August 15, 2006 4:00 AM PDT

E-mail security hero takes on VoIP

LAS VEGAS--Phil Zimmermann gave free e-mail encryption to the world more than a decade ago in the form of software called Pretty Good Privacy.

Now Zimmermann, who became an instant Internet hero in part because of a threat of federal prosecution for much of the 1990s, is trying to bring the same kind of encrypted security to Internet phone calls.

Last year, Zimmermann announced software called Zfone, which wraps voice over Internet Protocol (VoIP) calls in an additional layer of security. Today, Zimmermann is busy trying to convince VoIP makers to glue Zfone into their own products and announced the first licensing deal this week.

Phil Zimmermann

"The architecture matters," Zimmermann, who is self-funding Zfone, said in an interview at the recent Defcon hacker convention here. "This is a different way of doing it and it's better."

Zimmermann's efforts to popularize Zfone (which uses its own protocol called, of course, ZRTP) place him at the center of a growing political and technical debate about how to secure VoIP conversations--while allowing police and intelligence agencies to conduct electronic surveillance.

Claiming that terrorists and drug criminals will use VoIP, the Bush administration has demanded that broadband Internet providers provide backdoors for government wiretapping. In June, a federal appeals court ruled that such requirements were permissible under a 1994 law called the Communications Assistance for Law Enforcement Act, or CALEA. (The ruling is being appealed.)

Wire taps

Zimmermann's software makes those political debates far less relevant. Instead of requiring users to trust their government (or broadband and VoIP providers), Zfone scrambles the entire conversation from end to end. Think of it by way of analogy: It's as secure as handing a letter directly to its recipient--bypassing potentially nosy workers at the neighborhood post office.

Encrypting VoIP is especially important because computer networks are not nearly as safe as the public switched telephone network, Zimmermann says.

"You can have point-and-click wiretapping," he said. "And look at who's going to be doing it. It's not just going to be the major government agencies. It's going to be organized crime. It's going to be criminals on the other side of the world."

Seth Schoen, staff technologist for the Electronic Frontier Foundation in San Francisco, calls end-to-end encryption "very desirable."

"It takes intermediaries out of the picture in determining whether your communications are secure," Schoen said. "By analogy, it has fewer moving parts and fewer things that can go wrong. Or if you prefer, fewer entities that can betray your privacy."

Crypto-enabled networking gear

Zfone has met with some success. A beta version released in March (available for OS X, Windows, and Linux) works with VoIP software such as Gizmo and Free World Dialup that supports the SIP standard.

On Monday, networking gear maker Borderware said that it had licensed Zfone for use with its SIPassure product. The Toronto-based company's lineup includes firewalls and gateways, mostly designed for enterprise use.

Borderware said in a statement that the licensing arrangement extends "VoIP security provided to organizations from threats such as spam to denial-of-service attacks to include eavesdropping, spying and wiretapping."

Translated, that means Borderware customers won't be caught up in what some reports have alleged to be a huge National Security Agency dragnet that intercepts massive amounts of data that flow through the Internet. While it's still possible to figure out who's talking to whom, the contents of the conversations would in theory remain private.

The stakes are huge. Cisco Systems already has sold millions of VoIP phones, and research firm Gartner predicts that in four years, 30 percent of U.S. homes will use only VoIP or cellular phones.

Zfone isn't the first product to encrypt online audio, of course. Around the same time that the federal government said it would not prosecute Zimmermann on charges of exporting PGP, he released a voice-encryption utility called PGPfone. But the lack of readily available broadband at the time relegated it to a niche product.

Skype does use encryption, but professional cryptologists have been consistently skeptical of its security because its implementation is proprietary and the source code is secret.

An analysis by computer scientist Simson Garfinkel says "it is impossible to validate the company's claims regarding encryption." A subsequent presentation at the BlackHat Europe conference in March said the right algorithms were being used, but that there's "no way" to know if a backdoor for eavesdropping exists.

By contrast, in an effort to demonstrate that there are no backdoors, Zimmermann has made Zfone's source code publicly available. In addition, the ZRTP protocol has been submitted to the Internet Engineering Task Force for review.

Still, Zimmermann's effort to build encryption into VoIP hardware could face a familiar obstacle: the U.S. government.

The FBI has drafted legislation, first disclosed by CNET News.com in July, that would force makers of networking gear to build in backdoors for eavesdropping. If approved by Congress, it would prevent companies from following Borderware's lead--unless they included mandatory surveillance backdoors for police and spy agencies.


4 comments

Network VOIP
That's nice if you control both ends of the call.

What do these privacy concerns mean for people who are using VOIP without knowing it, either because at some point the call goes voip or because they're using a voice product from their cable company or ISP?
Posted by TV James (680 comments )
ENCRYPT IT YOURSELF
You might just be better off using your own encryption device.

http://zxo.blogspot.com/2006/05/secure-phone-miser-telephone.html
Posted by zxocuteboy (45 comments )
You might just be better off
http://www.analogstereo.com/dual_action_cleanser.htm
Posted by Ipod Apple (152 comments )
VoIP encryption
Even if the government does require a backdoor, would it still be illegal for a company to distribute an encryption program on the web that could be installed by the sender and recipient on their client or cell phone? Then the ISPs would be off the hook and those who wanted could talk privately without worry of spying.
Posted by NSWorldwide (6 comments )