E-mail security hero takes on VoIP

After creating an e-mail encryption program, Phil Zimmermann tries to license encryption tech for Net phone calls.

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
Declan McCullagh
4 min read
LAS VEGAS--Phil Zimmermann gave free e-mail encryption to the world more than a decade ago in the form of software called Pretty Good Privacy.

Now Zimmermann, who became an instant Internet hero in part because of a threat of federal prosecution for much of the 1990s, is trying to bring the same kind of encrypted security to Internet phone calls.

Last year, Zimmermann announced software called Zfone, which wraps voice over Internet Protocol (VoIP) calls in an additional layer of security. Today, Zimmermann is busy trying to convince VoIP makers to glue Zfone into their own products and announced the first licensing deal this week.

Phil Zimmermann
Phil Zimmermann

"The architecture matters," Zimmermann, who is self-funding Zfone, said in an interview at the recent Defcon hacker convention here. "This is a different way of doing it and it's better."

Locating local internet providers

Zimmermann's efforts to popularize Zfone (which uses its own protocol called, of course, ZRTP) place him at the center of a growing political and technical debate about how to secure VoIP conversations--while allowing police and intelligence agencies to conduct electronic surveillance.

Claiming that terrorists and drug criminals will use VoIP, the Bush administration has demanded that broadband Internet providers provide backdoors for government wiretapping. In June, a federal appeals court ruled that such requirements were permissible under a 1994 law called the Communications Assistance for Law Enforcement Act, or CALEA. (The ruling is being appealed.)

Locating local internet providers

Wire taps

Zimmermann's software makes those political debates far less relevant. Instead of requiring users to trust their government (or broadband and VoIP providers), Zfone scrambles the entire conversation from end to end. Think of it by way of analogy: It's as secure as handing a letter directly to its recipient--bypassing potentially nosy workers at the neighborhood post office.

Encrypting VoIP is especially important because computer networks are not nearly as safe as the public switched telephone network, Zimmermann says.

"You can have point-and-click wiretapping," he said. "And look at who's going to be doing it. It's not just going to be the major government agencies. It's going to be organized crime. It's going to be criminals on the other side of the world."

Seth Schoen, staff technologist for the Electronic Frontier Foundation in San Francisco, calls end-to-end encryption "very desirable."

"It takes intermediaries out of the picture in determining whether your communications are secure," Schoen said. "By analogy, it has fewer moving parts and fewer things that can go wrong. Or if you prefer, fewer entities that can betray your privacy."

Crypto-enabled networking gear
Zfone has met with some success. A beta version released in March (available for OS X, Windows, and Linux) works with VoIP software such as Gizmo and Free World Dialup that supports the SIP standard.

On Monday, networking gear maker Borderware said that it had licensed Zfone for use with its SIPassure product. The Toronto-based company's lineup includes firewalls and gateways, mostly designed for enterprise use.

Borderware said in a statement that the licensing arrangement extends "VoIP security provided to organizations from threats such as spam to denial-of-service attacks to include eavesdropping, spying and wiretapping."

Translated, that means Borderware customers won't be caught up in what some reports have alleged to be a huge National Security Agency dragnet that intercepts massive amounts of data that flow through the Internet. While it's still possible to figure out who's talking to whom, the contents of the conversations would in theory remain private.

The stakes are huge. Cisco Systems already has sold millions of VoIP phones, and research firm Gartner predicts that in four years, 30 percent of U.S. homes will use only VoIP or cellular phones.

Zfone isn't the first product to encrypt online audio, of course. Around the same time that the federal government said it would not prosecute Zimmermann on charges of exporting PGP, he released a voice-encryption utility called PGPfone. But the lack of readily available broadband at the time relegated it to a niche product.

Skype does use encryption, but professional cryptologists have been consistently skeptical of its security because its implementation is proprietary and the source code is secret.

An analysis by computer scientist Simson Garfinkel says "it is impossible to validate the company's claims regarding encryption." A subsequent presentation (click for PDF) at the BlackHat Europe conference in March said the right algorithms were being used, but that there's "no way" to know if a backdoor for eavesdropping exists.

By contrast, in an effort to demonstrate that there are no backdoors, Zimmermann has made Zfone's source code publicly available. In addition, the ZRTP protocol has been submitted to the Internet Engineering Task Force for review.

Still, Zimmermann's effort to build encryption into VoIP hardware could face a familiar obstacle: the U.S. government.

The FBI has drafted legislation, first disclosed by CNET News.com in July, that would force makers of networking gear to build in backdoors for eavesdropping. If approved by Congress, it would prevent companies from following Borderware's lead--unless they included mandatory surveillance backdoors for police and spy agencies.