Technology: Code Blues

Phil Zimmerman gave electronic privacy protection to the masses, and for that he may go to jail.

In 1991 Phil Zimmerman developed a software program called Pretty Good Privacy (PGP), designed to shield electronic information from prying eyes, and gave it away for free. Zimmerman, a Boulder, Colorado, software consultant, thereby provided unbreakable "military-grade" encryption to the masses. After he released PGP, someone put it on the Internet, making it available, with a few keystrokes, to the whole world. In a short time, PGP could be found in London or Moscow. This has upset some powerful people in Washington, especially the National Security Agency.

Agents from the U.S. Customs Service visited Zimmerman in February 1993 to ask him about the "export" of PGP. Under the current interpretation of the International Traffic in Arms Regulations, cryptographic software like PGP is classified as "munitions" and cannot be legally exported without permission from the federal government. "The mere posting of encryption software is tantamount to exporting it," explains Danny Weitzner of the Electronic Frontier Foundation.

Zimmerman says he has been told that he is the primary target of an ongoing federal grand-jury investigation. In September, he says, an encryption company was served with a subpoena to produce documents related to "ViaCrypt [the commercial version of PGP], PGP, Philip Zimmerman, and anyone or any entity acting on behalf of Philip Zimmerman for the time period June 1, 1991, to the present." Assistant U.S. Attorney William Keane, who is in charge of the grand-jury investigation, says he cannot comment on an ongoing case, but there may be "some activity shortly."

If Zimmerman is convicted of "exporting munitions," he could go to jail for four years. He would probably view himself as a political prisoner. "I didn't do it to make money," he says. "I did it to inoculate the body politic." In October he told a congressional subcommittee: "When making public-policy decisions about new technologies for the government, I think one should ask oneself which technologies would best strengthen the hand of a police state. Then, do not allow the government to deploy those technologies. This is simply a matter of good civic hygiene."

Zimmerman believes the expansion of digital communications networks could pose a serious threat to individual liberty. He makes the point by contrasting how government agencies can monitor regular mail with how they can sift through electronic mail. Previously the authorities could only intercept and steam open envelopes sent to a few people. This is like using a hook to catch a fish. With the development of data networks, officials can scan thousands of electronic messages simultaneously for key words. This is like using a drift net.

In a move that could help weave such a net, the federal government is trying to persuade the U.S. computer and telecommunications industry to adopt an encryption standard developed by the National Security Agency called the Clipper Chip. The Clipper Chip has a "back door" that allows government officials to tap and decode any messages encrypted with it. (See "Hide and Peek," November 1993.) Spooks and law-enforcement officials say this back door is needed so they can monitor the communications of terrorists, drug runners, and wire-fraud artists. They say ordinary citizens would enjoy the same constitutional protections as in the past, since tapping a phone or reading someone's e-mail would still require a court order.

"The government has the balance of costs and benefits all wrong," says the EFF's Weitzner. "We grant that there are some number of people who would use cryptography to further illegal acts, but should we compromise the privacy of all American citizens just to do an ineffective job of trying to police terrorists and mobsters?" Philip Dubois, Zimmerman's attorney, puts it this way: "We can have the kind of country where people can speak freely and privately and take the consequences of that. Or we can have the kind of country where they can't and take the far worse consequences of that."

By creating and disseminating PGP, Zimmerman made it clear which side he comes down on. The program uses an unbreakable algorithm in combination with "public-key" cryptography. In public-key cryptography, everyone has two complementary keys, a public one and a secret one. Each key deciphers the code the other key makes, but the secret key cannot be deduced from the public key. The public key is disseminated widely so that anyone can use it to encode messages to its originator, who decodes them using his secret key. No one but the recipient can decrypt a message sent using his public key, not even the person who encrypted it.
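
The two-key scheme described above, sketched as an added Python example that is not PGP's code or part of the original article: a one-time secret is wrapped with the recipient's public key and used to scramble the message. RSA with a SHA-256 keystream is an assumed stand-in for PGP's actual ciphers, and all function names are hypothetical.

```python
# Added illustration, not PGP source. Assumption: RSA plus a SHA-256 keystream
# stands in for PGP's real ciphers; no padding or authentication, demo only.
import hashlib
import secrets

def is_probable_prime(n, rounds=24):  # Miller-Rabin with random bases
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, full length
        if is_probable_prime(c):
            return c

def generate_keypair(bits=1024, e=65537):
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))  # public, secret

def _stream(r, n, data):  # XOR with a SHA-256 counter keystream keyed by r
    key = hashlib.sha256(r.to_bytes((n.bit_length() + 7) // 8, "big")).digest()
    pad = b"".join(hashlib.sha256(key + i.to_bytes(8, "big")).digest()
                   for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, pad))

def encrypt(public, message):
    n, e = public
    r = secrets.randbelow(n - 2) + 2  # one-time secret, discarded by sender
    return pow(r, e, n), _stream(r, n, message)

def decrypt(key, wrapped, body):
    n, exponent = key
    return _stream(pow(wrapped, exponent, n), n, body)
```

Calling `decrypt` with the public key instead of the secret key returns garbage, which is why the sender cannot read the message back once the one-time secret is discarded.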

PGP made it easy for the average computer jockey to use public-key cryptography to protect his or her electronic data and messages from snoops, be they government, criminal, or corporate. Zimmerman named his program Pretty Good Privacy as a folksy homage to Ralph's Pretty Good Grocery in Garrison Keillor's mythical Lake Wobegon. He proudly points out that breaking PGP would take "more computing resources than are currently available"–a mathematician's understated way of saying that there aren't enough computers on earth to break it.

Versions of PGP, including the updated PGP 2.3a, are widely available throughout the Internet. (Those interested in getting a freeware copy of PGP can obtain a list of sites by contacting Hugh Miller via e-mail at hmiller@orion.it.luc.edu. For news updates on encryption issues, contact Internet Usenet newsgroups alt.security.pgp, talk.politics.crypto, and sci.crypt.) ViaCrypt, the commercial version of PGP, can be purchased at your local computer software store. Indeed, a wide variety of software with encryption capabilities is available at stores, from mail-order houses, and on computer bulletin boards. Anyone can buy such programs or download them; they can be carried or mailed out of the United States on a floppy disk or blipped via modem to anywhere in the world.

Clearly, the cat is out of the bag. Yet the feds are frantically trying to stuff it back in. "The National Security Agency's opposition is the last vestige of a Cold War bureaucracy holding on," Weitzner says. "After all, what's their mission now?" Zimmerman adds, "The NSA views this as their twilight of the gods, their Armageddon." (Asked about PGP, NSA spokesperson Judi Emmel says, "It is a private encryption technique and it is not our place to comment on it.")

Cryptography used to be something the NSA could control because it was very expensive and the government could break just about any code that could be used affordably. The sole purpose of the super-secret agency is signals intelligence: monitoring communications and deciphering codes. Every year that the NSA delays the widespread adoption of unbreakable encryption is another year in which the agency can provide intelligence to government officials and justify its budget.

Over the long term, however, cryptography is simply too important for the NSA to have its way. "I hope that the administration understands the devastating importance this has to expanding the information superhighway," Weitzner says. "People need to know that their communications on it are secure."

Computer companies strongly oppose the Clipper Chip, arguing that its adoption would dampen exports of American products. After all, why would foreign customers want to own computers or software with encryption systems designed for U.S. government access? Some members of Congress realize the growing importance of encryption to the computer industry. Rep. Maria Cantwell (D-Wash.) introduced a bill last November that would liberalize export controls on software with encryption capabilities. In introducing her bill, Cantwell noted that American software companies stand to lose between $6 billion and $9 billion annually in sales to foreign customers because of the government prohibition on encryption exports. A similar bill has been introduced in the Senate.

The Electronic Frontier Foundation is organizing an electronic mail campaign to support the Cantwell bill. "If we lift export controls, it will make really stupid ideas like the Clipper Chip obsolete," says Weitzner. It would also probably end Zimmerman's legal troubles. Meanwhile, his lawyers have created a fund to help pay his legal bills. (Information about the fund can be obtained by contacting his attorney via e-mail at dubois@csn.org.)

Lately Zimmerman has been working on a voice encryption system that would turn every multimedia computer into a secure telephone. Expected to be available later this year, the system could spell the end for wiretaps. Zimmerman sees it as a logical follow-up to PGP. "PGP empowers people to take their privacy into their own hands," he says. "If privacy is outlawed, then only outlaws will have privacy."

Contributing Editor Ronald Bailey is the author of ECO-SCAM: The False Prophets of Ecological Apocalypse, which will be issued in paperback by St. Martin's Press this spring. He is the 1993 Warren Brookes Fellow in Environmental Journalism at the Competitive Enterprise Institute and the producer of Ben Wattenberg's new national weekly PBS TV series, Think Tank.