PGP creator: Surveillance must be curbed

Phil Zimmermann, the creator of the Pretty Good Privacy encryption tool, says that widespread surveillance is leading us into an Orwellian future
Written by Alberto D'Ottavi, Contributor and  Gaetano D'Elia, Contributor
Phil Zimmermann, creator of Pretty Good Privacy encryption -- better known as PGP -- was in Italy this week for the InfoSecurity conference. ZDNet Italy caught up with him to discuss the technical, social and politic implications of his encryption tool. At 47 years old, Zimmermann is already a legend in the computing industry. As the inventor of the famous Pretty Good Privacy encyption tool, he faced a three-year-long investigation by the US government for illegal export of weapons. That investigation was launched because he released to the public domain the software along with its source code, allowing Internet users to protect the privacy of their electronic messages. Q: When you initially developed PGP, did you imagine the effect it would have?
A: I imagined that it would have changed something, but I did not foresee that it would have that kind of major political impact. I thought that it would become a useful piece of software but I didn't realise that it would have caused such a firestorm as that which the industry experienced in the '90s with cryptography. When you first published PGP, were you aware that cyberspace had different borders then the real world?
I knew that PGP would spread around the world because I knew the Internet was everywhere. But during the three years of criminal investigation my lawyers insisted that I never acknowledge that I wanted PGP to go outside the US. I had to be very careful when I spoke in public that I intended PGP for domestic use only. The reality is that human rights was one of the primary motivations for developing PGP. I wanted it to be used by human rights workers around the world. But I could not say this during the criminal investigation, because an important part of the prosecuting case focused on my motivation. If I admitted that I wanted to be exported it would make easier for them to prosecute me. So I could not speak about it until the end of the investigation. Now it's too late for them to do anything about this, too many years have passed, so I can say whatever I want. I can say that I developed PGP for human rights applications. What are your feelings about the fact that your tool can be used by people with intentions that are opposed to your original idea?
I can't think at one way to make this technology available to everyone, without also making it available to criminals. I thought about it a lot. This has been the focus of the debate in the '90s: many cryptographers tried to think about the way to make this technology available to good people without making it available to bad people, but nobody could find a solution. Like the telephone?
Yes. For example: after 11 September there were some speculations about the terrorists using some GPS technology. I don't think there is any evidence that they did, they were only speculations that I read in an article at that time. Well, if they did, they were applying technology directly to kill people. You know, it's difficult to fly a plane. It's difficult even to fly it to the airport, it's even more difficult to fly it against the World Trade Centre. It's not a normal path, it would help to have a GPS. This is just speculation. Anyway, the manufacturers could stop making GPS receivers. But what about the rest of us: we benefit from GPS receivers. From an economical standpoint, the success of PGP demonstrated a very important need in the market. What was this need?
I didn't have any market research to measure market demand. I just had my political instincts. And my political instincts told me that society will be transformed by communications technology, that we would lose our privacy if we did nothing. As we migrate into the digital world, we leave our privacy behind, in the analogue world. We enjoyed a great level of privacy in the analogue world, and we lose that as we move in the digital world. I wanted to preserve it, that's what PGP is for. It's a countermeasure to the lack of privacy created by the information age. PGP can also be used as a protection against Echelon?
It's been written a lot about Echelon. It's amusing that everybody is so upset about Echelon, because the NSA has been listening to electronic communication in Europe for many years before anybody called it Echelon. It's nothing new. It has been in place for a long time before Echelon. I think that now the NSA is focused in searching members of Al Qaeda, so now we don't have to worry too much on the attention paid to the rest of us. You always opposed the "key escrow" technology. But in some cases, like in enterprises, it may be a need to be able to open an encrypted communication.
This is exactly the reason why I developed the additional decryption key feature in PGP. (Now in PGP there is a mechanism that allows the encryption and decryption of a message with two public keys. So if for example the owner of the primary key is on vacation, the company he works for can decrypt the message with the second key.) Businesses have different issues than end-users. If you write a love letter you want it to be decrypted only by one key. But if you write any business correspondence, there's an institution involved, so it is in your interest to use an extra key to read the message. What are the new risks caused by technological innovation?
It is not only digital communications that has risks for our privacy, but also the widespread deployment of surveillance technology. For example, video cameras -- especially in Great Britain everybody knows that there are millions of video cameras. I'm sure that you heard about face recognition software that recently has been applied in the US at the Superbowl. If you have video cameras in every street corner, in every public place, together with face recognition software, then it becomes possible to track the movements of every human being as they walk down the street, identifying every person individually and keeping track of their movement, all day long. And this is an Orwellian future that is not in our interest. We should try to limit the spread of surveillance technology. We should not allow the fears that we have for the terrorism to stampede us into an Orwellian world. In many places in the US, it's common habit not to lock house doors, because privacy is respected. But you suggest encrypting email messages. Isn't it a contradiction?
Also in the US, in urban environments we always lock the doors, and in rural environments we leave them open. It depends where you are. In urban environments there are many people that you don't know. So we tend to be more protective. On the Internet, because it allows people to do things anonymously -- well, mostly anonymously -- it may encourage antisocial behaviour like you would find in a large city. So I think that we need to protect ourselves in the Internet. We need encrypted email, we need firewalls, we need virtual private networks, we need intrusion detection systems. The Internet is like an urban environment, where you meet people you'll never meet again. So they may behave as people sometimes behave when they know that they'll never meet you again. To put it in game theory terms, it's like the difference between 'prisoner dilemma' and the 'iterated prisoner dilemma'. People play the game differently when they play a single round or when they play in an iterated fashion with the same people. Do you think that this kind of encryption technology will be also interesting for the wireless communications?
In the wireless world it is essential that you use encryption, especially for the communication links. Because, unlike wired communication, wireless communication is broadcast. Every little device is like a small portable radio station. Anybody can pick it up, if they are listening. You have to encrypt anything if you want to keep it private. So there is a greater urgency to apply encryption technology in the wireless world. Is there some historically famous character that inspired you, or that you like in particular?
During the '80s I become active in the Peace Movement in the United States. And someone that I found particularly inspiring was Daniel Elsberg. He published some classified documents about the Vietnam War, during the war, and these papers became known as the Pentagon Papers. He published them in an effort to bring an end to the Vietnam war. And he was prosecuted for this. He faced so many years in prison that it would be the rest of his life. He prevailed in the legal struggle and did not go to prison. I've found this particularly inspiring. He took great risk, it was dangerous, but he published these documents, and he helped bring an end the Vietnam war in some way. I don't think that the release of these documents had a directly influence on the end of the war, but he helped to create a political condition that eventually led to the end of the war. If I had to settle on one thing that inspired me to publish PGP, in some ways that did.
Who's watching you? Get the latest on spy networks such as Echelon and Carnivore, as well as privacy issues for companies and individuals alike, at ZDNet UK's Privacy News Section. Have your say instantly, and see what others have said. Go to the ZDNet news forum. Let the editors know what you think in the Mailroom.
Editorial standards