Internet security overall is terrible: Whitfield Diffie

If writer David Foster Wallace didn’t at 46 kill himself three years ago and had lived a couple of decades more, he would probably look like cryptographer Whitfield Diffie, who as a scientific advisor to Florida-based Uniken Inc was recently in Mumbai to deliver a talk. Diffie claims not to be familiar with the cerebral author’s works, while all the same curious about Wallace’s place of origin and alma mater.

Diffie is credited with the invention of, among other things, public key cryptography along with Martin Hellman in 1976. Cryptography is the study of secret writing and public key cryptography allows a person to use a public key to encrypt a message (as in emails), which the recipient can decode only with a private key, ensuring a secure transmission of data. The invention was critical to the subsequent rise of the internet and, especially, e-commerce. In a chat with DNA, Diffie also touched upon the essentiality of privacy, for which he’s been an ardent advocate. Excerpts:

What did you make of the Watergate scandal which signified one of your passions: privacy and its invasion?
I watched the television with relish (laughs).

Was privacy such a prized concept then?
It was not yet a big idea it has become. I know that I believed that we were in a sort of precarious position in that technology could work to either improve freedom of which privacy is one aspect or work to damage it so I’m trying to contribute in ways that I believe are sound.

How would you look at the pre-public key and post-public key days?
I do not believe that internet commerce would have been done without public key. That wasn’t what I envisioned at that time, I was thinking of secure telephones which have never been a big market. But when internet commerce came along it was clear that persuading people to engage in commerce on the internet required giving them a sense of security and public key cryptography was a basis for doing that.

What about the other current applications of cryptography?
There are several things. I mean it’s also applied very much in protecting information that isn’t transmitted, like in people’s laptops.

A lot of technology companies are criticised for applications which people are unaware of but which are said to invade their privacy.

What do you make of all this?
I think this is a transient thing. Techniques for identifying pictures have been around certainly since the 1990s, mostly available to people with more money like the police. And I think it would take tyrannical measures to prevent these things becoming available much more generally and I think they (companies/websites) will have applications I like and I don’t like.

For example, you met some people at a party and you took a picture and you want to remember somebody but you forgot and you have a machine that can do it, that’ll be very attractive to me. On the other hand, there’s something I imagine but I haven’t seen yet. But roughly speaking, cameras on a street will recognise you and when you walk into a shop they will already know what you like and will send a salesman who’s most likely to persuade you or something.

But this is secondary to having a database of everyone and their tastes?
I think that’s a very important point. At the turn of the previous century, there were two billion people and there was no database of any kind. Whereas today there are seven billion and you and I can afford the disk space, we can’t produce the database, that may well not exist for anybody yet, but to store 10 or 100 or 1,000 characters per person, all that is perfectly feasible.

I think that’s just the intrinsic fact of life. Our people have an attitude toward privacy which is that it is something the government protects for you and they allow you to do what they like. I personally care about privacy that’s necessary for a free society. There are a lot of privacy mavens who are willing to see the powers of individuals restricted in order to preserve somebody’s privacy and I’m much less interested in that.

Governments resort to measures like tapping people’s phones to ensure the safety of the country as a whole. Do you subscribe to that?
I don’t object to tapping into people’s phones but I object to telling people they are not allowed to do anything about it. I think that (tapping) is very unlikely to be successful against terrorists but (it’s) very capable of interfering with normal social phenomena like internet commerce. Everybody should have access to these tools to do ordinary, everyday activities and that is important.

Wikileaks has exploded in the public consciousness. Is this proof of a leveller in the last few years that from a time when only governments and their agencies could find out details about you, we now have the vice versa happening, too.

It’s not obvious to me what role cryptography exactly plays in these things. The success of Wikileaks is despite the use of very good cryptography on the networks in question. The success of Anonymous seems to be a manifestation of the miserable state of internet security in general. Cryptography is fairly good but internet security overall is terrible. The way I usually put it is if it’s as hard to break into computer systems as it is to break the crypto systems they use, you wouldn’t be reading about it in newspapers everyday.