Slashdot Mirror


Greplaw Interviews Phil Zimmermann

LawGeek writes "The venerable GrepLaw crew has struck again, this time with Editor Mikael Pawlo interviewing PGP author and all-around encryption expert Phil Zimmermann. Pawlo discussed a number of topics with Zimmermann, including the current state of encryption export laws, DRM, and activism against erosion of privacy both in the U.S. and internationally. The interview is here."

18 of 111 comments

  1. from the article by nounderscores · · Score: 4, Interesting

    # But you don't code any more?

    I haven't written code in many years. I am active in policy space rather than writing code, doing a lot of public speaking. There is a lot of need for activism now in the shadow of the Patriot Act.


    Interesting. I would have thought that hammering out the bugs in the law would have been the oldest form of coding.

    ___________________________________
    The Spiders are coming.

  2. Re:fingerprint scanners in police cars by Dr+Reducto · · Score: 5, Insightful

    ...But technology can fail. Technology can also be "hacked". Technology should only be used as a supplement and taken with a grain of salt when accuracy absolutely matters. Like the Naval saying: Satellites fail, compasses do not.

  3. Re:fingerprint scanners in police cars by nounderscores · · Score: 5, Insightful

    The difference is that you don't leave your photograph on every door handle and toilet seat you touch... or at least I don't.

    ______________________________
    The Spiders are coming

  4. In other news... by zakezuke · · Score: 4, Funny

    Glove sales are up... and public restrooms are wondering why there are footprints on the flush control.

    --
    There is no sanctuary. There is no sanctuary. SHUT UP! There is no shut up. There is no shut up.
  5. Zimmermann's contradictory opinions by geekee · · Score: 5, Insightful

    When asked about encryption technology, he thought it was great that a person could control who read his data. When asked about DRM, he said it was bad that a person could restrict who reads his data. Or does Zimmermann have a bias against companies? A person should be free to encrypt data, but not a company? Or is it, you should be able to encrypt data unless you're selling it? DRM is encryption. I don't see why this guy thinks some people have the right to use it while others don't, just because he thinks it's bad for society somehow when some people use it. He didn't care that terrorists were using PGP, but was concerned about the music industry using DRM. That I find disturbing.

    --
    Vote for Pedro
    1. Re:Zimmermann's contradictory opinions by mpawlo · · Score: 4, Informative

      That is a good observation I should have made myself during the interview. However, I never posed a question in this respect - my mistake. Reading only from the transcript you may not reach the conclusion you suggest. Mr Zimmermann spoke of both DRM and encryption as problems for the future access to archives. If he hosts double-standards the way you suggest regarding DRM and encryption, I cannot tell.

      I do not think Mr Zimmermann is corporate-hostile in general, though, since he makes his living selling his knowledge to companies striving to protect their data.

      Regards,

      Mikael

    2. Re:Zimmermann's contradictory opinions by Rambo · · Score: 4, Interesting

      When asked about DRM, he said it was bad that a person could restrict who reads his data. Or does Zimmermann have a bias against companies?

      I think you're missing the point. The companies utilizing DRM are using it to prevent you from making full use of the content which you purchase. This is in contrast to you encrypting mail which is simply to keep spying eyes from peering into your private life.
      However, I did have one concern about a wholesale use of encryption for personal affairs. Suppose I keep a personal journal and I use encryption; who's to say that I won't get run over by a truck, thereby effectively locking that information forever? Ideally I'd like to think that my grandchildren and so forth could learn and appreciate me as a person by reading it when I'm gone. You can't really write down the password as you don't want it falling into the wrong hands (i.e. government), but there's a terrible risk that it may never be readable in the future. Ditto for personal email, which can also be important to future generations.

    3. Re:Zimmermann's contradictory opinions by HeghmoH · · Score: 4, Insightful

      It's not contradictory at all.

      Encryption, the way PGP works, is a way to prevent third parties from getting at data you don't want them to.

      DRM is a way to prevent the user from using data that was given to him in "unapproved" ways.

      Once you get an e-mail and read it with PGP, you can do anything you want with it. You can copy-paste it into a Word document, you can forward it to a million-member Yahoo mailing list, anything you want. DRM is fundamentally different in that it's not for protecting against unauthorized use by third parties, but for protecting against unauthorized use by the person who supposedly owns the data (or a license).

      --
      Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
    4. Re:Zimmermann's contradictory opinions by Jade+E.+2 · · Score: 4, Informative
      Once you get an e-mail and read it with PGP, you can do anything you want with it. You can copy-paste it into a Word document, you can forward it to a million-member Yahoo mailing list, anything you want

      Actually, PGP (the new-ish versions, anyways) has an option when encrypting to only allow the decrypted message to be displayed in PGP's 'Secure Viewer', which prevents you from copying or saving the information (and, optionally, displays it in a grey on slightly-lighter-grey color scheme to try to prevent Tempest attacks). It also has other properties, such as preventing the message from being written to swap/page files (and Windows hibernation files).

      Of course, you can still just re-type it yourself, but it is distinctly DRM-like in that it requires extra effort to defeat the security, while not really offering any more protection. Of course, the difference is that when receiving a PGP message, the recipient generally *wants* the data to remain secure, and in DRM's case the recipient generally doesn't.

  6. Re:Better than Aimee Deep by mpawlo · · Score: 5, Informative

    Here are links to more Greplaw interviews that you may find interesting:

    Patrik Faltstrom on IESG, IETF etc.

    Don Marti on free software, patents and the Internet.

    Cyberlaw profiles: Jennifer Granick.

    We try to interview interesting people who one way or another affect and form Internet law and policy. Feel free to suggest people we should interview.

    Regards,

    Mikael

  7. Re:fingerprint scanners in police cars by stratjakt · · Score: 5, Insightful

    Bullshit.

    You leave your photograph in every store you go to, every public washroom you enter, every highway you drive on.

    You're captured on film at least a dozen times a day. At least I am (and other people who go outside).

    It's a lot less work to have a computer scan the tapes for the same face than to send crews to dust for fingerprints over the entire planet multiple times daily.

    No one cares where you go to take a dump.

    --
    I don't need no instructions to know how to rock!!!!
  8. Re:fingerprint scanners in police cars by csguy314 · · Score: 4, Interesting

    It might have prevented the dispute in court over driver's license photos and Muslim women wearing veils...with a fingerprint, you don't need picture ID, and it's more reliable.

    [off-topic]
    I was just discussing the issue of this Muslim woman today. As a Muslim I think this woman is doing something kind of dumb. There is nothing in the Quran about covering a woman's face. During prayers, in fact, her face must not be covered. So I haven't a clue where they get the idea that they need to wear a veil over their face. And this is specifically for a piece of identification. How the hell are you supposed to identify someone that's covering their face? In fact I've heard suggestions that maybe bin Laden escaped the US in Afghanistan by posing as a veiled woman. It's not beyond comprehension.
    But if this woman refuses to be identified, then perhaps she should not be allowed the responsibility of driving. It makes it possible for her to abuse the system and others to abuse her. She could claim some other person wearing a veil caused an accident that she caused, or it's possible someone wears a veil and does something specifically to incriminate her. It's a very unnecessary complication.
    [/off-topic] That being said, fingerprints are a bad idea. As another poster mentioned, you leave fingerprints everywhere. And just having them on file and being in the wrong place can make you suspect in something which you have no idea about. It gives far more opportunity for abuse by authorities, and it's naive to think they won't be more abusive the more opportunity you give them.

    --
    This is left as an exercise for the reader.
  9. Two different problems. by dmaxwell · · Score: 4, Insightful

    Email encryption is intended to keep third parties out of private communication. With PGP nothing stops the other side from divulging his end of the conversation to others. Sure some corporate mail clients may try to mark mails unprintable, unsaveable and what not but that won't defeat a digital camera or even a Bic and piece of paper. Encryption just allows Bob and Alice to have a conversation with reasonable assurance Eve isn't listening in.

    DRM is something else altogether. DRM is intended to allow a sender to control what a recipient can do with information. In this case, Alice is trying to use encryption to mark information for Bob's eyes only (on Bob's Alice approved OS or Bob's Alice approved player) regardless of how Bob feels about it. This is absurd. If Bob can see it then Bob can copy it. DRM's only true effect is to create varying degrees of inconvenience for Bob.

    It is not at all hypocritical to favor technological means for privacy while being opposed to technological means of control. Email encryption: Privacy. DRM: Control.

    1. Re:Two different problems. by Dr+Reducto · · Score: 5, Insightful

      You are correct sir. Even if you have theoretically unbreakable encryption, or time consuming to break encryption, it is always breakable. There is the human factor. A computer to brute-force encryption algorithms costs millions, but a $1000 bribe can be just as effective if you have a disgruntled employee who does not take security seriously.

  10. Veils and Driver's Licences. by pcwhalen · · Score: 4, Interesting

    Gosh this is offtopic but here goes....

    There is no right to drive in the US. It is a privilege imparted to citizens of the various states by the state's government. As such, the state may regulate conduct and licencing with regard to driving.

    Too bad, so sad. No veils if the state says "no." The Supreme Court has held on numerous occasions that states have the right to protect their citizens. Where religious freedom contradicts state edicts, the SC looks to see if the edict is a right or a privilege. Where it is only a privilege, the state always wins.

    Driving is a privilege. Enjoy it.

    --
    Pay no attention to the man behind the curtain with all your metadata.
  11. Re:fingerprint scanners in police cars by evilviper · · Score: 4, Insightful
    While driving down the street, the police can't look over and identify you based on your fingerprints... Even with fingerprint scanners in police cars, photos are needed.

    with a fingerprint, you don't need picture ID, and it's more reliable.

    Yes, but the potential for abuse is much higher. Walking down the street some nights, the police think you look suspicious. They don't have any reason to take you in, but they could fingerprint you and find out your entire history in an instant.

    Also, that would mean the police would have MANY more fingerprints on file. It's really just one step away from police fingerprinting every person in the country.

    What's wrong with it? Well, it's a matter of opinion. If you believe in police states, nothing is wrong with it at all. If you believe even slightly in privacy, there is much wrong with it...
    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  12. Re:The interview is encrypted! by jc42 · · Score: 4, Insightful

    Heh, yeah. I've used that argument myself in a number of discussions, when I felt like making assorted security schemes look mildly silly. The idea that decrypting a rot13-encrypted message is a violation of the DMCA is one of the better examples of the absurdity of it all. And pointing out that rot26 is just rot13 applied twice (so decrypting rot26 is also a violation of the DMCA) adds a whole new level of fun to the absurdity.

    It's even more fun to post the couple-line C program that does xor encryption with another file, and point out that not only is this an unbreakable encryption scheme, but you can also use it to show that any file is an encryption of any other. Thus, your message and mine are both encryptions of any handy pornographic image, and the little xor program will quickly produce the decryption key. This tosses a really fun monkey wrench into any scheme to outlaw pornography in any digital medium.

    There's a lot of absurdity flying about here ...

    --
    Those who do study history are doomed to stand helplessly by while everyone else repeats it.
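
The XOR property described in the comment above, as an added example that is not part of the original thread or jc42's own program: one ciphertext opens to either of two equal-length messages depending on the key supplied, and the same arithmetic shows why the scheme only holds up when the key is random and used once. The messages, pad bytes and function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define N 15  /* length of the constructed sample messages */

/* Constructed sample data, not taken from the thread. */
static const unsigned char MSG_A[N + 1] = "meet at noon 12";
static const unsigned char MSG_B[N + 1] = "buy milk & eggs";
static const unsigned char PAD[N] = { 0x3c, 0xa1, 0x07, 0xee, 0x52, 0x9b, 0x10, 0x4d,
                                      0xf3, 0x68, 0x25, 0xb9, 0x0e, 0xd4, 0x71 };

/* XOR n bytes of in with key into out; encrypting and decrypting are the same call. */
static void xor_buf(const unsigned char *in, const unsigned char *key,
                    unsigned char *out, size_t n)
{
    for (size_t i = 0; i < n; i++)
        out[i] = in[i] ^ key[i];
}

/* 1 if one ciphertext opens to MSG_A under PAD and to MSG_B under a derived key. */
int any_file_decrypts_to_any_other(void)
{
    unsigned char cipher[N], alt_key[N], out_a[N], out_b[N];
    xor_buf(MSG_A, PAD, cipher, N);      /* the real encryption */
    xor_buf(cipher, MSG_B, alt_key, N);  /* the "decryption key" that yields MSG_B */
    xor_buf(cipher, PAD, out_a, N);
    xor_buf(cipher, alt_key, out_b, N);
    return memcmp(out_a, MSG_A, N) == 0 && memcmp(out_b, MSG_B, N) == 0;
}

/* 1 if reusing PAD leaks MSG_A ^ MSG_B to anyone holding both ciphertexts. */
int pad_reuse_leaks_plaintext_xor(void)
{
    unsigned char c1[N], c2[N], leak[N], expect[N];
    xor_buf(MSG_A, PAD, c1, N);
    xor_buf(MSG_B, PAD, c2, N);
    xor_buf(c1, c2, leak, N);            /* computed without knowing PAD */
    xor_buf(MSG_A, MSG_B, expect, N);
    return memcmp(leak, expect, N) == 0;
}

int main(void)
{
    printf("two decryptions of one ciphertext: %d\n", any_file_decrypts_to_any_other());
    printf("pad reuse leaks plaintext XOR:     %d\n", pad_reuse_leaks_plaintext_xor());
    return 0;
}
```
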
  13. Need for telephone encryption by Johnny+Pissoff · · Score: 4, Interesting
    I'm surprised that the interview made no mention of the use of encryption in telephone communications. Recently Bruce Schneier in his Crypto-gram newsletter pointed out that based on the US government's report on wiretapping that telephone encryption was rarely encountered and even when it was encountered it never presented a problem to the government in obtaining the cleartext of such encrypted communications.

    It seems there is a real need both for strong, open-source cryptographic solutions for VoIP applications and some kind of open-source hardware for telephone communications. Open source because presumably the problem with current telephony encryption is that its closed source implementation has made it easy for the government to crack, as Schneier points out.

    Since PZ once wrote a PGPfone for encrypted VoIP communications I'd really like to hear his opinion on this topic.