Phil Zimmermann might be a technologist, but he tends to get philosophical when it comes to the issues of privacy and security and how they intersect with our society. A cryptographer, in 1991, he created Pretty Good Privacy (PGP), an email encryption software and published it for free on the internet. Since then he has become an eloquent proponent for the need for privacy and tools. Zimmermann has had his run-ins with the authorities in the past, but he is widely respected for his views on cryptography and privacy — one of the reasons why he was inducted into the Internet Hall of Fame and has been a recipient of multiple awards recognizing his achievements.
The spotlight fell on Zimmermann again this week when Silent Circle, a secure-private communications company he co-founded, decided to suspend its Silent Mail service amid fears of future government interference. That action followed on the heels of a decision by another secure and private email service provider, Lavabit, to shut down operations.
Given the frenetic nature of the news, I didn’t think I would get a chance to have a measured discussion with Zimmermann. Much to my surprise, he got on the phone and we ended up discussing everything from the rise of the surveillance state; big data and its devastating impact on society; data totalitarianism; the somewhat dubious role of Google and Facebook in our lives; and why as a society we can’t fall victim to the cynicism that is starting to permeate our lives. He also talked at length about the important role of our legislators in pushing back against the unstoppable tide of the “surveillance society.”
The only thing we didn’t discuss at length — the whole Silent Mail malarkey. (Forbes’ Parmy Olson did a good job of interviewing Phil on the email shutdown and its impact on his customers.) These are excerpts from oue conversation. I have edited my questions a tad (I tend to ramble a bit) and Phil’s comments are trimmed in parts where I had trouble reading my own shorthand/handwriting:
Om Malik: We suddenly find ourselves in a very confusing landscape, grappling with the enormity and speed of changes. I was wondering if you could try and make sense of this post-Snowden world and what it means for the long term.
Phil Zimmermann: The surveillance landscape is far worse than it has ever been and I feel like everything we do is now observable. All of our transactions and communications are all fused together into total information awareness apparatus. I don’t think any of this can be fixed merely by the application of cryptography. It is going to require some push back in the policy space. We are going to have to have Congress react to this and we need to get the population to react, perhaps through the economic consequences we face of losing a lot of business for American internet companies. Maybe American internet companies can push back because of economic harm that comes with the rest of world turning its back on us.
Om: Given the world we live in, the National Security Agency is quite necessary, don’t you think?
Zimmermann: I think the NSA has a job to do and we need the NSA. But as (physicist) Robert Oppenheimer said, “When you see something that is technically sweet, you go ahead and do it and argue about what to do about it only after you’ve had your technical success. That is the way it was with the atomic bomb.” NSA chose to do their assigned jobs with a technically sweet solution of monitoring the internet and looking at anything that happens putting it all in a vast database. It is technically sweet, but it’s bad for privacy.
If we have a change in the government sometime in the future, that government will have such a powerful tool of surveillance, that we will find ourselves in a terrible predicament that we won’t be able to get out from underneath. That’s the kind of fear I have from a public policy perspective.
Om: A few months ago, I wrote about this concept I have (data darwinism) and how society is unable to understand data and the changes data is bringing about in society. And one of the questions I posted in that piece was that this data culture was really something of a legislative and regulatory challenge, more than a technological challenge. We do have legislators who, like many of us, are struggling with the complexity and the scope of what is happening around us.
Zimmermann: They approved the Patriot Act. There is a secret interpretation of the Patriot Act that allows the collection of data. I suspect most of Congress doesn’t know all the ranges of implications of approving this along the way. If you look at Congress’s actions, they have approved the different pieces of it along the way. We have to make them aware of it and we have to create what President Obama calls a “teachable moment” from it. What we have wrought, we never imagined it would get like this.
The NSA was created after World War II and the original vision was that it would not spy on Americans and it would turn its gaze outward and apply its tools not on domestic populations. In general, all great nations need to have great intelligence apparatus to inform its leadership of what’s going on in the world. But when these tools are focused on domestic population, it is bad for democratic institutions.
If China was to intercept our phone calls, I wouldn’t like that but I wouldn’t worry that Chinese authorities would bang on my door and haul me to prison because I don’t live in China. So when a government turns its powerful surveillance tools on its people, it has impact on the political opposition within the country. The power of incumbency becomes greater and opportunities for the democratic process become less and are undermined.
Om: The world when the NSA was established had clear international boundaries and the “network” has somewhat erased the notion of geographical borders and made location more fungible. What is domestic and what is not domestic isn’t clear and it’s much different from the time of the NSA’s establishment.
Zimmermann: It is clear that after the 9/11 attacks, we became aware of the fact that we are dealing with an enemy that is not abiding to the boundaries of a nation state. Sure, the challenges for all western intelligence agencies are higher. We are not looking at Soviet Union military bases intercepting diplomatic communications. We are now dealing with non-state actors that are scattered all across the world and are part of the native populations. So I can see how much more difficult a job it is for the NSA. But to get from a greater challenge to a solution that involves monitoring the entire population is a bit of an overreach.
We can do better than that. We have to do better than that. If you look at the breaches of civil liberties in past wars, like the internment of Japanese Americans during World War II, as horrible and egregious as it was, at the end of the war, we could say we had wronged and never to do it again and try and get back to normal life. It was because that war had an end. The way this war has unfolded since 9/11, it never seems to end or has an end. And each step of undermining civil liberties becomes the baseline, the new normal. The question is how far we are going to go, if there is no end to this war.
I have spoken about this in the years before 9/11 that the biggest threat to privacy was Moore’s Law. The human population may not be doubling every eighteen months, but the ability of computers to track us doubles every eighteen months. Moore’s Law is almost like a blind force of nature. After 9/11, you have got blind forces of Moore’s Law hooked up to a focused policy of surveillance and that is a terrible combination.
Om: There is the reality of our world and we all live under a cloud of fear — a lot of it is real and this fear has influenced policy, so what should we do? What should legislators be doing here?
Zimmermann: We need to take an objective look at the damage since 9/11 and that would take into account self-inflicted wounds. The harm we have done to our society has come as a reaction to 9/11. The cost includes our expectations of our legal system and our civil liberties. I don’t think it is a partisan issue. We need to push back against this tide of surveillance. In my case, I create technology, so I do things that allow me to apply my skills and part of that is to develop technology tools that push back against a small subset of that problem.
Om: How so? Can you elaborate?
Zimmermann: We do that by creating tools of secure communications and by designing protocols that don’t share keys (encryption) with servers because servers are run by companies that can be coerced by the governments. That’s why our telephony service is immune to the pressures that come from us operating servers. We don’t have the keys and all we have is servers routing the calls and the keys sit on the clients. All our main products — VoIP, text messaging and file transfer — we don’t have keys and we don’t log the messages.
Om: So why stop with Silent Mail? Is email encryption not possible anymore?
Zimmermann: The body of email can be encrypted and PGP does just that. In our case, we offer our services on mobile — iPhone, tablets and Androids — for that reason we cannot run PGP for email since it doesn’t exist. So we had to run PGP on a server and it is called PGP Universal. Now for IT departments (inside organizations), it made sense to have this run on their servers and offer it to their employees and control the (encryption) keys. A box sat next to the mail server and did its job. That was the kind of solution we were using until yesterday.
It doesn’t work that well outside the enterprise environment, especially when offering it to a horizontal market. We were offering this by holding all the keys on our servers and if someone came along and asked for those keys, we would have to turn over those keys. We didn’t want to be put in that position, so we shut down Silent Mail.
For our VoIP, text messaging and file transfer services we don’t have the keys and they run well on mobile devices. If we could run PGP on mobile clients where we didn’t hold the keys we would offer it, but for now it wasn’t worth the risk. We wanted to take this action and putting our customers through this inconvenience is because we wanted them to know how serious we are about privacy and security.
Om: Do you think an average person is more aware of the invasion of privacy and encryption today than, say, a year ago?
Zimmermann: Even before the NSA Prism story, there was a rising awareness and more news articles talked about systems being hacked and customer data being leaked. People had realized that Facebook was abusing your data. Everybody today is more aware that Facebook monetizes your data and when we don’t pay for the service, you are really the product. You are not Facebook’s customer, advertisers are Facebook’s customer. Same is true for Google. You become an asset that they monetize and sell to their customers, aka the advertisers.
Om: What, in your opinion, should big tech companies like Google and Facebook do? Follow the example of you guys and Lavabit?
Zimmermann: These companies are very big. What would be better is if there is a pushback in the public policy space to change the way things work. We shouldn’t have the shockingly pervasive surveillance system and infrastructure. I think it will hurt us economically as more and more people (around the world) choose not to do business with us because of the fear that they (the U.S. companies) will sell them out.
Om: Did you think we would end up where we are today? Sometimes, it seems all like science-fiction stuff, and I am amazed by it all.
Zimmermann: I think it is science-fiction to have a Department of Homeland Security — just the name itself. (Laughs.) I wrote about these things over twenty years ago and when I first wrote PGP and technology extrapolations leading us to a future where the governments can listen to all our communications, can search through all our communications and do pattern recognition and study our traffic patterns. But I didn’t think it would get this bad.
Om: Are you fearful for our future? Is this an unending nosedive into surveillance society?
Zimmermann: The question falls under the idea that the best way to predict the future is to make the future. You know, it is an important question, but when it is posed as a question of prediction, then there is a certain act of passivity in the act of prediction. I would rather not passively predict and I would rather actively correct. What kind of future we want to have, that’s the future we should all work together to create.
Om: So you believe that technologists have to keep coming up with new ways to push back against all the intrusions into privacy?
Zimmermann: What I said about Moore’s Law being a threat to privacy and it being a blind force of nature — well right now Moore’s Law is being accelerated in a specific direction by policy pressures. The policy pressure of creating more surveillance as response to the 9/11 attacks. We might be ably to change some of that, but the natural tendency of data and Moore’s Law is that data wants to be free. The natural flow of technology tends to move in the direction of making surveillance easier.
We have to work harder to push back on policies that 9/11 brought us. It is time to re-examine the Patriot Act and re-examine everything. We need engineers and technologists to guide technology in the right direction and not optimize for surveillance. I would like to see a pushback, both on the technology and policy fronts. The engineers tend to be more aware of these problems and they need to be politically aware of the dangers of developing tools of surveillance.
Om: When privacy is put in context of national and individual security and terrorism, it is pretty easy to turn a blind eye to a whole lot of things. Yes, a similar challenge exists on a more day-to-day basis, when we have companies like Google and Facebook and others collecting a lot of ambient information about us, making deductions and pattern recognition and then forcing us to spend money in a certain way.
What about ambient data that will come from sensors in our phones and cars that will soon become judge and jury for our car insurance rates? I think we are a very nebulous state of what I like to call a data-influenced society and a lot of that is much more worrisome than NSA. What are you thoughts?
Zimmermann: I agree it is not just a matter of surveillance. Big data intentionally creates a concentration of data and has a corrupting influence. It really concentrates the power in the hands of whoever holds that data — governments, companies. The PC revolution of the late 1970s and 1980s and the later early Internet (of the 1990s) seemed to hold so much promise and empowered the individual. Now with big data there is a shift of power in the other direction as it concentrates power in fewer hands.
Of course, one can get cynical about all this but one has to fight that urge. A lot of people are getting more cynical because we are living in a surveillance state. Cynicism is the fertile soil where corruption can grow. Cynicism has a paralyzing effect and I think we need to resist that temptation of cynicism and hold on to our ideals in order to bring about change and push back.
Making an intelligent decision on liberty vs security first requires a rational assessment of the terror risk. Unfortunately, our human brains are wired to wildly miscalculate that risk. “This is Your Brain on Terrorism” http://libertymcg.com/2013/07/23/this-is-your-brain-on-terrorism/
LibertyMcG
Thansk for sharing that link. I will check it out shortly.
Thought provoking.
“What we have wrought, we never imagined it would get like this.”: Actually, some of us always imagined it would get like this, and I find it difficult to believe Zimmermann isn’t among us. There’s no mystery here. Even if one is willing to assume Alexander et al. have only the best intentions (I’m not, but grant it for discussion), just consider their incentives. If there’s another episode like September 11, 2001 or worse, their necks will be on the block for failing to forestall it. So naturally they’re inclined to collect every bit of information they can that might conceivably help them avoid that fate. Their incentives to exercise restraint, respect the fourth amendment, etc. are much weaker, *unless* the elected officials who supposedly oversee them insist on it, which means among other things *not* giving them nearly carte-blanche licenses like the Patriot Act. Regrettably, the incentives of the elected officials are similar. They have far more to fear from the public hysteria that would follow another big “terrorist attack” than from the likes of Zimmermann, Malik, and me decrying the excesses of the surveillance state. The efforts of some politicians to tar others as “soft on terrorism” makes matters worse, much as with “soft on communism” during the mid-twentieth century.
“The harm we have done to our society has come as a reaction to 9/11.”: I remember sitting in a waiting room at the UC Davis Medical Center that day, watching TV reports, and thinking that what would follow is exactly what has followed: the curtailment of civil liberties, particularly the right to privacy, in the name of national security, with little possibility of a clean-cut end, because The Enemy was no longer a nation that could be definitively defeated. I feel like I’ve been watching a train wreck in slow motion ever since.
“Cynicism has a paralyzing effect”: What has a discouraging if not paralyzing effect on me and, I suspect, many others is the fact that practically none of The People Who Matter in Washington, DC – the president, congressional leaders, and federal judges – seem to feel any interest in changing course. It’s worth remembering that only one member of the senate, Russ Feingold, had the courage, decency, and intelligence to vote against the Patriot Act, which needed no “secret interpretation” to be patently disastrous for civil liberties. Given how the vast majority of America’s politicians have behaved for the past twelve years, expecting things to keep getting worse is reasonable, not cynical. I’ll keep decrying, but I can’t say I have high hopes.
Ralph
Thank you for your thoughtful comment. On your closing argument, all I would say — let’s hold on to the idealism and not stop trying. You seem to be the kind of person who can make a rational argument so keep doing that. Again, thanks for writing that comment.
I found the Zimmerman’s comment about “a change in government” especially disturbing. His implication is that one of the political parties is less or more likely to do harm. Abuse of data collected on the citizenry is not a political problem – the institutions of the state will use whatever means at their disposal to maintain and grow their power, whether it is the Politburo, the Reichstadt, the IRS or the EPA. When threatened, the gloves will come off and the claws will lash out. Institutions, like any organic being, will use any means to survive and surveillance loads the gun for them to target those who seek change.
For those of a literary bent, a book written 40 years ago by Thomas Pynchon, “Gravity’s Rainbow” set during WWII made the assertion that the transistor wasn’t invented, but merely discovered. That it was always there, waiting, and that it “created its own great wind” that was an irresistible force, as Zimmerman seems to imply about Moore’s Law. Pynchon even went so far as to posit that “once the cameras are small enough” reality would also become something engineered and controlled.
While cynicism can lead to corruption, resignation to in the face of forces seemingly gargantuan and unstoppable leads to something much worse. In the long run, rules/laws cannot restrain the onslaught, and policy, while better and absolutely necessary, cannot effect long-term change. It is up to the people to exhibit and demand public virtue, something we are in very short supply of these days,
I think you misunderstood the “change in government” comment. In a parliamentary context that might refer to an election yielding a new party in the majority. In the USA, however, it’s more likely he meant a change in the form of government, i.e., a new constitution. (That being said, a tyranny could certainly be constructed upon the current form.)
Why all this spying on citizens? When even before the terrorist attacks in Boston Russian secret services warned the American police Tsarnaevyh of links with terrorist groups, but U.S. intelligence agencies ignored these warnings.
Because Anti-terror and mass surveillance budgets do not increase without terrorist attacks?
Maybe.
Or for public acceptance of pervasive, intrusive spying by domestic agencies?
Great stuff. But: “If China was to intercept our phone calls, I wouldn’t like that but I wouldn’t worry that Chinese authorities would bang on my door and haul me to prison because I don’t live in China.” Tell that to the families of people killed by US drones.
Matthias
The human condition has never been so good and so bad as it is today. In the end, we all have a bit of a selfish lens on how we view the world. Thanks for reading the post.
Thanks @jalderwood for reading. I appreciate you taking the time to plow through this.
Quote from JXM above –
“The institutions of the state will use whatever means at their disposal to maintain and grow their power, whether it is the Politburo, the Reichstadt, the IRS or the EPA. When threatened, the gloves will come off and the claws will lash out.”
Just to elaborate on this – “Statism is Dead” http://www.youtube.com/watch?v=PGIgOIFdnMQ
The idea that any kind of ‘push back’ from the general population will make a blind bit of difference is as laughable as it is naive. The political pantomime keeps the masses thinking their choices make any kind of difference, even after we see how ‘Yes We Can!’ Obama does nothing but reinforce the acts of the Republican administrations. They are all the same, following an agenda we are not privy to.
Move to the country, get off the internet and just get on with living.
What’s great about the example Mr. Zimmerman is setting for us now: More than just sharing his opinions, he’s walking his talk. Shutting down the company he co-founded rather than co-opt his principles is a courageous act. It is all the more amazing considering all the established companies that failed to put up the least amount of visible resistance. Thanks, Phil!
Push back from the “policy space”? Would that space be best defined as where citizens affected by the policy live, and move, and have their being? IOW: anywhere YOU are now is part of the “policy space.” Push back starts there. Do it.
http://www.sandiego6.com/story/cia-director-brennan-confirmed-as-reporter-michael-hastings-next-target-20130812
The most pernicious example of the loss of privacy was recently demonstrated by the Drug Enforcement Agency. They were alerted to the existence of a drug operation by NSA data collectors who had neither probable cause nor a warrant. To deceive the judicial system, DEA crafted an investigation to document facts they already knew by illegal means. In their minds, it was just like using a snitch, but it wasn’t.
The object of our legal system is to protect our lives, property and our liberties. Couple the state surveillance systems with the explosion of government regulation and virtually every citizen could be arrested for some offense every day – what Glenn Reynolds calls the “ham sandwich nation.”
We, the people, must push back very hard.
I post as somebody who initially had few problems with the PATRIOT Act. I am now horrified at what has happened. This isn’t a partisan thing (I respected Romney but wouldn’t trust him with these powers) and am livid at Republicans and Democrats opposing even cursory methods to curb the FISA courts absurd stretching of the government’s authority.
Even worse, the government is not the worst violator of privacy and that is profoundly depressing.
Our SOCIETY has become the Stasi. And people don’t seem to care. It’s disheartening. Google, Facebook, etc should be nailed with antitrust suits but they never will be. People should be livid when their communications are not protected.
It should be doubly infuriating that the trampling of our rights isn’t even effective. It’s not like terrorism has been impacted terribly. We sacrifice freedom for no better security.
I wish you had — wait! Awesome. Past possible lives include cryptographer Ron Rivest:
http://en.wikipedia.org/wiki/Rivest
Then Phil Zimmerman, boom-boom, bang-bang, lie down, you’re dead such that I wish both of these commented on a computability place to stay. Poppy Om-Ma, what’s wrong with encoding and decoding when both sides of the tracks are not to understand or to create? Rather if P = NP, it is a matter of timing. I came in. Humans do no “human” timing, like six connects to every minute 46,000 / 60 = ~7500 times. The first time a song is sung to the last time it fades out, you can hide, hide, hide. It’s really not much longer to denominate the whole song form, from no songs in the interval with only a spurious blip for mankind, birth to death (safe) and North (from Safe) to South, apparently to make them give (by bravely flying) it back.
Right, we’re low, not real delivered of self.