Greplaw Interviews Phil Zimmermann

LawGeek writes "The venerable GrepLaw crew has struck again, this time with Editor Mikael Pawlo interviewing PGP author and all-around encryption expert Phil Zimmermann. Pawlo discussed a number of topics with Zimmerman, including the current state of encryption export laws, DRM, and activism against erosion of privacy both in the U.S. and internationally. The interview is here."

fingerprint scanners in police cars

[AyeFly]

Whats wrong with that? It might have prevented the dispute in court over driver's license photos and muslim women wearing veils...with a fingerprint, you dont need picture ID, and its more reliable.

Re:fingerprint scanners in police cars

But is it just checking against a database of existing fingerprints, or does it then add you to the database once it has you scanned? And what about the next step in forensics, DNA? Would you like DNA scanners in police cars?

Re:fingerprint scanners in police cars

[Dr+Reducto]

...But technology can fail. Technology can also be "hacked". Technology should only be used as a supplement and taken wih a grain of salt when accuracy absolutely matters. Like the Naval saying: Satellites fail, compasses do not.

Re:fingerprint scanners in police cars

[nounderscores]

The difference is that you don't leave your photograph on every door handle and toilet seat you touch... or at least I don't.

______________________________
The Spiders are coming

Re:fingerprint scanners in police cars

[stratjakt]

Bullshit.

You leave your photograph in every store you go to, every public washroom you enter, every highway you drive on.

You're captured on film at least a dozen times a day. At least I am (and other people who go outside).

It's a lot less work to have a computer scan the tapes for the same face than to send crews to dust for fingerprints over the entire planet multiple times daily.

Noone cares where you go to take a dump.

Re:fingerprint scanners in police cars

[csguy314]

It might have prevented the dispute in court over driver's license photos and muslim women wearing veils...with a fingerprint, you dont need picture ID, and its more reliable.

[off-topic]
I was just discussing the issue of this Muslim woman today. As a Muslim I think this woman is doing something kind of dumb. There is nothing in the Quran about covering a women's face. During prayers, in fact, her face must not be covered. So I haven't a clue where they get the idea that they need to wear a veil over their face. And this is specifically for a piece of identification. How the hell are you supposed to identify someone that's covering their face? In fact I've heard suggestions that maybe bin Laden escaped the US in Afghanistan by posing as a veiled woman. It's not beyond comprehension.
But if this woman refuses to be identified, then perhaps she should not be allowed the responsibility of driving. It makes it possible for her to abuse the system and others to abuse her. She could claim some other person wearing a veil caused an accident that she caused, or it's possible someone wears a veil and does something specifically to incriminate her. It's a very unnecessary complication.
[/off-topic] That being said, fingerprints are a bad idea. As another poster mentioned, you leave fingerprints everywhere. And just having them on file and being in the wrong place can make you suspect in something which you have no idea about. It gives far more opportunity for abuse by authorities, and it's naive to think they won't be more abusive the more opportunity you give them.

Re:fingerprint scanners in police cars

[bheer]

> with a fingerprint, you dont need picture ID, and its more reliable.

The problem with any kind of biometric ID is that it's only as secure as the database that it checks against. Security based solely on biometric ID is very brittle -- because it's allegedly so "strong", once broken (by hacking into the database, by using someone else's eyeball) you have massive and nearly undetectable breaches of security.

The best security systems are not brittle. And for driver's licenses, photo ID does provide appropriate level of malleability.

Re:fingerprint scanners in police cars

[evilviper]

While driving down the street, the police can't look over and identify you based on your fingerprints... Even with fingerprint scanners in police cars, photos are needed.

with a fingerprint, you dont need picture ID, and its more reliable.

Yes, but the potential for abuse is much higher. Walking down the street some nights, the police think you look suspicious. They don't have any reason to take you in, but they could fingerprint you and find out your entire history in an instant.

Also, that would mean the police would have MANY more fingerprints on file. It's really just one step away from police finger printing every person in the country.

What's wrong with it? Well, it's a matter of opinion. If you believe in police states, nothing is wrong with it at all. If you believe even slightly in privacy, there is much wrong with it...

Re:fingerprint scanners in police cars

[oobar]

Aside from the general tinfoil-hat paranoia, there are two large problems:

1. It's not as reliable as you'd think. There was a slashdot story a while ago about a study of the most common fingerprint readers on the market and the conclusions were quite horrifying. For one thing, it was found that the majority of them could be easily faked with easy-to-obtain materials like gummy bears and scotch tape.
2. If someone were to lift your prints off something you touched, and then commit identity theft, there's no easy way for you to get new fingerprints. I know this doesn't directly apply to the case of fingerprint readers in cop cars, but the point is that if that were to happen then law enforcement would become even more dependent on prints, moreso than they are now...perhaps to the point where they are solely dependent. If the ONLY ID you have is your fingerprints (as opposed to a passport, drivers license, etc.) then your life becomes significantly more complicated when identity theft or fraud is involoved.

from the article

[nounderscores]

# But you donâ(TM)t code any more?

I havenâ(TM)t written code in many years. I am active in policy space rather writing code, doing a lot of public speaking. There is a lot of need for activism now in the shadow of the Patriot Act.


Interesting. I would have thought that hammering out the bugs in the law would have been the oldest form of coding.

___________________________________
The Spiders are coming.

Greplaw: In the spirit of Aimee Deep . . .

[Nix0n]

So Phil, what is your position on the question of balancing national security concerns against the civil rights of said nation's citizens, in the context of allowing citizens to use uncrackable encryption ?

OMG! That is like the COOLEST QUESTION ! Wow, I'm like totally into law and stuff, and like did you look at my boobies? No, they're not real! OMG, as if!

In other news...

[zakezuke]

Glove sales are up... and public restrooms are wondering why there are footprints on the flush control.

Zimmerman's contradictory opinions

[geekee]

When asked about encryption technology, he thought it was great that a person could control who read his data. When asked about DRM, he said it was bad that a person could restrict who reads his data. Or does Zimmerman have a bias against companies? A person should be free to encrypt data, but not a company? Or is is, you should be able to encrypt data unless you're selling it? DRM is encryption. I don't see why this guy thinks some people have the right to use it while others don't, just because he thinks it's bad for society somehow when some people use it. He didn't care that terrorists were using PGP, but was concerned about the music industry using DRM. That I find disturbing.

Re:Zimmerman's contradictory opinions

[mpawlo]

That is a good observation I should have made myself during the interview. However, I never posed a question in this respect - my mistake. Reading only from the transcript you may not reach the conclusion you suggest. Mr Zimmermann spoke of both DRM and encryption as problems for the future access to archives. If he hosts double-standards the way you suggests regarding DRM and enryption, I can not tell.

I do not think Mr Zimmermann is corporate-hostile in general, though, since he makes his living selling his knowledge to companies striving to protect their data.

Regards,

Mikael

Re:Zimmerman's contradictory opinions

[Rambo]

When asked about DRM, he said it was bad that a person could restrict who reads his data. Or does Zimmerman have a bias against companies?

I think you're missing the point. The companies utilizing DRM are using it to prevent you from making full use of the content which you purchase. This is in contrast to you encrypting mail which is simply to keep spying eyes from peering into your private life.
However, I did have one concern about a wholesale use of encryption for personal affairs. Suppose I keep a personal journal and I use encryption; who's to say that I won't get run over by a truck, thereby effectively locking that information forever? Ideally I'd like to think that my grandchildren and so forth could learn and appreciate me as a person by reading it when I'm gone. You can't really write down the password as you don't want it falling into the wrong hands (i.e. government), but there's a terrible risk that it may never be readable in the future. Ditto for personal email, which can also be important to future generations.

Re:Zimmerman's contradictory opinions

[HeghmoH]

It's not contradictory at all.

Encryption, the way PGP works, is a way to prevent third parties from getting at data you don't want them to.

DRM is a way to prevent the user from using data that was given to him in "unapproved" ways.

Once you get an e-mail and read it with PGP, you can do anything you want with it. You can copy-paste it into a Word document, you can forward it to a million-member Yahoo mailing list, anything you want. DRM is fundamentally different in that it's not for protecting against unauthorized use by third parties, but for protecting against unauthorized use by the person who supposedly owns the data (or a license).

Re:Zimmerman's contradictory opinions

[Jade+E.+2]

Once you get an e-mail and read it with PGP, you can do anything you want with it. You can copy-paste it into a Word document, you can forward it to a million-member Yahoo mailing list, anything you want

Actually, PGP (the new-ish versions, anyways) has an option when encrypting to only allow the decrypted message to be displayed in PGP's 'Secure Viewer', which prevents you from copying or saving the information (and, optionally, displays it in a grey on slightly-lighter-grey color scheme to try to prevent Tempest attacks). It also has other properties, such as preventing the message from being written to swap/page files (and windows hibernation files).

Of course, you can still just re-type it yourself, but it is distinctly DRM-like in that it requires extra effort to defeat the security, while not really offering any more protection. Of course, the difference is that when receiving a PGP message, the recipient generally *wants* the data to remain secure, and in DRM's case the recipient generally doesn't.

Re:Better than Aimee Deep

[mpawlo]

Here are links to more Greplaw interviews that you may find interesting:

Patrik Faltstrom on IESG, IETF etc.

Don Marti on free software, patents and the Internet.

Cyberlaw profiles: Jennifer Granick.

We try to interview interesting people who one way or another affect and form Internet law and policy. Feel free to suggest people we should interview.

Regards,

Mikael

The single greatest moral of the story

[ShatteredDream]

Is that the line between law enforcement officers as peace officers and law enforcement officers as oppressors is very thin in most situations. The federal law enforcement apparatus is slowly beginning to aspire to KGB-level power over the population.

Look at Waco for instance. I'm not a fan of cults like the Branch Davidians, but the use of military-grade hardware like small tanks against a compound that is guarded by a bunch of yokels with at best automatic weapons is a great cause for concern. What most people don't know is that Waco was so badly screwed up that it had to be deliberate. It is not a conspiracy theory to say that the FBI and other agencies wanted to make an example out of them because they had something like 6 months to a year where David Koresh walked everday to wal-mart for supplies. I come from a federal law enforcement family and both my parents agree that in light of how many opportunities they had to NOT make an explosive situation it was literally criminal what the feds did. Same goes for Ruby Ridge.

The majority of police working in these areas don't care about your freedom or your privacy anymore. If they did they'd have given up on bullshit like the Clipper Chip and export regulations. We live in a society in which it is not feasible to keep our technology under wraps. It would be trivial for Al Qaeda to smuggle PGP out of our country; all they'd have to do is get someone inside our country, buy a single copy and send it from a public library to the Middle East.

We can only lose by listening to these security chicken littles because if we did everything we could to make our country secure, we'd resemble a slightly right-wing version of the Soviet Union. There would be no public internet access, no freedom of mobility, no right to keep and bear arms (which saves more lives than all cops in America combined), no right to security in your house and person, no freedom of association, and probably no property rights either. I won't live like that and I consider anyone who would to be worthy of death. They aren't human and because they reduce themselves so low they are a disgrace to our species. Not that I advocate murdering them, but rather I only laugh my ass off at them when they get hurt or killed. Good riddance, we need more people that won't change their lives to accomodate the terrorists, whether they're associates of Al Qaeda, have a General Services rank or call themselves Representative or Senator.

Government can't protect you preemptively, that is the indirect moral of this story. The police can pick up the pieces and get justice, but that's usually about it. Here's a novel thought, let's legalize assassinating terrorists. But this was never about terrorism and national (or is it fatherland) security, it was about big government justifying its Cold War level of control over the people. The worst parts of Communism aren't dead, they're festering in the White House and most of the law and order Republican types can't see that they've already lost. Bob Barr was kicked out because he had the audacity to call out Bush on issues like TIPS where he said, "this program smacks of the very fascist and communist governments that we have faught for so long."

So it's not healthy to be a true patriot and political traditionalist in America anymore. You call for a modern form of the government we started out with (in other words, nothing like slavery) and you're called idealistic, short-sighted and soft-headed. The irony of it is that the true hard-headed people have always advocated limited government and a simultaneously isolationist and Machiavellian foreign policy. We'd be a lot more secure if we minded our own business and made people pay handsomely in blood for every single violent transgression against us. For example we'd have fewer problems with Saudi-funded terrorists if after every such attack against us, the CIA sent its SOG commandos into Saudia Arabia and blew up a few civilian targets. You want respect in war and politics? Show that if you have to choose between doing the right thing and surviving that the former never gets in the way of the latter.

Two different problems.

[dmaxwell]

Email encryption is intended to keep third parties out of private communication. With PGP nothing stops the other side from divulging his end of the conversation to others. Sure some corporate mail clients may try to mark mails unprintable, unsaveable and what not but that won't defeat a digital camera or even a Bic and piece of paper. Encryption just allows Bob and Alice to have a conversation with reasonable assurance Eve isn't listening in.

DRM is something else altogether. DRM is intended to allow a sender to control what a recipient can do with information. In this case, Alice is trying to use encryption to mark information for Bob's eyes only (on Bob's Alice approved OS or Bob's Alice approved player) regardless of how Bob feels about it. This is absurd. If Bob can see it then Bob can copy it. DRM's only true effect is to create varying degrees of inconvienience for Bob.

Is not at all hypocritical to favor technological means for privacy while being opposed to technological means on control. Email encryption: Privacy. DRM: Control.

Re:Two different problems.

[Dr+Reducto]

You are correct sir. Even if you have theoretically unbreakable encryption, or time consuming to break encryption, it is always breakable. There is the human factor. A computer to brute-force encryption algorithms costs millions, but a $1000 bribe can be just as effecive if you have a disgruntled employee who does not take security seriously.

philzimmermanrocks

-----BEGIN PGP MESSAGE-----
Version: PGP 8.0.2

qANQR1DDDQQJAwKQORxFJ2eXpGDSwC8BX+3gT6C1eWdjGZcE B0 lQ3KQ186ZcTNs1
Fv09JDOd3KLv1TXDs/bPdGLh5NQjjn8LK/ B9S0R1nOKNzYKi/M V1REVh9Yffffuy
H9g30N+9CSAovfMziE6m4CY61Gt+JmYfdm +XnP8fTdPKMCHfCp XdHxzLpflgYGJX
5SHtv5A80W34/A0y8ML/g+dhI4Kpfh1vm9 dOmdYGDyaBB1oAIx DUW2PxmJn4Zu8T
CbPtlL2BfHayS69CAMPB2713nY5BC1x0El HCcay5ATZTsxZNeC pxFWc8Nnr3yUJ3
MemlfqeANC5g8VaboKZa09BYgawx2Q==
=H5qE
-----END PGP MESSAGE-----

Re:Better than Aimee Deep

[mpawlo]

I think that is a perfectly sensible idea (disregarding the "idiot" part of your submission) that I will pass on to the Greplaw editors.

Regards,

Mikael

Veils and Driver's Licences.

[pcwhalen]

Gosh this is offtopic but here goes....

There is no right to drive in the US. It is a privilege imparted to citizens of the various states by the state's government. As such, the state may regulate conduct and licencing with regard to driving.

Too bad, so sad. No veils if the state says "no." The Supreme Court has held on numereous occassions that states have the right to protect their citizens. Where religous freedom contradicts state edicts, the SC looks to see if the edict is a right or a priviledge. Where it is only a priviledge, the state always wins.

Driving is a privilege. Enjoy it.

Re:The interview is encrypted!

[jc42]

Heh, yeah. I've used that argument myself in a number of discussions, when I felt like making assorted security schemes look mildly silly. The idea that decrypting a rot13-encrypted message is a violation of the DMCA is one of the better examples of the absurdity of it all. And pointing out that rot26 is just rot13 applied twice (so decrypting rot26 is also a violation of the DMCA) adds a whole new level of fun to the absurdity.

It's even more fun to post the couple-line C program that does xor encryption with another file, and point out that not only is this an unbreakable encryption scheme, but you can also use it to show that any file is an encryption of any other. Thus, your message and mine are both encryptions of any handy pornographic image, and the little xor program will quickly produce the decryption key. This tosses a really fun monkey wrench into any scheme to outlaw pronography in any digital medium.

There's a lot of absurdity flying about here ...

Terrorism and PGP

[alpharoid]

Following the September 11-attacks, it was claimed in some reports that the U.S. authorities investigated if PGP was used to co-ordinate the attacks. Do you regret the decision to release PGP as freeware?

I don't really understand when people bring the subject of PGP being used by terrorists, and how this should weigh against the program. PGP is just a tool that makes encrytion easy for the regular user, and it's not something that suddenly brought encryption to terrorists. There has always been a very simple and effective encryption tool for strong cryptography, called the one-time pad.

I'm just saying that PGP has done nothing to facilitate terrorism. If terrorists really wanted encryption, they could have used it at any point, regardless of PGP's existence. And anyway, historically it seems that terrorists never really used electronic encryption for most of their planning.

Re:Terrorism and PGP

[blibbleblobble]

"I don't really understand when people bring the subject of PGP being used by terrorists, and how this should weigh against the program."

If anything, PGP makes life more difficult for the terrorist, unless we're suggesting that it's a good idea that potential targets use plaintext email when whey're planning their journeys, emailing hotels, etc.

"Blah blah blah, did I mention the [famous person's name] is visiting next thursday, blah blah.

I don't need to encrypt this do I? The government says that encryption is a bad thing.

I'll just email the rental company and check our boss' car, then plan a route on Autoroute Express and email it to the chicago office. No need to worry about security, I'll email to let the guy meeting him know the license-place to look out for.

Encryption? What's that? The news says that only bad people use encryption. I'd best send all this information plain-text.

Need for telephone encryption

[Johnny+Pissoff]

I'm surprised that the interview made no mention of the use of encryption in telephone communications. Recently Bruce Schneier in his Crypto-gram newsletter pointed out that based on the US governments report on wiretapping that telephone encryption was rarely encountered and even when it was encountered it never presented a problem to the government in obtaining the cleartext of such encrypted communications.

It seems there is a real need both for strong, open-source cryptographic solutions for VoIp applications and some kind of open-source hardware for telephone communications. Open source because presumably the problem with current telephony encryption is that its closed source implementation has made it easy for the government to crack, as Schneier points out.

Since PZ once wrote an PGPfone for encrypted VoIP communications I'd really like to hear his opinion on this topic.

Fingerprints not absolutely reliable

[HermanAB]

As govs store more fingerprints, the odds of making identity mistakes increase enormously. So far, nobody cared about the relibility (or lack thereof) of fingerprint systems, since only criminals are fingerprinted. Once everybody is on file, it is sure to be a whole different story. If you are living on the west coast and gets picked up for a murder on the east coast, it may be possible to explain it away, but what if you live in the same neighborhood as the victim? So, eventually, all the information that is stored, will become full of entropy and noise and will be useless as a law enforcement tool.