Privacy laws could hurt the little guy

Whitfield Diffie has been credited with making privacy possible in the digital age. As a co-inventor of public key cryptography, he is one of the most respected contributors to the field of computer security and is in constant demand as a speaker.

In his day job as Sun Microsystems’ chief security officer, he works out of a corner office in the Sun Labs, just down the hall from where scientists are working on Sun’s next-generation Proximity Communication processors, which seek to do away with wire connections.

Although he describes his job as a “marketing” position, Diffie didn’t sound anything like a corporate pitch man when he spoke with IDG News Service reporter Robert McMillan at his Menlo Park, California office recently. The following is an edited transcript of that conversation.

InfoWorld: When the PC went on the network, there were security implications that nobody thought about. Microsoft has spent the last five years fixing all of the security problems that maybe could have been foreseen.

Wait a minute. I think there are two issues. I think you’ll find that lots of them were foreseen. I think the critical thing [is] that Microsoft showed that its judgment was correct. If it had paid less attention to security, maybe it would have had less market share.

It had no real motivation, I think, until the last few years to try to fix these things. The interesting thing to me is why it’s been so hard for them to do so, because they must have half the smart people I know about in the industry, and in security, working for them. And I think it has to do with the problems of legacy code, and the legacy interface expectations of their customers.

IW: Nowadays we don’t hear about widespread security outbreaks, but there’s a sense that many of the things we do on the Internet are not trustworthy. People going to Web pages do not have confidence that they are where they think they are.

WD: I think that’s a well-placed misconfidence.

IW: So, are things getting better?

WD: I certainly don’t worry about the security arrangements of going to Americanexpress.com, where I probably make the single largest most routine money transfer that I initiate. I’m not the least bit worried about that, partly because of the law, and partly because the essential point of SSL [Secure Sockets Layer — a standard used in secure Web connections] is not about the quality of the cryptography but about the fact that the certificate costs enough money that the thieves aren’t putting up a front.

IW: I think that ties into an interesting point you made earlier: This lack of security is a fair price to pay for growth.

WD: Look at Microsoft. It has 99 percent penetration in the Chinese market and 1 percent payment in the Chinese market. The business asset to them of being able to claim that they were ripped off at the same time that they gained this market of one billion people is fantastic.

IW: What are your current thoughts on privacy?

WD: I believe in privacy, but privacy is just one of a number of considerations. Privacy of political conversation is essential for a democratic society. Is the privacy of information about yourself necessary for it? That’s not very clear. It’s a very squishy concept. In small communities, you have very little privacy, but you have accountability because you know who the members of the community are.

What bothers me is that information about people is so readily available in a way not auditable to them, to organizations like ChoicePoint, who broker it around and enable other people, who are not legally constrained in what they do with it, to make decisions based on it.

I am, on balance, more pleased with the fact that I can learn lots of information about people in minutes by using the Web than I am concerned about the fact that people can learn lots of information about me that way. And I would not like to see laws that restrict people’s ability to go investigate things.

Here’s my scenario: For all its current faults, it won’t be 10 years before facial recognition gets incredibly good. So everybody’s camera will be saying “hi” to the people who go by. Would I like to see that outlawed? I think what outlawing it would be saying [are] that certain classes of big boys — the Fortune 1,000, the secret police — would be allowed to have access to such information, but you little irresponsible children won’t be. So I have a cowboy viewpoint on this.