also running Zfone. Now, he's trying to get it adopted by existing VoIP providers, so they can offer it as a standard feature in their services.

Coincidentally, today also saw moves towards the activation of the third part of the Regulation of Investigatory Powers Act (RIPA), which would give the police the ability to demand your encryption keys with menace. Fail to comply, and it's the slammer for you. These powers are needed, says the plod, because terrorists and paedophiles are able to deny them evidence by leaving it sitting as so much random binary on hard disks.

This is a common theme in law enforcement, and has also led to numerous powers being taken that let the police, secret services and anyone else with the right job title gather data from ISPs, confiscate computers and generally make free with your data. This most certainly includes VoIP information, which, since it isn't carried over the telephone system, is much more lightly regulated than phone calls proper.

Zfone bypasses all this, and demonstrates the futility of legislating against secrecy. It doesn't matter if the spooks or the Milk Marketing Board record all your IP traffic; they won't be able to read it. It doesn't matter whether they demand the keys used to actually encrypt the data; you don't know them, because they're generated by the software, and they're destroyed immediately after the call anyway. Not that they'd work again. The only thing that could stop Zfone from doing its job would be if it was made illegal itself — and that sort of legislation is pointless, ineffective and actually dangerous.

But criminals might use Zfone, you cry. Yes, says Zimmermann, and they might tap your phone calls too. There might even be criminals in government, the police and the Milk Marketing Board. I know these places are populated exclusively by paragons of virtue, but one day, one might slip through the net.

There are two endpoints for encryption legislation. One is where all our data is visible to everyone, hung around our neck like an RFID-readable passport in a clear plastic bag. The other is where we protect what we own to protect our privacy and prevent harm, and accept that other people will protect things that we might not like and may come to harm us. I know which mode makes me feel safer.

So does Phil Zimmermann: long may he give the people in the shadows sleepless nights.
