Q&A with Phil Zimmermann
Who: Phil Zimmermann
Title: Independent data security consultant
Where: Palo Alto
Biggest Hit: Released Pretty Good Privacy, an encryption scheme for electronic mail, in 1991. PGP and PGP-compliant applications are now the most frequently used programs for email encryption in the world.
Next Big Thing: Zimmermann is preparing to release ZFone, a working title for his latest application, which is aimed at encrypting VoIP calls. He envisions a suite of ZFone products, including software that will run on an existing VoIP client, as well as software that could reside on routers.
A conversation with Phil Zimmermann
By Sean Wolfe
Special to IP Inferno
Interviewed Wednesday by telephone, privacy advocate and PGP inventor Phil Zimmermann was generous with his time, and held forth on a number of issues, including his prospects for ZFone, a product he is developing that would encrypt calls made using VoIP.
The name “ZFone” is a working title for the product and Zimmermann is holding a contest on his Web site to give the products a flashier appellation. Currently, the product exists in prototype form for the Macintosh, but he plans to create a Windows version in the near future. He is currently at work raising money to underwrite the development of the product suite, assembling a management team, and working out a way he can distribute his prototype without running afoul of federal export restrictions.
SW: You first announced the product at the Black Hat Security Conference in Las Vegas two weeks ago. Is it typical to do product launches at such conferences?
PZ: I’ve only had two products in my life that were entirely my own creations – PGP and this one. PGP was not announced at a conference. I announced it on Usenet newsgroups back in 1991, but people don’t really use Usenet anymore, or if they do, it’s not in the same way, so I chose a conference setting.
SW: What was the reception there like to the announcement?
PZ: It was very positive. People were enthusiastic, and I also did a similar announcement the next day at DefCon, and that also went very well.
SW: What kinds of issues were raised in conversations you had at those conventions? Did people there really see a need for the product?
PZ: I think everyone there recognized the importance of VoIP as an emerging technology. I also think everyone recognized there are security problems with VoIP. At other conferences there wasn’t as much awareness, but at Black Hat, which mostly attracts security professionals, they were quite aware of VoIP’s security issues.
SW: There’s been some talk amongst the trade press, including here at IP Inferno (see our most recent podcast), that encrypting VoIP calls is something of a solution in search of a problem. How do you react to that?
PZ: (chuckles) Everyone who hasn’t been living under a rock the past few years knows the Internet is a rough neighborhood. The fact is, the Net is a playground for criminals. There are all manner of criminal exploitations going on right now, whether you’re talking about phishing, identity theft, distributed botnets, or malware that infects PCs within minutes of connecting to the Internet. Clearly, if we are to move our phone calls into such a hostile environment, we will
SW: I think we’ve all read many of those stories, sometimes on a weekly basis, but how does that apply to VoIP calls? Isn’t there a kind of intrinsic security through obscurity, because of the labor involved in actually finding a specific conversation that could contain sensitive information?
PZ: Not really. There’s a piece of malware out there that if it can infect just one computer in the enterprise, it can sit there, capture all the VoIP calls made on your network, record them to disc, and organize those recordings like a Tivo player. In other words, these recordings can be browsed and selected for persons of interest to listen to. For instance, one could hear all the calls made by the in-house counsel to the outside law firm. Or what one CEO says to another. I think a lot of people are accustomed to the relative safety of PSTN (public switched telephone network), which we’ve had for a century. But the PSTN is like a well-manicured neighborhood compared to the crime-ridden slum of the Internet.
SW: That’s a pretty dark picture you’re painting.
PZ: You bet.
SW: That said, I’ve not read any stories about VoIP networks being exploited in the way you describe.
PZ: It’s a new medium, and it’s a matter of time. But think about this. Not a week goes by without another scandalous revelation about thousands of IDs stolen because of hackers breaking into this or that computer, or backup tapes from a UPS truck. I read this in the news constantly. We’re going to see the same thing happen with VoIP.
PZ: Unless we start protecting these calls with powerful encryption.
SW: So you’re advocating against complacency.
PZ: People who think there’s no problem with VoIP need to remember that we’ve heard the same things from complacent IT managers about email encryption years ago. These are the same IT managers who are now red-faced victims of break-ins and massive identity theft.
SW: What about the argument that law-abiding citizens don’t need to worry about encrypting their calls, because they don’t have anything to hide? And as a corollary argument, what about the idea that if it’s tough to wiretap VoIP calls, that could ultimately aid wrongdoers?
PZ: I’ve maintained that we need to protect our nation’s critical infrastructure from attacks by criminal organizations, terrorists and foreign governments.
The debate now about how this could be used improperly is very similar to the whole crypto debate in the 1990s about PGP, and export restrictions.
That question of whether strong cryptography should be restricted by the government was widely debated: the White House, the NSA, the FBI, the courts, the Congress, the computer industry, academics, and the press all got involved. This debate fully took into account the question of whether terrorists or criminals would benefit from using strong crypto, and in fact, that was one of the core issues of the debate. Nonetheless, the collective view was this – the FBI's objections notwithstanding: We would be better off with strong crypto, unencumbered with government back doors.
Ultimately, the export controls were lifted and no domestic controls were imposed. I feel this was a good decision, because we took the time and had such broad expert participation.
As we contemplate this momentous migration of our phone calls from PSTN to VoIP, it would be a bad move to reverse such a careful decision, one that will not only hurt our democracy, but also dangerously increase vulnerability of our nation’s critical infrastructure.
SW: But now the FCC has announced it is in favor of broadband providers providing backdoors to their networks for purposes of law enforcement wiretapping. So it would appear that that careful decision you describe has already been reversed.
PZ: I haven’t read the FCC’s recent decision.
SW: The text is not yet available as I understand it, but the gist of it is in their press releases.
PZ: I have a lot to say about my project and the design approaches I’ve taken, but when it comes to trying to evaluate how the FCC rulings affect me, I’m a little reluctant to speculate.
As I understand CALEA, it mainly applies to service providers, especially where things touch the PSTN. The point here is that I’m not a service provider, I just want to make products for people to use. For example, if you had to talk to someone with a normal telephone on the PSTN, and you had a VoIP connection, at some point the call has to go through a gateway from the network to the PSTN, so it would have to be decrypted. That would be a convenient place to wiretap, if the government chose to do so, but by definition, it would be outside the scope of my product space.
SW: Back to email, and PGP for a second. What about the critics who cite the fact that, because the bulk of email goes unencrypted, PGP is a solution in search of a problem as well?
PZ: Well, again we get back to the fact that we’re sending live customer data through a network that could be compromised en route, or at its destination where it’s stored. The fact that few people do encrypt their email is not an indication of a lack of need to encrypt it. If we did encrypt more of our data traffic, there would be fewer of these massive compromises, and less data and ID theft.
I maintain that email should be encrypted in transit and in storage. I think we were right all along about that, and only now, with scandalized IT managers having been caught with their pants down in the press what seems like every week, are people starting to wake up and smell the coffee.
SW: PGP seems pretty popular among those who do encrypt.
PZ: And wildly so. If you look at the pie chart of all email sent, you’re right, a small sliver of it is encrypted. But if you look at that small sliver, and expand it into its own pie chart, PGP (and OpenPGP compliant products) make up practically the whole pie.
I like to say that you need sensitive laboratory instruments to detect the pharmaceutical impurities of non-PGP encrypted email.
SW: So what are the next steps with regard to getting this product out? I understand you have a working prototype. How can people get their hands on it?
PZ: I do have a working prototype I can give to people. I’m currently working on raising funding, and getting a management team together. I’ve decided I’m not going to write a VoIP client from scratch, so I’m going to have to license one. But this and the other products on the roadmap all have fairly short development cycles.
SW: What are you looking for by way of capital?
PZ: I’m looking for an A-round in the $5 million range, and a seed round in the sub-million range, around $700k or so.
SW: So we’ll see all this sometime in ’06-07?
PZ: No, that’s too pessimistic. There will definitely be releasable products ready within a year.
SW: So what about the prototype? Can our readers play with it?
PZ: Right now we’re getting the mechanisms in place for a Web page that checks the person who is downloading it and ensures they aren’t from North Korea, or Iran, or another embargoed nation. It will probably be the end of this month before we have that in place. In the meantime, I’ve been giving it to individuals one at a time.
SW: Thank you very much for your time.
PZ: You're quite welcome.