March 14th, 2011

Cryptography, Technology, Privacy: Philip Zimmermann, Inventor of PGP

Tom Boutell
Chief Software Architect

Liveblogging Philip Zimmermann's talk on Cryptography, Technology and Privacy at SxSW Interactive.

Philip Zimmermann is the author of PGP (Pretty Good Privacy), widely recognized as the best mainstream tool for keeping communications private on the Internet, particularly email [https plays a more narrow role, securing your communications with a website; PGP can be used to encrypt an email sent over the open Internet, secure files on your hard drive, etc].

PGP was intended for human rights organizations with concerns about having their membership lists stolen by the government and other resourceful opponents. Most existing privacy tools at the time were for keeping corporate secrets from other corporations. (Do these use cases really necessitate different solutions?)

When PGP was released Zimmermann became the target of a multi-year criminal investigation. For three years his legal defense team worked to keep him out of the slammer. Against their advice he talked to the press, which ultimately helped the situation as the government did drop the case.

Then he got started on PGP as a serious company. "I would have started earlier but it's hard to raise venture capital when you are subject to a criminal investigation"

The company ran out of money and was sold to Network Associates, which fumbled the ball. So a new startup was formed, PGP Corporation, largely the same people who had worked at PGP Inc. They bought the assets from Network Associates and were much more successful at selling PHP for eight years until it was finally sold to Symantec, PGP's fifth owner (I missed one here somewhere).

"... But I don't have that much to do with PGP anymore. For the last six years I've been working on secure telephony"

"It isn't only Big Brother we have to worry about. It's criminals (profiting from stolen data)"

"There's so much more risk now than there was from Big Brother alone that in the last six years I've switched my attention to that. I've recently become interested in identity theft. The most popular target is children because they are too young to do things with their identity themselves like getting credit cards, loans, etc. (so nobody notices when their identities are abused)"

"The Pentagon spends a lot of money on situational awareness. As they sent in the rescue force to retrieve the guys who were stuck in Mogadishu (Blackhawk Down), situational awareness was a big problem– nobody knew what was going on. They have invested a great deal in fixing that with aerial camera drones etc. and improved communications between close air support and troops on the ground." (Parting the fog of war...)

"You try to have situational awareness on your side and prevent your opponent from having it. The identity thieves depend on a lack of situational awareness on our side for their attack to succeed. So I found a company called Debix that has put together a fairly sophisticated apparatus that calls you on your mobile when someone takes out a loan in your name. You have to authenticate the opening of the new account." (This is brilliant and I want it for my family)

"We focus too much on digital signatures and not enough on the analog world of physical reality. This company Debix does it procedurally without digital signatures. They call you on the phone and ask you if you authorize this and you say yes or no. It's kind of elegant"

(Zimmermann sits on the advisory board of Debix.)

Now he's taking questions. Short talk! The Q&A is ongoing though and he's doing a good job of emphasizing the importance of identity protection and the ways in which our real world identity security ought to be considered a higher priority than our digitally signed encrypted email security

Tom Boutell
Chief Software Architect