Privacy laws could hurt the little guy

Whitfield Diffie has been credited with making privacy possible in the digital age. As a co-inventor of public key cryptography, he is one of the most respected contributors to the field of computer security and is in constant demand as a speaker.

In his day job as Sun Microsystems’ chief security officer, he works out of a corner office in the Sun Labs, just down the hall from where scientists are working on Sun’s next-generation Proximity Communication processors, which seek to do away with wire connections.

Although he describes his job as a “marketing” position, Diffie didn’t sound anything like a corporate pitch man when he spoke with IDG News Service reporter Robert McMillan at his Menlo Park, California office recently. The following is an edited transcript of that conversation.

InfoWorld: When the PC went on the network, there were security implications that nobody thought about. Microsoft has spent the last five years fixing all of the security problems that maybe could have been foreseen.

Whit Diffie: Wait a minute. I think there are two issues. I think you’ll find that lots of them were foreseen. I think the critical thing [is] that Microsoft showed that its judgment was correct. If it had paid less attention to security, maybe it would have had less market share.

It had no real motivation, I think, until the last few years to try to fix these things. The interesting thing to me is why it’s been so hard for them to do so, because they must have half the smart people I know about in the industry, and in security, working for them. And I think it has to do with the problems of legacy code, and the legacy interface expectations of their customers.

IW: Nowadays we don’t hear about widespread security outbreaks, but there’s a sense that many of the things we do on the Internet are not trustworthy. People going to Web pages do not have confidence that they are where they think they are.

WD: I think that’s a well-placed misconfidence.

IW: So, are things getting better?

WD: I certainly don’t worry about the security arrangements of going to Americanexpress.com, where I probably make the single largest most routine money transfer that I initiate. I’m not the least bit worried about that, partly because of the law, and partly because the essential point of SSL [Secure Sockets Layer — a standard used in secure Web connections] is not about the quality of the cryptography but about the fact that the certificate costs enough money that the thieves aren’t putting up a front.

IW: I think that ties into an interesting point you made earlier: This lack of security is a fair price to pay for growth.

WD: Look at Microsoft. It has 99 percent penetration in the Chinese market and 1 percent payment in the Chinese market. The business asset to them of being able to claim that they were ripped off at the same time that they gained this market of one billion people is fantastic.

IW: What are your current thoughts on privacy?