TechRep Zimmerman

Defending the last missing pixels: Phil Zimmermann speaks out on encryption, privacy, and avoiding a surveillance state.

Uploaded by

fena_zeina

Defending the last missing pixels: Phil Zimmermann speaks out on encryption, privacy, and avoiding a surveillance state [1]


Steve Ranger

Since writing the PGP encryption software in the 1990s, Phil Zimmermann
has been a key figure in the internet privacy debate. With that argument
heating up again, his perspective is more relevant than ever.
Walk into London's Victoria and Albert museum of design, pass the queues admiring the fashionable
frocks and rooms full of classical statues, and you'll come to a glass case. Look inside and you'll see
the remains of a thoroughly trashed MacBook, and, a little down and to the left, a small, black,
unblemished smartphone.
The ruined MacBook was owned by the Guardian newspaper and held a copy of the files leaked to
the paper by NSA whistleblower Edward Snowden, or at least it did until it was destroyed with
axle grinders and drills following pressure from the UK government (all of this was pure theatre of
course; duplicate copies of the files on the machine existed elsewhere).
The smartphone is better known as the Blackphone, the handset developed by a company called
Silent Circle with the purpose of keeping its customers' conversations as private as possible.
The hard drive and smartphone tell different parts of the same story: how technology is at the heart
of the battle over what privacy should, and does, mean in the twenty-first century. The smashed
MacBook embodies how governments try (and fail) to contain their secrets (particularly ironic when
the secret they want to protect is that they are spying on us) while the smartphone reflects the
attempts of individuals to keep their communications private.
The Blackphone is the latest project from Phil Zimmermann. Over the last three decades,
Zimmermann has been building encryption technology that has ensured the security of countless
messages. If you've ever had any secrets held about you on a computer - and everybody has secrets,
even things as simple as tax records and credit card numbers - there's a good chance that
Zimmermann's technology has helped keep them secret.
At a recent private viewing of the exhibition that features the Blackphone, Zimmermann pondered
what the emergence of whistleblowers like Snowden says about the current state of privacy.
"The moral problems with the behaviour of our intel agencies should give us pause, should get us to
step back and question, 'What are we getting our intel agencies to do?' We should take another look
at this. We should try to restrain them more," he told the audience.
"This has been my motivation for my entire career in cryptography," he says. "The driving force is
the human rights aspect of privacy and cryptography and ubiquitous surveillance, pervasive
surveillance... We live in a pervasive surveillance society."
As he spoke, the radio of one of the watching museum guards squawked briefly and loudly into life,
neatly illustrating Zimmermann's point.

[1] http://www.techrepublic.com/article/defending-the-last-missing-pixels-phil-zimmermann/?tag=nl.e036&s_cid=e036&ttag=e036&ftag=TREa988f1c

Miss the mortgage, code the crypto


Encryption is the process by which data - be it an email, phone call, or indeed any digital
communication - can be scrambled so that it can only be accessed by the intended recipient.
The debate over online privacy has been going on since the emergence of the internet itself, often
centred around the use of encryption, since the technology remains the best way to ensure privacy.
After all, modern encryption systems mean it would take a supercomputer thousands of years to
break encrypted messages without the key.
Zimmermann has been a central figure in the debate since the start. His work on encryption has
always gone hand-in-hand with his privacy activism, as he explained over tea the day before the
museum's private showing.
"I can apply my crypto expertise to making a living and that fits nicely with the activism about
privacy," he said. It's certainly the discussion of privacy that makes him most animated, although, as
he notes, "at different times my activism has run in different directions," adding as an aside: "If I
had more time, I'd work on climate change."
In the 1980s in Boulder, Colorado, he worked as a military policy analyst with the Nuclear Weapons
Freeze Campaign while juggling a day job as a software engineer.
During this period he was arrested along with Carl Sagan, Martin Sheen, and Daniel Ellsberg -
quite a line-up for a geek dinner party - and 400 others for protesting at a Nevada nuclear weapons
test site. It turned out the test they were trying to stop had taken place a couple of days earlier.
As the Cold War began to draw to its close, Zimmermann's interest in encryption grew as he
realised the need for technology to protect private communications both across the world and at
home. When the internet was just a hangout for a bunch of early adopters, security and privacy
weren't that big a deal. As it began to grow, that changed.
"The internet became a more hostile place. In the early days of the internet, it was kind of a nice
neighbourhood with well manicured lawns and then it became a blighted neighbourhood so people
were more aware they had to be more careful. If you're going to do communications on the
internet, you pretty much have to do crypto to have any expectation of privacy," he said.
Zimmermann began working on a project, which eventually became Pretty Good Privacy - PGP for
short - an email encryption software package. It was published for free on the internet in 1991, and
became the most widely used encryption software in the world. Its development wasn't an easy job,
however.
"It was a hard road to get to the release of PGP. I missed five mortgage payments developing the
software in the first half of 1991," Zimmermann wrote on the ten-year anniversary of its debut.

It got worse. When PGP spread worldwide, Zimmermann became the target of a three-year
criminal investigation, because the government argued that US export restrictions on cryptographic
software had been violated. The government finally dropped the case in 1996.
"It was shortly after PGP 2.0's release that US Customs took an interest in the case. Little did they
realize that they would help propel PGP's popularity, helping to ignite a controversy that would
eventually lead to the demise of the US export restrictions on strong cryptography," Zimmermann
wrote.
That's because his case, along with a number of other events at the time, created a very public
debate about how privacy technologies should be used. The conclusion was that, despite the
potential risks that encryption might pose, governments ought not place controls on the technology.
"At the end of the 90s we saw many elements of society were reaching a consensus: that strong
crypto was an important technology for ecommerce and civil liberties and privacy and a free
society," Zimmermann said.
Since then, encryption has taken on the same level of importance to the internet as the Force in the
Star Wars universe: a mysterious power that surrounds us and binds the internet galaxy together.
When we shop online, it's encryption that makes sure that your credit card details aren't being
snooped on. When you log into your bank account, it's encryption that means you can be sure it's
really your bank's website you are visiting, not a glossy fake. Encrypted databases keep your medical
records safe from prying eyes, while encrypted email protects your business proposals, declarations
of love, or nude selfies.
PGP is now owned by Symantec, and for the last dozen years Zimmermann has been working on
encrypted voice communications protocols, and most recently the creation of a company called
Silent Circle. One of the voice encryption standards used by Silent Circle is called ZRTP and as the
company's website puts it bluntly: "The Z in ZRTP stands for Zimmermann."

Silent Circle
Silent Circle launched in October 2012, jointly founded by Zimmermann and Mike Janke, a former
Navy SEAL. The company counts 30 of the Global Fortune 50 among its customers, along with
journalists, government agencies, and the military. The company recently raised $50m to fuel
further growth.
But it's not your standard tech startup, many of which make their money from slicing, dicing, and
reselling information about their customers' web habits. In contrast, last year Silent Circle moved its
headquarters to Geneva - Zimmermann is also based in the Swiss city now - from Canada in
search of stronger privacy laws to protect its customers' information, even from itself.
Originally when they started the company, the intention was just to pursue markets where there
were people with a particular need for privacy - like journalists working in war zones - but after the
Snowden revelations, "there were a lot more people that could see that there's a need for this in all
kinds of situations," Zimmermann said.
Talking of Snowden, Zimmermann notes with a certain amount of pride: "Snowden got his hands
on some documents that showed some products that [the NSA] had broken the crypto [on] - and
none of my stuff was on the list."

Silent Circle's Blackphone device runs a security-toughened version of Android it calls PrivatOS.
Calls are encrypted end-to-end which means even the company itself can't hand over the details to
anyone. "We have no access to it. None. We can't disclose what we don't have access to," the
company says.
Since the V&A exhibition opened, the Blackphone has been added to the collection of a second
museum - the International Spy Museum in Washington DC. Its 'Weapons of Mass Disruption'
gallery explores the challenges facing the intelligence community in the twenty-first century.
The idea behind the Blackphone smartphone, and the tablet that followed it, is to provide an even
greater level of security than is available with current hardware. The decision to move from software
to hardware was in direct response to questions like 'Is your stuff NSA-proof?' which make
cryptographers uncomfortable, said Zimmermann. That's because, while their software might work
fine on 'clean' hardware, when running on a computer infected with malware, the software - no
matter how good in theory - could prove useless. "For many years that was our caveat, but it's better
to try to do something about it, [to] see if we can improve the hardware platform," he said.
The second version of the Blackphone is due out later this year, as is the Blackphone+ tablet. They
arrive at a time when the old debates about privacy and surveillance and cryptography are being
rerun once more.

The coming debate


Providing secure communications might seem relatively uncontroversial but the consensus built in
the 1990s - that encryption is a good thing - is now on the verge of collapsing, with the Snowden
documents representing the unexpected catalyst.
Governments are warning again about the dark side of encryption, claiming that it allows criminals
to plot in secret because police and intelligence agencies can no longer crack their communications.
Recently, Admiral Mike Rogers, director of the NSA, said: "I certainly have great respect for those
that would argue that the most important thing is to ensure the privacy of our citizens and we
shouldn't allow any means for the government to access information. I would argue that's not in the
nation's best long-term interest."
Lining up on the other side are the privacy campaigners and even the United Nations which argues
that access to encryption is essential to protect basic human rights.
All of this is an issue again because, as a consequence of the revelations from Snowden about the
extensive surveillance programmes of the US intelligence agency, more and more companies
(Apple, WhatsApp, Silent Circle, and others) are making encrypted communications the standard for
their billions of customers.
As a result, politicians and law enforcement agencies have been making louder and louder noises
that something must be done about the use of encryption - although they are vague on exactly what
actions should be taken. They also generally sidestep the irony that many companies have only
turned on encryption because of the massive data collection by the NSA and others.

The NSA is demanding access to encrypted communications and the UK is considering passing a
law to enable the same. In contrast, Germany, with a different historical perspective on the dangers
of government surveillance, not only allows encryption but positively encourages it.
Considering that Zimmermann has been through the whole encryption debate once and thought it
settled, only to see it emerge again like some kind of digital Groundhog Day, he seems surprisingly
relaxed and upbeat - at least about this element of the privacy battle.
"Back in the days when I was getting arrested for trying to stop the arms race, that seemed pretty
hopeless. The entrenched interests in that were huge. Look around: we managed to get through it.
The Cold War is over, the nuclear arsenals have been dramatically reduced - still enough to blow up
the world a few times, but we're much better off now than we were. If we can change that, why
can't we change this?"
For Zimmermann that means a public debate, like the one that the privacy activists won back in the
90s. "I used to debate NSA and FBI officials; I'd like to do that again. Strong crypto is pervasive
now: in every web browser when you do ecommerce or online banking, the web browser has strong
crypto. There's no rolling that back. That's why I'm not getting all worried about it."
But does the average member of the public care? Despite the Snowden revelations, has there been
any real impact on public opinion? If so, it's difficult to perceive. The issue of privacy would mean
little to an average citizen - say my dad - for example. Therefore, the wider the public debate, the
better.
When bringing up my dad, Zimmermann's response is sharp and to the point: "You bring it up with
him I assume? Then he might have quite a lot of opinions on it. Ask him what he thinks." His point:
the danger is letting such issues pass undiscussed and unchallenged.
He might not be worried about the ongoing anti-encryption rhetoric, but he remains a vocal
supporter of the right to use it. Zimmermann was one of a number of technologists who signed a
letter to the US - along with tech giants like Apple, Google, Microsoft, and Facebook, and the
American Civil Liberties Union - warning the White House to step back from attempts to bring
encryption under government control.
"More than undermining every American's cybersecurity and the nation's economic security,
introducing new vulnerabilities to weaken encrypted products in the US would also undermine
human rights and information security around the globe," the letter said.
However, the very same governments, even the same agencies, that worry about the use of
encryption by the public are themselves enthusiastic users of encryption products, including those
from Silent Circle.
The irony is not lost on Zimmermann: "Everybody wants this protection for themselves, they don't
want others to have it," he says.
"We had US Customs come into the office. It so happens that US Customs was the agency
investigating me in the 90s. I sat in on the meeting and I said, 'How many people here actually
worked at US Customs back in the 90s?' Nobody's hands went up - so none of the people in the
room were aware that US Customs was the investigating agency in my case."

But what of the idea that only governments should be allowed to use encryption technologies?
While Zimmermann was addressing a security conference in one hall of London's Olympia
exhibition centre, in another hall at a completely different event, the UK's top anti-terrorism police
chief made a speech complaining about how tech companies - he didn't say which ones - were
making life harder for cops.
Zimmermann deploys an analogy to dismiss such arguments: "We're in the business of making body
armour - there's a need for body armour, Navy Seals need body armour. What are we going to do?
We can't just sell to them, there's not enough Navy Seals. If we sold only to them, the cost would just
be crazy."
He points out that there are plenty of other technologies beyond cryptography that have been used
by both consumers and the military.
"There's lots of technologies that are widely used: GPS receivers were developed by the military to
guide missiles to their targets. It's only later that people started using them for other things. Crypto
historically has been used more by the military than anybody, but now everybody uses it for ordinary
things, just like they use GPS for ordinary things," Zimmermann said.

The question of pervasive surveillance


But while Zimmermann is relaxed about the prospect of refighting the crypto wars of the 1990s,
he's far more worried by what he sees as a larger threat to privacy that is looming right now.
"The debate now is about the question of pervasive surveillance. We have to push back against the
intercepting [of] everything that flows over the internet and fusing it with surveillance data that
comes from other sources - cameras everywhere, face recognition algorithms behind the cameras -
total information awareness," he warned.
Part of this is down to technology - as we carry more gadgets, snoopers will find it easier to track us
and learn about us. But it's also to do with a change in emphasis for the intelligence agencies, from
focusing on a few individuals to collecting as much data about everyone as they can.
Zimmermann argues that one of the key things that has come out of the Snowden leaks is how the
NSA has changed its definition of the 'collection' of data, which allows it to collect and store vast
amounts of data - as long as it doesn't look at it.
"The new definition of collection is that 'it doesn't really count if all I do is collect it and store it
somewhere, but if I want to look at it in storage, then I go to a court.' Well, that's a pretty loosey-goosey
definition of collection. That's collection that should count as collection," he said.
Zimmermann speaks with the air of someone who has had these debates many times before, but is
still willing to go back into battle. What of the standard argument often deployed here: that if I have
nothing to hide I have nothing to worry about?
His response is succinct. "If you really felt that you had nothing to hide, then I would never want to
tell you any of my secrets as you're not going to protect them. If you're a doctor, I don't want to see
you because you're not going to protect any of my patient records."
Also, to take such a narrow view is to miss the bigger point. For example, political opposition in
China is impossible because the country has built a surveillance society, he argues. "Here we have a
democracy in Britain, but sometimes in a democracy bad people can come into power and if you
have a system that allows another election cycle, you can get rid of the bad people.

"But if they inherit a surveillance infrastructure like what we are seeing, they can use the power of
incumbency to remain in power. They can neutralise opposition with scandals or blackmail, or
whatever can be exposed about their private life."
Even George Orwell's Big Brother had the decency to limit its surveillance to one all-seeing
'telescreen' per house. Now, thanks to smartphone selfie cameras and webcams on pretty much every
device, we've all but built our own panopticon. All that is required is for the NSA or GCHQ to start
gathering up the streams. Technology can either protect the individual or create an environment
where privacy is impossible, he warns. "All dystopian societies are surveillance societies, so we have
to get people to recognise that it's bad to give up everything," he said. "In any complex society,
people do have secrets."
Even those people who see little to fear might ponder the scenario that Zimmermann sketches out
of the future of pervasive surveillance. "Imagine if the police installed surveillance cameras in your
house, in every room of every house, in your bathroom, in your bedroom, and they collected all the
video and put it on massive disc farms in the basement of the police station and they promise not to
look at the files unless a court orders it."
He also has little time for the politicians and police who
worry about losing track of criminals who use encryption.
"They are in a golden age of surveillance now. They've got this big picture with a few missing pixels
and they're complaining. You go back twenty years, and they didn't have this big picture, they didn't
have all these incredibly pervasive surveillance capabilities. So would they take that trade? I don't
think so," he said.
"They have near total information awareness so they shouldn't be trying to take away our last few
remaining black pixels on the big picture."
According to Zimmermann, we are witnessing the emergence of pervasive, retroactive surveillance,
and the response is obvious. "We have to do something about this," he said.
The exhibition "All of This Belongs to You" at London's Victoria and Albert Museum runs until 19
July 2015.
