Greplaw Interviews Phil Zimmermann

LawGeek writes "The venerable GrepLaw crew has struck again, this time with Editor Mikael Pawlo interviewing PGP author and all-around encryption expert Phil Zimmermann. Pawlo discussed a number of topics with Zimmerman, including the current state of encryption export laws, DRM, and activism against erosion of privacy both in the U.S. and internationally. The interview is here."

from the article

[nounderscores]

# But you donâ(TM)t code any more?

I havenâ(TM)t written code in many years. I am active in policy space rather writing code, doing a lot of public speaking. There is a lot of need for activism now in the shadow of the Patriot Act.


Interesting. I would have thought that hammering out the bugs in the law would have been the oldest form of coding.

___________________________________
The Spiders are coming.

Re:fingerprint scanners in police cars

But is it just checking against a database of existing fingerprints, or does it then add you to the database once it has you scanned? And what about the next step in forensics, DNA? Would you like DNA scanners in police cars?

Re:fingerprint scanners in police cars

[csguy314]

It might have prevented the dispute in court over driver's license photos and muslim women wearing veils...with a fingerprint, you dont need picture ID, and its more reliable.

[off-topic]
I was just discussing the issue of this Muslim woman today. As a Muslim I think this woman is doing something kind of dumb. There is nothing in the Quran about covering a women's face. During prayers, in fact, her face must not be covered. So I haven't a clue where they get the idea that they need to wear a veil over their face. And this is specifically for a piece of identification. How the hell are you supposed to identify someone that's covering their face? In fact I've heard suggestions that maybe bin Laden escaped the US in Afghanistan by posing as a veiled woman. It's not beyond comprehension.
But if this woman refuses to be identified, then perhaps she should not be allowed the responsibility of driving. It makes it possible for her to abuse the system and others to abuse her. She could claim some other person wearing a veil caused an accident that she caused, or it's possible someone wears a veil and does something specifically to incriminate her. It's a very unnecessary complication.
[/off-topic] That being said, fingerprints are a bad idea. As another poster mentioned, you leave fingerprints everywhere. And just having them on file and being in the wrong place can make you suspect in something which you have no idea about. It gives far more opportunity for abuse by authorities, and it's naive to think they won't be more abusive the more opportunity you give them.

The single greatest moral of the story

[ShatteredDream]

Is that the line between law enforcement officers as peace officers and law enforcement officers as oppressors is very thin in most situations. The federal law enforcement apparatus is slowly beginning to aspire to KGB-level power over the population.

Look at Waco for instance. I'm not a fan of cults like the Branch Davidians, but the use of military-grade hardware like small tanks against a compound that is guarded by a bunch of yokels with at best automatic weapons is a great cause for concern. What most people don't know is that Waco was so badly screwed up that it had to be deliberate. It is not a conspiracy theory to say that the FBI and other agencies wanted to make an example out of them because they had something like 6 months to a year where David Koresh walked everday to wal-mart for supplies. I come from a federal law enforcement family and both my parents agree that in light of how many opportunities they had to NOT make an explosive situation it was literally criminal what the feds did. Same goes for Ruby Ridge.

The majority of police working in these areas don't care about your freedom or your privacy anymore. If they did they'd have given up on bullshit like the Clipper Chip and export regulations. We live in a society in which it is not feasible to keep our technology under wraps. It would be trivial for Al Qaeda to smuggle PGP out of our country; all they'd have to do is get someone inside our country, buy a single copy and send it from a public library to the Middle East.

We can only lose by listening to these security chicken littles because if we did everything we could to make our country secure, we'd resemble a slightly right-wing version of the Soviet Union. There would be no public internet access, no freedom of mobility, no right to keep and bear arms (which saves more lives than all cops in America combined), no right to security in your house and person, no freedom of association, and probably no property rights either. I won't live like that and I consider anyone who would to be worthy of death. They aren't human and because they reduce themselves so low they are a disgrace to our species. Not that I advocate murdering them, but rather I only laugh my ass off at them when they get hurt or killed. Good riddance, we need more people that won't change their lives to accomodate the terrorists, whether they're associates of Al Qaeda, have a General Services rank or call themselves Representative or Senator.

Government can't protect you preemptively, that is the indirect moral of this story. The police can pick up the pieces and get justice, but that's usually about it. Here's a novel thought, let's legalize assassinating terrorists. But this was never about terrorism and national (or is it fatherland) security, it was about big government justifying its Cold War level of control over the people. The worst parts of Communism aren't dead, they're festering in the White House and most of the law and order Republican types can't see that they've already lost. Bob Barr was kicked out because he had the audacity to call out Bush on issues like TIPS where he said, "this program smacks of the very fascist and communist governments that we have faught for so long."

So it's not healthy to be a true patriot and political traditionalist in America anymore. You call for a modern form of the government we started out with (in other words, nothing like slavery) and you're called idealistic, short-sighted and soft-headed. The irony of it is that the true hard-headed people have always advocated limited government and a simultaneously isolationist and Machiavellian foreign policy. We'd be a lot more secure if we minded our own business and made people pay handsomely in blood for every single violent transgression against us. For example we'd have fewer problems with Saudi-funded terrorists if after every such attack against us, the CIA sent its SOG commandos into Saudia Arabia and blew up a few civilian targets. You want respect in war and politics? Show that if you have to choose between doing the right thing and surviving that the former never gets in the way of the latter.

Re:Zimmerman's contradictory opinions

[Rambo]

When asked about DRM, he said it was bad that a person could restrict who reads his data. Or does Zimmerman have a bias against companies?

I think you're missing the point. The companies utilizing DRM are using it to prevent you from making full use of the content which you purchase. This is in contrast to you encrypting mail which is simply to keep spying eyes from peering into your private life.
However, I did have one concern about a wholesale use of encryption for personal affairs. Suppose I keep a personal journal and I use encryption; who's to say that I won't get run over by a truck, thereby effectively locking that information forever? Ideally I'd like to think that my grandchildren and so forth could learn and appreciate me as a person by reading it when I'm gone. You can't really write down the password as you don't want it falling into the wrong hands (i.e. government), but there's a terrible risk that it may never be readable in the future. Ditto for personal email, which can also be important to future generations.

Re:fingerprint scanners in police cars

[bheer]

> with a fingerprint, you dont need picture ID, and its more reliable.

The problem with any kind of biometric ID is that it's only as secure as the database that it checks against. Security based solely on biometric ID is very brittle -- because it's allegedly so "strong", once broken (by hacking into the database, by using someone else's eyeball) you have massive and nearly undetectable breaches of security.

The best security systems are not brittle. And for driver's licenses, photo ID does provide appropriate level of malleability.

Re:Better than Aimee Deep

[mpawlo]

I think that is a perfectly sensible idea (disregarding the "idiot" part of your submission) that I will pass on to the Greplaw editors.

Regards,

Mikael

Veils and Driver's Licences.

[pcwhalen]

Gosh this is offtopic but here goes....

There is no right to drive in the US. It is a privilege imparted to citizens of the various states by the state's government. As such, the state may regulate conduct and licencing with regard to driving.

Too bad, so sad. No veils if the state says "no." The Supreme Court has held on numereous occassions that states have the right to protect their citizens. Where religous freedom contradicts state edicts, the SC looks to see if the edict is a right or a priviledge. Where it is only a priviledge, the state always wins.

Driving is a privilege. Enjoy it.

Re:fingerprint scanners in police cars

[oobar]

Aside from the general tinfoil-hat paranoia, there are two large problems:

1. It's not as reliable as you'd think. There was a slashdot story a while ago about a study of the most common fingerprint readers on the market and the conclusions were quite horrifying. For one thing, it was found that the majority of them could be easily faked with easy-to-obtain materials like gummy bears and scotch tape.
2. If someone were to lift your prints off something you touched, and then commit identity theft, there's no easy way for you to get new fingerprints. I know this doesn't directly apply to the case of fingerprint readers in cop cars, but the point is that if that were to happen then law enforcement would become even more dependent on prints, moreso than they are now...perhaps to the point where they are solely dependent. If the ONLY ID you have is your fingerprints (as opposed to a passport, drivers license, etc.) then your life becomes significantly more complicated when identity theft or fraud is involoved.

Need for telephone encryption

[Johnny+Pissoff]

I'm surprised that the interview made no mention of the use of encryption in telephone communications. Recently Bruce Schneier in his Crypto-gram newsletter pointed out that based on the US governments report on wiretapping that telephone encryption was rarely encountered and even when it was encountered it never presented a problem to the government in obtaining the cleartext of such encrypted communications.

It seems there is a real need both for strong, open-source cryptographic solutions for VoIp applications and some kind of open-source hardware for telephone communications. Open source because presumably the problem with current telephony encryption is that its closed source implementation has made it easy for the government to crack, as Schneier points out.

Since PZ once wrote an PGPfone for encrypted VoIP communications I'd really like to hear his opinion on this topic.

Re:Terrorism and PGP

[curious.corn]

Italian terrorist group "Red Brigades" militants responsible for the assasination of law professor Marco Biagi are said to have used encryption to store sensitive data on their Palm handhelds. Italian press mentioned something like symmetric key but nothing about key strenght (but our press is completely clueless when it comes to IT and some tech crime specialized policemen don't miss a chance to spread FUD). Sicilian Mafia bosses on the run have messengers carry carefully ironed and folded paper sheets to detect unauthorized access to the clear-text inside, while other use GSMs stolen or bought with false names. There's just an extremely wide array of information protection or obfuscation and singling one out just for the sake of 'calling enemy' is plain stupid... would you call Ford a criminal for helping bank robbers in their escape? The Wright brothers for making aeroplanes! Since dawn of mankind technology and scientific conceps have been used to kill people more efficiently but it doesn't mean we should turn back to berry-gathering.

Boo!

[Feztaa]

# Could [open source licenses like the GPL] have been an alternative for PGP instead of making it freeware?

There is a place for products under different licenses. There is a place for products under the GNU GPL, also cryptographic products. However, GNU GPL is not enough for everyoneâ(TM)s needs. Some software needs to be sold for profit. Some software can not depend on hobby-programming conducted on weekends and other spare-time by programmers having other day-jobs. There is a place for that. But PGP needs more focused development than that.

I'd really like to know how he feels about the GnuPG project, in that case.

It also kind of bothers me that he seems to think that the GPL prevents you from selling your code.