Subject: WSJ article on PGP
Date: Sun, 30 Apr 1994 10:04:13 MET
Organization: National Obscurity Agency - Anonymous Remailing Service
Remailed by: an...@desert.hacktic.nl
X-Remailer-Software: Remail for Waffle 1.3
From The Wall Street Journal
Vol. LXXV No. 138
Thursday April 28, 1994
Popularity Overseas Of Encryption Code Has the U.S. Worried
Grand Jury Ponders if Creator 'Exported' the Program Through the Internet
`Genie Is Out of the Bottle'
By William M. Bulkeley
Staff Reporter of The Wall Street Journal
BOULDER, Colo. - During the battle between Boris Yeltsin and the Russian
Parliament last October, with Russian freedom hanging in the balance, software
author Philip Zimmermann received an electronic-mail message from Latvia.
"If dictatorship takes over Russia," it read, "your PGP is widespread from
Baltic to Far East now and will help democratic people if necessary."
PGP - for Pretty Good Privacy - is a program written by Mr. Zimmermann for
scrambling computer messages. Dissidents around the world use it to protect
their electronic communications from the prying eyes of secret police.
But PGP has a darker side. In Sacramento, Calif., police lament that last
year, PGP encryption blocked them from reading the computer diary of a
convicted pedophile and finding critical links in a suspected
Admired by freedom lovers and criminals alike, PGP is one thing:
uncrackable, or as close to it as a secret code has ever been. Even U.S.
government snoopers can't break it. And that places Mr. Zimmermann - a
paunchy, bearded, 40-year-old computer consultant who is fast becoming a
folk hero on the information highway - in peril.
A federal grand jury in San Jose, Calif., is examining whether he broke
laws against exporting encryption codes. The Federal Bureau of Investigation
suspects that Mr. Zimmermann had a role in putting PGP on the Internet, the
world-wide web of computer networks, making it easy for foreign governments
and terrorists to use it and render their computer traffic impervious to
Mr. Zimmermann's lawyer says his client could face charges carrying a
prison term of up to 51 months.
The world-wide use of Mr. Zimmermann's software has altered forever
notions of government surveillance, electronic privacy and export bans on
cryptography. Until recently, difficult codes could always be deciphered
by stealing the key that unraveled the encryption puzzle. During World
War II, for example, the Allies captured a German encrypting Enigma machine,
allowing them to crack Nazi communications. U.S. convoys taking munitions
to Britain used it to help them elude German U-boats.
Keys Are the Key
But PGP, like a growing number of encryption programs, takes advantage of
a new, mathematically sophisticated encrypting technology that requires two
different keys, both of which are necessary to unlock the puzzle. The sender
needs only one to send a message. The receiver decodes the message with the
second key - which never needs to leave his computer, where it can be
protected by passwords from easy pilfering. Although the mathematics are
daunting, the program makes the process quick and straightforward.
In an age when computers can whip up codes of devilish complexity and
zip them around the globe for anyone with a personal computer, the lot of
the encryption policeman is not a happy one. The Internet alone reaches 20
"The genie is out of the bottle," says Leonard Mikus, president of
ViaCrypt, a Phoenix company that sells a $100 version of PGP in the U.S.
"There's no way anybody can stop the technology."
The Personal Touch
The availability world-wide of encryption programs makes export controls
"a farce," says Stephen Walker, a former top National Security Agency
cryptographer who is now president of Trusted Information Systems Inc., a
research firm in Glenwood, Md. He says he knows European government
officials who use PGP for their personal e-mail. "We have to recognize
what's out there."
Mr. Zimmermann, a twice-arrested anti-nuclear-war activist, became an
electronic freedom-fighter in 1990. At that time, the FBI and the NSA were
pushing for a law that would ban certain forms of encryption, and force
computer makers to build into their machines hardware that would allow
law-enforcement agencies to decipher any code that was used. The proposal
outraged confidentiality-minded corporations and computer users alike.
Eventually, it was dropped.
But while the issue was still open, Mr. Zimmermann took it upon himself
to thwart the government's purpose by working on what came to be PGP - an
impenetrable code that could be used by virtually anyone. "I did it to
inoculate the body politic" from the danger of government prying, he says.
Mr. Zimmermann stopped consulting and holed up in the computer-filled
workroom in the back of a bungalow in Boulder, where he lives with his wife
and two children. He said he spent six months of 12-hour days writing the
program, drained his family's savings and missed five months of mortgage
payments. He finished the program in June 1991, and named it Pretty Good
Privacy - in deference to Ralph's Pretty Good Grocery in humorist Garrison
Keillor's Prairie Home Companion radio show.
When Mr. Zimmermann was through, he gave the encryption program to
friends. One of them, whom he won't identify, placed it on the Internet,
sometime around June or July 1991, he says. Once there, any computer user
in the world with access to the Internet could download it. Almost
immediately, many did.
But federal laws covering munitions prohibit exporting encryption software
without a license. A year ago, U.S. Customs Service agents asked Mr.
Zimmermann how his software went overseas. In September the U.S. Attorney's
office in San Jose, which has expertise on computer crimes because of its
proximity to Silicon Valley, told Mr. Zimmermann that he was a target of an
investigation. Mr. Zimmermann says he neither sent PGP overseas, nor posted
it on computer systems.
RSA Data Security Inc. is also angry at Mr. Zimmermann. The
computer-security firm says that in creating PGP, Mr. Zimmermann used one of
its patented cryptographic algorithms without permission, after RSA had
denied him a free license.
"We sometimes joke that PGP stands for `Pretty Good Piracy,' " says James
Bidzos, president of the Redwood City, Calif., firm. "What he did was
simple. In this business, you simply don't rip off people's intellectual
property." RSA, which sells its technology to most of the major software
makers and makes an encryption program called MailSafe, hasn't sued Mr.
Zimmermann. But it has asserted its legal rights in letters to anyone it
catches using PGP. As a result, few companies use PGP and many universities
and commercial on-line services keep it off their computers.
Mr. Zimmermann says that technically he hasn't violated RSA patents
because he didn't sell the software until he signed the deal with ViaCrypt,
which does have a license to use the algorithm. He notes that the on-line
documentation for PGP suggests that people who use the program should contact
RSA about a license.
For many individuals, PGP has become something of a standard for
encrypted e-mail on the Internet. A Glendale, Calif., college student who
goes by the name Monk on the Internet says, "It's free; it's solid; it
promotes privacy. How can you argue with it?" While the NSA wants to keep
control of encryption, "This teeny little company with a wonderful hero has
changed that," says Thomas Lipscomb, president of InfoSafe Corp., a New York
developer of security devices for CD-ROM publishers.
Fear that hackers may intercept e-mail has spawned a grass-roots cult of
PGP users in the Internet community. Craig McKie, a sociology professor at
Carleton University in Ottawa, encrypts chapters of a new book with PGP as
he sends them to his publisher, fearing that otherwise, "a gazillion copies
would go flying off into the night." Lance Cottrell, an astronomer at the
University of California, San Diego, says he uses PGP to share unpublished
observations with collaborators to keep others from claim-jumping a
PGP also helps make the otherwise leaky Internet safe for commerce.
Members of the Electronic Frontier Foundation, a group that advocates
electronic free speech, can pay dues by sending PGP-encrypted credit-card
numbers over computer networks. S. Soloway Inc., a Palo Alto, Calif.,
accounting firm, scrambles backup tapes with PGP, so that clients needn't
worry about lost confidentiality if the tapes are lost or stolen. Kenneth
Bass, a Washington lawyer, communicates with some clients and other
attorneys in PGP code.
For human-rights advocates, the consequences of compromised sources can
be devastating. Daniel Salcedo, who works for the Human Rights Project of
the American Association for the Advancement of Science in Washington,
teaches activists in El Salvador and Guatemala to use PGP. "In this
business, lots of people have been killed," Mr. Salcedo says.
Alan Dawson, a writer living in Thailand, says rebels opposing the regime
in neighboring Burma are using PGP to encrypt information sent among rebel
groups. Before use of PGP became widespread, Mr. Dawson wrote Mr.
Zimmermann, "captured documents have resulted directly in arrests, including
whole families and their torture and death."
But investigators say PGP and other encryption systems aid crime.
William Spernow, a computer-crime specialist with Search Group, a federally
funded police-training firm in Sacramento, Calif., predicts criminals will
routinely encrypt information within two years. "This could signal the end
of computer forensics before it even gets off the ground," he says.
Mr. Bidzos of RSA says that he has had several calls from police in the
Miami area asking for help in decrypting information on computers seized in
drug raids. He says the encryption is unbreakable. Mr. Spernow studied one
case where a criminal conducted a fraud by keeping a double set of books -
the real set encrypted in PGP.
Mr. Zimmermann says he is disturbed by criminal use of encryption, but
thinks the benefit of providing electronic privacy to everyone outweighs
the costs. "It is impossible to obtain real privacy in the information age
without good cryptography," he says.
Encryption also raises some eyebrows inside corporations. Mr. Bass, the
Washington lawyer, notes that most companies assert the right to read
employees' e-mail, since it is composed on their computers and travels their
networks. "What will they do when people start encrypting messages to each
other?" he asks.
Without e-mail encryption, widespread surveillance would be easier. In
theory, CIA, FBI and police computers could tap telephone cables and look
for key words such as "missile" or "bomb" to find people who needed closer
watching. Mr. Zimmermann says: "This is analogous to drift-net fishing."
Computerized encryption "is a technology that for a change benefits our
civil liberties," he adds. "The government law-enforcement agencies have
benefited from many technologies," such as telephones that made wire-
tapping undetectable. In fact, Mr. Zimmermann is currently seeking funding
for a project to create a phone that uses a personal computer equipped with
a microphone and a speaker, to encrypt voice conversations just as PGP
encrypts data exchanges.
Mr. Zimmermann has been suspicious of the government for a long time.
After growing up in Boca Raton, Fla., where a children's book on secret
writing first interested him in codes, he moved to Boulder in 1978 and
worked as a computer engineer. After he was laid off by Storage Technology
Corp. in 1985, along with 3,000 others, he became a consultant specializing
in telecommunications and data security.
In the 1980s he became worried about the nuclear-arms race. He and his
wife investigated moving to New Zealand. But they stayed in Boulder, an
antiwar hotbed, where he lectured on arms policy.
Mr. Zimmermann says that he has not been active on the Internet and adds,
"I'm not a cipherpunk - I wear a suit when I visit clients." But he says
he agrees with the electronic free-speech ideals of the cipherpunks, the
Internet habitues who fill cyberspace with blistering criticisms about the
U.S. government's proposal to promote use of the so-called "Clipper chip."
The chip would let companies and individuals encrypt sensitive
communications, but the government would hold a key making it possible -
with court permission - to decipher them for law-enforcement or
Mr. Zimmermann thinks the Clipper project confirms the need for PGP by
showing the government's desire to read electronic mail. "They're treating
us like an enemy foreign population," he says.
This message was mailed through the remailer an...@desert.hacktic.nl
Due to the double-blind, any mail replies to this message will be anonymized,
and an anonymous id will be allocated automatically. You have been warned.
Please report any problems, inappropriate use etc. to ka...@desert.hacktic.nl