One of the best parts about SXSWi is the opportunity to hear brilliant minds who’ve made real changes to our world speak about our moment in time. Nerd hero Phil Zimmermann helped change the world back in 1991 when he released Pretty Good Privacy (PGP), an open source crypto program that allowed anybody to encrypt their email messages with heavy-duty encryption without needing a PhD in computer science.
This may not seem like a big deal now, but it was then because existing U.S. laws prohibited anybody but the government from possessing such technology. Indeed, the government opened an investigation into Phil’s activities that lasted for 3 years. Ultimately, he was not indicted and the PGP technology not only survives, it’s the most popular cryptographic program on the web today.
PGP has gone through a twisting journey. It’s been sold five times and was most recently purchased by Symantec. Now Phil is working on Zfone, a secure telephony tool. Basically, it’s PGP + VoIP. VoIP is “voice over internet protocol” and is most commonly used today in the form of Skype.
His self-proclaimed motivation for developing PGP was to push back against Orwellian Big Brother/governmental control. Now a new threat has emerged: organized crime, which is not just about selling hooch anymore. These groups are deep in a lot of digital crimes, like the Russian Mafia’s botnets, spam (which accounts for over 80% of all email) and Nigerian phishing scams. Identity theft in particular has caught his eye.
The most popular target for identity theft is children: They have a clean slate. No job or bad credit. It’s a fresh, unused and unnoticed identity, which is perfect for ID crimes. With most other crimes that affect you, you know about it pretty quickly. If your car is stolen you’ll figure it out. But identity theft is different because you might not notice for a long time, especially if it’s your kid’s identity. In fact, ID theft doesn’t really work if you know about it, because you can stop it by canceling credit cards and taking the steps necessary to reclaim your identity. ID theft depends on your unawareness that you are a victim.
Phil says there’s an over-reliance on crypto when your computer could easily be stolen or have a keylogger physically put on it. Digital is not the key to everything; we focus too much on digital signatures and not enough on the analog world of physical reality.
His Zfone protocol was optimized for VoIP (both “voice” and “video”). It doesn’t require a public key infrastructure, which forces you to set up a bureaucracy to organize and keep track of all the keys and is difficult to maintain. With his protocol, any two people can talk over IP with no public keys needed. You just verbally compare a short authentication string. Then you know there’s no man-in-the-middle listening to your conversation. You just have to do it once. Phil is now a proponent of using non-digital ways to authenticate; it drags the human being into the protocol. In fact, the human is an integral part of the protocol. In some cases analog tools are better because digital tools have trouble faking it. Also, it avoids the problem of having an authority figure managing your privacy: If your protocol requires a phone company, it’s not a very good protocol. They don’t always have your best interests at heart. Phil’s analogy is: “Why should I have to ask the phone company’s permission to speak Navaho? You shouldn’t have to. And we won’t.” Phil considers anonymity a right: We’ll speak in whatever code or language we want.
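The verbal check described above can be sketched in a few lines of Python. This is an added example, not Zfone's code or wire format: the toy Diffie-Hellman group, the 4-character string, and the names `keypair`, `derive` and `call` are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy parameters (assumption): a small prime group, not what a real product uses.
P = 2**255 - 19
G = 2
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

def keypair():
    """Fresh per-call key pair; nothing is stored or certified, so no PKI."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def derive(my_priv, caller_pub, callee_pub, peer_pub):
    """Return (session_key, sas) computed from what this endpoint saw."""
    shared = pow(peer_pub, my_priv, P)
    material = b"|".join(str(v).encode() for v in (caller_pub, callee_pub, shared))
    key = hashlib.sha256(b"key|" + material).digest()
    digest = hashlib.sha256(b"sas|" + material).digest()
    bits = int.from_bytes(digest[:3], "big") >> 4          # top 20 bits
    sas = "".join(B32[(bits >> s) & 31] for s in (15, 10, 5, 0))
    return key, sas

def call(mitm=False):
    """Simulate one call; returns (alice_sas, bob_sas, keys_match)."""
    a_priv, a_pub = keypair()          # Alice, the caller
    b_priv, b_pub = keypair()          # Bob, the callee
    if mitm:
        # A party in the path has swapped in its own key in both directions.
        _, m_pub = keypair()
        seen_by_alice, seen_by_bob = m_pub, m_pub
    else:
        seen_by_alice, seen_by_bob = b_pub, a_pub
    a_key, a_sas = derive(a_priv, a_pub, seen_by_alice, seen_by_alice)
    b_key, b_sas = derive(b_priv, seen_by_bob, b_pub, seen_by_bob)
    return a_sas, b_sas, a_key == b_key

# A real protocol also makes each side commit to its key before seeing the
# peer's, so a string this short cannot be forced to collide; omitted here.
if __name__ == "__main__":
    for tampered in (False, True):
        a_sas, b_sas, _ = call(tampered)
        verdict = "match, keep talking" if a_sas == b_sas else "MISMATCH, hang up"
        print(f"tampered={tampered}: Alice reads {a_sas}, Bob reads {b_sas} -> {verdict}")
```

The two people read their strings to each other over the call itself; the comparison is done by ear, which is the human step the talk describes.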
Phil touched on a lot of other topics after opening the floor to questions, including quantum cryptography, the pervasive surveillance culture in London and China, national IDs (he’s against them), privacy commissions in Europe that ensure people have a right to know what data is being collected about them, anonymous digital cash (no one’s perfected it yet and patents are encumbering new attempts), and the fact that 30% of American divorces have something to do with Facebook. He’s constantly amazed at how willing people are to put their most intimate details online. The “I have nothing to hide” mentality erodes our collective privacy rights.
I asked him about the hacker collective Anonymous and he said he would be curious to see what kind of stuff they can find about the causes of the recent economic collapse. He remembers many people going to jail over the Savings & Loan collapse back in the 80s and is shocked that no one has gone to jail over this one yet.
Lastly, he touched on Facebook & the Middle East. When the internet is disconnected in some other country, he would like to see some other way to connect people. A mobile mesh networking protocol could really help. What if there was a protocol in every new smart phone that could do this, without having a broadband pipe that can be cut by the authorities? It might not let you connect to Facebook but you could still talk to each other. But it has to be ready to go before demonstrations erupt in the streets. “Somebody should get on that,” he said, and I agree.
Overall, it was an excellent panel and a fascinating — at turns terrifying and hopeful — look into the state of privacy and cryptography on the web in 2011.