The NSA's Prism Must be Countered with Public Policy, Says Crypto Guru Phil Zimmermann

The National Security Agency's Prism surveillance system is a dangerous hostage to fortune that must be countered using public policy and not simply clever security technologies alone, privacy campaigner and encryption luminary Phil Zimmermann has argued.

It's an unexpected position for a man whose new company, Silent Circle, sells possibly the single most credible anti-surveillance service on the market, not to mention having written his own chapter in the history books by inventing the legendary Pretty Good Privacy (PGP) encryption software in the early 1990s.

It's also fair to say that the Prism controversy might be good for Silent Circle's business model, a sort of gigantic imaginary neon sign saying 'we told you so'.

"The surge of interest we've had over the last 10 days is huge," admits Zimmermann during a phone call that would doubtless be simple for a system like Prism to monitor. In Zimmermann's case, phone taps aren't required because he'll tell you what he thinks about the surveillance era before you even ask.

"I recognise they [the NSA] have a job to do but there is over-reach and it is harmful," he begins. "If we create a technological infrastructure like the one we saw last week, a government could use it to create an incumbency that could not be shifted by elections."

Some citizens will find Prism comforting on the naïve assumption that they have done nothing wrong, or even see surveillance as inevitable, but allowing such systems to exist without oversight is hugely risky for the US, for anywhere, contends Zimmermann.

"Even if you imagine that this Government has put it [Prism] in place with honourable intentions a future government could abuse it. In 2017 who is going to be President? We have no idea," he worries.

"Will that government have the moral sensibility of Thomas Jefferson or Vladimir Putin?"

Zimmermann makes the point that a system as all-seeing and powerful as Prism sets benchmarks for governments not worried about moral nuances. They will want to have the same, as will criminal organisations determined to burrow deep into the data's inner sanctum in search of the contact details of witnesses to crimes or, worse, the judiciary themselves.

Prism sets an example, acts as a proof of concept, and effortlessly sells its dangerous possibilities. He has a point. The fact that we know of Prism's existence is down to a single ex-employee, Edward Snowden, who decided to blow its cover for a principle. Might another employee fall the other way and siphon or sell secret data?

The era of surveillance will surely be fraught with huge risks to everyone. There will be many Prisms.

When it is put to him that at least Internet users have tools at their disposal to secure their private data - end-to-end encryption is at least an aspiration for a start - Zimmermann slaps this down. Technology is a consequence of surveillance, not the solution to it.

"I worry about people falling into fatalism and feeling they can't do anything about it," he says. "We need to fight back not just with [technology] but with public policy."

The key moment was 9/11, both for him and for the system that was given a historic jolt.

"Before 9/11 I was mainly worried about Moore's Law because Moore's Law erodes privacy," he says, noting that the exponentials of processor power birth more and more possibilities when it comes to looking for patterns in data using automated systems, in real time.

"After 9/11, Moore's Law was accelerated by public policy."

September 2001 mattered because after that point the potential of Moore's law was aided by public decisions that claimed, indeed assumed, surveillance was now necessary. These events 'won' important arguments without those being had in public or with the public.

One thing that does appear to have shifted since 2001 is the perception some people have towards their privacy. Surveys routinely find that privacy is a high priority for people who still happily sign up for Facebook.

Zimmermann worries less about the integrity of the firm than what it engenders in society as a whole.

"Facebook has had the effect of de-sensitising people to privacy. Each violation becomes a baseline for more violations," he says. He complains bitterly about the complexity of many privacy controls that are regularly overhauled in ways that users can't keep up with.

As for the phone providers, his expectations are low. "Phone companies have 100 years of behaviour that is wiretap-friendly." It is simply too ingrained for them not to make this easy because that's how they've always worked.

Zimmermann himself points out the irony of Silent Circle's place in his career. It is a service provider selling end-to-end encrypted email, texting, VoIP and mobile phone calls created to solve the suspicions people have about service providers.

Silent Circle does have some limitations, such as the need for both sender and receiver to use the service (a partially-secure service that works without end-to-end encryption is also now available) but the takeaway point is that it is a gateway; no encryption keys are stored by the firm. Zimmermann designed it (including the implementation of his own ZRTP VoIP protocol) that way.

However, perhaps the greatest irony of all is that some of its most enthusiastic users are specialist departments of government, including the military and special services of the US, UK and Canada. The very people who could in theory access Prism-like systems prefer to use Silent Circle because it stops that being possible for their own communications.

Another sector keen on Silent Circle is large enterprises operating in countries such as Russia or China who fear the Prism-like systems that might exist there to spy on their business deals; entities focused on the need for profit and survival understand the importance of secrecy even if, for now at least, citizens have still to catch up with their own interests.

Nearly ten years ago, Techworld interviewed Zimmermann and it's remarkable how constant the themes are between then and now. He's still a worried man, prophetically so. And ten years hence? The clues are always in the Prism.

This story, "The NSA's Prism Must be Countered with Public Policy, Says Crypto Guru Phil Zimmermann" was originally published by Techworld.com.
