INTERVIEW:
Question 1
You are the creator of PGP software. Can you explain what PGP is?
Answer
PGP means Pretty Good Privacy. It's an encryption software product for electronic mail and
computer files. I created it in 1991 and sent it out on the Internet for free; it's spread
all around the world, and today it has become the most widely used software in the world
for the encryption of electronic mail.
Question 2
What is the history of PGP?
Answer
PGP started out as a human rights project. The idea was to create something that grass
roots political organizations or human rights groups could use in their political work.
Today, human rights groups from all over the world use PGP. As far as I know, all of them
do. They use it to encrypt files containing eyewitness accounts of atrocities. The only
way they could get the witnesses to speak against the government and report what they saw
is to assure them that their names would not be given to the government so that the
government could kill them. So, they collect this data, they encrypt the files with PGP,
and if the government raids their offices and takes their computers, they cannot learn the
names of the witnesses. This is the only way you can fight human rights abuses.
Question 3
Why did you decide to give away this product and make it public?
Answer
I wanted it to become widely used. Not just to protect people in human rights situations
but also to protect the civil liberties and privacy of ordinary people even in Western
democracies. So making it available for free is a good way to achieve ubiquity. Pervasive
ubiquity of software is a prerequisite to success. It's not just a consequence of success;
it's a prerequisite to success on the Internet.
Question 4
Can you explain what the relationship is between personal privacy and encryption of
information?
Answer
We used to live our lives in the analogue world. Now we live our lives in the digital
world or we're moving our lives into the digital world. Most of the mail used to be on
paper with envelopes. Now more and more of our mail is electronic mail. Most of our
conversations used to be face to face. Now we have telephones and now more and more of our
conversations are through digital media. Every time we adopt a new technology to give us
convenience and speed in the digital age, we leave behind some of the privacy that we
enjoyed in earlier times. So by encrypting the data, we restore some of the privacy that
we used to have. I'm actually just trying to maintain the status quo. I'm trying to keep
things the way they used to be. Every conversation used to be private before there were
telephones because there was no wire tapping when you're talking face to face. Most of our
mail was secure from third parties intercepting it because it was transported in
envelopes. We need envelopes today for our electronic mail. And that's what encryption
brings.
Question 5
Usually the information that is around the Internet is not secure because people can
intercept this information. Why and how can people intercept this information on the
Internet?
Answer
It's very easy to intercept electronic mail or other kinds of Internet traffic such as web
browsing, because when you send something through the Internet, you send it from one
computer to another and another computer until it finally reaches its destination. And
these intermediate computers are owned by corporations, governments, universities,
Internet service providers, long-distance communications carriers, and all of them along
the way can intercept the information. You don't know who can intercept it. So the
solution is to scramble the information, using modern encryption algorithms to scramble it
in a hopelessly complicated way, so that no one can read the information, except the
person you're sending it to, who knows how to unscramble it, using the software, using
cryptographic keys. If you don't know the right key, you can't unscramble the information.
Question 6
So when is it possible to say that a piece of information protected by cryptographic
software is secure, how can you say that it is secure?
Answer
It used to be that knowledge of encryption technology was limited to intelligence
agencies. The most famous example being the National Security Agency in the United States.
But about 25 or 20 years ago, things began to change as academic cryptographers in
universities began publishing papers in academic journals and over the last 20 years there
has been great progress in the development of encryption algorithms to scramble
information in ways that today is now out of reach of major governments - out of reach in
the sense that major governments can no longer break these encryption algorithms.
Question 7
But do you think it's possible for someone to read the information that was protected with
encryption? And how much can this cost?
Answer
In principle it's possible to intercept encrypted communications and use computers to try
to find the patterns in the data or try every possible key to unscramble it. But because
encryption algorithms have become so good in the past 20 years, it has now reached the
point where the only way to break them is to try every possible key until you have
exhausted all the possible keys to try to decrypt the message. We use keys today that are
so big that it would take geological time to try all the possible keys; in fact,
cosmological time - more time than the earth has been in existence. So probably if you
want to send a love letter to your girlfriend or your boyfriend or whatever, it's unlikely
that somebody is going to be able to intercept it and decrypt it using supercomputers to
try all the keys.
Question 8
So how long do you think it could take to decrypt PGP? Is this possible?
Answer
It is always a possibility that someone knows some way to decrypt it without trying all
the possible keys. Perhaps they can find some hidden weakness in the encryption
algorithms. But the algorithms that we use in PGP are the best academic algorithms
published in the academic literature about cryptography. These are algorithms that have
had the most peer review by other cryptographers and have withstood attempts to break them
for many years. So if we assume that these are strong encryption algorithms and it
requires you to try every possible key, then it would take more time than the earth has
been in existence using all the computers in the world today to break one of these
messages.
Question 9
Can we talk about the work of secret services on the Internet? Do they try to control
information?
Answer
Intelligence agencies of the major governments often try to intercept Internet
communications. They try to intercept phone calls, radio traffic, but most especially it's
easy to intercept Internet traffic. The National Security Agency does this more than any
other government agency, more than the agencies in other governments. But the British
government and the French government and other major governments also do this within their
own countries. The NSA does it all over the world, so people in Italy may have their
communications intercepted by the American government through the NSA.
Question 10
Can you talk to us about the Echelon Project?
Answer
The Echelon Project is a large-scale project by the NSA to intercept large amounts of
electronic communications in Europe. It's a good reason to use encryption technology if
you don't want to have your private or business communications intercepted by the American
government.
Question 11
What about e-commerce and encryption? Do you think that it will be very important when we
buy something with a credit card on the Internet?
Answer
Electronic commerce on the Internet is a perfect example of why you need to use
encryption. But I don't think that it's just to protect your credit card because today we
give our credit cards to waiters in restaurants. Who knows what the waiters might do with the
credit card numbers. I'm more interested in knowing whether or not I can trust the
business that I'm giving my credit card number to. Are they going to use my credit card
correctly, are they going to put extra charges on it, is it a reputable business? But
something that is much more interesting to me from a privacy perspective is will third
parties be able to intercept the communications that I have and discover what I'm buying
with my credit card. Ken Starr asked the bookstores in the US to tell him which books
Monica Lewinsky was buying. I think this is a terrible thing. Monica Lewinsky should be
able to buy books with no one knowing what books she's buying. We should always be able to
read books or magazines or videos or whatever we want to do without fear of government
interception of discovering what we're reading, what we're thinking, what are our beliefs,
our political beliefs. We've got to protect our privacy as it is eroded by advances in
technology. It used to be that you walked into a bookstore with cash and bought books with
cash. Now you use a credit card, and this creates an electronic record that could be
checked later by an overzealous prosecutor.
Question 12
That is why encryption is so important. But if encryption also protects the money, nobody
would steal the money.
Answer
Yes. It's important to have protocols for doing electronic commerce that ensure that no
one can steal your money, that you're giving it to the right person or the right company,
that no one can intercept it and take money out of your credit card or your bank account
and that the merchant can prove you bought it so he can get the money and there's no fraud
possible. Sometimes these things are pulling in opposite directions. If you increase the
strength against fraud, you may decrease the privacy, because it creates too many records
that can be checked later to see what you're reading or what you're listening to or
watching or other things.
Question 13
You're working with a big company and this company bought your product. Are you afraid
that the government will take your system?
Answer
A lot of people ask me if the cryptographic integrity of PGP is still good. They believe
that it used to be good when I controlled it myself. But some people are afraid that the
cryptographic integrity has been compromised now that a large corporation controls it. Let
me say that after all that I went through with the criminal investigation and all the
hardship of what I went through, there's no way I would allow anyone to compromise the
cryptographic integrity of PGP. And I have seen no evidence that this company is
interested in compromising the integrity of the product.
Question 14
Can you talk to us about the problem you had with the United States justice?
Answer
Some time after I published PGP in 1991 the government became interested in how it got out
of the country. The encryption technology was regarded as the same as other military
technologies. They regarded it as munitions, like exporting Stinger missiles, which is
illegal unless you have a special license from the government. Of course I had no such
license. This was free software published domestically inside the United States. But when
you publish on the Internet, it's impossible to just publish it domestically; it goes
everywhere. So the government thought that this was a violation of US export law and began
a criminal investigation which lasted for 3 years. At the end of 3 years, after doing
hundreds of press interviews, the government decided to drop the case, because it would
have been a political nightmare for them to prosecute me for publishing something on the
Internet.
Question 15
The millennium bug is a great problem. Do you see a solution?
Answer
Software has a lot of bugs. Even PGP has bugs. I think the millennium bug is just one more
bug. It has the unusual property in that it can appear in many places simultaneously. But
I think that somehow we'll get through it just the same as we get through all the other
bugs. I don't think that we have to head for the hills and build a log cabin in the
mountains. There are people in the US stockpiling food and supplies and going up into the
mountains and getting guns as if there were going to be a nuclear war. It's nothing like
that. I think there's just going to be some computer glitches and we'll somehow get
through it. Maybe your automatic teller machine might not work for the first couple of
days until they fix the problems.
Question 16
Are you working on this problem?
Answer
Of course my software doesn't have that bug. I've never written any software that has that
particular kind of bug. I sometimes create other kinds of bugs, but that one is something
I've never been stupid enough to create! I didn't create this bug and I'd rather other
people fixed it.