May 22, 2006

Voice Encryption May Draw U.S. Scrutiny

SAN FRANCISCO, May 21 — Philip R. Zimmermann wants to protect online privacy. Who could object to that?

He has found out once already. Trained as a computer scientist, he developed a program in 1991 called Pretty Good Privacy, or PGP, for scrambling and unscrambling e-mail messages. It won a following among privacy rights advocates and human rights groups working overseas — and a three-year federal criminal investigation into whether he had violated export restrictions on cryptographic software. The case was dropped in 1996, and Mr. Zimmermann, who lives in Menlo Park, Calif., started PGP Inc. to sell his software commercially.

Now he is again inviting government scrutiny. On Sunday, he released a free Windows software program, Zfone, that encrypts a computer-to-computer voice conversation so both parties can be confident that no one is listening in. It became available earlier this year to Macintosh and Linux users of the system known as voice-over-Internet protocol, or VoIP.

What sets Zfone apart from comparable systems is that it does not require a web of computers to hold the keys, or long numbers, used in most encryption schemes. Instead, it performs the key exchange inside the digital voice channel while the call is being set up, so no third party has the keys.

Zfone's introduction comes as reports continue to emerge about the government's electronic surveillance efforts. A lawsuit by the Electronic Frontier Foundation, a privacy rights group, contends that AT&T has given the National Security Agency real-time access to Internet communications.

In the wake of 9/11, there were calls for the government to institute new barriers to cryptography, to avoid its use in communications by enemies of the United States. Easily accessible cryptography for Internet calling may intensify that debate.

"I'm afraid it will put front and center an issue that had been resolved in the individual's favor in the 1990's," said James X. Dempsey, policy director for the Center for Democracy and Technology, a Washington-based public policy group.

The Federal Communications Commission has begun adopting regulations that would force Internet service providers and VoIP companies to adopt the technology that permits law enforcement officials to monitor conventional telephone calls. But for now, at least, F.C.C. regulation exempts programs that operate directly between computers, not through a hub.

"From the F.C.C.'s perspective you can't regulate point-to-point communications, which I think will let Phil off the hook," said Marc Rotenberg, director of the Electronic Privacy Information Center, an advocacy group in Washington.

Zfone may face more of a challenge in Europe, where the British government is preparing to give the police the legal authority to compel both organizations and individuals to disclose encryption keys.

But Mr. Zimmermann, 52, does not see those fearing government surveillance — or trying to evade it — as the primary market. The next phase of the Internet's spyware epidemic, he contends, will be software designed to eavesdrop on Internet telephone calls made by corporate users.

"They will have entire digital jukeboxes of covertly acquired telephone conversations, and suddenly someone in Eastern Europe is going to be very wealthy," he said.

While Mr. Zimmerman is giving away his software so far, his goal is to attract VoIP software and hardware developers to license his technology and embed it in their products.

Zfone can automatically encrypt any call between users of freely available VoIP software programs like X-Lite, Gizmo or SJphone. It can be downloaded at www.philzimmermann.com.

The system does not work with Skype, the VoIP system acquired by eBay, which uses its own encryption scheme. But at a conference last week in Cyprus, German officials said they had technology for intercepting and decrypting Skype phone calls, according to Anthony M. Rutkowski, vice president for regulatory affairs and standards for VeriSign, a company that offers security for Internet and phone operations.

Mr. Zimmermann said he had not yet tested Zfone's compatibility with Vonage, another popular VoIP service.

Mr. Zimmermann contends that the nation is better off with strong cryptography. Indeed, Zfone can be considered an asset, he said, because it allows people to have secret conversations without hiding their Internet protocol addresses, which could be traceable geographically. Those observed having a secured conversation could come under suspicion, of course. But for that reason, he argued, sophisticated criminals or terrorists are unlikely to use the technology.

"I'm sympathetic to the needs of the intelligence community to catch the bad guys," he said. "I specifically protect the content the criminals want, while simultaneously not interfering with the traffic analysis that the N.S.A. is trying to do. You could make the case that I'm being socially responsible."