Interview with a legend: Phil Zimmermann, creator of PGP

ProPrivacy.com is honored that crypto-genius and all-round nice guy Phil Zimmermann has taken the time out of his hectic schedule to talk to us about his world-renowned email encryption technology, PGP; his new job at Startpage.com and his views on digital privacy.

Phil is best-known for inventing Pretty Good Privacy (PGP), which, after almost 30 years, is still regarded as the gold standard for secure email encryption.

He is also known for his work on internet telephony (VoIP) encryption protocols, and was creator of the highly respected ZRTP encryption protocol. As if that wasn't enough, he was the co-founder and chief scientist of Silent Circle. Quite simply, he is a legend.

Thanks for talking to us, Phil. You have recently joined privacy search engine company Startpage.com. Would you like to explain how and why this came about?

I work in the same building. I know it’s a bit of a flippant answer, but there are a number of different companies that work in the same Hague Security Delta building in the Netherlands. I was touring the place and noticed Startpage. I saw that they used PGP in their products, so I started talking to them.

Startpage already uses PGP, especially in its StartMail encrypted email service. They are currently in the process of rewriting their code to make it into two separate products, and I agreed to come on board to provide advice on how to make the new one more secure. It is still very much in development and is going to take a while to release.

I like the fact that Startpage also runs a privacy search engine. It seems very zeitgeist. Startpage seems to be genuinely concerned about privacy, so I think it’s great that they are offering an alternative to Google.

According to a recent press release, your main focus will be the "development of the company’s next-generation PGP-encrypted email service". This sounds very interesting! Can you tell us any more about this service, and what will make it different from other privacy email services such as ProtonMail?

I have been brought in to help with various implementations of the PGP protocol. My job is specifically to ensure the service is secure. I can’t comment on how it compares with other services because the new Startpage email product is still in development.

 

PGP has been in the news recently thanks to some critical vulnerabilities discovered by security researchers (EFAIL). It is our understanding that these vulnerabilities are not a problem with the PGP protocol itself, but with how it is commonly implemented. Is this correct?

That's right. On June 29 I am going to a meeting in Germany to discuss the protocol: how to make it more modern, and how to improve email clients to get better results.

The problem with email is that it has a large attack surface, and that’s where EFAIL had problems. Email itself has a large attack surface and the threat model we face has evolved over the almost three decades since I first invented PGP.

Is it safe to assume that any PGP email products developed by Startpage will mitigate against such issues?

Yes.

Again, it is our belief that although very convenient, webmail services are inherently insecure. Do you agree with this assessment, and if so, do you have plans for mitigating it in Startpage’s upcoming products?

Yes. Currently there are weaknesses in both server-side and client-side encryption. If you're worried about the trustworthiness of the server, be advised that anyone who controls the server also controls the server-supplied JavaScript that executes in the browser.

If someone who operates a web-based email service is hit with a court order, they could be coerced into injecting a “special” version of the JavaScript that could exfiltrate the encryption keys from a user’s browser. These could then be used to decrypt intercepted traffic.

This is a problem with doing cryptography in the browser. End-to-end encryption is all the rage at the moment, but if cryptography is done in the browser then it is no more secure than if done on the server. If a server is compromised, then it can just feed malicious JavaScript to the browser anyway!

Right now, StartMail does crypto on its servers; but I’m helping it to develop a hybrid scheme that uses a combination of server and browser to protect the keys. I’m working on a way the keys can be protected even if the server becomes compromised.

Each of the two places has its own vulnerabilities, although the browser has a larger attack surface.

Are the technologies you are working on for Startpage going to be open source? Why?

I'm a strong advocate for publishing crypto source code, and I would advise anyone to do that. But this is a product still under development so we haven't discussed how this would happen.

The creation of PGP has made you a legend in tech circles, but what other professional achievements are you particularly proud of?

I spent a lot of years on VoIP. The technology is more fun than working on secure email. Being able to actually talk to people is much more interesting than writing emails.

A major reason you have given for joining Startpage is that they are “ideologically aligned on privacy issues”. Why do you think privacy is so important in the modern digital age?

Because we are hemorrhaging our privacy. It’s terrible what is happening. I’m not just talking about privacy as such. Companies like Facebook and Google are a major threat to our democratic society because of the way they work.

American society has been harmed by social networks that are designed to profit by maximizing engagement, and nothing drives engagement like outrage. It is this outrage that tears society apart.

Disregard for users’ privacy is therefore only part of the problem. It is this cycle of outrage that is fed by the very nature of social media platforms which is undermining societal norms.

As an emergent property of a revenue model that maximizes engagement, you get outrage and divisiveness in the body politic.

That’s why I like Startpage. They are doing something to mitigate the problem by providing a search engine where results are not personally tailored to the individual. Such personalized search results of the kind returned by Google are dangerous because they create echo chambers that only serve to reinforce people’s misinformation and prejudices.

We also need a replacement for Facebook which is built for the good of the people rather than for corporate profit. Something which provides the benefits of social networks without the destructive elements of Facebook.

May I suggest your publication run a feature looking at Openbook. I have a friend who has just started developing for it. It’s good to see good people doing something positive about the situation, so I also help out part-time. Check it out.

Which do you consider to be the greatest threat to ordinary internet users’ privacy - mass government surveillance of the kind carried out by the NSA and GCHQ, or corporate surveillance of the kind carried out by Facebook and Google?

I think it is important to understand that the two are closely related because the surveillance performed by companies can be made available to governments.

Do you think the mass surveillance landscape has improved since Edward Snowden’s shocking NSA revelations back in 2013?

Well, crypto protocols and crypto products have improved. While some things have gotten better, some things have gotten worse. The voracious appetite of tech companies for customer data for their revenue models has made things worse.

As I said earlier, these revenue models that optimize engagement set off a chain of cause and effect that leads to the erosion of liberal democracies.

If you were stranded on a desert island, what one item would you most like to be washed ashore with you?

Antibiotics.

Written by: Douglas Crawford

Has worked for almost six years as senior staff writer and resident tech and VPN industry expert at ProPrivacy.com. Widely quoted on issues relating to cybersecurity and digital privacy in the UK national press (The Independent & Daily Mail Online) and international technology publications such as Ars Technica.
