Crypto Rebels

It's the FBIs, NSAs, and Equifaxes of the world versus a swelling movement of Cypherpunks, civil libertarians, and millionaire hackers. At stake: Whether privacy will exist in the 21st century.

By Steven Levy
Wired

May/June 1993

The office atmosphere of Cygnus Support / http://www.cygnus.com/ ], a fast-growing Silicon Valley company that earns its dollars by providing support to users of free software, seems like a time warp to the days when hackers ran free. Though Cygnus is located in a mall-like business park within earshot of US 101, it features a spacious cathedral ceiling overhanging a cluttered warren of workstation cubicles arranged in an irregular spherical configuration. A mattress is nestled in the rafters. In a hallway behind the reception desk is a kitchen laden with snack food and soft drinks.

Today, a Saturday, only a few show up for work. The action instead is in a small conference room overlooking the back of the complex -- a "physical meeting" of a group whose members most often gather in the corridors of cyberspace. Their mutual interest is the arcane field of cryptography -- the study of secret codes and cyphers. The very fact that this group exists, however, is indication that the field is about to shift into overdrive. This is crypto with an attitude, best embodied by the group's moniker: Cypherpunks.

The one o'clock meeting doesn't really get underway until almost three. By that time around fifteen techie-cum-civil libertarians are sitting around a table, wandering around the room, or just lying on the floor staring at the ceiling while listening to the conversations. Most have beards and long hair -- Smith Brothers gone digital.

The talk today ranges from reports on a recent cryptography conference to an explanation of how entropy degrades information systems. There is an ad hoc demonstration of a new product, an AT&T "secure" phone, supposedly the first conversation-scrambler that's as simple to use as a standard-issue phone. The group watches in amusement as two of their number, including one of the country's best cryptographic minds, have trouble making the thing work. (This is sort of like watching Eric Clapton struggle with a new, easy-to-play guitar.) There is discussion of random number generators. Technical stuff, but everything has an underlying, if not explicitly articulated, political theme: the vital importance of getting this stuff out to the world for the public weal.

The people in this room hope for a world where an individual's informational footprints -- everything from an opinion on abortion to the medical record of an actual abortion -- can be traced only if the individual involved chooses to reveal them; a world where coherent messages shoot around the globe by network and microwave, but intruders and feds trying to pluck them out of the vapor find only gibberish; a world where the tools of prying are transformed into the instruments of privacy.

There is only one way this vision will materialize, and that is by widespread use of cryptography. Is this technologically possible? Definitely. The obstacles are political -- some of the most powerful forces in government are devoted to the control of these tools. In short, there is a war going on between those who would liberate crypto and those who would suppress it. The seemingly innocuous bunch strewn around this conference room represents the vanguard of the pro-crypto forces. Though the battleground seems remote, the stakes are not: The outcome of this struggle may determine the amount of freedom our society will grant us in the 21st century. To the Cypherpunks, freedom is an issue worth some risk.

"Arise," urges one of their numbers, "You have nothing to lose but your barbed-wire fences."

Crashing the Crypto Monopoly

As the Cold War drifts into deep memory, one might think that the American body charged with keeping our secret codes and breaking the codes of our enemies -- the National Security Agency (NSA) -- might finally breathe easy for the first time in its 30-year existence. Instead, it is sweating out its worst nightmare.

The NSA's cryptographic monopoly has evaporated. Two decades ago, no one outside the government, or at least outside the government's control, performed any serious work in cryptography. That ended abruptly in 1975 when a 31-year-old computer wizard named Whitfield Diffie came up with a new system, called "public-key" cryptography, that hit the world of cyphers with the force of an unshielded nuke. The shock wave was undoubtedly felt most vividly in the fortress-like NSA headquarters at Fort Meade, Maryland.

As a child, Diffie devoured all the books he could find on the subject of cryptography. Certainly there is something about codes -- secret rings, intrigue, Hardy Boys mysteries -- that appeals to youngsters. Diffie, son of an historian, took them very seriously. Though his interest went dormant after he exhausted all the offerings of the local city college library, it resurfaced in the mid-1960s, when he became part of the computer hacker community at the Massachusetts Institute of Technology [ http://web.mit.edu/ ].

Even as a young man, Diffie's passion for technical, math-oriented problems was matched by a keen interest in the privacy of individuals. So it was natural that as one of the tenders of a complicated multi-user computer system at MIT, he became troubled with the problem of how to make the system, which held a person's work and sometimes his or her intimate secrets, truly secure. The traditional, top-down approach to the problem -- protecting the files by user passwords, which in turn were stored in the electronic equivalent of vaults tended by trusted system administrators -- was not satisfying. The weakness of the system was clear: The user's privacy depended on the degree to which the administrators were willing to protect it. "You may have protected files, but if a subpoena was served to the system manager, it wouldn't do you any good," Diffie notes with withering accuracy. "The administrators would sell you out, because they'd have no interest in going to jail."

Diffie recognized that the solution rested in a decentralized system in which each person held the literal key to his or her own privacy. He tried to get people interested in taking on the mathematical challenge of discovering such a system, but there were no takers. It was not until the 1970s, when the people running the ARPAnet (destined to become the Internet) were exploring security options for their members, that Diffie decided to take it on himself. By then he was at Stanford [ http://www.stanford.edu/ ], under the thrall of David Kahn's 1967 work, The Codebreakers. It was a revelatory, well-written, and meticulously documented history of cryptography, focusing on 20th century American military activities, including those at the NSA.

"It brought people out of the woodwork and I certainly was one of them," recalls Diffie. "I probably read it more carefully than anyone had ever read it. By the end of 1973, I was thinking about nothing else." He embarked on what was planned to be a worldwide journey in search of information on the subject. Gaining access to it was a difficult task, since almost everything about modern cryptography was classified, available only to NSA-types and academics. Diffie's sojourn took him as far as the East Coast, where he met the woman he would eventually marry. With his future bride, he moved back to Stanford. It was then that he created a revolution in cryptography.

Specifically, the problem with the existing system of cryptography was that secure information traveled over insecure channels. In other words, a message could be intercepted before reaching its recipient. The traditional methods for securing information involved encoding an original message -- known as a "plaintext," by use of a "key." The key would change all the letters of the message so anyone who tried to read it would see only an impenetrable "cyphertext." When the cyphertext message arrived at its destination, the recipient would use the same key to decipher the code, rendering it once again to plaintext. The difficulty with this scheme was getting the key from one party to another -- if you sent it over an insecure channel, what's to stop someone from intercepting it and using it to decode all subsequent messages?

The problem got even thornier when one tried to imagine encryption employed on a massive scale. The only way to do it, really, was to have registries, or digital repositories, where keys would be stored. As far as Diffie was concerned, that system was screwed -- you wound up having to trust the people in charge of the registry. It negated the very essence of cryptography: to maintain total privacy over your own communications.

Diffie also foresaw the day when people would be not only communicating electronically, but conducting business that way as well. They would need the digital equivalent of contracts and notarized statements. But how could this "digital signature," etched not in paper but in easily duplicated blocks of ones and zeros, possibly work?

In May 1975, collaborating with Stanford computer scientist Martin Hellman, Diffie cracked both problems. His scheme was called public-key cryptography. It was a brilliant breakthrough: Every user in the system has two keys -- a public key and a private key. The public key can be widely distributed without compromising security; the private key, however, is held more closely than an ATM password -- you don't let nobody get at it. For relatively arcane mathematical reasons, a message encoded with either key can be decoded with the other. For instance, if I want to send you a secure letter, I encrypt it with your public key (which I have with your blessing), and send you the cyphertext. You decipher it using your private key. Likewise, if you send a message to me, you can encrypt it with my public key, and I'll switch it back to plaintext with my private key.

This principle can also be used for authentication. Only one person can encrypt text with my private key -- me. If you can decode a message with my public key, you know beyond a doubt that it's straight from my machine to yours. The message, in essence, bears my digital signature.

Public-key cryptography, in the words of David Kahn, was not only "the most revolutionary new concept in the field since. . .the Renaissance," but it was generated totally outside of the government's domain -- by a privacy fanatic, no less! By the time Diffie and Hellman started distributing pre-prints of their scheme in late 1975, an independent movement in cryptography, centered in academia, was growing. These new cryptographers had read Kahn's book, but more important, they realized that the accelerating use of computers was going to mean a growth surge in the field. This expanding community soon had regular conferences and eventually published its own scientific journal.

By 1977, three members of this new community created a set of algorithms that implemented the Diffie-Hellman scheme. Called RSA for its founders -- MIT scientists Rivest, Shamir, and Adleman -- it offered encryption that was likely to be stronger than the Data Encryption Standard (DES), a government-approved alternative that does not use public keys. The actual strength of key-based cryptographic systems rests largely in the size of the key -- in other words, how many bits of information make up the key. The larger the key, the harder it is to break the code. While DES, which was devised at IBM 's [ http://www.ibm.com/ ] research lab, limits key size to 56 bits, RSA keys could be any size. (The trade-off was that bigger keys are unwieldy, and RSA runs much more slowly than DES.) But DES had an added burden: Rumors abounded that the NSA had forced IBM to intentionally weaken the system so that the government could break DES-encoded messages. RSA did not have that stigma. (The NSA has denied these rumors.)

All that aside, the essential fact about RSA is that it was a working public-key system, and thus did not suffer from the dire flaw of all previous systems: the need to safely exchange private keys. It was flexible enough to be used to address the massive requirements of the crypto future. The algorithms were eventually patented and licensed to RSA Data Security [ http://www.rsa.com/ ], whose corporate mission was to create privacy and authentication tools.

As holder of the public-key patents, RSA Data Security is ideally placed to sell its privacy and authentication wares to businesses. Customers who plan to integrate RSA software in their systems include Apple, Microsoft, WordPerfect, Novell, and AT&T. RSA's president, Jim Bidzos, a non-cryptographer, is a compelling spokesperson for the need for privacy. He has cast himself as an adversary of the NSA, fighting legal restrictions on the export of his product. He even has been known to broadly hint that the NSA has used back-channels to retard the flow of his products.

Yet a number of privacy activists regard Bidzos and his company with caution. Some, like Jim Warren, the PC pioneer who chaired the first Computers, Freedom, and Privacy conference in 1991, are unhappy that a single company holds the domestic rights to such a broad concept as public-key cryptography. Others are even more concerned that RSA, a respectable business, will be unable to successfully resist any government pressure to limit the strength of the cryptography it sells.

In the Cypherpunk mind, cryptography is too important to leave to governments or even well-meaning companies. In order to insure that the tools of privacy are available to all, individual acts of heroism are required. Which brings us to Phil Zimmermann.

The Pretty Good Revolution

Phil Zimmermann is no stranger to political action. His participation in anti-nuke sit-ins has twice led to jailings. He has been a military policy analyst to political candidates. But his vocation is computers, and he has always been fascinated with cryptography. When he first heard about public-key crypto he was handling two jobs, one as a programmer and another unpaid post "saving the world." He was about to find a way to combine the two. Why not implement a public-key system on personal computers, using RSA algorithms?

Zimmermann posed this question around 1977, but didn't begin serious work to answer it until 1984. The more he thought about the issues, though, the more important the project became. As he later wrote in the product documentation:

You may be planning a political campaign, discussing your taxes, or having an illicit affair. Or you may be doing something that you feel shouldn't be illegal, but is. Whatever it is, you don't want your private electronic mail or confidential documents read by anyone else. There's nothing wrong with asserting your privacy. Privacy is as apple- pie as the Constitution.

What if everyone believed that law-abiding citizens should use postcards for their mail? If some brave soul tried to assert his privacy by using an envelope for his mail, it would draw suspicion. Perhaps the authorities would open his mail to see what he's hiding. Fortunately, we don't live in that kind of world, because everyone protects most of their mail with envelopes. So no one draws suspicion by asserting their privacy with an envelope. There's safety in numbers. Analogously, it would be nice if everyone routinely used encryption for all their e- mail, innocent or not, so that no one drew suspicion by asserting their e-mail privacy with encryption. Think of it as a form of solidarity.

If privacy is outlawed, only outlaws will have privacy. Intelligence agencies have access to good cryptographic technology. So do the big arms and drug traffickers. . . But ordinary people and grass-roots political organizations mostly have not had access to affordable military grade public-key cryptographic technology. Until now.

Not being a professional cryptographer, Zimmermann moved slowly. By 1986, he had implemented RSA, and a year later wrote a scrambling function he called Bass-O-Matic, in homage to a Saturday Night Live commercial for a blender that liquifies fish. Piece by piece he built his program. In June, 1991, it was ready for release. He named his software PGP, for Pretty Good Privacy. Though at one time he mused about asking users for a fee, he subsequently became concerned that the government would one day outlaw the use of cryptography. Since Zimmermann wanted the tools for privacy disseminated widely before that day came, he decided to give PGP away. No strings.

This required some personal sacrifice. Zimmermann missed five mortgage payments producing PGP. "I came within an inch of losing my house," he says.

But the effort was worth it. PGP was unprecedented. It was, Zimmermann claims, faster than anything else available. And despite troublesome details like patent law and export code, it was very available.

Zimmermann put his first version, which ran only on PCs, on computer bulletin-board systems and gave it to a friend who posted it on the Internet. "Like thousands of dandelion seeds blowing in the wind," he wrote, PGP spread throughout cyberspace. Within hours, people were downloading it all over the country and beyond. "It was overseas the day after the release," he said. "I've gotten mail from just about every country on Earth."

PGP won no popularity contests at RSA Data Security. Jim Bidzos was incensed that Zimmermann, whom he considers not an altruistic activist but an opportunist who still hopes to make a buck off stealing intellectual property, had blithely included RSA's patented algorithms in PGP. Zimmermann's defense was that he wasn't selling PGP, but distributing it as a sort of research project. (Some people think that PGP, by spreading the gospel of public key cryptography, is the best thing that ever happened to RSA.)

In any case, the legal situation is still hazy, with Zimmermann now refraining from distributing the software (though he updates the user's guide and provides guidance and encouragement to those who have chosen to revise the software).

What does the NSA think about Phil Zimmermann's Johnny Appleseed-like attempt to bring the world crypto tools? Zimmermann has heard no formal complaint, even though many believe that PGP's strength in protecting data is such that it would never be approved for export to foreign shores. Zimmermann, of course, did not submit PGP to such scrutiny because he required no export license for international sales -- after all, he was not selling it. In any case, Zimmermann himself never shipped the software overseas, warning users that it was their business if they chose to.

To be extra careful, Zimmermann arranged for the more powerful version 2.0, released last September, to be distributed from New Zealand "into" the United States, so there would be no question about exporting forbidden tools. (Due to some regulatory oddities, RSA is patented "only" in the United States, and thus PGP is a potential patent infringer only within US borders.)

An uncounted number of US users, probably thousands, have PGP in its various incarations -- on DOS, Macintosh, Amiga, Atari ST, or VAX/VMS computers.

At first the silence from the NSA actually worried Zimmermann. He wondered if it meant that PGP had some sort of weakness, a "trap door" that the government had identified. But after a session with a world- class cryptographer, Zimmermann was assured that while PGP had many inefficiencies, it offered protection at least as strong as the government-standard DES. It truly was "pretty good" protection. So people could evaluate it on their own, Zimmermann allowed free distribution of the source code -- something one does not enjoy with alternative encryption products. And most of the inefficiencies are addressed in version 2.0.

(It was only as this article was being prepared, in February 1993, that Zimmermann was questioned about PGP by two US Customs officials who flew from California to ask about how the program might have found its way out of the country. As of press time, it seems that this investigation might be still active.

Jim Bidzos of RSA, obviously not a disinterested source, claims that not only Zimmermann, but anyone using PGP, is at risk. He scoffs at Zimmermann's efforts to stay within the letter of the law, charging that the use of PGP is "an illegal activity that violates patent and export law." Bidzos has written to institutions like Stanford and MIT, informing them that any copies of PGP on their computers would put them on the wrong side of the law, and he says that the universities have subsequently banned PGP.)

Still, PGP has changed the world of crypto. It is not a solution to the problem by any means -- using it adds a degree of difficulty to e-mail and file transfers -- but it has developed a cult among those motivated to use it. It's sort of a badge of honor to include one's PGP public key with e-mail messages.

And until the long-awaited alternative for electronic crypto on the Internet, Privacy Enhanced Mail (PEM), is released -- after five years of planning, the release seems near -- PGP is one of the only games in town. (Other alternatives include an RSA-approved product called RIPEM.) Even then, many users may stick to PGP. "PEM is technically cleaner but is bogged down in bureaucracy -- for instance, before you use PEM you must first register a key with something called a policy certification authority," says crypto-activist and Cypherpunk John Gilmore. "PGP is portable, requires no bureaucracy, and has more than a year's head- start."

Ultimately, the value of PGP is in its power to unleash the possibilities of cryptography. Tom Jennings, founder of the FIDOnet matrix of computer bulletin boards, finds the software useful, but becomes positively rapturous as he contemplates its psychic influence. To Jennings, a gay activist, cryptography has the potential to be a powerful force in protecting the privacy of targeted individuals.

"People who never have had cops stomping through their house don't care about this," Jennings said. He believes that public awareness of these issues will be raised only by making the tools available. "If you can't demonstrate stuff, it's hard to explain." On the other hand, said Jennings, "If we flood the world with these tools, that's going to make a big difference."

The Empire Strikes Back

The flood to which Jennings refers is now only a trickle. But you don't have to be a cryptographer to know which way the code will flow. The flood indeed is coming, and the agency charged with safeguarding and mastering encryption technologies is about to be thrust into a cypher age in which messages that once were clear will require tedious cracking -- and may not be crackable at all. While it is impossible to read the government's mind concerning the prospects of this scenario (see The NSA Remains Cryptic, page 57), its actions are telling. The strategy is one of resistance. The feds are stepping up the war between crypto activists and crypto suppressors.

The conflict actually began in the late 1970s. As wars go, this one was more cloak than dagger, with no disappearances in the night -- unlikely to inspire a movie starring Steven Seagall, or even Robert Redford. As Diffie explains, "the whole thing has been conducted in a gentlemanly fashion." Yet the stakes are high: in one view, our privacy; in the other view, our national security. The government was not above implicitly threatening independent cryptographers with jail.

According to The Puzzle Palace, James Bamford's classic NSA expose, the first salvo in the conflict was a letter written in July 1977 by an NSA employee named Joseph A. Meyer. It warned those planning to attend an upcoming symposium on cryptography that participation might be unlawful under an Arms Regulation law, which controls weapons found on the US Munitions List (cryptographic tools, it turns out, are classified right alongside tanks and bomber planes). Though the ensuing controversy in this case blew over, it became clear that NSA regarded what came from the minds of folks like Whit Diffie to be contraband. In an unprecedented interview, the then-new NSA Director Bobby Inman floated the idea that his agency might have the same control over crypto as the Department of Energy has over nukes. In 1979, Inman gave an address that came to be known as "the sky is falling" speech, warning that "non- governmental cryptologic activity and publication. . .poses clear risks to the national security."

Through the 1980s, both sides became entrenched in their views -- but it was by far the alternative crypto movement that gathered strength. Not only was the community growing to the point where government crypto specialists came to terms with the phenomenon, but computers -- the devices destined to be crypto engines -- became commonplace. Just as it was obvious that all communication and data storage was going digital, it was a total no-brainer that effective cryptography was essential to the maintenance of even a semblance of the privacy and security people and corporations enjoyed in the pre-digital era.

In fact, our personal information -- medical information, credit ratings, income -- lies unencrypted on databases. Our most intimate secrets rest on our hard disks, sitting ducks. Our phone conversations bounce off satellites, easily pluckable by those sophisticated enough to sort these things out. Our cellular phone conversations are routinely overheard by any goofus with a broadband radio -- just ask Prince Charles.

And if things are tough for individuals, corporations are in worse shape -- even their (weakly) encrypted secret plans are being swiped by competitors. Recently, the head of the French intelligence service quite cheerfully admitted intercepting confidential IBM documents and handing them over to French-government-backed competitors. (In cases like these, weak encryption -- which gives a false sense of security -- is worse than no encryption at all.)

In the face of this apparent inevitability -- crypto for the masses! -- what's a secret government agency to do? Throw in the towel, let the market determine the strength of the people's algorithms, and grumpily adjust to the new realities? No way. The government has chosen this moment to dig in and take its last stand. The future of crypto, and our ability to protect our information to the fullest extent, hangs in the balance.

The specter of what one Cypherpunk calls "Crypto Anarchy" -- where strong, easy-to-use encryption is accessible to all -- terrifies those accustomed to the old reality. Perhaps the best expression of these fears comes from Donn Parker, a think-tank computer security specialist who is in synch with the government mindset. "We have the capability of 100-percent privacy," he says. "But if we use this I don't think society can survive."

A somewhat less apocalyptic yet equally stern conclusion comes from Georgetown University Professor Dorothy Denning, a respected figure in academic crypto circles: "If we fail to enact legislation that will ensure a continued capability for court-ordered electronic surveillance," Denning writes, ". . .systems fielded without an adequate provision for court-ordered intercepts would become sanctuaries for criminality wherein Organized Crime leaders, drug dealers, terrorists, and other criminals could conspire and act with impunity. Eventually, we could find ourselves with an increase in major crimes against society, a greatly diminished capacity to fight them, and no timely solution."

Denning has spoken favorably of a plan that sends chills up Cypherpunk [ ftp://soda.berkeley.edu/pub/cypherpunks/Home.html ] spines: It allows people access to public-key cryptography only if they agree to "escrow" their private keys in a repository controlled by a third party who would, under a judge's order or other dire circumstance, give it to some government or police body.

Key registries, of course, would require crypto users to trust self- interested third parties, the very paradox that led Diffie to develop public-key cryptography. Diffie did not intend private keys to be shared -- not with colleagues, not with spouses, and certainly not with some swiftie in a suit who would flip it over to the cops at the first flash of a warrant. As Electronic Frontier Foundation co-founder John Perry Barlow put it, "You can have my encryption algorithm. . . when you pry my cold dead fingers from my private key."

But Dorothy Denning has a point. Unfettered cryptography does have its trade-offs. The same codes that protect journalists and accountants will abet the security of mobsters, child molesters, and terrorists. And if everyone encrypts, there certainly would be a weakening of our intelligence agencies, and possibly our national security.

As far as the NSA is concerned, its very mission is to establish and maintain superiority in making and breaking codes. If strong cryptography enters common usage, this task will be greatly complicated, if not rendered nearly impossible.

The government itself has taken action on three fronts:

While defending Digital Telephony on ABC's Nightline, FBI chief William Sessions claimed that the law would merely allow law enforcement to keep pace with technology. But as Whit Diffie notes, "The most important impact of technology on communications security is that it draws better and better traffic into vulnerable channels."

In other words, Digital Telephony, if passed, would grant law- enforcement access not only to phone conversations, but a whole range of personal information previously stored in hard copy but ripe for plucking in the digital age. And if law enforcement can get at it, so can others -- either government agents over-stepping their legal authority, or crooks.

In one sense this debate is moot, because the crypto genie is out of the bottle. The government may limit exports, but strong encryption software packages literally are being sold on the streets of Moscow. The NSA may keep its papers classified, but a whole generation of independent cryptographers is breaking ground and publishing freely. And then there are the crypto-guerrillas, who have already penetrated deep into the territory of their adversaries.

The Promise of Crypto Anonymity

The first physical Cypherpunk meeting occurred early last autumn at the instigation of two software engineers who had developed an interest in crypto. One was Tim May, a former Intel physicist who "retired" several years ago, at age 34, with stock options sufficient to assure that he would never flip a burger for Wendy's. May, who reluctantly permits journalists to pigeon-hole him as a libertarian, is the in-house theoretician, and author of the widely circulated "Crypto Anarchist Manifesto." The other founder, Eric Hughes, has become the moderator of the physical meetings, maintaining an agenda that mixes technical issues of Cypherpunk works-in-progress to reports from the political front.

It would be wrong to think of Cypherpunks as a formal group. It's more a gathering of those who share a predilection for codes, a passion for privacy, and the gumption to do something about it. Anyone who decides to spread personal crypto or its gospel is a traveler in the territory of Cypherpunk.

The real action in that realm occurs via The List, an electronic posting ground which commonly generates more than 50 messages a day. People on The List receive the messages on their Internet mailboxes and can respond. The List is sort of a perpetual conversation pit from which gossip is exchanged, schemes are hatched, fantasies are outlined, and code is swapped. The modus operandi of Cypherpunks is a familiar one to hackers -- If You Build It, They Will Come.

As Eric Hughes posted on The List:

As the Cypherpunks see it, the magic of public-key crypto can be extended far beyond the exchange of messages with secrecy. Ultimately, its value will be to provide anonymity, the right most threatened by a fully digitized society. Our transactions and conversations are now more easily traced by the digital trails we leave behind. By following the electronic links we make, one can piece together a depressingly detailed profile of who we are: Our health records, phone bills, credit histories, arrest records, and electronic mail all connect our actions and expressions to our physical selves. Crypto presents the possibility of severing these links. It is possible to use cryptography to actually limit the degree to which one can track the trail of a transaction.

This is why certain Cypherpunks are hard at work creating remailers that allow messages to be sent without any possible means of tracing who sent the message. Ideally, if someone chooses a pseudonym in one of these systems, no one else can send mail under that name. This allows for the possibility of a true digital persona -- an "identity" permanently disembodied from one's physical being.

Cryptographic techniques can also potentially assure anonymity in more prosaic exchanges. For instance, in a system designed to protect privacy, a prospective employer requesting proof of a college degree will have access to records with that information -- but will only be able to verify that sole datum. Cypherpunks even discuss certain cases in which a person's name would be one of the pieces protected -- for instance, a police officer checking one's license need not know a driver's name, but only whether he or she is licensed to drive. The ultimate Crypto Anarchy tool would be anonymous digital money, an idea proposed and being implemented by cryptographer David Chaum. (Chaum also first proposed the idea of remailers -- a good example of how the Cypherpunks are using academic research from the crypto community to build new privacy tools.)

In essence, the Cypherpunks propose an alternative to the continuation of the status quo, where cryptography is closely held and privacy is an increasingly rare commodity. Ultimately, the lessons taught by the Cypherpunks, as well as the tools they produce, are designed to help shape a world where cryptography runs free -- a Pac-Man-like societal maneuver in which the digital technology that previously snatched our privacy is used, via cryptography, to snatch it back.

Tim May admits that if the whole cryptography matter were put to a vote among his fellow Americans, his side would lose. "Americans have two dichotomous views held exactly at the same time," he claims. "One view is, None of your damn business, a man's home is his castle. What I do is my business.' And the other is, What have you got to hide? If you didn't have anything to hide, you wouldn't be using cryptography.' There's a deep suspicion of people who want to keep things secret."

There's also a legitimate fear that with the anonymous systems proposed by crypto activists, illegal activities could be conducted more easily, and crucial messages our government now easily intercepts might never be noticed. But, as May says, these fears are ultimately irrelevant. Crypto Anarchy, he believes, is inevitable, despite the forces marshaled against it. "I don't see any chance that it will be done politically," says the Cypherpunk. "[But] it will be done technologically. It's already happening."

The NSA Remains Cryptic: The Official Reply

At one time, the National Security Agency would not even admit that it existed. Now, it has a Public Affairs staff whose usual modus operandi is to reply to faxed questions from journalists. Attempting to get the NSA view of the alternative crypto movement, we asked the NSA the following six questions:

Here, in its entirety, is the NSA reply:

The emergence of cryptography in the public sector has stemmed from the rapid growth in communications and information systems for private and commercial applications, and efforts to ensure that these systems are safe from hackers, viruses, and unauthorized access. One of NSA's primary responsibilities in this arena is to provide the means of protecting vital US government and military communications and information systems of a classified nature. NSA maintains a high degree of expertise in cryptographic technology and keeps abreast of advancements, domestically and abroad, in order to better protect vital government communications.

Regarding questions two and three, as we have just stated, NSA is responsible for protecting US government classified information systems. We do not anticipate relaxing security and integrity of these government systems since such disclosure could reduce the effectiveness of these measures. As for domestic use of cryptography, we have always supported the use of cryptographic products by US businesses operating domestically and overseas to protect their sensitive and proprietary information.

Finally, as a policy matter, NSA does not discuss details of its signals intelligence operations, including the types of communications it monitors. Please note, however, that our signals intelligence operations are exclusively limited to producing foreign intelligence information considered vital to the security interest of the US. We, therefore, offer no comment to questions four and six.

In regard to question five and the idea of mandatory key registration, we defer to the Department of Justice/FBI.

John Gilmore Challenges the NSA

His Crime: Checking Out A Book

One day last November, the Justice Department called John Gilmore's lawyer. The message they left: Gilmore was on the verge of violating the Espionage Act. A conviction could send him to jail for ten years. His crime? Basically, showing people a library book.

It was a fight that Gilmore instigated. As Sun Microsystems employee number five, Gilmore retired with a bankroll in the millions. Later, he had the opportunity not only to co-found a new company -- called Cygnus Support -- but to commit acts of public service. "As I get older," says the 37-year-old computer programmer, "I realize how limited our time on Earth is." His cause of choice was the liberation of cryptography, a field that had fascinated him since he was a boy.

"We aren't going to be secure in our persons, houses, papers, and effects unless we get a better understanding of cryptography," he says. "Our government is building some of those tools for its own use -- there have been breakthroughs -- but they're unavailable to us. We paid for them."

To remedy this situation, Gilmore and his lawyer, Lee Tien, have tried to rescue documents from the shroud of secrecy. Gilmore's first major coup was the distribution of a paper written by a Xerox cryptographer that the NSA had convinced Xerox not to publish. Gilmore posted the document on the Net, and within hours, thousands of people had a copy.

Gilmore's next action was to challenge the NSA's refusal to follow Freedom of Information Act (FOIA) protocols in releasing requested documents. The documents he sought were 30-year-old manuals written by William F. Friedman, the father of American cryptography. These seminal textbooks had been declassified, but later, for undisclosed reasons, reclassified. The NSA did not respond to Gilmore's request for their release within the required time-frame, so he took them to court. Meanwhile, a friend of Gilmore discovered copies of two of the documents: one in the Virginia Military Institute Library, the other on microfilm at Boston University. The friend gave copies to Gilmore, who then notified the judge hearing the FOIA appeal that the secret documents were actually on library shelves.

It was then that the government notified Gilmore that distribution of the Friedman texts would violate the Espionage Act, which dictated a possible ten-year prison sentence for violators. Gilmore sent a sealed copy to the judge, asking whether his First Amendment rights were being violated by the notice; he also alerted the press. Meanwhile, worried about whether the government might stage a surprise search of his house or business, he hid copies of the documents -- one in an abandoned building. On November 25, 1992, an article about the case appeared in the San Francisco Examiner. Two days later, a NSA spokesperson announced that the agency had once again declassified the texts. (A Laguna Hills, California publisher, the Aegean Park Press, quickly printed and released the books, Military Crypt-analysis, Part III, and Part IV.)

Gilmore is still pressing his case, requesting a classified book called Military Cryptanalytics, Volume III. More important, he hopes to get a general court ruling that will force the NSA to adhere to FOIA rules, and possibly even a ruling that part of the Espionage Act, by using prior restraint to suppress free speech, is unconstitutional.

What if Gilmore wins, and the NSA is forced to reveal all but the most secret information about cryptography? Would national security be compromised, as the NSA claims? "I don't think so," says Gilmore. "We are not asking to threaten the national security. We're asking to discard a Cold War bureaucratic idea of national security which is obsolete. My response to the NSA is: Show us. Show the public how your ability to violate the privacy of any citizen has prevented a major disaster. They're abridging the freedom and privacy of all citizens -- to defend us against a bogeyman that they will not explain. The decision to literally trade away our privacy is one that must be made by the whole society, not made unilaterally by a military spy agency."

Gilmore Speaks to Congress

John Gilmore presented the following "sound bits" to Congress for consideration as it debates technology policy:

Further Readings on Cypherpunk Topics

The Bedside Crypto Reader

General

The Codebreakers, Kahn (Macmillan, 1967), seminal cryptographic history.

Puzzle Palace, Bamford (Penguin, 1983), classic expose of the National Security Agency.

Books on Cryptographic Systems

Contemporary Cryptology by Gustavus J. Simmons (IEEE Press, 1991), fairly technical volume offering solid background on the subject, including a chapter on the history of public-key cryptography by Whitfield Diffie.

Cryptography and Data Security, Denning (Addison-Wesley, 1982), good primer to the workings of crypto systems.

Sci-Fi Novels Beloved by Cypherpunks

Ender's Game, Scott Card (Tor, 1985), vivid scenarios in which crypto anonymity is crucial.

Shock-Wave Rider, Brunner (Ballantine, 1976), representation of an oppressive lack of privacy in a networked society.

True Names, Vinge (Blue Jay Books, 1984), novel of cyberspace-style sojourns that outline links between electronic identity and physical identity.


The NSA is Not Alone

By John Browning

Cryptographic paranoia is not limited to the United States. Flush with enthusiasm over the export prospects for their new digital cellular telephone system, European telecom companies a year or so ago changed the name of their cellular phone consortium from Group System Mobile to Global System Mobile. Unfortunately the new system is not so global after all. In January, European governments decided to list the new telephones alongside nuclear fuses and other goods whose export is restricted in the name of national security.

Like their US counterparts, the European governments' problem with Global System Mobile -- or GSM as it is more familiarly known -- is that the phones cannot be tapped. In the name of privacy, each GSM handset encrypts its signal using an algorithm called A5. As a sort of backhanded testimonial to A5's effectiveness, NATO governments have decided that it is far too good to sell to those whose privacy they would not wish to respect -- like Saddam Hussein's tank corps. So they have used their powers under the COCOM agreement on "strategic" trade to limit exports.

The companies making GSM equipment -- which include most of Europe's big telecoms firms -- don't want an export product that they cannot export. So they are busily devising a new cryptographic technology -- called A5X -- which doesn't work as well. The new A5X will be much easier to crack than the old A5 technology. The two will also be compatible; so in theory both could be used at the same time -- one for export markets and one at home. That way GSM could make good on its marketing promise that one handset will work anywhere in the world. The intriguing question, however, is whether they will both be used.

Britain's two cellular operators, Vodafone and Cellnet, both say they have heard hints -- nothing direct, just hints -- that various police and security services (stuck for the moment with A5) would be happier if they could eavesdrop on domestic conversations carried on GSM as conveniently as do their counterparts abroad (who only have to crack A5X). Racal, Vodafone's parent, recently specified A5X for a network sold to Australia, which is not a country widely thought of as a threat to the free world. If cellular companies do indeed swap to A5X at home to facilitate government eavesdropping, the Cypherpunk movement will more likely than not go global as well. Keep listening.


Steven Levy (steven@well.com) writes the "Iconoclast" column for Macworld magazine and is the author of "Hackers," "Artificial Life," and "The Unicorn Secret," all unencrypted.


 Copyright 1993