Interview With Encryption Advocate Phil Zimmermann Regarding VoIP
After the government dropped its case in 1996, Zimmermann founded PGP Inc. Network Appliance bought that company in 1997. In August, 2002, PGP was acquired by PGP Corp., where Zimmermann still works as an advisor and consultant. I spoke with him at the recent RSA conference in San Francisco.
q: Tell us about your history.
a: Most people know me for my work with PGP, or Pretty Good Privacy, which is the world’s most widely used email encryption software. Most readers of the Mercury News who follow encryption software know about PGP. It caused a controversy in the 1990s because the government tried to incarcerate me for releasing it.
q: You released it what year?
a: 1991.
q: You had to fight with the government for how long?
a: For three years. From the beginning of 1993 to the beginning of 1996.
q: That was the age when releasing strong encryption was against government policy. They didn’t want to see it exported.
a: Fortunately we’re all past that now.
q: And what have you moved on to do?
a: My latest project is to encrypt voice over the Internet phone calls. I did that ten years ago with PGP phone. But at that time, the Internet wasn’t ready. Nobody had broadband and there were no VoIP standards. But today, it’s time to do it again. And so the new project is called Zfone. You can read about it at www.philzimmermann.com.
q: Can you spell out the technology and the idea?
a: I encrypt VoIP phone calls with a protocol that does not depend on the phone company to help you negotiate the keys. It is something that leaves the phone company out of it. I think people would feel more comfortable with an encryption protocol that leaves the phone company out.
q: Why is that?
a: I’m sure you’ve heard of the recent controversies about phone companies cooperating with …
q: The National Security Agency?
a: Exactly.
q: They always leave a backdoor into the technology for the government to do wiretapping?
a: Yes, but I don’t. I’m sort of well known for that.
q: Can you explain how this works then?
a: I negotiate a cryptographic key at the beginning of the VoIP call. I do it without any communication with servers or the signaling that goes through the phone company. I do it entirely between the media packets that flow between the two parties on the call. I negotiate a key using the Diffie-Hellman protocol (named after the inventors), and the two parties can verify that there is no man in the middle listening in. They can compare a short authentication string. You read it aloud and see if it matches. If you don’t bother to take that step, it’s still pretty secure.
q: Is this pretty unique?
a: For VoIP, yes. There are other VoIP encryption protocols. But they usually involve going through servers or the phone company. Or they involve a public key infrastructure which is quite complex and bureaucratic and difficult to manage. In my system, the keys are created at the beginning of the call and destroyed at the end of the call.
q: Why should consumers care about this? They haven’t cared about it with regular phone calls.
a: That’s right. The public phone system was a pretty good system. It is physically protected. It’s not easy to wiretap. The only people who do wiretap it in most cases are law enforcement. Of course, you could find a few isolated cases where a determined criminal got to some place and listened to calls with alligator clips attached to a line. Those cases were exceedingly rare.
q: It was risky because you could get caught.
a: But VoIP changes all that. It’s very easy for anyone to wiretap. If they were to infect one of your computers with specially designed spyware, they could wiretap all the VoIP phones in your building. Say you have a couple of thousand computers. If one of them got infected with spyware, it could intercept all the VoIP packets that it sees on the network and intercept them. It could store them to a disk. Then the person using the spyware could browse them like you would with a Tivo player. You could choose which calls you want to listen to. The spyware could organize them by who is calling who. I’ve seen spyware like this. You can do it from the other side of the world through a web interface. Somebody in another country can control the spyware running on one of the computers in the office and listen to all of the calls from the CEO of your company to a CEO of another company that is an acquisition target. Or they could listen to your in-house counsel talking to an outside law firm. Or, let’s look at it from law enforcement’s point of view….
q: From what you describe here, does that require much sophistication on the part of the person using the spyware?
a: Organized crime is attacking the Internet all the time. The Internet is becoming an incredibly hostile place. A few years ago, no one imagined the Internet would become as hostile as it is today. A few years ago, you worried about teen-age boys with black T-shirts and purple hair hacking into your computer and having fun with it. Now it is organized crime hacking into your computer to do large-scale criminal enterprises like phishing attacks. Organized crime makes a lot of money from the Internet. When VoIP grows large enough to attract their attention, they will begin attacking it as well. They will be able to intercept phone calls. They will get insider trading information. The individuals doing it don’t have to be sophisticated. They aren’t the ones that wrote the software. You might have some people in Russia who write software that they sell to criminals who use it. This also means that organized crime could wiretap prosecutors and judges. They could get the names of informants and witnesses. They could listen to prosecutors and judges talking to their spouses about picking up the kids at school. This could have an enormous impact on the effectiveness of the criminal justice system.
