07/28/10 - Information Security: Why You Need It & How to Get It

(Interviewed by Louis James, Editor, International Speculator)
L: We are talking today with one of Doug Casey's favorite cryptology technologists, a once-shadowy figure named… um… I'm never sure with cypherpunk types. What name can we use? We're on the record here.
Paul: [Laughs] Paul Rosenberg is fine, Lobo. We won't be breaking any laws today.
L: All right then. Paul Rosenberg. Paul is a longtime friend of Doug's and the author of… well… is there anything you'd care to admit to being the author of?
Paul: I'll go on the record and say that I'm the author of A Lodging of Wayfaring Men and a bunch of other books as well.
L: That's a book Doug has commented on favorably and recommended a number of times. It's full of interesting ideas, with perhaps those on information privacy – and private commerce – being among the most discussed. Paul's company also publishes the annual Electronic Police State rankings. In related news, there's been a lot of commentary – we've mentioned it in Casey's Daily Dispatch – about the school district in Pennsylvania that spied on its students in their homes via the cameras in the computers they gave the kids.
Paul: Yeah. Pretty horrifying.
L: Horrifying, but it seems a lot of people are blasé about it. We were talking earlier about how, in my rabble-rousing days before joining the respectable Casey Research team, I was hip to Internet security, I was trying to encourage everybody to use PGP, or at least Hushmail, and trying to get people to secure their communications – to use virtual envelopes rather than postcards for their online communication.
It was like pulling teeth to get anyone to even consider it, and nowadays it seems like even fewer people have a clue, let alone care about this issue. Here we have this slap-in-the-face example of exactly why people should take electronic privacy seriously, but people are more interested in whether or not Sarah Palin's daughter will get married.
What do you think? Do people care? Enough?
Paul: Certainly not enough, but more people care than you might guess. A lot of the focus is on the commercial side now. Many companies are setting up their own encrypted "tubes," for lack of a better word, between themselves and their clients, and between themselves and their employees. Commercial espionage is a huge, huge field – lots of important designs, sales plans, and documents are stolen all the time. These are extremely valuable assets.
A lot of doctors, lawyers, accountants, and investment people are starting to wake up to the fact that they're handling important, valuable information of their own and other people's, and that they need to protect it. It's hard for me to say how many individuals "get" that their information is being taken from them, but it's a large and growing number.
L: There's a lot of talk about identity theft these days – not so much about concerns of Big Brother, which we can come back to later. Identity theft does seem to be in the news a lot – is this threat what might finally wake the average Joe or Josephine up?
Paul: I doubt it, not until it happens to them. Average folks might be more likely to learn about it through their employers, as companies move more and more to secure their data.
L: We've probably already gone over most of our readers' heads, so let's pause and go over some basics. What kind of problems could the average person face who hasn't taken any steps to secure his or her information? And how big is the problem – is it rare like a lightning strike or more common? Should the average guy or gal worry about this?
Paul: First of all, people's information is being gathered without their knowledge or consent every single day. Every email you send, personal information on you is being gathered. Every time you visit a web site, you reveal your IP address, which can be tied to you very easily.
L: And you're not just talking about governments…
Paul: Right. There are people who grab this sort of information, and they sell it. That makes it easy to build a dossier on somebody; a file listing exactly what web sites they go to, how long they spend there, where they go next, and whom they relate to.
L: Who does this?
Paul: Your emails are saved a number of ways by a number of parties. Certainly, Google and Yahoo and all such services save emails. They save drafts, not just emails – the systems save automatically every two minutes or so, and they save everything. Once they've got it, they keep it.
L: And those guys can be hacked – or subpoenaed, which is just a legalistic hack. But can anyone really use such a chaotic mish-mash of data?
Paul: Yes and yes. It used to be that people would think in terms of word searches – people might worry, for example, about including the word "bomb" in an email. But the searchers are way beyond that. They have programs that can read the context of what you're saying.
L: I didn't know that – so much for being able to hide in the massive volume of global communications.
Paul: Hiding in the open was never a very secure strategy. But now they can keep track of what you're saying and whom you're communicating with. They can see how often you communicate with them, and whom they're communicating with – two, three, and four layers deep – and this is going on every single day. And these people are selling it to other people.
L: Let's be clear here. I can imagine Google selling demographic information on users to advertisers, or at least the ability to target certain groups of users without giving the data away. But I can't see them selling dossiers on whom their Gmail users are communicating with. Do you mean that third parties collect this same information as it flows by on the Internet?
Paul: I do. There are large markets, not only in raw data but in refined data. Much of it is fully legal.
L: Can you give us an example?
Paul: Sure. A friend of mine was online with one of the big stock brokers – a well-known company I won't name – to change an address or something like that. They required my friend to fill in a security page. The page asked, "Is your brother's name so-and-so and is his address such-and-such?" The guy ignored the question and clicked through. Then it asked, "Does your family come from such-and-such a place, and were you raised at such an address in such a year, and then you bought a house at this place at such a time?"
My friend was shocked and called their office. "I never gave you that information," he said, "what is this?" Their reply was: "We got it all from public sources. Nothing's illegal about what we're doing; we're just keeping you safe by trying to verify your identity."
This kind of information is being bought and sold every day, all over the world.
L: By whom?
Paul: All the governments, for starters, which is really, really dangerous. There are private parties as well, ranging from companies like Google and Yahoo, to Eastern gangsters. The hackers gather information and send it to data refineries that in turn link it to other data sets, and sell that to the guys who steal identities and seize bank accounts, and other things like that. It's a big, big deal.
L: I can see this happening, but is it really possible for this to be happening to everybody? How could anybody possibly have computers big enough to store that much information on all the hundreds of millions of people online all around the world?
Paul: Well, I'm sorry to say that it's not that hard anymore. It's certainly out of range for you and me, but if you run an intel bureau for any medium-sized nation-state, it's not that hard. For two or three billion dollars a year, you can surveil just about everything on the Internet. You need an intelligence network in place that can place sensors in key spots. Gathering the data is not that hard. The issue now is searching the data and analyzing it – taking this fire hose of data and finding important bits in it that you need. That's still a problem, but with computer technology increasing according to Moore's Law, it's getting easier all the time.
L: When this threat first came up, it seemed to me that there was no way a federal bureau of information processors could keep up with all the seventeen-year-olds in the world who are constantly creating runarounds and hacks for things. But it sounds like I was being too optimistic.
Paul: I'm sorry to tell you that I think you were.
L: I don't know if you can answer this, but is there anybody out there selling packages of fake identities? Not stolen ones, but, for example, a computer with a pre-installed history of cookies and addresses that have been browsed, etc. – something that gives you a virtual history like what we might guess Mother Teresa would have generated.
Paul: I'm not aware of it happening, but it has been talked about. People have talked about buying computers, using them for a while, and just trading them among themselves every few months.
L: Hm. All this data gathering and compiling, and making use of people's information – it all relies on people being ignorant about the process and not doing anything about it. If lots of people start spoofing the system, or misdirecting it, or hiding from it, then the whole problem comes into question.
Paul: Right. But the system can survive as it is, even with a lot of people choosing to evade it, shall we say. The system can still go on, it'll just be missing more and more people. They won't stop. Data theft is a gigantic business. According to some fairly good estimates, the whole industry made more profit than illegal drugs last year.
L: Wow!
Paul: I can't verify those numbers, but it was a pretty good organization that did the research; and the numbers seem solid.
L: How often does a person suddenly find their credit cards all maxed out, their identity and banking info being used by somebody else, and such? Is it one in a thousand, one in a million?
Paul: I don't have proper numbers, but it's way more than one in a thousand. It's more like one in a hundred. It's often small – somebody gets a credit card number and a couple of charges show up on your statement. You notice it, you call, and eventually it gets straightened out. It isn't always the full, flaming identity theft.
Sometimes they'll take over a bank account, which they'll use for laundering money. They take over an account and send it money, then send it to another, and another. Eventually they take it out on the other end via Western Union.
L: So, it's happening pretty frequently. And even if you haven't been hit directly, you should be concerned because, at the very least, your and everybody else's privacy is being violated. Odds are, every single person reading this interview has information being collected on them, and being passed around.
Paul: No question. It happens everywhere, every day.









