A CONVERSATION WITH PHIL ZIMMERMAN
On June 30th 1998, I met with Phil Zimmerman at the unlikely location of Sommarøy in the north of Norway. We discussed cryptography in general and the political implications of strong cryptography in particular. Below is a transcript of our conversation.
- What are your motivations for working with cryptography?
I've been interested in cryptography since I was ten years old, when I read a children's book on cryptography. Of course the cryptography in it was not very sophisticated, but it was a lot of fun for a ten-year old. But it wasn't until I got to college that I started using computers with cryptography. That was in 1972. In the 1980ies, I began to see cryptography as a political tool. I saw that it would possibly change the power relationship between the government and its people. That was what started me down the path of writing PGP, which I started working in 1984.
- So you spent a long time refining it before it was released in 1991?
Yeah, I started the design work in 1984, and I also starting writing a bit of code at that time - I think it was the random number generator.
- Can you elaborate on why you see cryptography as a political tool?
Technology is changing society in ways that erode our privacy. Paper mail is being replaced by electronic mail. Face-to-face conversations are being replaced by electronically mediated conversations. Today's interactions frequently takes place over the phone instead of face to face - well most of mine are and I presume it is like that for you as well. So every time we move more of our lives into the digital world we create opportunities for our privacy to be eroded. Cryptography is a countermeasure to that. It tries to restore the privacy that we once had. Working with cryptography, I am not even trying to give us more privacy than we had before. I am trying to give us back the privacy that we once had and we have lost.
- But governments take countermeasures too, by launching things as key escrow and the clipper chip. And they claim that these countermeasures are necessary - not to erode the privacy of Joe Citizen, but as way to target criminals, spies and drug dealers.
I think that the government has a point in as a much as that cryptography can be used by criminals. In fact, I'm sure that cryptography is used by criminals. I know that criminals use PGP. But I can't think of a way in deploying this technology in a way that would give access to everyone else, but would not give access to criminals. I can't think of a way to do that. There are all kinds of technology that criminals use. They use automobiles. They use personal computers, and telephones and microwave ovens and Velcro. You know, are we going to not invent all kinds of technology because criminals might be able to use them? You know, in the early part of the century Bonnie and Clyde robbed banks and used cars to escape to the scene of the crime in a way that was more effective than anyone had seen before that. And the police did not know how to cope with it. The police were unable to catch Bonnie and Clyde because they would cross state lines. They would rob a bank and cross a couple of state lines in a few hours and travel into other jurisdictions. The police had never seen criminals do that before. And so some police were saying that maybe people ought not to have cars. Well you know today cars are used for mostly benign purposes, and they improve the quality of life. They also have other harmful side effects beside letting criminals escape from the scene of the crime. They also pollute the air. They create traffic congestion, traffic deaths, and the usage of natural resources. And yet, somehow we make these tradeoffs and accept cars in our society because they enrich our quality of life. I think cryptography also will have mixed effects on society, not all of them good. But overall, there are going to more good effects than bad effects.
- What about the claim by the government that key escrow is the solution because it will put strong cryptography in the hands of the people while letting the government a backdoor that only will be used to track criminals?
I don't believe that the government will only use it to track criminals. Or let me say this: I think that the government may only use it to track criminals, but their opinion of who a criminal is may be different from mine. That depends upon the government. In some governments anyone who speaks out against the government is a criminal. Even in democracies the government might regard someone as criminals that ought not to be criminals. I mean - in the US sometime we have laws passed that ought not to be passed. The Communications Decency Act is a law that should never have passed Congress. Eventually, it was struck down by the Supreme Court as being unconstitutional, but now they are working on another version and I don't know what is going to happen with that. But that is the kind of law that ought not to be along. And in fact, that is the kind of law that I expect people to use cryptography to try to circumvent. And yet now there is a law being discussed in the US legislation that would make it a crime to use cryptography in the commission of another crime. So it would make an extra crime just for you to use cryptography. To use the example of The Communications Decency Act that particular law would, more than most other laws, tend to get people to use cryptography to hide their attempt to circumvent that law. And so it would make criminals out of those people for laws that should never have been created to begin with. It will make criminals out of them because they are going to use cryptography in addition to violating the Communications Decency Act itself.
- Some cyber activists says that key escrow itself is not harmful because it can be used as a sort of steganographic manner where you can have «real» strong cryptography hidden inside a packet which is then encrypted with key escrow, and the argument is then that because everybody is going to use key escrow cryptography the people who monitor communication will not be able to spot who is using «real» strong cryptography and who is only using key escrow.
The problem with that is that - I hear engineers sometimes make the argument that: «Oh, we don't have to care about these law because we'll just break them.» We'll use encryption nested within encryption, as you just described. But who is going do be able to do that. A few engineers are going to be able to do that. But what about ordinary people? I mean, in the US, the Government tried to get us to use the clipper chip, an encryption device that had key escrow. The chip was designed to be used in telephones. So you could go to the store and buy a telephone. Well, if you go and buy a telephone from the store, how are you going to use the method that you described? Are you going to take it home, get out some tools, open the telephone, get an «Exacto» knife and cut traces on the printed circuit board and solder some wires in with an extra chip that would do encryption. I don't think very many are going to do that. The kind of technology infrastructure that we create that uses cryptography is the kind that most people are going to use. A few skilled engineers, or hobbyists, who can circumvent the law by doing superencryption, by encryption nested within encryption, is not going to change society, it is not going to reduce the negative impact on society that a pervasive surveillance infrastructure creates.
- Another argument, along similar lines, is that even if the government were making weak encryption in the form of short key length or in the form of key escrow mandatory, people would use steganography to circumvent that.
Steganography just has the same characteristics of what I just described. Namely that a few people might resort to steganography in special circumstances, but the average person is not going to do that. I mean, for one thing, steganography only works if noone knows you are doing it. If they know you are doing it, they will look at the low order bits of the photograph and pull out the message. And if it is encrypted, then they will pull out the encrypted message and then it becomes as like you just send an encrypted message. You might find some spy who has parachuted behind enemy lines and who has to get a desperate message back to headquarters resort to steganography. But for millions of people who are living their ordinary daily lives, they are not going to use steganography to send routine email around. It would look funny, wouldn't it; if hundreds of millions of photographs each day were sent across the Internet and nobody sent email any more? Maybe the government would wonder why nobody was sending email any more and now there were hundreds of millions of pictures of Norwegian mountains crossing the Internet.
- Widening the scope - to me it looks like there currently is a high-tech battle going on for the very soul of the Internet. The Internet was financed by the military, but was created by a very special group of people that embedded certain qualities and sentiments into the Internet. But now it looks as if it is going to be taken over by big business. I can see, in the Internet, in cryptography, and in other areas, a struggle going on between those that want technology to be liberating, to be controlled by the user and be of benefit to the user, and technology that are oppressive in the sense that it is impressing an external agent's mission upon the user. How do you see your own role as purveyor of cryptography to the people in all this?
Well, I think that overall new technologies increase the power of governments to survey their citizens. I think that effect overall is stronger than the effect of liberating people. I mean, the Internet does liberate people, and certainly it brings the outside world into some oppressive countries. Some people have said that the Iron Curtain fell more than anything else because of MTV. Of course not speaking of MTV in particular, but of Western influences in general. The Internet will accelerate that, I'll give the Internet that, and that's great. But all the rest of the technologies associated with computers and digital communication and databases and faster processing power have a net effect of increasing the power of surveillance by governments.
- Does this make you a pessimist?
I think that when you call people's attention to a problem, you are affecting a solution. We do not make predictions in a static way, we don't say, for example, 25-30 years ago the Club of Rome predicted that there would be a huge environmental catastrophe from overpopulation and the overuse of natural resources. And certainly there has been a lot of environmental problems, but not to the catastrophic level that the Club of Rome predicted. Well, I think the reason why this prediction did not come true, is because people listened to prediction at that time, and started thinking about the environment more, and started recycling and making cars with better gas mileage, and putting more insulation in their homes and doing all of the hundreds of little things that people do to try to reduce their damaging effect on the environment. And in that way we have somehow avoided the dire predictions of the Club of Rome. Similarly, the nuclear freeze movement of 1980ies were making dire predictions about what would happen if the arms race continued. But I think that it had an effect on the public consciousness, and it increased the visibility of the issues to the politicians, the politicians both in the US and the USSR, and I think that that had something to do with the end of the arms race. There certainly were other factors too, but that had something to do with it. Similarly now, what I am trying to say is that these advances in technology that are bringing us an Orwellian future of surveillance, I hope, increases people's awareness of it to the point where they start trying to do something about it, and change that outcome.
Copyright © 1998 Gisle Hannemyr