This week I was privileged to interview privacy and encryption expert Phil Zimmermann.
The founder of PGP has been off the scene since his company was acquired by Symantec in 2010 and he completed his duties to the security giant during that year. His new venture, Silent Circle, sees him working in secure communications, along with partners Mike Janke and Jon Callas. Janke is a special operations communications expert and fellow privacy advocate, and Callas was formerly a major player at Apple.
The company's technology offers fast and secure communications over voice-over-IP (VoIP), SMS and voice calls. Using Zimmermann's PGP creation as its base, it focuses on peer-to-peer communications with minimal need for keys and public key infrastructure (PKI).
Janke said that rather than building for business, this is "built for the individual". He said that a company can buy as many licenses as they need, but it is down to the employee to download the tool to their device and therefore the secure communications are between the sender and recipient, and no data is seen by the employer or Silent Circle.
Janke said: “It is important as they want a service they can trust. We open source our client so anyone can look at it and we were very careful about the basics. There is a hot topic around privacy groups and other dissidents so if we don't get this right, it is more than a bad review. It is important to be trustworthy, the trust model exists around the world.”
Zimmermann, speaking to SC via the secure VoIP channel over an iPad, said that he has been working on secure communications since 2004 and that he had been interested in secure voice channels since before secure email, but "the technology wasn't ready yet".
He said: “Back in the early days of PGP I had some legal issues, lawyers would ask me why I was interested in this and after I explained it, they went with it. I said it was like being able to stand 1,000 miles away and whisper in your ear. Security is now restored with face-to-face communications.”
One of the key parts of Silent Circle is the minimum reliance on keys, in keeping with the founders' privacy leanings. Janke said that the platform had been designed to retain the least amount of data, only retaining the username, password and ten-digit phone number in the case of a voice call.
Zimmermann said: “With the right protection we can minimise exposure to keys. They are not shared with the server and for calls, there is nothing that we have that can compromise the call.
“You can put this on your mail client so you can manage the keys on it; sometimes you need to keep keys for email decryption but with a call, when you are done you don't need to keep the keys.”
He also went on to say that rather than a server or depository holding the keys, the device holds the key, further strengthening the commitment to privacy. The point of user privacy is understandable, especially when this is used for sensitive or confidential communications, but I asked Janke and Zimmermann how this can be managed by businesses that want to use it and deploy it to their users.
Janke said that this was considered, so a web interface was developed for enterprise, while desktop users are given a control panel where they can build a phone book with other user credentials.
“If two people are end-to-end secure, the enterprise cannot decrypt it unless they have the phone book and personal device,” Zimmermann said. “This doesn't need PKI for example and it doesn't require certificates from certificate authorities (CAs), as there have been some spectacular failures.”
Janke said: “When we started this, we said 'let's build for the public, the home office workers and it has to be secure and familiar and the call has to be clear and crisp'.”
I concluded the meeting with Janke (who was in London) and Zimmermann (who was in Washington DC) by asking them what they thought about the state of the take-up of encryption, particularly as the likes of the Information Commissioner's Office (ICO) have called for greater take-up of encryption.
Janke said: “Ten years ago no one knew about encryption, now the everyday user understands it, so it has to be user friendly and about true peer-to-peer connectivity.”
Zimmermann said: “Everything comes down to having something everybody can use. We see making it easy with PKI, but the technology to deliver it comes at a price and you are at risk like DigiNotar. What is a more spectacular failure for PKI? It is difficult to get it right, it is easy to use and we do not depend on PKI and we have got something your mum can use without being dependent on PKI.”
Janke said: “We also understand the huge requirement for people to use secure communications. I tried everywhere and care about security, so we created a secure coding platform that encrypts communications to the network and then connects to the recipient.”
The issue of security is key to so many communications, be it soldiers on active duty talking to families back home, politicians speaking or the transmission of data. Zimmermann's claim that his interest in this area has been as persistent as in secure email, and that he was just waiting for the technology to catch up, suggests that this is the right time for such a launch.
There are other features, such as distinct colouring of the messages and an ability to 'burn' messages after a fixed time, similar to the 'Kill Pill' concept so needed within email clients, and many will find this useful.
Many may be suspicious of the concept of total user control of encrypted communications without full knowledge and visibility for the corporate IT department, but with more tweaking expected from Silent Circle, Zimmermann's new venture may have arrived at the right time for some.