
PGP's creator extends security to mobile communications with Silent Circle

Seen the news? It seems your phone data is free for the asking. Michael Kassner interviews Phil Zimmermann -- the man behind PGP -- about Silent Circle, an encryption system for portable devices.

"I should be able to whisper in your ear from a thousand miles away."

Says Phil Zimmermann.

Phil and his partners are set to release technology capable of doing just that -- securing email, mobile-phone calls, text messages, and VoIP conferences.

Street cred

If the name Phil Zimmermann sounds familiar, it could be due to a different project of his: PGP encryption, or maybe Phil's passion for causes. Remind me to tell you about the time he was arrested.

Or it might be the many awards Phil has received, the most recent honor being his induction into the Internet Hall of Fame. You may recognize two earlier inductees: Vint Cerf and Linus Torvalds.

Why Silent Circle

I arranged to chat with Phil this past week about his latest endeavor -- Silent Circle. What I thought would be a 30-minute conversation turned into a two-hour session, hinting at Phil's enthusiasm. You'll see why in a second.

I'm not sure of the circumstances, but Michael Janke, a former Navy SEAL, now privacy advocate and author, met Phil. During the ensuing conversation, Michael asked Phil if there was a way for deployed military personnel to have secure phone conversations with their families back home.

Well, that's all it took. Phil and Michael were off and running. Along the way, Vic Hyder, also a former Navy SEAL, and Jon Callas, cryptographer and co-founder of PGP Corporation, joined the team.

Due to time constraints earlier in the week, Phil answered my questions during our phone conversation. Yet another time I regret not learning shorthand.

Kassner: Hello, Phil. Thanks for talking with me. There is little information about Silent Circle on the website. How does it work?

Zimmermann: Sorry about that, but we're unable to release many of the details yet. As you know, I am a strong advocate of open source and cryptographic peer review. I welcome colleagues to contact me and we can make arrangements.

Silent Circle consists of four applications: Encrypted Email, Encrypted Mobile, Encrypted VoIP, and Encrypted Text. The Silent-Circle client encrypts the traffic before sending it to our servers using the mobile device's Wi-Fi or data side of the cellular connection. Our servers then forward the packets onto the appropriate remote party.

I need to clarify that encryption currently takes place on the client for Encrypted Mobile, VoIP, and Text. We're working out some issues with Encrypted Email. So for now, the Silent-Circle client sends email to our servers using TLS. The servers then encrypt the traffic. The sooner we figure out the issue, the better. It is our aim to have zero knowledge of individual encryption keys.

Kassner: Forgive the cliche, but it takes "two to tango." I have tried to get colleagues and friends to use PGP, but they can't be bothered. If I understand, both parties are not required to belong to Silent Circle. The app will still encrypt my portion of the communication. How does that work?

Zimmermann: You are correct; we would prefer both users have the Silent-Circle client. That way traffic is encrypted at all times. If only one user has the client, traffic is encrypted, but only between the user's mobile device and our servers in Canada.

That may not seem like much, but consider military personnel, government officials, and private individuals working or living outside the United States. Silent Circle will offer some "peace of mind" by encrypting communications from the foreign location to our servers.

Kassner: Do you expect to have the same kind of governmental pushback with Silent Circle as you did with PGP?

Zimmermann: No, not at all. Back when I first developed PGP, cryptographers had to justify encryption to the government, particularly if the product was destined for overseas. Today, it's the opposite. Companies and organizations are getting into trouble because they don't have encryption in place.

Kassner: I read that you intend to release the iOS beta of Silent Circle this summer. Will Silent Circle be ported to Android?

Zimmermann: Absolutely. We are running Silent Circle on approximately 100 iOS devices right now. We also have a working Android app, but it isn't as far along. If interested, people can sign up to beta-test Silent Circle on the website. We are looking to go live with Silent Circle this coming fall.

Kassner: The accolades keep piling up -- recognized by magazines, several lifetime achievement awards, and inducted into the Internet Hall of Fame. With Silent Circle this far along, I'm betting you have something else on the horizon. Can you share it with us?

Zimmermann: Securing the cloud. Stay tuned...

Kassner: Phil, for several years I've wanted to ask you a few questions about your efforts to provide some semblance of personal privacy while online.

To start, I'm not sure how many people recall your protracted legal battle when PGP was found outside the United States. I certainly do. And I have a dear friend who does as well. He even has a copy of your now famous "munitions-grade" book, PGP Source Code and Internals. I remember reading the book's preface, particularly the last paragraph:

"A book comprised entirely of thousands of lines of source code looks pretty dull. But then so does a nondescript fragment of concrete -- unless it happens to be a piece of the Berlin Wall, which many people display on their mantels as a symbol of freedom opening up for millions of people. Perhaps in the long run, this book will help open up the US borders to the free flow of information."

Have we learned anything since 1994 or is Silent Circle your PGP stand-in for mobile devices?

Zimmermann: I'd like to think we have. Anyone knowing the history of PGP realizes it was quite a battle and we won. I'm afraid we are in the midst of another battle. What I call the "rising tide of surveillance." And, I'm taking direct aim with Silent Circle.

Kassner: I almost forgot again. Many years ago, I asked you a few questions about PGP for an article. I had one question left, but ran out of nerve before I could ask it. I'm going to try again. You met three gentlemen under somewhat strange circumstances. What was it like to spend time "behind bars" with Carl Sagan, Martin Sheen, and Daniel Ellsberg?

Zimmermann: I was arrested twice actually. The best part was meeting those three gentlemen. I found it ironic that Carl and I spent time discussing the Star Wars/SDI initiative -- while incarcerated.

I also remember being the only one out of 400 arrested at the Nevada Test Site wearing a business suit. I was aware of how hot it was, but I wanted to make a point.

Final thoughts

Phil Zimmermann calls his new technology Silent Circle. Once in the circle, your information and conversations are not available to anyone other than those chosen by you. Just the way Phil wants it.

I would like to thank Phil for sharing his Friday afternoon with me. I finally got my question answered.


14 comments
Ocie3

Apparently, the Silent Circle for EMail has some issue(s) to resolve, but can Mr. Zimmermann tell me how it compares to PKWare Secure ZIP (which is used for e-mail)?

apotheon

I became aware of the Silent Circle endeavor a while ago, but did not know much about it yet (for obvious reasons). It's good to know that the software will provide end-to-end encryption, and it's awfully nice that it'll provide one-end encryption as a fallback. I'll be watching to see how transparent a fallback process that is; if it's pretty opaque, there's nothing stopping the company (perhaps under orders from law enforcement) from eavesdropping whenever it likes. I sure hope Zimmermann and friends decide to release the client software under a good license.

viProCon

Very true, I would think.

Michael Kassner

Secure ZIP is not for mobile devices. And, I think you will agree Phil has a good handle on how to encrypt email on the desktop.

Michael Kassner

As I talked with Phil, I knew this is a topic he cares deeply about.

Ocie3

PKWare does have a mobile app for iPhone, iPad, and Android: http://www.pkware.com/software/securezip/securezip-reader At present, it appears to be for reading encrypted compressed files. The product description includes "Send via E-Mail" but there are no details. The app is a free download. I don't know whether PKWare is developing an app that can be used to create encrypted and/or compressed files on a mobile device, whether iOS or Android. It seems to me that "mobile" devices will eventually have the equivalent of the CPUs that are currently used in laptops and desktops, most likely as SoC. Would you consider, for example, the Microsoft Surface that will run Windows 8 Metro to be a "mobile device"? It appears that it will be as mobile as an iPad and far more powerful.

apotheon

Every software release coming from Zimmermann seems to make source code available under different terms, so I'm not so sure Silent Circle's release will be the same. Considering the strength of Silent Circle over alternatives that already exist seems to be tied to the (subscription) service, it would probably be no damage to the business model at all to make the client fully open source. As such, I have hope that it will be released under a copyfree license, though not very high expectations. If it's not released under at least some kind of open source license (as opposed to just "source available" like Zfone), it also won't be ported as widely to different platforms, which would be a crying shame.

apotheon

PKWare doesn't offer any fallback to encryption for one leg of the journey when the recipient on the other end doesn't have the same software. That's really the killer feature of Silent Circle, as I understand it right now, which means that PKWare's encrypted file compression does not serve quite the same purpose as Silent Circle's planned secure email functionality.

mclghlne

My guess would be that sending direct to the other client would require both clients to support the same encryption. The article mentions that if only one client supports the Silent Circle, only their communication between the mobile device and the server would be encrypted. I agree, however, that ideally the data would not have to pass through their servers...

Michael Kassner

There are some technical issues to resolve and then it all will occur on the client. And, as Phil said, as soon as possible.

Ocie3

With regard to e-mail: "Silent Circle consists of four applications: Encrypted Email, Encrypted Mobile, Encrypted VoIP, and Encrypted Text. The Silent-Circle client encrypts the traffic before sending it to our servers using the mobile device's Wi-Fi or data side of the cellular connection. Our servers then forward the packets onto the appropriate remote party."

The purpose is to prevent someone who intercepts the packet(s) from reading the content, of course. What is unclear to me is why the packets encrypted by the mobile client are sent to the Silent Circle servers instead of directly to the intended recipient, whether for e-mail, voice, VOIP, or SMP. Other than that, yes, PKWare currently doesn't have an app which runs on smartphones and tablets that will encrypt and compress a file, only one that will read them.

Michael Kassner

Silent Circle is for a completely different purpose.

Michael Kassner

I presented your information to Phil. He is a busy guy right now, but I have hopes that he will respond. Thanks.
