Phil Zimmermann gave free email encryption to the world more than a decade ago in the form of software called Pretty Good Privacy.
Now Zimmermann, who became an instant Internet hero in part because of a threat of federal prosecution for much of the 1990s, is trying to bring the same kind of encrypted security to Internet phone calls.
Last year, Zimmermann announced software called Zfone, which wraps Voice over Internet Protocol (VoIP) calls in an additional layer of security. Today, Zimmermann is busy trying to convince VoIP makers to glue Zfone into their own products, and announced the first licensing deal this week.
"The architecture matters," Zimmermann, who is self-funding Zfone, said in an interview at the recent Defcon hacker convention. "This is a different way of doing it and it's better."
Zimmermann's efforts to popularise Zfone (which uses its own protocol called, of course, ZRTP) place him at the centre of a growing political and technical debate about how to secure VoIP conversations — while allowing police and intelligence agencies to conduct electronic surveillance.
Claiming that terrorists and drug criminals will use VoIP, the Bush administration has demanded that broadband Internet providers provide backdoors for government wiretapping. In June, a federal appeals court ruled that such requirements were permissible under a 1994 law called the Communications Assistance for Law Enforcement Act, or CALEA. (The ruling is being appealed.)
Zimmermann's software makes those political debates far less relevant. Instead of requiring users to trust their government (or broadband and VoIP providers), Zfone scrambles the entire conversation from end to end. Think of it by way of analogy: it's as secure as handing a letter directly to its recipient — bypassing potentially nosey workers at the neighbourhood post office.
Encrypting VoIP is especially important because computer networks are not nearly as safe as the public switched telephone network, Zimmermann says.
"You can have point-and-click wiretapping," he said. "And look at who's going to be doing it. It's not just going to be the major government agencies. It's going to be organised crime. It's going to be criminals on the other side of the world."
Seth Schoen, staff technologist for the Electronic Frontier Foundation in San Francisco, calls end-to-end encryption "very desirable".
"It takes intermediaries out of the picture in determining whether your communications are secure," Schoen said. "By analogy, it has fewer moving parts and fewer things that can go wrong. Or if you prefer, fewer entities that can betray your privacy."
Crypto-enabled networking gear
Zfone has met with some success. A beta version released in March (available for OS X, Windows, and Linux) works with VoIP software such as Gizmo and Free World Dialup that supports the SIP standard.
On Monday, networking gear maker Borderware said that it had licensed Zfone for use with its SIPassure product. The Toronto-based company's line-up includes firewalls and gateways, mostly designed for enterprise use.
Borderware said in a statement that the licensing arrangement extends "VoIP security provided to organisations from threats such as spam to denial-of-service attacks to include eavesdropping, spying and wiretapping".
That means Borderware customers won't be caught up in what some reports have alleged to be a huge National Security Agency dragnet that intercepts massive amounts of data that flow through the Internet. While it's still possible to figure out who's talking to whom, the contents of the conversations would in theory remain private.
The stakes are huge. Cisco Systems already has sold millions of VoIP phones, and research firm Gartner predicts that in four years, 30 percent of US homes will use only VoIP or cellular phones.
Zfone isn't the first product to encrypt online audio, of course. Around the same time that the federal government said it would not prosecute Zimmermann on charges of exporting PGP, he released a voice-encryption utility called PGPfone. But the lack of readily available broadband at the time relegated it to a niche product.
Skype does use encryption, but professional cryptologists have been consistently sceptical of its security because its implementation is proprietary and the source code is secret.
An analysis by computer scientist Simson Garfinkel says: "It is impossible to validate the company's claims regarding encryption." A subsequent presentation at the BlackHat Europe conference in March said the right algorithms were being used, but that there's "no way" to know if a backdoor for eavesdropping exists.
By contrast, in an effort to demonstrate that there are no backdoors, Zimmermann has made Zfone's source code publicly available. In addition, the ZRTP protocol has been submitted to the Internet Engineering Task Force for review.
Still, Zimmermann's effort to build encryption into VoIP hardware could face a familiar obstacle: the US Government.
The FBI has drafted legislation — first disclosed by ZDNet UK's sister site, CNET News.com, in July — that would force makers of networking gear to build in backdoors for eavesdropping. If approved by Congress, it would prevent companies from following Borderware's lead — unless they included mandatory surveillance backdoors for police and spy agencies.
Talkback
Perhaps VoIP companies should consider putting out two versions of their products on the market. A US one (with backdoor) and a non-US one (without backdoor). Or risk that others, non-US orientated, get a hold of the other 93% of the world population. Thing is that even a hint of eavesdropping possibilities isn't considered cool anymore. Far from it actually. Most certainly if there's an increased risk some clueless and not well trained goverment official picks up one of your conversations and next thing you know, thanks to new anti-terrorist and a few other laws, your assets are frozen and you'll be thrown in jail until you have proven your innocence.